Re: access-lists vs. prefix-lists

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Wed Mar 16 2005 - 06:34:19 GMT-3


I think you are mixing two things in one.

A (classless) route has two parts: a base network and a mask.
SACLs only care about the first part (the base network)
EACLs can (in some places) care about both.
PLs care about both always.

Bottom line: there is no way for a SACL to look after a (classless)
network mask.

John Matus wrote:
> OK, that is where I get confused.............
> If, as in ACL 5 <access-l 5 permit 192.168.1.0 0.0.0.255>, I don't see
> how that would match /24, /25, /26 routes. I would think that you
> would need to have a wildcard mask of 0.0.0.252, 0.0.0.248, 0.0.0.240.
> How does it match those routes......hmm, OK, slight epiphany: is it
> because .252, .248, and .240 are all subsets of the .255, which means
> everything under the sun in that octet?
>
>
>> From: Carlos G Mendioroz <tron@huapi.ba.ar>
>> To: John Matus <john_matus@hotmail.com>
>> CC: ccielab@groupstudy.com
>> Subject: Re: access-lists vs. prefix-lists
>> Date: Tue, 15 Mar 2005 21:59:19 -0300
>>
>> John,
>> there are differences, some of which can be dealt with, but prefix
>> lists are simpler to use when you are trying to deal with routes.
>>
>> In your example with ACL 5, your acl would let go:
>> 192.168.1.0/24
>> 192.168.1.0/25
>> 192.168.1.0/26
>> ...
>> 192.168.1.128/25
>> 192.168.1.128/26
>> ...
>> but the prefix list would only let 192.168.1.0/24.
>>
>> Some routing protocols do accept extended ACLs to care about masks, like
>>
>> access-list 105 permit 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0
>>
>> which would be an exact match of the example prefix list.
>>
>> Hope this helps.
>>
>> John Matus wrote:
>>
>>> Prefix-list vs. access-list question
>>>
>>> I'm a bit confused about the functionality of prefix-lists vs.
>>> access-lists. While I'm aware that prefix-lists seem to have some
>>> added granularity, I'm a bit stumped as to when it is best practice to
>>> use one vs. the other. Here are a few examples of each:
>>>
>>>
>>> EXAMPLE 1
>>> router ospf 1
>>>  default-information originate route-map conditional
>>> -------------------------------------------
>>>
>>> route-map conditional permit 10
>>>  match ip address prefix-list 5
>>>
>>> ip prefix-list 5 permit 192.168.1.0/24
>>>
>>> OR
>>>
>>> route-map conditional permit 10
>>>  match ip address 5
>>>
>>> access-list 5 permit 192.168.1.0 0.0.0.255
>>>
>>> EXAMPLE 2
>>>
>>> router rip
>>>  redistribute ospf 1 metric 1 route-map o2r
>>> -------------------------------------------
>>>
>>> route-map o2r permit 10
>>>  match ip address 5
>>>
>>> access-list 5 permit 192.168.1.0 0.0.0.255
>>>
>>> OR
>>>
>>> route-map o2r permit 10
>>>  match ip address prefix-list 5
>>>
>>> ip prefix-list 5 permit 192.168.1.0/24
>>>
>>> Do both methods accomplish exactly the same thing or is the matching
>>> mechanism different in access and prefix lists?
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>> --
>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>
>
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
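To make the distinction in Carlos's reply concrete, here is an added Python model of the three matching rules (this is an illustration written for this page, not code from the thread and not IOS code). It assumes the usual IOS semantics: a wildcard bit of 1 means "don't care"; an extended ACL used for route filtering compares its source field with the route's network and its destination field with the route's subnet mask; and a prefix-list entry with no ge/le requires an exact length, ge alone extends the range to /32, and le alone starts the range at the entry's own length. The candidate route list is constructed for the example.

```python
"""Route matching under a standard ACL, an extended ACL and a prefix-list.

Added illustration for the thread above: a model of the IOS matching
rules as described there, not IOS code. Assumed IOS semantics: a
wildcard bit of 1 means "don't care"; an extended ACL used for route
filtering matches its source field against the route's network and its
destination field against the route's mask; a prefix-list entry without
ge/le requires an exact length, 'ge' alone extends the range to /32,
'le' alone starts the range at the entry's own length.
"""
import ipaddress


def _addr(a):
    return int(ipaddress.IPv4Address(a))


def _route(r):
    return ipaddress.ip_network(r, strict=False)


def standard_acl_match(acl_net, acl_wild, route):
    """'access-list N permit <net> <wildcard>' applied to a route.

    Only the network address is compared; the route's mask length is
    never looked at, so every subnet of the covered range matches.
    """
    r = _route(route)
    keep = ~_addr(acl_wild) & 0xFFFFFFFF  # bits the wildcard says to compare
    return (int(r.network_address) & keep) == (_addr(acl_net) & keep)


def extended_acl_match(acl_net, net_wild, acl_mask, mask_wild, route):
    """'access-list N permit ip <net> <wild> <mask> <wild>' applied to a route.

    The 'source' pair is matched against the network address and the
    'destination' pair against the subnet mask, so mask length counts.
    """
    r = _route(route)
    keep_net = ~_addr(net_wild) & 0xFFFFFFFF
    keep_mask = ~_addr(mask_wild) & 0xFFFFFFFF
    net_ok = (int(r.network_address) & keep_net) == (_addr(acl_net) & keep_net)
    mask_ok = (int(r.netmask) & keep_mask) == (_addr(acl_mask) & keep_mask)
    return net_ok and mask_ok


def prefix_list_match(prefix, route, ge=None, le=None):
    """'ip prefix-list NAME permit A.B.C.D/len [ge x] [le y]' applied to a route.

    The route must lie inside the prefix and its length must fall in the
    permitted range; with no ge/le the length must equal len exactly.
    """
    p = _route(prefix)
    r = _route(route)
    lo = ge if ge is not None else p.prefixlen
    hi = le if le is not None else (32 if ge is not None else p.prefixlen)
    return r.subnet_of(p) and lo <= r.prefixlen <= hi


def permitted(matcher, routes):
    """Return the subset of `routes` that `matcher` accepts, in order."""
    return [r for r in routes if matcher(r)]


# Constructed candidate routes: the /24 from the thread, its subnets, a
# neighbouring /24 and a covering supernet.
CANDIDATES = [
    "192.168.1.0/24", "192.168.1.0/25", "192.168.1.128/25",
    "192.168.1.0/26", "192.168.1.192/26", "192.168.1.0/27",
    "192.168.2.0/24", "192.168.0.0/16",
]


def acl5(route):          # access-list 5 permit 192.168.1.0 0.0.0.255
    return standard_acl_match("192.168.1.0", "0.0.0.255", route)


def acl105(route):        # access-list 105 permit ip 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0
    return extended_acl_match("192.168.1.0", "0.0.0.0",
                              "255.255.255.0", "0.0.0.0", route)


def pl_exact(route):      # ip prefix-list 5 permit 192.168.1.0/24
    return prefix_list_match("192.168.1.0/24", route)


def pl_le26(route):       # ip prefix-list 5 permit 192.168.1.0/24 le 26
    return prefix_list_match("192.168.1.0/24", route, le=26)


if __name__ == "__main__":
    for name, m in [("access-list 5", acl5), ("access-list 105", acl105),
                    ("prefix-list exact /24", pl_exact),
                    ("prefix-list /24 le 26", pl_le26)]:
        print(f"{name:24} -> {permitted(m, CANDIDATES)}")
```

Running it shows the behaviour Carlos describes: the standard ACL lets through the /24 and every subnet under it, the extended ACL and the plain prefix-list entry pass only the exact /24, and a prefix-list with le 26 gives the controlled "subnets down to /26" match that no standard ACL can express.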


This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:46 GMT-3