Re: access-lists vs. prefix-lists

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Thu Mar 17 2005 - 18:46:24 GMT-3


Well, nobody seems to pay attention to what I say (: grin :)
but I also guess nobody will back you on this.

As I said, SACLs (Standard Access Control Lists) don't care about masks.

And the 0.0.0.252 is a "don't care wildcard bits" value (aka mask) that
implies that all but the last 2 bits in the last byte are not being
evaluated (i.e. anything will match) and thus Simon is right.

John Matus wrote:
> I'm not so sure about that. The .252 matches against the 4th octet in
> the address, which in this case is 0 (which includes .1, .2, and .3).
> I think that the .252 wildcard would only match the .4 network in the
> case that the access-list stated:
>
> "access-list 5 permit 192.168.1.4 0.0.0.252"
>
> can anyone back me up on this?
>
>> From: "simon hart" <simon.hart@btinternet.com>
>> To: "John Matus" <john_matus@hotmail.com>,<tron@huapi.ba.ar>
>> CC: <ccielab@groupstudy.com>
>> Subject: RE: access-lists vs. prefix-lists
>> Date: Wed, 16 Mar 2005 20:33:12 -0000
>>
>>
>> Yes there is a difference
>>
>> An access-list of
>>
>> access-list 5 permit 192.168.1.0 0.0.0.252
>>
>> Will let through the following advertised routes
>>
>> 192.168.1.0, 192.168.1.4, 192.168.1.8, 192.168.1.12 ...........
>> 192.168.1.252
>>
>> The prefix list will only let through 192.168.1.0 if it has a subnet mask of
>> 255.255.255.252
>>
>> The key is that the prefix-list is specific
>>
>> Simon
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>> John Matus
>> Sent: 16 March 2005 18:40
>> To: simon.hart@btinternet.com; tron@huapi.ba.ar
>> Cc: ccielab@groupstudy.com
>> Subject: RE: access-lists vs. prefix-lists
>>
>>
>> Yes, that I'm aware of...........
>> I guess I was looking for a "best-practice" for specific situations. I
>> usually use prefix lists w/ BGP and ACLs for redistribution but I just
>> wanted to clarify that BOTH will work......but I also wanted to verify
>> that there is no difference between:
>>
>> access-list 5 permit 192.168.1.0 0.0.0.252
>>
>> and
>>
>> ip prefix-list 5 permit 192.168.1.0/30
>>
>> >From: "simon hart" <simon.hart@btinternet.com>
>> >To: "John Matus" <john_matus@hotmail.com>,<tron@huapi.ba.ar>
>> >CC: <ccielab@groupstudy.com>
>> >Subject: RE: access-lists vs. prefix-lists
>> >Date: Wed, 16 Mar 2005 08:17:11 -0000
>> >
>> >John,
>> >
>> >You need to remember how an access list wildcard mask works.
>> >
>> >192.168.1.0 0.0.0.255
>> >
>> >Where you have a 0 bit in the wildcard then the corresponding bit within
>> >the
>> >IP Address must match. So in the example above 192.168.1 must match.
>> >
>> >Where you have a 1 bit then the Wildcard mask does not care about the
>> >corresponding bit within IP address (also known as the 'don't care bit'),
>> >thus the 255 in the last octet means that the corresponding bit within the
>> >IP address can be anything between 1 and 255.
>> >
>> >Therefore when matching routes with an access list, the access list would
>> >let through 'Prefixes' from:
>> >
>> >192.168.1.0 to 192.168.1.255
>> >
>> >Obviously within this range there would be no routes that are advertised as
>> >routes from a routing protocol (like broadcast), however it does capture
>> >everything.
>> >
>> >A Prefix list is far more precise: 192.168.1.0/24 will only let through
>> >192.168.1.0, if you wanted the prefix list to act like the access list, you
>> >would use the ge and le statements at the end of the prefix.
>> >
>> >My advice would be, when dealing with routes, and in particular BGP, use a
>> >prefix list
>> >
>> >Simon
>> >
>> >-----Original Message-----
>> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>> >John Matus
>> >Sent: 16 March 2005 01:19
>> >To: tron@huapi.ba.ar
>> >Cc: ccielab@groupstudy.com
>> >Subject: Re: access-lists vs. prefix-lists
>> >
>> >
>> >OK, that is where I get confused.............
>> >if, as in ACL 5 <access-l 5 permit 192.168.1.0 0.0.0.255> I don't see how
>> >that would match /24, /25, /26 routes. I would think that you would need
>> >to have a wildcard mask of 0.0.0.252, 0.0.0.248, 0.0.0.240. How does it
>> >match those routes......hmm OK, slight epiphany: is it because .252,
>> >.248, and .240 are all subsets of the .255 which means everything under the
>> >sun in that octet?
>> >
>> >
>> > >From: Carlos G Mendioroz <tron@huapi.ba.ar>
>> > >To: John Matus <john_matus@hotmail.com>
>> > >CC: ccielab@groupstudy.com
>> > >Subject: Re: access-lists vs. prefix-lists
>> > >Date: Tue, 15 Mar 2005 21:59:19 -0300
>> > >
>> > >John,
>> > >there are differences, some of which can be dealt with, but prefix lists
>> > >are simpler to use when you are trying to deal with routes.
>> > >
>> > >In your example with ACL 5, your acl would let go:
>> > >192.168.1.0/24
>> > >192.168.1.0/25
>> > >192.168.1.0/26
>> > >...
>> > >192.168.1.128/25
>> > >192.168.1.128/26
>> > >...
>> > >but the prefix list would only let 192.168.1.0/24.
>> > >
>> > >Some routing protocols do accept extended ACLs to care about masks, like
>> > >
>> > >access-list 105 permit 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0
>> > >
>> > >which would be an exact match of the example prefix list.
>> > >
>> > >Hope this helps.
>> > >
>> > >John Matus wrote:
>> > >>Prefix-list vs. access-list question
>> > >>
>> > >>I'm a bit confused about the functionality of prefix-lists vs.
>> > >>access-lists. While I'm aware that prefix-lists seem to have some added
>> > >>granularity I'm a bit stumped as to when it is best practice to use one
>> > >>vs. the other. Here are a few examples of each
>> > >>
>> > >>
>> > >>EXAMPLE 1
>> > >>Router os 1
>> > >>Default-information originate route-map conditional
>> > >>-------------------------------------------
>> > >>
>> > >>Route-m conditional permit 10
>> > >>Match ip address prefix 5
>> > >>
>> > >>Ip prefix-list 5 permit 192.168.1.0/24
>> > >>
>> > >>OR
>> > >>Route-m conditional permit 10
>> > >>Match ip add 5
>> > >>
>> > >>Access-list 5 permit 192.168.1.0 0.0.0.255
>> > >>
>> > >>EXAMPLE 2
>> > >>
>> > >>Router rip
>> > >>Redistribute ospf 1 metric 1 route-map o2r
>> > >>-------------------------------------------
>> > >>
>> > >>Route-map o2r permit 10
>> > >>Match ip address 5
>> > >>
>> > >>Access-list 5 permit 192.168.1.0 0.0.0.255
>> > >>
>> > >>OR
>> > >>
>> > >>Route-map o2r permit 10
>> > >>Match ip address prefix-list 5
>> > >>
>> > >>Ip prefix-list 5 permit 192.168.1.0/24
>> > >>
>> > >>Do both methods accomplish exactly the same thing or is the matching
>> > >>mechanism different in access and prefix lists?
>> > >>
>> > >>
>> > >>_______________________________________________________________________
>> > >>Subscription information may be found at:
>> > >>http://www.groupstudy.com/list/CCIELab.html
>> > >>
>> > >
>> > >--
>> > >Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>> >
>>
>
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
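
To make the matching rules argued over in this thread concrete, here is an added example, written for this archive page and not code from any of the posters or from Cisco, that simulates in Python how three kinds of IOS route filter evaluate a route: a standard ACL (wildcard compared against the network address only, prefix length ignored), an extended ACL used as a route-map match (first address/wildcard pair compared with the network, second pair with the subnet mask, which is the usage Carlos describes for access-list 105), and a prefix-list with the optional ge/le range Simon mentions. The filters are the ones quoted above plus one prefix-list entry with `le 32`, which is my own addition to show the ge/le widening; the sample routes are constructed for the example.

```python
"""Simulate how IOS-style route filters match a route (illustrative, not Cisco code)."""
import ipaddress


def _int(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _route(route):
    """'a.b.c.d/len' to an IPv4Network (network address and mask)."""
    return ipaddress.ip_network(route, strict=False)


def standard_acl_match(acl_addr, wildcard, route):
    """`access-list N permit acl_addr wildcard` tested against a route.

    A 1 bit in the wildcard is a don't-care bit, so only the positions where
    the wildcard is 0 are compared, and the route's prefix length plays no part.
    """
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (int(_route(route).network_address) & care) == (_int(acl_addr) & care)


def extended_acl_match(acl_addr, addr_wc, acl_mask, mask_wc, route):
    """`access-list N permit acl_addr addr_wc acl_mask mask_wc` as a route-map
    match: the first pair is compared with the network, the second with the
    subnet mask, each through its own wildcard."""
    r = _route(route)
    care_a = 0xFFFFFFFF ^ _int(addr_wc)
    care_m = 0xFFFFFFFF ^ _int(mask_wc)
    return ((int(r.network_address) & care_a) == (_int(acl_addr) & care_a)
            and (int(r.netmask) & care_m) == (_int(acl_mask) & care_m))


def prefix_list_match(entry, route, ge=None, le=None):
    """`ip prefix-list N permit entry [ge G] [le L]` tested against a route.

    The first len(entry) bits must match, and the route's prefix length must
    fall in the allowed range: exactly the entry length when neither ge nor le
    is given, otherwise from (ge or the entry length) up to (le or 32).
    """
    e = _route(entry)
    r = _route(route)
    if ge is None and le is None:
        lo = hi = e.prefixlen
    else:
        lo = e.prefixlen if ge is None else ge
        hi = 32 if le is None else le
    leading_bits_match = (int(r.network_address) & int(e.netmask)) == int(e.network_address)
    return leading_bits_match and lo <= r.prefixlen <= hi


# Constructed sample routes of the kind a routing protocol could advertise.
SAMPLE_ROUTES = [
    "192.168.1.0/24", "192.168.1.0/25", "192.168.1.128/25", "192.168.1.0/26",
    "192.168.1.0/30", "192.168.1.4/30", "192.168.1.8/30", "192.168.1.1/32",
    "192.168.2.0/24",
]

# The filters quoted in the thread, plus one ge/le variant added for illustration.
FILTERS = {
    "acl 5 permit 192.168.1.0 0.0.0.255":
        lambda rt: standard_acl_match("192.168.1.0", "0.0.0.255", rt),
    "acl 5 permit 192.168.1.0 0.0.0.252":
        lambda rt: standard_acl_match("192.168.1.0", "0.0.0.252", rt),
    "acl 105 permit 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0":
        lambda rt: extended_acl_match("192.168.1.0", "0.0.0.0",
                                      "255.255.255.0", "0.0.0.0", rt),
    "prefix-list 192.168.1.0/24":
        lambda rt: prefix_list_match("192.168.1.0/24", rt),
    "prefix-list 192.168.1.0/30":
        lambda rt: prefix_list_match("192.168.1.0/30", rt),
    "prefix-list 192.168.1.0/24 le 32":      # added variant, not from the thread
        lambda rt: prefix_list_match("192.168.1.0/24", rt, le=32),
}


def permitted(filter_name, routes=SAMPLE_ROUTES):
    """Return the routes from `routes` that the named filter permits, in order."""
    return [rt for rt in routes if FILTERS[filter_name](rt)]


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name}\n    permits: {', '.join(permitted(name)) or '(nothing)'}")
```

Running it shows the split the thread is about: the standard ACL with wildcard 0.0.0.255 passes every sample route under 192.168.1.0 whatever its length, the 0.0.0.252 wildcard passes every network whose last octet is a multiple of 4 (again regardless of length), while `prefix-list 192.168.1.0/30` passes only 192.168.1.0/30 and the extended ACL passes only the /24. The `le 32` entry is the prefix-list form that behaves like the 0.0.0.255 ACL for routes.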


This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:47 GMT-3