From: Joe Smith (j333smith@hotmail.com)
Date: Thu Mar 17 2005 - 20:12:44 GMT-3
If you break it down, it should start to make sense.
192.168.1.0 0.0.0.252
Last Octet of mask
128 - don't care
64 - don't care
32 - don't care
16 - don't care
8 - don't care
4 - don't care
2 - 0
1 - 0
So as long as the 1 and 2 bits are zero the rest will match --
192.168.1.0 Are the 1 & 2 bits zero? Yes
192.168.1.1 Are the 1 & 2 bits zero? No
192.168.1.2 Are the 1 & 2 bits zero? No
192.168.1.4 Are the 1 & 2 bits zero? Yes
192.168.1.5 Are the 1 & 2 bits zero? No
192.168.1.6 Are the 1 & 2 bits zero? No
192.168.1.7 Are the 1 & 2 bits zero? No
192.168.1.8 Are the 1 & 2 bits zero? Yes
etc...
>From: "John Matus" <john_matus@hotmail.com>
>Reply-To: "John Matus" <john_matus@hotmail.com>
>To: tron@huapi.ba.ar
>CC: simon.hart@btinternet.com, ccielab@groupstudy.com
>Subject: Re: access-lists vs. prefix-lists
>Date: Thu, 17 Mar 2005 22:18:17 +0000
>
>hmmm.......ok, i was always under the impression that the wildcard mask was
>checked against the network address (i.e. - .4, .8, .12...etc for the
>.252 wildcard) so that the access-list:
>
>access-list 5 permit 192.168.1.20 0.0.0.252
>
>would only permit .20, .21, .22, and .23.
>
>...but it looks as if that is not the consensus opinion/knowledge so i
>guess i've learned something from this.
>thanks very much for your input!!!
>
>>From: Carlos G Mendioroz <tron@huapi.ba.ar>
>>To: John Matus <john_matus@hotmail.com>
>>CC: simon.hart@btinternet.com, ccielab@groupstudy.com
>>Subject: Re: access-lists vs. prefix-lists
>>Date: Thu, 17 Mar 2005 18:46:24 -0300
>>
>>Well, nobody seems to pay attention to what I say (: grin :)
>>but I also guess nobody will back you on this.
>>
>>As I said, SACLs (Standard Access Control Lists) don't care about masks.
>>
>>And the 0.0.0.252 is a "don't care wildcard bits" value (aka mask) that
>>implies that all but the last 2 bits in the last byte are not being
>>evaluated (i.e. anything will match) and thus Simon is right.
>>
>>John Matus wrote:
>>>i'm not so sure about that. the .252 matches against the 4th octet in
>>>the address, which in this case is 0 (which includes .1, .2, and .3). i
>>>think that the .252 wildcard would only match the .4 network in the case
>>>that the access-list stated:
>>>
>>>"access-list 5 permit 192.168.1.4 0.0.0.252"
>>>
>>>can anyone back me up on this?
>>>
>>>>From: "simon hart" <simon.hart@btinternet.com>
>>>>To: "John Matus" <john_matus@hotmail.com>,<tron@huapi.ba.ar>
>>>>CC: <ccielab@groupstudy.com>
>>>>Subject: RE: access-lists vs. prefix-lists
>>>>Date: Wed, 16 Mar 2005 20:33:12 -0000
>>>>
>>>>
>>>>Yes there is a difference
>>>>
>>>>An access-list of
>>>>
>>>>access-list 5 permit 192.168.1.0 0.0.0.252
>>>>
>>>>Will let through the following advertised routes
>>>>
>>>>192.168.1.0, 192.168.1.4, 192.168.1.8, 192.168.1.12 ...........
>>>>192.168.1.252
>>>>
>>>>The prefix list will only let through 192.168.1.0 if it has a subnet
>>>>mask of
>>>>255.255.255.252
>>>>
>>>>The key is that the prefix-list is specific
>>>>
>>>>Simon
>>>>
>>>>-----Original Message-----
>>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>>>John Matus
>>>>Sent: 16 March 2005 18:40
>>>>To: simon.hart@btinternet.com; tron@huapi.ba.ar
>>>>Cc: ccielab@groupstudy.com
>>>>Subject: RE: access-lists vs. prefix-lists
>>>>
>>>>
>>>>yes, that i'm aware of...........
>>>>i guess i was looking for a "best-practice" for specific situations. i
>>>>usually use prefix lists w/ bgp and acl's for redistribution but i just
>>>>wanted to clarify that BOTH will work......but i also wanted to verify that
>>>>there is no difference between:
>>>>
>>>>access-list 5 permit 192.168.1.0 0.0.0.252
>>>>
>>>>and
>>>>
>>>>ip prefix-list 5 permit 192.168.1.0/30
>>>>
>>>> >From: "simon hart" <simon.hart@btinternet.com>
>>>> >To: "John Matus" <john_matus@hotmail.com>,<tron@huapi.ba.ar>
>>>> >CC: <ccielab@groupstudy.com>
>>>> >Subject: RE: access-lists vs. prefix-lists
>>>> >Date: Wed, 16 Mar 2005 08:17:11 -0000
>>>> >
>>>> >John,
>>>> >
>>>> >You need to remember how an access list wildcard mask works.
>>>> >
>>>> >192.168.1.0 0.0.0.255
>>>> >
>>>> >Where you have a 0 bit in the wildcard then the corresponding bit within
>>>> >the IP Address must match. So in the example above 192.168.1 must match.
>>>> >
>>>> >Where you have a 1 bit then the Wildcard mask does not care about the
>>>> >corresponding bit within IP address (also known as the 'don't care bit'),
>>>> >thus the 255 in the last octet means that the corresponding bit within the
>>>> >IP address can be anything between 1 and 255.
>>>> >
>>>> >Therefore when matching routes with an access list, the access list would
>>>> >let through 'Prefixes' from:
>>>> >
>>>> >192.168.1.0 to 192.168.1.255
>>>> >
>>>> >Obviously within this range there would be no routes that are advertised
>>>> >as routes from a routing protocol (like broadcast), however it does
>>>> >capture everything.
>>>> >
>>>> >A Prefix list is far more precise: 192.168.1.0/24 will only let through
>>>> >192.168.1.0, if you wanted the prefix list to act like the access list,
>>>> >you would use the ge and le statements at the end of the prefix.
>>>> >
>>>> >My advice would be, when dealing with routes, and in particular BGP,
>>>> >use a prefix list.
>>>> >
>>>> >Simon
>>>> >
>>>> >-----Original Message-----
>>>> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>>> >John Matus
>>>> >Sent: 16 March 2005 01:19
>>>> >To: tron@huapi.ba.ar
>>>> >Cc: ccielab@groupstudy.com
>>>> >Subject: Re: access-lists vs. prefix-lists
>>>> >
>>>> >
>>>> >ok, that is where i get confused.............
>>>> >if, as in ACL 5 <access-l 5 permit 192.168.1.0 0.0.0.255> i don't see how
>>>> >that would match /24, /25, /26 routes. i would think that you would need
>>>> >to have a wildcard mask of 0.0.0.252, 0.0.0.248, 0.0.0.240. how does it
>>>> >match those routes......hmm ok, slight epiphany: is it because .252,
>>>> >.248, and .240 are all subsets of the .255 which means everything under
>>>> >the sun in that octet?
>>>> >
>>>> >
>>>> > >From: Carlos G Mendioroz <tron@huapi.ba.ar>
>>>> > >To: John Matus <john_matus@hotmail.com>
>>>> > >CC: ccielab@groupstudy.com
>>>> > >Subject: Re: access-lists vs. prefix-lists
>>>> > >Date: Tue, 15 Mar 2005 21:59:19 -0300
>>>> > >
>>>> > >John,
>>>> > >there are differences, some of which can be dealt with, but prefix lists
>>>> > >are simpler to use when you are trying to deal with routes.
>>>> > >
>>>> > >In your example with ACL 5, your acl would let go:
>>>> > >192.168.1.0/24
>>>> > >192.168.1.0/25
>>>> > >192.168.1.0/26
>>>> > >...
>>>> > >192.168.1.128/25
>>>> > >192.168.1.128/26
>>>> > >...
>>>> > >but the prefix list would only let 192.168.1.0/24.
>>>> > >
>>>> > >Some routing protocols do accept extended ACLs to care about masks, like
>>>> > >
>>>> > >access-list 105 permit 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0
>>>> > >
>>>> > >which would be an exact match of the example prefix list.
>>>> > >
>>>> > >Hope this helps.
>>>> > >
>>>> > >John Matus wrote:
>>>> > >>Prefix-list vs. access-list question
>>>> > >>
>>>> > >>I'm a bit confused about the functionality of prefix-lists vs.
>>>> > >>access-lists. While I'm aware that prefix-lists seem to have some added
>>>> > >>granularity, I'm a bit stumped as to when it is best practice to use one
>>>> > >>vs. the other. Here are a few examples of each:
>>>> > >>
>>>> > >>
>>>> > >>EXAMPLE 1
>>>> > >>router ospf 1
>>>> > >>default-information originate route-map conditional
>>>> > >>-------------------------------------------
>>>> > >>
>>>> > >>route-map conditional permit 10
>>>> > >>match ip address prefix-list 5
>>>> > >>
>>>> > >>ip prefix-list 5 permit 192.168.1.0/24
>>>> > >>
>>>> > >>OR
>>>> > >>route-map conditional permit 10
>>>> > >>match ip address 5
>>>> > >>
>>>> > >>access-list 5 permit 192.168.1.0 0.0.0.255
>>>> > >>
>>>> > >>EXAMPLE 2
>>>> > >>
>>>> > >>router rip
>>>> > >>redistribute ospf 1 metric 1 route-map o2r
>>>> > >>-------------------------------------------
>>>> > >>
>>>> > >>route-map o2r permit 10
>>>> > >>match ip address 5
>>>> > >>
>>>> > >>access-list 5 permit 192.168.1.0 0.0.0.255
>>>> > >>
>>>> > >>OR
>>>> > >>
>>>> > >>route-map o2r permit 10
>>>> > >>match ip address prefix-list 5
>>>> > >>
>>>> > >>ip prefix-list 5 permit 192.168.1.0/24
>>>> > >>
>>>> > >>Do both methods accomplish exactly the same thing or is the matching
>>>> > >>mechanism different in access and prefix lists?
>>>> > >>
>>>> > >>
>>>> > >>_______________________________________________________________________
>>>> > >>Subscription information may be found at:
>>>> > >>http://www.groupstudy.com/list/CCIELab.html
>>>> > >>
>>>> > >
>>>> > >--
>>>> > >Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>>>> >
>>>>
>>>>
>>>
>>>
>>>
>>
>>--
>>Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>
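The three matching mechanisms argued over in this thread can be modelled in a few lines: a standard ACL wildcard applied only to a route's network address (Joe's bit breakdown), an ip prefix-list with its optional ge/le window (Simon's point), and the extended-ACL form from Carlos's message that also compares the subnet mask. The following Python is an added example for this archive page, not code posted by any participant or by Cisco; the function names and the sample routes are invented here, and the route strings are constructed test input.

```python
"""Model of how a standard ACL wildcard, an ip prefix-list, and an extended ACL
match routes, as discussed in the thread. Added example; the function names are
invented here and the route strings are constructed sample input."""
import ipaddress


def _addr(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_bit_table(wildcard: str) -> list:
    """Break the last octet of a wildcard into its bit positions, the way the
    thread does it: a 1 bit is 'don't care', a 0 bit must match the entry."""
    last = _addr(wildcard) & 0xFF
    return [(bit, "don't care" if last & bit else "must match")
            for bit in (128, 64, 32, 16, 8, 4, 2, 1)]


def acl_wildcard_matches(entry: str, wildcard: str, candidate: str) -> bool:
    """Wildcard semantics: only bits that are 0 in the wildcard are compared.
    The entry address is masked too, so 192.168.1.20 0.0.0.252 behaves exactly
    like 192.168.1.0 0.0.0.252 (the point John conceded in the thread)."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(entry) & care) == (_addr(candidate) & care)


def standard_acl_permits(entry: str, wildcard: str, route: str) -> bool:
    """A standard ACL in a route-map only sees the route's network address;
    the prefix length is never consulted."""
    net = ipaddress.ip_network(route, strict=False)
    return acl_wildcard_matches(entry, wildcard, str(net.network_address))


def prefix_list_permits(entry: str, route: str, ge=None, le=None) -> bool:
    """ip prefix-list semantics: the route must lie inside the entry prefix and
    its length must fall in the ge..le window. With neither keyword the length
    must equal the entry's own length; with only ge the upper bound is 32."""
    ent = ipaddress.ip_network(entry, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    lo = ge if ge is not None else ent.prefixlen
    hi = le if le is not None else (32 if ge is not None else ent.prefixlen)
    return rt.subnet_of(ent) and lo <= rt.prefixlen <= hi


def extended_acl_permits(net_entry: str, net_wc: str, mask_entry: str,
                         mask_wc: str, route: str) -> bool:
    """Extended ACL applied to routes: the 'source' pair is matched against the
    network address and the 'destination' pair against the subnet mask."""
    rt = ipaddress.ip_network(route, strict=False)
    return (acl_wildcard_matches(net_entry, net_wc, str(rt.network_address))
            and acl_wildcard_matches(mask_entry, mask_wc, str(rt.netmask)))


if __name__ == "__main__":
    # Constructed sample routes covering the cases argued in the thread.
    routes = ["192.168.1.0/24", "192.168.1.0/25", "192.168.1.128/25",
              "192.168.1.0/30", "192.168.1.4/30", "192.168.1.20/30",
              "192.168.1.21/32"]
    print("route            acl .0/252  acl .20/252  pl /24  pl /24 le 32  ext 105")
    for r in routes:
        print(f"{r:16} {standard_acl_permits('192.168.1.0', '0.0.0.252', r)!s:11} "
              f"{standard_acl_permits('192.168.1.20', '0.0.0.252', r)!s:12} "
              f"{prefix_list_permits('192.168.1.0/24', r)!s:7} "
              f"{prefix_list_permits('192.168.1.0/24', r, le=32)!s:13} "
              f"{extended_acl_permits('192.168.1.0', '0.0.0.0', '255.255.255.0', '0.0.0.0', r)!s}")
```

Running the table makes the thread's conclusion visible at a glance: the standard ACL with 0.0.0.252 accepts 192.168.1.0/24 as happily as 192.168.1.4/30 because it never looks at the length, the prefix-list 192.168.1.0/24 accepts only that one route unless le widens it, and the extended ACL pins both the network and the mask.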
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:47 GMT-3