From: JP (jenseike@start.no)
Date: Sun Apr 17 2005 - 10:18:43 GMT-3
Ok, here it goes for prefix-list
A normal access-list CANNOT check the subnet mask of a network. It can only
check bits to make sure they match, nothing more. A prefix-list has an
advantage over an access-list in that it CAN check BOTH bits and subnet
mask - both would have to match for the network to be either permitted or
denied.
For checking bits a prefix list ALWAYS goes from left to right and CANNOT
skip any bits. A basic example would be this:
172.16.8.0/24
If there is only a / after the network (no le or ge) then the number after
the / is BOTH bits checked and subnet mask. So in this case it will check
the 24 bits from left to right (won't care about the last 8 bits) AND it
will make sure that it has a 24 bit mask. BOTH the 24 bits checked and the
24 bit subnet mask must match for the network to be permitted or denied.
Now we can also do a range of subnet masks that could be permitted or denied:
172.16.8.0/24 ge 25
If we use either the le or ge (or both le and ge) after the /, then the
number directly after the / becomes ONLY bits checked and the number after
the ge or le (or both) is the subnet mask. So in this case we are still
going to check the first 24 bits of the network from left to right. If those
match we are then going to check the subnet mask, which in this case can be
GREATER THAN OR EQUAL TO 25 bits - meaning that as long as the first 24 bits
of the network match the subnet mask could be 25, 26, 27, 28, 29, 30, 31, or 32
bits. They would all match.
We can also do:
172.16.8.0/24 le 28
Again this will check the first 24 bits of the network to make sure that
they match. Then it will check to make sure that the subnet mask is LESS
THAN OR EQUAL TO 28 bits. Now this isn't going to be 28 bits down to 0 bits,
the subnet mask can't be any lower than the bits we are checking. So the
valid range of subnet masks for this one would be 28 bits down to 24 bits
(24, 25, 26, 27, and 28). All of those would match.
We can also do both ge and le:
172.16.8.0/24 ge 25 le 27
Here again we are checking the first 24 bits to make sure they match. Then
our subnet mask must be GREATER THAN OR EQUAL TO 25 bits and LESS THAN OR EQUAL
TO 27 bits. Meaning that 25, 26, and 27 bit subnet masks would match.
Now for a couple of examples:
If we have the following networks:
172.16.8.0/28
172.16.8.16/28
172.16.8.32/28
172.16.8.48/28
172.16.8.64/28
We could permit all of these networks with one prefix-list statement:
172.16.8.0/24 ge 28 le 28
This will check the first 24 bits to make sure they match. All of these
networks have 172.16.8 as the first 24 bits, and it won't care what is in
the last 8 bits. Then it will check to make sure that the subnet mask is
GREATER THAN OR EQUAL TO 28 bits and LESS THAN OR EQUAL TO 28 bits - the only
number that works for this is 28 bits. So the first 24 bits in the network
must match and it has to have a 28 bit subnet mask. All 5 of our networks
would match for this.
We could be even more precise with this and use:
172.16.8.0/25 ge 28 le 28
If we take a look at our 4th octets we will see that for all of them the
128 bit is off so we can check that bit also (25 bits total we are
checking).
0 -- 0 0 0 0 0 0 0 0
16 - 0 0 0 1 0 0 0 0
32 - 0 0 1 0 0 0 0 0
48 - 0 0 1 1 0 0 0 0
64 - 0 1 0 0 0 0 0 0
This would be closer to permitting the 5 networks that we have.
We could also permit only the classful networks. The first thing that we
need to do is figure out exactly what a classful network is.
For a class A network we know that it has to have an 8 bit mask and must be
between 0 and 127 in the first octet. If we break down 0 and 127 we get:
0 --- 0 0 0 0 0 0 0 0
127 - 0 1 1 1 1 1 1 1
For the first octet of a class A network the first bit has to be a 0, it
must be off. So we can do a prefix-list like this:
0.0.0.0/1 ge 8 le 8
In our first octet the first bit is a 0 (which is what it would need to be
to be class A), with the /1 we have we are ONLY checking the first bit to
make sure it's a 0 (meaning it would be a class A network 0 - 127). We are
then making sure that this class A network actually has a class A subnet
mask of 8 bits, and only 8 bits would match.
For the class B's we need to make sure that they have a 16 bit subnet mask
and that they are in the range of 128 - 191 in the first octet. If we break
down 128 and 191 we get:
128 - 1 0 0 0 0 0 0 0
191 - 1 0 1 1 1 1 1 1
The first two bits are what we are going to care about. We need to make sure
that the first two bits in the first octet are 1 0 . The first number that
we can use as our standard we are checking against is 128 - 128 has a 1 0 as
the first two bits in its first octet.
128.0.0.0/2 ge 16 le 16
So we are checking the first two bits to make sure the network has a 1 0,
meaning that it must be in the range of 128 - 191. We are then going to
check to make sure that it has the classful 16 bit mask, and ONLY a 16 bit
mask.
Finally we have the class C networks. Class C networks are in the range of
192 - 223 and they must have a 24 bit mask. If we break down 192 and 223 we
get:
192 - 1 1 0 0 0 0 0 0
223 - 1 1 0 1 1 1 1 1
The first 3 bits in the first octet are what we care about. 192 would be the
first number we can put in that first octet that will have 1 1 0 as its
first 3 bits.
192.0.0.0/3 ge 24 le 24
We are going to check the first 3 bits of the octet and make sure that it's 1
1 0 meaning that it has to be in the range of 192 - 223 being class C, then
we are going to check to make sure it has a class C classful subnet of 24
bits.
Finally how to permit or deny any could be very helpful:
0.0.0.0/0 le 32
This is 'any' for a prefix-list. It says check 0 bits, I don't care what any
of the bits are. It also says that the subnet mask can be 32 bits or less
(down to the number of bits we are checking) down to 0. So we aren't going
to check any bits and the network can have a subnet mask of anything between
0 and 32 bits. This would be 'any'.
Jens P.
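The matching rule Jens describes (the number after the / is the bits checked; without ge/le it is also the exact mask, with ge/le it only sets the bits checked and ge/le bound the mask) can be written down as a small evaluator. This is an added example, not code from the thread or from any vendor; it models IOS prefix-list semantics as the post explains them, and the entry strings, test prefixes and function names (parse_prefix_list_entry, entry_matches, prefix_list_permits, classful_entries) are the author's own assumptions for illustration.

```python
"""Added example: evaluate IOS-style 'ip prefix-list' entries against prefixes.

Models the split the post explains: the prefix length after '/' is the number
of leading bits that must match; the allowed mask range is exact without ge/le,
and [ge .. le] when they are given (never shorter than the bits checked)."""
import ipaddress


def _ip_int(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_prefix_list_entry(text):
    """Turn 'A.B.C.D/N [ge X] [le Y]' into (network_int, bits_checked, lo, hi).

    lo..hi is the inclusive range of mask lengths that may match."""
    parts = text.split()
    net_text, bits_text = parts[0].split("/")
    bits = int(bits_text)
    ge = le = None
    for key, val in zip(parts[1::2], parts[2::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
        else:
            raise ValueError("unknown keyword %r in %r" % (key, text))
    # No ge/le: the number after '/' is BOTH bits checked and the exact mask.
    # ge only: mask is ge..32.  le only: mask is bits..le.  Both: ge..le.
    lo = ge if ge is not None else bits
    hi = le if le is not None else (32 if ge is not None else bits)
    # Assumption: IOS rejects ranges where the mask could be shorter than the
    # bits checked; we enforce the same ordering here.
    if not (bits <= lo <= hi <= 32):
        raise ValueError("invalid ge/le range in %r" % text)
    return _ip_int(net_text), bits, lo, hi


def entry_matches(entry, prefix):
    """True when 'prefix' (e.g. '172.16.8.16/28') matches one prefix-list entry."""
    net, bits, lo, hi = parse_prefix_list_entry(entry)
    p = ipaddress.IPv4Network(prefix, strict=False)
    shift = 32 - bits                       # keep only the leading 'bits' bits
    bits_match = (int(p.network_address) >> shift) == (net >> shift)
    return bits_match and lo <= p.prefixlen <= hi


def prefix_list_permits(entries, prefix):
    """entries: ordered list of (action, entry); first match wins, implicit deny."""
    for action, entry in entries:
        if entry_matches(entry, prefix):
            return action == "permit"
    return False


def classful_entries():
    """The three classful permits from the post, in order."""
    return [("permit", "0.0.0.0/1 ge 8 le 8"),      # class A, exactly /8
            ("permit", "128.0.0.0/2 ge 16 le 16"),  # class B, exactly /16
            ("permit", "192.0.0.0/3 ge 24 le 24")]  # class C, exactly /24


if __name__ == "__main__":
    # Constructed sample prefixes (the five /28s from the post plus some misses).
    five = ["172.16.8.%d/28" % n for n in (0, 16, 32, 48, 64)]
    for pfx in five + ["172.16.8.128/28", "172.16.8.0/24", "172.16.9.0/28"]:
        print("%-18s /24 ge28 le28 -> %-5s  /25 ge28 le28 -> %s" % (
            pfx, entry_matches("172.16.8.0/24 ge 28 le 28", pfx),
            entry_matches("172.16.8.0/25 ge 28 le 28", pfx)))
    for pfx in ["10.0.0.0/8", "10.0.0.0/16", "172.16.0.0/16", "192.168.1.0/24", "192.168.1.0/25"]:
        print("%-16s classful -> %s" % (pfx, prefix_list_permits(classful_entries(), pfx)))
```

The "any" entry from the post, 0.0.0.0/0 le 32, parses to zero bits checked and a mask range of 0..32, so entry_matches returns True for every prefix; the classful list instead rejects 10.0.0.0/16 because its mask is outside the 8..8 range even though the first bit matches.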
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Anthony Liu
Sent: 17. april 2005 14:01
To: JP; Ccielab@Groupstudy. Com; Lee Donald
Subject: RE: Access-list question - Allowing even and odd numbers in 3rd octet -
Great explanation JP.
Just wanted to add that Prefix-lists are also a good choice!
Anthony
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
JP
Sent: Sunday, April 17, 2005 2:48 AM
To: Ccielab@Groupstudy. Com; Lee Donald
Subject: RE: Access-list question - Allowing even and odd numbers in 3rd octet -
Hi again,
Just to follow up on the last post, here is how to work with special extended
access-lists.
Okay, let's tackle the 'special' extended access-lists.
These 'special' extended access-lists came about because a normal access-list
cannot specify the subnet mask of a network it is checking. A normal
access-list can ONLY check bits.
So if we had a requirement where we wanted to permit ONLY the 172.82.30.0/24
network, with a normal access list we would do something like this:
access-list 1 permit 172.82.30.0 0.0.0.255
Does this meet the requirements? No! This access-list will check the first
octet to make sure it is 172. It will check the second octet to make sure
that it is 82, and it will check the third octet to make sure it is 30. It
won't care what is in the fourth octet.
Will this permit our 172.82.30.0/24 network? YES. Will it ONLY permit this
network? NO!
172.82.30.1/30
172.82.30.33/28
172.82.30.129/25
and many, many more networks will also be permitted. Why? Because the normal
access-list ONLY checks bits. For the above examples the first 3 octets
match, and we don't care about the 4th so all of these networks get in.
There is no way to check to make sure that it is 24 bits.
So they came up with these 'special' extended access-lists. Normally these
would be source and destination, but BGP understands these to be source and
mask. I don't think that any other routing protocol understands these
"special" access-lists, and it may confuse them.
So if we wanted to permit our previous example of 172.82.30.0/24 we would
use the following:
access-list 100 permit ip 172.82.30.0 0.0.0.255 host 255.255.255.0
This will check the first three octets to make sure they match. It won't
care about the fourth octet. Then we will make sure that the network is 24
bits. Remember that it is bits checked, then mask.
So for your example we have the two networks:
10.10.10.0/24 and 10.10.11.0/24
The first thing we need to do is figure out what address will summarize them
as precisely as we can. The first two octets are the same, so we will look
at the third octet.
     128 64 32 16 8 4 2 1
10 - 0 0 0 0 1 0 1 0
11 - 0 0 0 0 1 0 1 1
So we have 7 common bits in the third octet, which means our summary address
will be 10.10.10.0/23 or 10.10.10.0 255.255.254.0
Our 'special' extended access-list to deny this particular summary would be:
access-list 100 deny ip 10.10.10.0 0.0.1.255 host 255.255.254.0
access-list 100 permit ip any any
I know that you wanted to permit this summary, but this is just an example.
Jens P
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Lee Donald
Sent: 17. april 2005 12:13
To: ccielab@groupstudy.com
Subject: Access-list question - Allowing even and odd numbers in 3rd octet -
Can anyone put some more logic to this for me, I'm having a bad brain day.
I need to allow all odd numbers in the 3rd octet in via an access-list which
I know is
Access-list 5 permit 0.0.0.0 0.0.252.0
Then I tried to let just the evens in but got confused, and couldn't get my
dough brain round it.
Can anybody remind me of this and the way it works?
Thanks in advance.
Regards
Lee.
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:59 GMT-3