RE: Extended ACL & EXACT match

From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Fri Jul 15 2005 - 00:46:53 GMT-3

Dillon,

This is the old way of using an extended ACL to match on a routes
netmask. The new way is with prefix-lists.

You can tell because the destination address has a wildcard mask of
0.0.0.0 and, as you noted, a strange match destination address.

Another way of looking at this is:

Access-list 100 permit ip <match address> <match bits as wildcard mask>
<match netmask> <netmask wildcard bits>

So:

Access-list 100 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.0

Says match route prefix 192.168.1.X with a /24 netmask.

Or

Ip prefix-list test 192.168.1.0/24

Another way is:

Access-list 100 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.255

Says match route prefix 192.168.1.X with any netmask less than /32 down
to a /24 bitmask.

Or

Ip prefix-list test 192.168.1.0/24 le 32

Give it a whirl now that you know and see what happens.

HTH,

Andy
-----Original Message-----
From: Dillon Yang [mailto:dillony@gmail.com]
Sent: Thursday, July 14, 2005 8:12 PM
To: Group Study
Subject: Extended ACL & EXACT match

hi, group:

base on CDDOC, we can see this:
<quote>

extended access-list command

The following examples show how wildcard bits are used to indicate the
bits of the prefix or mask that are relevant. Wildcard bits are similar
to the bitmasks that are used with normal access lists.
Prefix or mask bits corresponding to wildcard bits set to 1 are ignored
during comparisons and prefix or mask bits corresponding to wildcard
bits set to 0 are used in comparison.

The following example permits 192.108.0.0 255.255.0.0 but denies any
more specific routes of 192.108.0.0 (including 192.108.0.0
255.255.255.0):

access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0
0.0.255.255
 
</quote>

But, I still can not understand the meaning of "255.255.0.0
0.0.255.255", for a advertised route, the source pair part "192.108.0.0
0.0.0.0" has already contained the route infomation, who want to check
the destination pair part ""255.255.0.0 0.0.255.255", routing protocol?
or ACL?
How does it know the pair part is a MASK and not a DESTINATION?

[pratice]
 
  I labbed it with the following result. It shows the acl "permit ip
11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255 " DOES NOT match address
EXACTLY, for it allows the more special route "*> 11.6.9.0/24
0.0.0.0 ".!!!

router bgp 600
 no synchronization
 bgp log-neighbor-changes
 network 11.6.6.0 mask 255.255.255.0
 network 11.6.7.0 mask 255.255.255.0
 network 11.6.8.0 mask 255.255.255.0
 network 11.6.9.0 mask 255.255.255.0
 aggregate-address 11.6.0.0 255.255.240.0
 neighbor 135.3.24.2 remote-as 200
 neighbor 135.3.24.2 ebgp-multihop 10
 neighbor 135.3.24.2 distribute-list out600 out
 no auto-summary

R6#sib
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i -
internal Origin codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight Path
*> 11.6.0.0/20 0.0.0.0 32768 i
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i

[11.6.8.0/21]
R6#clear ip bgp 135.3.24.2 soft
R6#s access-l
Extended IP access list out600
    permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255 (2 matches)
R6#ib nei 135.3.24.2 ad BGP table version is 6, local router ID is
211.211.211.1 Status codes: s suppressed, d damped, h history, * valid,
> best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight Path
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i

[11.6.0.0/20]
R6#
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#no pcess-list extended out600 R6(config)# R6(config)#
           HlV..K+{st extended out600 R6(config-ext-nacl)#nermit ip
11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255 R6(config-ext-nacl)#end R6#
*Mar 1 05:14:07: %SYS-5-CONFIG_I: Configured from console by console
R6#clear ip bgp 135.3.24.2 soft R6#sib nei 135.3.24.2 ad BGP table
version is 6, local router ID is 211.211.211.1 Status codes: s
suppressed, d damped, h history, * valid, > best, i - internal Origin
codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight Path
*> 11.6.0.0/20 0.0.0.0 32768 i
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i
R6#s access-l
Extended IP access list out600
    permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255 (5 matches)

[11.6.6.0/22]
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#no ip access-list extended out600 R6(config)#ip access-list
extended out600 R6(config-ext-nacl)#permit ip 11.6.6.0 0.0.3.255
255.255.252.0 0.0.3.255^Z R6#conf t *Mar 1 05:26:42: %SYS-5-CONFIG_I:
Configured from console by console R6#clear ip bgp 135.3.24.2 soft R6#s
access-l Extended IP access list out600
    permit ip 11.6.4.0 0.0.3.255 255.255.252.0 0.0.3.255 (2 matches)
R6#sib nei 135.3.24.2 ad BGP table version is 6, local router ID is
211.211.211.1 Status codes: s suppressed, d damped, h history, * valid,
> best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight Path
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i

Any advice?

TIA
dillon

This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3