From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Jul 15 2005 - 00:52:35 GMT-3
Dillon,
The syntax of the extended ACL is:
access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
The source portion of the extended ACL is used to match the
network portion of the BGP route and the destination portion of the ACL
is used to match the subnet mask of the BGP route. Here are some
examples:
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
Matches 10.0.0.0/16 - Only
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
Matches 10.0.0.0/24 - Only
access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
Matches 10.1.1.0/24 - Only
access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
Matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
/24 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
Matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
with a /24 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
Matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
network with a /28 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
Matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
octet of the network with a /24 to /32 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
Matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
octet of the network with a /25 to /32 subnet mask.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
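The matching rule described above (route network compared against the ACL source pair, route subnet mask compared against the ACL destination pair, wildcard 1-bits ignored), as an added Python model that is not part of this thread and not Cisco's code. It assumes only the IOS syntax shown in the thread plus the standard host/any keywords; the function names and the constructed BGP table are this example's own. It reproduces Brian's examples, the CCO example quoted further down, and the three lab ACLs in Dillon's post, so you can check what a distribute-list will let out before it is applied to a live peer.

```python
import ipaddress

# Added example (not from the thread): models how IOS evaluates an
# extended ACL applied as a BGP distribute-list. The route's network
# address is fed in as the ACL "source" and its subnet mask as the ACL
# "destination"; wildcard bits set to 1 are ignored in each comparison.
# Function and variable names are this example's own, not IOS names.


def _addr(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _wildcard_match(value, base, wildcard):
    """True when every bit of value that the wildcard leaves significant
    (wildcard bit 0) equals the corresponding bit of base."""
    return (value ^ base) & ~wildcard == 0


def _pair(tokens):
    """Consume one address/wildcard pair in IOS syntax:
    'host A', 'any', or 'A W'. Returns ((base, wildcard), remaining)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_addr(tokens[1]), 0), tokens[2:]
    return (_addr(tokens[0]), _addr(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse one extended ACE, numbered ('access-list 100 permit ip ...')
    or named ('permit ip ...'). Returns (action, net_pair, mask_pair).
    Trailing text such as '(2 matches)' from show output is ignored."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]          # drop 'access-list <number>'
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: %s" % line)
    net_pair, rest = _pair(rest)     # matched against the route's network
    mask_pair, rest = _pair(rest)    # matched against the route's mask
    return action, net_pair, mask_pair


def acl_action(acl_lines, prefix):
    """First-match evaluation of a BGP route (e.g. '10.1.1.0/24') against
    an ACL given as a list of ACE strings; implicit deny at the end."""
    route = ipaddress.IPv4Network(prefix, strict=False)
    network, mask = int(route.network_address), int(route.netmask)
    for line in acl_lines:
        action, (net, net_wc), (msk, msk_wc) = parse_ace(line)
        if (_wildcard_match(network, net, net_wc)
                and _wildcard_match(mask, msk, msk_wc)):
            return action
    return "deny"


def permitted_routes(acl_lines, prefixes):
    """Routes that would survive 'neighbor X distribute-list <acl> out'."""
    return [p for p in prefixes if acl_action(acl_lines, p) == "permit"]


if __name__ == "__main__":
    # Constructed BGP table mirroring the lab in the thread.
    table = ["11.6.0.0/20", "11.6.6.0/24", "11.6.7.0/24",
             "11.6.8.0/24", "11.6.9.0/24"]
    acl = ["permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255"]
    print(permitted_routes(acl, table))   # ['11.6.8.0/24', '11.6.9.0/24']
```

Running it against the lab ACL shows why the /24s leak: 0.0.7.255 in the destination wildcard makes any mask from /21 to /32 acceptable, so an exact /21 match needs a mask wildcard of 0.0.0.0.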
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Dillon Yang
Sent: Thursday, July 14, 2005 8:12 PM
To: Group Study
Subject: Extended ACL & EXACT match
hi, group:
Based on CDDOC, we can see this:
<quote>
extended access-list command
The following examples show how wildcard bits are used to indicate the
bits of the prefix or mask that are relevant. Wildcard bits are similar
to the bitmasks that are used with normal access lists.
Prefix or mask bits corresponding to wildcard bits set to 1 are ignored
during comparisons and
prefix or mask bits corresponding to wildcard bits set to 0 are used in
comparison.
The following example permits 192.108.0.0 255.255.0.0 but denies any
more specific routes of 192.108.0.0 (including 192.108.0.0
255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
</quote>
But I still cannot understand the meaning of "255.255.0.0 0.0.255.255".
For an advertised route, the source pair "192.108.0.0 0.0.0.0" already
contains the route information, so who wants to check the destination
pair "255.255.0.0 0.0.255.255", the routing protocol or the ACL?
How does it know the pair part is a MASK and not a DESTINATION?
[practice]
I labbed it with the following result. It shows that the ACL "permit ip
11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255" DOES NOT match the address
EXACTLY, for it allows the more specific route "*> 11.6.9.0/24
0.0.0.0".!!!
router bgp 600
no synchronization
bgp log-neighbor-changes
network 11.6.6.0 mask 255.255.255.0
network 11.6.7.0 mask 255.255.255.0
network 11.6.8.0 mask 255.255.255.0
network 11.6.9.0 mask 255.255.255.0
aggregate-address 11.6.0.0 255.255.240.0
neighbor 135.3.24.2 remote-as 200
neighbor 135.3.24.2 ebgp-multihop 10
neighbor 135.3.24.2 distribute-list out600 out
no auto-summary
R6#sib
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.6.0.0/20 0.0.0.0 32768 i
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i
[11.6.8.0/21]
R6#clear ip bgp 135.3.24.2 soft
R6#s access-l
Extended IP access list out600
permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255 (2 matches)
R6#ib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i
[11.6.0.0/20]
R6#
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#no ip access-list extended out600
R6(config)#
R6(config)#
R6(config)#ip access-list extended out600
R6(config-ext-nacl)#permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255
R6(config-ext-nacl)#end
R6#
*Mar 1 05:14:07: %SYS-5-CONFIG_I: Configured from console by console
R6#clear ip bgp 135.3.24.2 soft
R6#sib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.6.0.0/20 0.0.0.0 32768 i
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i
R6#s access-l
Extended IP access list out600
permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255 (5 matches)
[11.6.6.0/22]
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#no ip access-list extended out600
R6(config)#ip access-list extended out600
R6(config-ext-nacl)#permit ip 11.6.6.0 0.0.3.255 255.255.252.0 0.0.3.255^Z
R6#conf t
*Mar 1 05:26:42: %SYS-5-CONFIG_I: Configured from console by console
R6#clear ip bgp 135.3.24.2 soft
R6#s access-l
Extended IP access list out600
permit ip 11.6.4.0 0.0.3.255 255.255.252.0 0.0.3.255 (2 matches)
R6#sib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i
Any advice?
TIA
dillon
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3