RE: Extended ACL & EXACT match

From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Fri Jul 15 2005 - 21:21:21 GMT-3


Dave,

your syntax will produce an error where the "len < ge <= le"

IOW, the bit match length must be less than the 'ge' value. Further,
the 'le' value must be greater than or equal to the 'ge'.

So, to permit only the /24 route use:

ip prefix-list test permit 1.1.1.0/24

If you want to specify bitmask lengths to match on, use the ge and le
options. As an example, match on all subnet masks for the 1.1.1.0/24
subnet:

ip prefix-list test permit 1.1.1.0/24 le 32 (e.g. match 24 high order bits with a mask from /32 down to a /24)

HTH,

andy

        -----Original Message-----
        From: Schulz, Dave [mailto:DSchulz@dpsciences.com]
        Sent: Friday, July 15, 2005 4:46 AM
        To: Edwards, Andrew M; nobody@groupstudy.com; Dillon Yang; Group Study
        Subject: RE: Extended ACL & EXACT match

        Andrew -

        If I use the prefix list that you say here (Ip prefix-list test 192.168.1.0/24 le 32)....will match any mask. However, if I want to match exactly the 24 bit mask, shouldn't I use.....

        Ip prefix-list test 192.168.1.0/24 le 24 ge 24

        Just wondering.

        Dave

        -----Original Message-----
        From: nobody@groupstudy.com
        To: Dillon Yang; Group Study
        Sent: 7/14/2005 11:46 PM
        Subject: RE: Extended ACL & EXACT match

        Dillon,

        This is the old way of using an extended ACL to match on a route's netmask. The new way is with prefix-lists.

        You can tell because the destination address has a wildcard mask of 0.0.0.0 and, as you noted, a strange match destination address.

        Another way of looking at this is:

        Access-list 100 permit ip <match address> <match bits as wildcard mask> <match netmask> <netmask wildcard bits>

        So:

        Access-list 100 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.0

        Says match route prefix 192.168.1.X with a /24 netmask.

        Or

        Ip prefix-list test 192.168.1.0/24

        Another way is:

        Access-list 100 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.255

        Says match route prefix 192.168.1.X with any netmask less than /32 down to a /24 bitmask.

        Or

        Ip prefix-list test 192.168.1.0/24 le 32

        Give it a whirl now that you know and see what happens.

        HTH,

        Andy
        -----Original Message-----
        From: Dillon Yang [mailto:dillony@gmail.com]
        Sent: Thursday, July 14, 2005 8:12 PM
        To: Group Study
        Subject: Extended ACL & EXACT match

        hi, group:

        Based on CDDOC, we can see this:
        <quote>

        extended access-list command

        The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. Wildcard bits are similar to the bitmasks that are used with normal access lists. Prefix or mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix or mask bits corresponding to wildcard bits set to 0 are used in comparison.

        The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):

        access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
        access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

        </quote>

        But, I still can not understand the meaning of "255.255.0.0 0.0.255.255". For an advertised route, the source pair part "192.108.0.0 0.0.0.0" has already contained the route information; who wants to check the destination pair part "255.255.0.0 0.0.255.255", the routing protocol or the ACL?
        How does it know the pair part is a MASK and not a DESTINATION?

        [practice]

          I labbed it with the following result. It shows the acl "permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255" DOES NOT match address EXACTLY, for it allows the more special route "*> 11.6.9.0/24 0.0.0.0".!!!

        router bgp 600
         no synchronization
         bgp log-neighbor-changes
         network 11.6.6.0 mask 255.255.255.0
         network 11.6.7.0 mask 255.255.255.0
         network 11.6.8.0 mask 255.255.255.0
         network 11.6.9.0 mask 255.255.255.0
         aggregate-address 11.6.0.0 255.255.240.0
         neighbor 135.3.24.2 remote-as 200
         neighbor 135.3.24.2 ebgp-multihop 10
         neighbor 135.3.24.2 distribute-list out600 out
         no auto-summary

        R6#sib
        BGP table version is 6, local router ID is 211.211.211.1
        Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
        Origin codes: i - IGP, e - EGP, ? - incomplete

           Network Next Hop Metric LocPrf Weight Path
        *> 11.6.0.0/20 0.0.0.0 32768 i
        *> 11.6.6.0/24 0.0.0.0 0 32768 i
        *> 11.6.7.0/24 0.0.0.0 0 32768 i
        *> 11.6.8.0/24 0.0.0.0 0 32768 i
        *> 11.6.9.0/24 0.0.0.0 0 32768 i

        [11.6.8.0/21]
        R6#clear ip bgp 135.3.24.2 soft
        R6#s access-l
        Extended IP access list out600
            permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255 (2 matches)
        R6#sib nei 135.3.24.2 ad
        BGP table version is 6, local router ID is 211.211.211.1
        Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
        Origin codes: i - IGP, e - EGP, ? - incomplete

           Network Next Hop Metric LocPrf Weight Path
        *> 11.6.8.0/24 0.0.0.0 0 32768 i
        *> 11.6.9.0/24 0.0.0.0 0 32768 i

        [11.6.0.0/20]
        R6#
        R6#conf t
        Enter configuration commands, one per line. End with CNTL/Z.
        R6(config)#no ip access-list extended out600
        R6(config)#
        R6(config)#ip access-list extended out600
        R6(config-ext-nacl)#permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255
        R6(config-ext-nacl)#end
        R6#
        *Mar 1 05:14:07: %SYS-5-CONFIG_I: Configured from console by console
        R6#clear ip bgp 135.3.24.2 soft
        R6#sib nei 135.3.24.2 ad
        BGP table version is 6, local router ID is 211.211.211.1
        Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
        Origin codes: i - IGP, e - EGP, ? - incomplete

           Network Next Hop Metric LocPrf Weight Path
        *> 11.6.0.0/20 0.0.0.0 32768 i
        *> 11.6.6.0/24 0.0.0.0 0 32768 i
        *> 11.6.7.0/24 0.0.0.0 0 32768 i
        *> 11.6.8.0/24 0.0.0.0 0 32768 i
        *> 11.6.9.0/24 0.0.0.0 0 32768 i
        R6#s access-l
        Extended IP access list out600
            permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255 (5 matches)

        [11.6.6.0/22]
        R6#conf t
        Enter configuration commands, one per line. End with CNTL/Z.
        R6(config)#no ip access-list extended out600
        R6(config)#ip access-list extended out600
        R6(config-ext-nacl)#permit ip 11.6.6.0 0.0.3.255 255.255.252.0 0.0.3.255^Z
        R6#conf t
        *Mar 1 05:26:42: %SYS-5-CONFIG_I: Configured from console by console
        R6#clear ip bgp 135.3.24.2 soft
        R6#s access-l
        Extended IP access list out600
            permit ip 11.6.4.0 0.0.3.255 255.255.252.0 0.0.3.255 (2 matches)
        R6#sib nei 135.3.24.2 ad
        BGP table version is 6, local router ID is 211.211.211.1
        Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
        Origin codes: i - IGP, e - EGP, ? - incomplete

           Network Next Hop Metric LocPrf Weight Path
        *> 11.6.6.0/24 0.0.0.0 0 32768 i
        *> 11.6.7.0/24 0.0.0.0 0 32768 i

        Any advice?

        TIA
        dillon

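Added example (mine, not code from anyone in the thread): it models the two matching semantics discussed above, the extended-ACL "source pair against the prefix, destination pair against the netmask" rule and the prefix-list ge/le rule, and reproduces Dillon's lab result that `permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255` also passes 11.6.9.0/24, as well as the IOS rejection of `le 24 ge 24` on a /24 that Andy describes. Function names and the IPv4-only assumption are mine.

```python
import ipaddress
from typing import Optional

def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care",
    # a 0 bit means that bit of value must equal the pattern.
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)

def acl_matches_route(route: str, src: str, src_wc: str,
                      mask: str, mask_wc: str) -> bool:
    """Extended ACL entry applied to a route (e.g. via 'distribute-list ... out'):
    the 'source' pair is tested against the route's prefix and the
    'destination' pair against the route's netmask."""
    net = ipaddress.IPv4Network(route, strict=False)
    return (_wildcard_match(int(net.network_address), _addr(src), _addr(src_wc))
            and _wildcard_match(int(net.netmask), _addr(mask), _addr(mask_wc)))

def prefix_list_matches(route: str, entry: str,
                        ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """ip prefix-list entry with optional ge/le. Raises ValueError for the
    ranges IOS refuses, i.e. anything violating len < ge <= le."""
    ent = ipaddress.IPv4Network(entry, strict=False)
    rt = ipaddress.IPv4Network(route, strict=False)
    length = ent.prefixlen
    if (ge is not None and not length < ge <= 32) or \
       (le is not None and not length < le <= 32) or \
       (ge is not None and le is not None and ge > le):
        raise ValueError(f"invalid prefix range for {entry}: need len < ge <= le")
    low = ge if ge is not None else length   # no ge: at least the entry length
    high = le if le is not None else (32 if ge is not None else length)
    # The first 'length' bits must agree and the route length must lie in [low, high].
    return rt.network_address in ent and low <= rt.prefixlen <= high

if __name__ == "__main__":
    # Dillon's lab: the ACL meant for 11.6.8.0/21 also passes 11.6.9.0/24.
    acl = ("11.6.8.0", "0.0.7.255", "255.255.248.0", "0.0.7.255")
    for r in ("11.6.8.0/21", "11.6.8.0/24", "11.6.9.0/24", "11.6.0.0/20"):
        print(r, acl_matches_route(r, *acl))
    # Prefix-list forms: exact /24, then "le 32" for any longer mask.
    print(prefix_list_matches("1.1.1.0/25", "1.1.1.0/24"))         # False
    print(prefix_list_matches("1.1.1.0/25", "1.1.1.0/24", le=32))  # True
    try:                                                # Dave's "le 24 ge 24"
        prefix_list_matches("192.168.1.0/24", "192.168.1.0/24", ge=24, le=24)
    except ValueError as e:
        print(e)
```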


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3