From: Dillon Yang (dillony@gmail.com)
Date: Fri Jul 15 2005 - 23:55:24 GMT-3
Hi, Scott:
Thanks a lot. The document you mentioned is about the following, right? The link needs an account; I can't read it.
<quote>
Filtering Using distribute-list with a Standard Access List
Filtering Using distribute-list with an Extended Access List
Filtering Using the ip prefix-list Command
Related Information
</quote>
TIA
dillon
----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'Dillon Yang'" <dillony@gmail.com>; "'Edwards, Andrew M'" <andrew.m.edwards@boeing.com>; "'Brian Dennis'" <bdennis@internetworkexpert.com>; "'Group Study'" <ccielab@groupstudy.com>
Sent: Saturday, July 16, 2005 12:34 AM
Subject: RE: Extended ACL & EXACT match
It's all based on where/how you APPLY the ACL as far as how it is
interpreted.
So this kind of ACL would not be placed on an interface. Interface-based
ACLs would be interpreted exactly as you note, and there is no destination
of 255.255.0.0 at all!
But when you apply the ACL with a distribute-list function in BGP, the ACL
becomes interpreted by the router under different circumstances. That way
things will work out the way they're supposed to.
http://www.cisco.com/en/US/partner/tech/tk365/technologies_tech_note09186a00801310cb.shtml#acclists
HTH,
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Dillon Yang
Sent: Friday, July 15, 2005 12:12 PM
To: Edwards, Andrew M; Brian Dennis; Group Study
Subject: Re: Extended ACL & EXACT match
Hi, Edward, Brian, group:
Thanks for the reply. I think I have mastered the usage of it, but I want to
know how the IOS passes the ACL and treats it as a valid route, instead of
dropping it, since there is NO such destination as "255.255.255.0 0.0.0.0" or
"255.255.0.0 0.0.255.255". In other words, how does it work?
TIA
dillon
----- Original Message -----
From: "Edwards, Andrew M" <andrew.m.edwards@boeing.com>
To: "Dillon Yang" <dillony@gmail.com>; "Group Study"
<ccielab@groupstudy.com>
Sent: Friday, July 15, 2005 11:46 AM
Subject: RE: Extended ACL & EXACT match
Dillon,
This is the old way of using an extended ACL to match on a route's
netmask. The new way is with prefix-lists.
You can tell because the destination address has a wildcard mask of
0.0.0.0 and, as you noted, a strange match destination address.
Another way of looking at this is:
access-list 100 permit ip <match address> <match bits as wildcard mask> <match netmask> <netmask wildcard bits>
So:
access-list 100 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.0
Says match route prefix 192.168.1.X with a /24 netmask.
Or
ip prefix-list test permit 192.168.1.0/24
Another way is:
access-list 100 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.255
Says match route prefix 192.168.1.X with any netmask less than /32 down
to a /24 bitmask.
Or
ip prefix-list test permit 192.168.1.0/24 le 32
Give it a whirl now that you know and see what happens.
HTH,
Andy
-----Original Message-----
From: Dillon Yang [mailto:dillony@gmail.com]
Sent: Thursday, July 14, 2005 8:12 PM
To: Group Study
Subject: Extended ACL & EXACT match
Hi, group:
Based on CDDOC, we can see this:
<quote>
extended access-list command
The following examples show how wildcard bits are used to indicate the
bits of the prefix or mask that are relevant. Wildcard bits are similar
to the bitmasks that are used with normal access lists.
Prefix or mask bits corresponding to wildcard bits set to 1 are ignored
during comparisons and prefix or mask bits corresponding to wildcard
bits set to 0 are used in comparison.
The following example permits 192.108.0.0 255.255.0.0 but denies any
more specific routes of 192.108.0.0 (including 192.108.0.0
255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
</quote>
But I still cannot understand the meaning of "255.255.0.0
0.0.255.255". For an advertised route, the source pair "192.108.0.0
0.0.0.0" has already contained the route information, so who wants to check
the destination pair "255.255.0.0 0.0.255.255": the routing protocol
or the ACL?
How does it know the second pair is a MASK and not a DESTINATION?
[practice]
I labbed it with the following result. It shows that the ACL "permit ip
11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255" DOES NOT match the address
EXACTLY, for it allows the more specific route "*> 11.6.9.0/24
0.0.0.0"!!!
router bgp 600
no synchronization
bgp log-neighbor-changes
network 11.6.6.0 mask 255.255.255.0
network 11.6.7.0 mask 255.255.255.0
network 11.6.8.0 mask 255.255.255.0
network 11.6.9.0 mask 255.255.255.0
aggregate-address 11.6.0.0 255.255.240.0
neighbor 135.3.24.2 remote-as 200
neighbor 135.3.24.2 ebgp-multihop 10
neighbor 135.3.24.2 distribute-list out600 out
no auto-summary
R6#sib
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 11.6.0.0/20      0.0.0.0                           32768 i
*> 11.6.6.0/24      0.0.0.0                  0        32768 i
*> 11.6.7.0/24      0.0.0.0                  0        32768 i
*> 11.6.8.0/24      0.0.0.0                  0        32768 i
*> 11.6.9.0/24      0.0.0.0                  0        32768 i
[11.6.8.0/21]
R6#clear ip bgp 135.3.24.2 soft
R6#s access-l
Extended IP access list out600
    permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255 (2 matches)
R6#sib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 11.6.8.0/24      0.0.0.0                  0        32768 i
*> 11.6.9.0/24      0.0.0.0                  0        32768 i
[11.6.0.0/20]
R6#
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#no ip access-list extended out600
R6(config)#ip access-list extended out600
R6(config-ext-nacl)#permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255
R6(config-ext-nacl)#end
R6#
*Mar 1 05:14:07: %SYS-5-CONFIG_I: Configured from console by console
R6#clear ip bgp 135.3.24.2 soft
R6#sib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 11.6.0.0/20      0.0.0.0                           32768 i
*> 11.6.6.0/24      0.0.0.0                  0        32768 i
*> 11.6.7.0/24      0.0.0.0                  0        32768 i
*> 11.6.8.0/24      0.0.0.0                  0        32768 i
*> 11.6.9.0/24      0.0.0.0                  0        32768 i
R6#s access-l
Extended IP access list out600
    permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255 (5 matches)
[11.6.6.0/22]
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#no ip access-list extended out600
R6(config)#ip access-list extended out600
R6(config-ext-nacl)#permit ip 11.6.6.0 0.0.3.255 255.255.252.0 0.0.3.255
^Z
R6#conf t
*Mar 1 05:26:42: %SYS-5-CONFIG_I: Configured from console by console
R6#clear ip bgp 135.3.24.2 soft
R6#s access-l
Extended IP access list out600
    permit ip 11.6.4.0 0.0.3.255 255.255.252.0 0.0.3.255 (2 matches)
R6#sib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 11.6.6.0/24      0.0.0.0                  0        32768 i
*> 11.6.7.0/24      0.0.0.0                  0        32768 i
Any advice?
TIA
dillon
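A small model of the matching rule Andy describes (the "source" pair is compared against the route's network, the "destination" pair against its netmask, each with Cisco wildcard semantics and an implicit deny at the end), run over the three ACLs Dillon labbed above. This is an added illustration, not code from any poster or from Cisco; the function names, the parser and the route list are constructed for it.

```python
import ipaddress

def _to_int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def _wild_match(value, match_addr, wildcard):
    """Cisco wildcard compare: bits set to 1 in the wildcard are ignored,
    bits set to 0 must be equal."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (match_addr & care)

def parse_ace(line):
    """Parse 'permit|deny ip <addr> <wc> <mask> <mask-wc>' (constructed parser,
    only the form used in a distribute-list is handled)."""
    action, _proto, src, src_wc, dst, dst_wc = line.split()
    return {"action": action,
            "prefix": _to_int(src), "prefix_wc": _to_int(src_wc),
            "mask": _to_int(dst), "mask_wc": _to_int(dst_wc)}

def route_matches(ace, route):
    """A route matches an entry when its network passes the first pair AND its
    netmask passes the second pair; no destination address is involved."""
    net = ipaddress.IPv4Network(route)
    return (_wild_match(int(net.network_address), ace["prefix"], ace["prefix_wc"])
            and _wild_match(int(net.netmask), ace["mask"], ace["mask_wc"]))

def filter_routes(acl_lines, routes):
    """Evaluate entries in order, first match wins, implicit deny at the end.
    Returns the routes the distribute-list would let through."""
    aces = [parse_ace(line) for line in acl_lines]
    permitted = []
    for route in routes:
        for ace in aces:
            if route_matches(ace, route):
                if ace["action"] == "permit":
                    permitted.append(route)
                break
    return permitted

# R6's BGP table from the post (networks plus the aggregate).
BGP_TABLE = ["11.6.0.0/20", "11.6.6.0/24", "11.6.7.0/24", "11.6.8.0/24", "11.6.9.0/24"]

if __name__ == "__main__":
    for acl in (["permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255"],
                ["permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255"],
                ["permit ip 11.6.6.0 0.0.3.255 255.255.252.0 0.0.3.255"]):
        print(acl[0], "->", filter_routes(acl, BGP_TABLE))
```

The wildcard 0.0.7.255 on the mask pair is why 11.6.9.0/24 passes the first ACL: 255.255.255.0 with the low 11 bits ignored equals 255.255.248.0, so a /21 through /32 inside 11.6.8.0/21 all match; an exact /21 needs the wildcard 0.0.0.0 on both pairs.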
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3