RE: access-lists vs. prefix-lists

From: John Matus (john_matus@hotmail.com)
Date: Wed Mar 16 2005 - 15:39:46 ART


yes, that i'm aware of...........
i guess i was looking for a "best-practice" for specific situations. i
usually use prefix lists w/ bgp and acl's for redistribution but i just
wanted to clarify that BOTH will work......but i also wanted to verify that
there is no difference between:

access-list 5 permit 192.168.1.0 0.0.0.252

and

ip prefix-list 5 permit 192.168.1.0/30

>From: "simon hart" <simon.hart@btinternet.com>
>To: "John Matus" <john_matus@hotmail.com>,<tron@huapi.ba.ar>
>CC: <ccielab@groupstudy.com>
>Subject: RE: access-lists vs. prefix-lists
>Date: Wed, 16 Mar 2005 08:17:11 -0000
>
>John,
>
>You need to remember how an access list wildcard mask works.
>
>192.168.1.0 0.0.0.255
>
>Where you have a 0 bit in the wildcard then the corresponding bit within the
>IP address must match. So in the example above 192.168.1 must match.
>
>Where you have a 1 bit then the wildcard mask does not care about the
>corresponding bit within the IP address (also known as the 'don't care' bit),
>thus the 255 in the last octet means that the corresponding bit within the
>IP address can be anything between 1 and 255.
>
>Therefore when matching routes with an access list, the access list would
>let through 'Prefixes' from:
>
>192.168.1.0 to 192.168.1.255
>
>Obviously within this range there would be no routes that are advertised as
>routes from a routing protocol (like broadcast), however it does capture
>everything.
>
>A prefix list is far more precise: 192.168.1.0/24 will only let through
>192.168.1.0. If you wanted the prefix list to act like the access list, you
>would use the ge and le statements at the end of the prefix.
>
>My advice would be, when dealing with routes, and in particular BGP, use a
>prefix list.
>
>Simon
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>John Matus
>Sent: 16 March 2005 01:19
>To: tron@huapi.ba.ar
>Cc: ccielab@groupstudy.com
>Subject: Re: access-lists vs. prefix-lists
>
>
>ok, that is where i get confused.............
>if, as in ACL 5 <access-l 5 permit 192.168.1.0 0.0.0.255> i don't see how
>that would match /24, /25, /26 routes. i would think that you would need
>to have a wildcard mask of 0.0.0.252, 0.0.0.248, 0.0.0.240. how does it
>match those routes......hmm ok, slight epiphany: is it because .252,
>.248, and .240 are all subsets of the .255 which means everything under the
>sun in that octet?
>
>
> >From: Carlos G Mendioroz <tron@huapi.ba.ar>
> >To: John Matus <john_matus@hotmail.com>
> >CC: ccielab@groupstudy.com
> >Subject: Re: access-lists vs. prefix-lists
> >Date: Tue, 15 Mar 2005 21:59:19 -0300
> >
> >John,
> >there are differences, some of which can be dealt with, but prefix lists are
> >simpler to use when you are trying to deal with routes.
> >
> >In your example with ACL 5, your acl would let go:
> >192.168.1.0/24
> >192.168.1.0/25
> >192.168.1.0/26
> >...
> >192.168.1.128/25
> >192.168.1.128/26
> >...
> >but the prefix list would only let 192.168.1.0/24.
> >
> >Some routing protocols do accept extended ACLs to care about masks, like
> >
> >access-list 105 permit 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> >
> >which would be an exact match of the example prefix list.
> >
> >Hope this helps.
> >
> >John Matus wrote:
> >>Prefix-list vs. access-list question
> >>
> >>I'm a bit confused about the functionality of prefix-lists vs.
> >>access-lists. While I'm aware that prefix-lists seem to have some added
> >>granularity, I'm a bit stumped as to when it is best practice to use one
> >>vs. the other. Here are a few examples of each:
> >>
> >>
> >>EXAMPLE 1
> >>Router os 1
> >>Default-information originate route-map conditional
> >>-------------------------------------------
> >>
> >>Route-m conditional permit 10
> >>Match ip address prefix 5
> >>
> >>Ip prefix-list 5 permit 192.168.1.0/24
> >>
> >>OR
> >>Route-m conditional permit 10
> >>Match ip add 5
> >>
> >>Access-list 5 permit 192.168.1.0 0.0.0.255
> >>
> >>EXAMPLE 2
> >>
> >>Router rip
> >>Redistribute ospf 1 metric 1 route-map o2r
> >>-------------------------------------------
> >>
> >>Route-map o2r permit 10
> >>Match ip add 5
> >>
> >>Access-list 5 permit 192.168.1.0 0.0.0.255
> >>
> >>OR
> >>
> >>Route-map o2r permit 10
> >>Match ip address prefix-list 5
> >>
> >>Ip prefix-list 5 permit 192.168.1.0/24
> >>
> >>Do both methods accomplish exactly the same thing or is the matching
> >>mechanism different in access and prefix lists?
> >>
> >>
> >>_______________________________________________________________________
> >>Subscription information may be found at:
> >>http://www.groupstudy.com/list/CCIELab.html
> >>
> >
> >--
> >Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>
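The whole thread turns on one distinction: a standard access-list used as a route filter tests only the route's network address under the wildcard mask, while a prefix-list entry also tests the prefix length (exactly, unless ge/le widen it), and an extended access-list can test the subnet mask as a second field. The following Python model is an added example written for this archive page; it is not code from any of the posters. It reproduces those three matching rules as described in the thread and runs each of the entries quoted above (ACL 5 with 0.0.0.255, the prefix-list /24 with and without le 32, extended ACL 105, and John's 0.0.0.252 vs /30 pair) against a small constructed route table. The function names, the `CANDIDATE_ROUTES` sample and the ge/le defaulting rule are assumptions of this example.

```python
import ipaddress
from typing import List, Optional

# Constructed sample of routes a routing protocol might offer to a route filter
# (not taken from the thread; chosen to cover the cases the posters discuss).
CANDIDATE_ROUTES = [
    "192.168.1.0/24", "192.168.1.0/25", "192.168.1.0/26",
    "192.168.1.128/25", "192.168.1.128/26",
    "192.168.1.0/30", "192.168.1.4/30",
    "192.168.2.0/24",
]


def _ip(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def std_acl_permits(route: str, acl_addr: str, wildcard: str) -> bool:
    """Standard ACL used as a route filter (distribute-list or
    'match ip address <acl>'): only the route's network address is tested
    against the entry; the route's prefix length plays no part.
    A 0 bit in the wildcard means 'this bit must match', a 1 bit means
    'don't care'."""
    net = ipaddress.ip_network(route, strict=False)
    care = 0xFFFFFFFF ^ _ip(wildcard)  # bits the ACL insists on
    return (int(net.network_address) & care) == (_ip(acl_addr) & care)


def prefix_list_permits(route: str, prefix: str,
                        ge: Optional[int] = None,
                        le: Optional[int] = None) -> bool:
    """ip prefix-list entry: the route must lie inside 'prefix' AND its
    length must equal the prefix length, unless ge/le widen the range
    (assumed defaulting: ge alone implies le 32, le alone implies
    ge = prefix length)."""
    net = ipaddress.ip_network(route, strict=False)
    pfx = ipaddress.ip_network(prefix, strict=False)
    if not net.subnet_of(pfx):
        return False
    low = ge if ge is not None else pfx.prefixlen
    high = le if le is not None else (32 if ge is not None else pfx.prefixlen)
    return low <= net.prefixlen <= high


def ext_acl_permits(route: str, addr: str, addr_wc: str,
                    mask: str, mask_wc: str) -> bool:
    """Extended ACL as some protocols accept it for route filtering: the
    'source' pair is matched against the network address and the
    'destination' pair against the route's subnet mask."""
    net = ipaddress.ip_network(route, strict=False)
    care_a = 0xFFFFFFFF ^ _ip(addr_wc)
    care_m = 0xFFFFFFFF ^ _ip(mask_wc)
    return ((int(net.network_address) & care_a) == (_ip(addr) & care_a)
            and (int(net.netmask) & care_m) == (_ip(mask) & care_m))


def permitted(filter_fn, *args) -> List[str]:
    """Apply one filter entry to the sample table; return what gets through."""
    return [r for r in CANDIDATE_ROUTES if filter_fn(r, *args)]


if __name__ == "__main__":
    print("access-list 5 permit 192.168.1.0 0.0.0.255 ->",
          permitted(std_acl_permits, "192.168.1.0", "0.0.0.255"))
    print("ip prefix-list 5 permit 192.168.1.0/24 ->",
          permitted(prefix_list_permits, "192.168.1.0/24"))
    print("ip prefix-list 5 permit 192.168.1.0/24 le 32 ->",
          permitted(prefix_list_permits, "192.168.1.0/24", None, 32))
    print("access-list 105 permit 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0 ->",
          permitted(ext_acl_permits, "192.168.1.0", "0.0.0.0",
                    "255.255.255.0", "0.0.0.0"))
    print("access-list 5 permit 192.168.1.0 0.0.0.252 ->",
          permitted(std_acl_permits, "192.168.1.0", "0.0.0.252"))
    print("ip prefix-list 5 permit 192.168.1.0/30 ->",
          permitted(prefix_list_permits, "192.168.1.0/30"))
```

Running it shows why the two forms John asks about are not interchangeable: the 0.0.0.255 ACL and the "/24 le 32" prefix-list both pass every 192.168.1.x route regardless of length, the bare "/24" prefix-list and extended ACL 105 pass only 192.168.1.0/24, and the 0.0.0.252 ACL still passes 192.168.1.0/24 (and 192.168.1.4/30, since only the low two address bits are checked) while the /30 prefix-list passes 192.168.1.0/30 alone. For route filtering that is the practical reason to reach for prefix-lists: the filter states the exact prefix lengths it accepts, so an unintended more-specific route cannot slip past it.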



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART