From: simon hart (simon.hart@btinternet.com)
Date: Wed Mar 16 2005 - 05:17:11 ART
John,
You need to remember how an access list wildcard mask works.
192.168.1.0 0.0.0.255
Where you have a 0 bit in the wildcard then the corresponding bit within the
IP Address must match. So in the example above 192.168.1 must match.
Where you have a 1 bit then the Wildcard mask does not care about the
corresponding bit within IP address (also known as the 'don't care' bit),
thus the 255 in the last octet means that the corresponding bit within the
IP address can be anything between 1 and 255.
Therefore when matching routes with an access list, the access list would
let through 'Prefixes' from:
192.168.1.0 to 192.168.1.255
Obviously within this range there would be no routes that are advertised as
routes from a routing protocol (like broadcast), however it does capture
everything.
A Prefix list is far more precise 192.168.1.0/24 will only let through
192.168.1.0, if you wanted the prefix list to act like the access list, you
would use the ge and le statements at the end of the prefix.
My advice would be, when dealing with routes, and in particular BGP, use a
prefix list.
Simon
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
John Matus
Sent: 16 March 2005 01:19
To: tron@huapi.ba.ar
Cc: ccielab@groupstudy.com
Subject: Re: access-lists vs. prefix-lists
OK, that is where I get confused...
if, as in ACL 5 <access-l 5 permit 192.168.1.0 0.0.0.255> I don't see how
that would match /24, /25, /26 routes. I would think that you would need
to have a wildcard mask of 0.0.0.252, 0.0.0.248, 0.0.0.240. How does it
match those routes... hmm, OK, slight epiphany: is it because .252,
.248, and .240 are all subsets of the .255, which means everything under the
sun in that octet?
>From: Carlos G Mendioroz <tron@huapi.ba.ar>
>To: John Matus <john_matus@hotmail.com>
>CC: ccielab@groupstudy.com
>Subject: Re: access-lists vs. prefix-lists
>Date: Tue, 15 Mar 2005 21:59:19 -0300
>
>John,
>there are differences, some of which can be dealt with, but prefix lists are
>simpler to use when you are trying to deal with routes.
>
>In your example with ACL 5, your acl would let go:
>192.168.1.0/24
>192.168.1.0/25
>192.168.1.0/26
>...
>192.168.1.128/25
>192.168.1.128/26
>...
>but the prefix list would only let 192.168.1.0/24.
>
>Some routing protocols do accept extended ACLs to care about masks, like
>
>access-list 105 permit 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0
>
>which would be an exact match of the example prefix list.
>
>Hope this helps.
>
>John Matus wrote:
>>Prefix-list vs. access-list question
>>
>>I'm a bit confused about the functionality of prefix-lists vs.
>>access-lists. While I'm aware that prefix-lists seem to have some added
>>granularity, I'm a bit stumped as to when it is best practice to use one
>>vs. the other. Here are a few examples of each:
>>
>>
>>EXAMPLE 1
>>Router os 1
>>Default-information originate route-map conditional
>>-------------------------------------------
>>
>>Route-m conditional permit 10
>>Match ip address prefix 5
>>
>>Ip prefix-list 5 permit 192.168.1.0/24
>>
>>OR
>>Route-m conditional permit 10
>>Match ip add 5
>>
>>Access-list 5 permit 192.168.1.0 0.0.0.255
>>
>>EXAMPLE 2
>>
>>Router rip
>>Redistribute ospf 1 metric 1 route-map o2r
>>-------------------------------------------
>>
>>Route-map o2r permit 10
>>Match ip add 5
>>
>>Access-list 5 permit 192.168.1.0 0.0.0.255
>>
>>OR
>>
>>Route-map o2r permit 10
>>Match ip address prefix-list 5
>>
>>Ip prefix-list 5 permit 192.168.1.0/24
>>
>>Do both methods accomplish exactly the same thing or is the matching
>>mechanism different in access and prefix lists?
>>
>
>--
>Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
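To make the difference concrete, here is a small model of the three matching rules discussed in this thread (Simon's wildcard-mask explanation, the ip prefix-list with and without ge/le, and Carlos's extended ACL 105 that also checks the mask). This is an added example, not from any poster and not IOS code; the route list it runs over is constructed.

```python
import ipaddress

def _wc_match(value: int, pattern: int, wildcard: int) -> bool:
    # Wildcard semantics: a 0 bit means "must match", a 1 bit means "don't care".
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)

def acl_wildcard_matches(route: str, network: str, wildcard: str) -> bool:
    """Standard ACL (e.g. 'access-list 5 permit 192.168.1.0 0.0.0.255'):
    only the route's network address is compared; its prefix length is ignored."""
    r = ipaddress.IPv4Network(route, strict=False)
    return _wc_match(int(r.network_address), int(ipaddress.IPv4Address(network)),
                     int(ipaddress.IPv4Address(wildcard)))

def extended_acl_matches(route: str, network: str, net_wc: str,
                         mask: str, mask_wc: str) -> bool:
    """Extended ACL as some routing protocols read it: the 'source' pair checks
    the network address and the 'destination' pair checks the subnet mask."""
    r = ipaddress.IPv4Network(route, strict=False)
    net_ok = _wc_match(int(r.network_address), int(ipaddress.IPv4Address(network)),
                       int(ipaddress.IPv4Address(net_wc)))
    mask_ok = _wc_match(int(r.netmask), int(ipaddress.IPv4Address(mask)),
                        int(ipaddress.IPv4Address(mask_wc)))
    return net_ok and mask_ok

def prefix_list_matches(route: str, entry: str, ge=None, le=None) -> bool:
    """ip prefix-list entry 'A/L [ge G] [le M]': the first L bits of the route must
    equal A, and the route's length must be exactly L, or lie in [G, M] when given
    (ge alone means G..32, le alone means L..M)."""
    r = ipaddress.IPv4Network(route, strict=False)
    e = ipaddress.IPv4Network(entry, strict=False)
    lo = e.prefixlen if ge is None else ge
    hi = (e.prefixlen if ge is None else 32) if le is None else le
    bits_ok = (int(r.network_address) & int(e.netmask)) == int(e.network_address)
    return bits_ok and lo <= r.prefixlen <= hi

# Constructed sample of routes a routing process might hand to the route-map.
SAMPLE_ROUTES = ["192.168.1.0/24", "192.168.1.0/25", "192.168.1.128/25",
                 "192.168.1.64/26", "192.168.2.0/24"]

def compare(routes=SAMPLE_ROUTES) -> dict:
    """Per route: what ACL 5, ip prefix-list 5, the same entry with
    'ge 25 le 26', and the extended ACL 105 from the thread would permit."""
    return {rt: {
        "acl5": acl_wildcard_matches(rt, "192.168.1.0", "0.0.0.255"),
        "prefix5": prefix_list_matches(rt, "192.168.1.0/24"),
        "prefix5_ge25_le26": prefix_list_matches(rt, "192.168.1.0/24", ge=25, le=26),
        "acl105": extended_acl_matches(rt, "192.168.1.0", "0.0.0.0",
                                       "255.255.255.0", "0.0.0.0"),
    } for rt in routes}

if __name__ == "__main__":
    for rt, res in compare().items():
        print(rt, res)
```

Running it shows ACL 5 permitting every 192.168.1.x route regardless of length, while the plain prefix list and the extended ACL permit only 192.168.1.0/24 and the ge/le form permits only the /25 and /26 subnets.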
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART