Re: rule for prefix-access list conversion

From: Hobbs (deadheadblues@gmail.com)
Date: Thu Aug 14 2008 - 22:28:11 ART

• Next message: Scott Morris: "RE: Difference between VWIC-2MFT-T1, VWIC-2MFT-T1-DI and"
• Previous message: Scott Morris: "RE: Summarizing LSA-3 in ospf"
• Maybe in reply to: Igor Manassypov: "rule for prefix-access list conversion"
• Next in thread: David Prall: "RE: rule for prefix-access list conversion"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Igor,

Well I don't think you can do it, but I could be wrong. Some easy
prefix-length only matches can be converted but not complex ge or le
matches. Here is my attempt and maybe someone can point out if I am path...

Suppose you had the requirement:

Only allow 192.168.0.0 routes with subnet less than /26

Our prefix-list would be easy:
ip prefix-list ALLOW permit 192.168.0.0/16 le 26

Our ACL would be harder to find. but we know our first 16 bits: 192.168.

So our acl looks like this for now:

access-list 1 permit 192.168.x.x 0.0.x.x

We dont care what the third bit is either so we could now go:

access-list 1 permit 192.168.0.x 0.0.255.x

That leaves the last bits of the network and mask. We can break out the
networks of the 4th octet in binary:

      xxxx xxxx

/24 = 0000 0000

/25 = 0000 0000
      1000 0000

/26 = 0000 0000
        0100 0000
        1000 0000
        1100 0000

/27 = 0000 0000
        0010 0000
        0100 0000
        0110 0000
        1000 0000
        1010 0000
        1100 0000
        1110 0000

We can already see where this is headed. Our first two bits are "don't care"
and our last 6 must be 0 in order to be considered less than /26.

so we could have this:

access-list 1 permit 192.168.0.0 0.0.255.128

However this would prevent a problem for networks such as
192.168.11.0/28because the network has all 0's and for all the router
knows could be a /24,
/25 or /26 with all 0's.

So we need to deny all of these:

192.168.0.0/27,/28,/29,/30
192.168.1.0/27,/28,/29,/30
192.168.2.0/27,/28,/29,/30

Don't know a way of doing it without too many entries...and if we were to
deny these first we would deny their /24,/25,/26 counterparts...

maybe that's why prefix-lists were invented...

On Thu, Aug 14, 2008 at 8:38 AM, Igor Manassypov <imanassypov@rogers.com>wrote:

> Hello,
>
> What is the rule for converting between 'prefix-list' and 'access-list'?
>
> Thanks!
>
>
> Igor M., M.Eng, P.Eng
> Network Architect
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net

• Next message: Scott Morris: "RE: Difference between VWIC-2MFT-T1, VWIC-2MFT-T1-DI and"
• Previous message: Scott Morris: "RE: Summarizing LSA-3 in ospf"
• Maybe in reply to: Igor Manassypov: "rule for prefix-access list conversion"
• Next in thread: David Prall: "RE: rule for prefix-access list conversion"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART