RE: rule for prefix-access list conversion

From: David Prall (dcp@dcptech.com)
Date: Thu Aug 14 2008 - 22:38:34 ART


If this is for an access-list in a route-map for redistribution you can use
an extended ACL. The first portion is the network and the second portion is
the subnet mask.

If my quick memory is right:
access-list 100 permit ip 192.168.0.0 0.0.255.64 255.255.0.0 0.0.255.64

David

--
http://dcp.dcptech.com
  

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Hobbs
> Sent: Thursday, August 14, 2008 9:28 PM
> To: Igor Manassypov
> Cc: ccielab@groupstudy.com
> Subject: Re: rule for prefix-access list conversion
>
> Hi Igor,
>
> Well I don't think you can do it, but I could be wrong. Some easy
> prefix-length only matches can be converted but not complex ge or le
> matches. Here is my attempt and maybe someone can point out
> if I am path...
>
> Suppose you had the requirement:
>
> Only allow 192.168.0.0 routes with subnet less than /26
>
> Our prefix-list would be easy:
> ip prefix-list ALLOW permit 192.168.0.0/16 le 26
>
> Our ACL would be harder to find, but we know our first 16
> bits: 192.168.
>
> So our acl looks like this for now:
>
> access-list 1 permit 192.168.x.x 0.0.x.x
>
> We don't care what the third bit is either so we could now go:
>
> access-list 1 permit 192.168.0.x 0.0.255.x
>
> That leaves the last bits of the network and mask. We can break out the
> networks of the 4th octet in binary:
>
> xxxx xxxx
>
> /24 = 0000 0000
>
> /25 = 0000 0000
>       1000 0000
>
> /26 = 0000 0000
>       0100 0000
>       1000 0000
>       1100 0000
>
> /27 = 0000 0000
>       0010 0000
>       0100 0000
>       0110 0000
>       1000 0000
>       1010 0000
>       1100 0000
>       1110 0000
>
> We can already see where this is headed. Our first two bits are "don't care"
> and our last 6 must be 0 in order to be considered less than /26.
>
> so we could have this:
>
> access-list 1 permit 192.168.0.0 0.0.255.128
>
> However this would prevent a problem for networks such as
> 192.168.11.0/28 because the network has all 0's and for all the router
> knows could be a /24, /25 or /26 with all 0's.
>
> So we need to deny all of these:
>
> 192.168.0.0/27,/28,/29,/30
> 192.168.1.0/27,/28,/29,/30
> 192.168.2.0/27,/28,/29,/30
>
> Don't know a way of doing it without too many entries...and if we were to
> deny these first we would deny their /24,/25,/26 counterparts...
> maybe that's why prefix-lists were invented...
>
>
> On Thu, Aug 14, 2008 at 8:38 AM, Igor Manassypov
> <imanassypov@rogers.com> wrote:
>
> > Hello,
> >
> > What is the rule for converting between 'prefix-list' and
> > 'access-list'?
> >
> > Thanks!
> >
> >
> > Igor M., M.Eng, P.Eng
> > Network Architect
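To make the difference between the three match types concrete, here is an added worked example in Python; it is not code from the thread, from GroupStudy or from Cisco. It models how a prefix-list entry, a standard ACL entry and an extended ACL entry each judge a route, and it goes one step beyond the thread by deriving the general extended-ACL equivalent of a prefix-list entry with ge/le (my own derivation, not something the thread states). Two assumptions: first, as David describes, when an extended ACL is referenced by a redistribution route-map the ACL's source part is compared with the route's network address and the destination part with its subnet mask; second, real subnet masks are contiguous, so mask bits between the ge and le lengths can be marked don't-care without admitting any route the prefix-list would reject. The sample routes, including the 192.168.11.0/28 case Hobbs raises, are constructed for the demonstration.

```python
# Added example (not code from the thread, GroupStudy or Cisco): model of how a
# prefix-list entry, a standard ACL and an extended ACL each judge a route, plus
# the conversion rule the thread asks about. Assumption (as David describes): in
# a redistribution route-map, an extended ACL's source part is compared with the
# route's network address and its destination part with the route's subnet mask.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_of(prefixlen):
    """Contiguous netmask for a prefix length, as a 32-bit int."""
    return (ALL_ONES << (32 - prefixlen)) & ALL_ONES


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_match(value, pattern, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(value) & care) == (to_int(pattern) & care)


def _bounds(prefix, ge, le):
    """Length range a prefix-list entry accepts: the exact length when neither
    ge nor le is given, ge..32 when only ge is given, len..le when only le."""
    p = ipaddress.ip_network(prefix, strict=False)
    low = ge if ge is not None else p.prefixlen
    high = le if le is not None else (32 if ge is not None else p.prefixlen)
    return p, low, high


def prefix_list_match(route, prefix, ge=None, le=None):
    """Does route match 'ip prefix-list X permit <prefix> [ge G] [le L]'?"""
    r = ipaddress.ip_network(route, strict=False)
    p, low, high = _bounds(prefix, ge, le)
    inside = (int(r.network_address) & mask_of(p.prefixlen)) == int(p.network_address)
    return inside and low <= r.prefixlen <= high


def standard_acl_match(route, network, wildcard):
    """Standard ACL: only the route's network address is tested; the prefix
    length never enters the comparison, which is the false-positive problem
    the thread describes for 192.168.11.0/28."""
    r = ipaddress.ip_network(route, strict=False)
    return wildcard_match(str(r.network_address), network, wildcard)


def extended_acl_match(route, network, net_wc, mask, mask_wc):
    """Extended ACL in a redistribution route-map (assumed semantics above)."""
    r = ipaddress.ip_network(route, strict=False)
    return (wildcard_match(str(r.network_address), network, net_wc)
            and wildcard_match(str(r.netmask), mask, mask_wc))


def prefix_to_extended_acl(prefix, ge=None, le=None):
    """Derive the extended ACL entry equivalent to one prefix-list entry.
    Network part: the prefix with its host bits as don't-care.
    Mask part: bits above 'low' must be 1, bits below 'high' must be 0, and the
    bits in between are don't-care. This relies on subnet masks being
    contiguous, so no real route carries a mask that the don't-care bits would
    wrongly admit (assumption stated in the lead-in)."""
    p, low, high = _bounds(prefix, ge, le)
    net_wc = ~mask_of(p.prefixlen) & ALL_ONES
    mask_pat = mask_of(low)
    mask_wc = mask_of(high) & ~mask_of(low) & ALL_ONES
    return (str(p.network_address), to_str(net_wc), to_str(mask_pat), to_str(mask_wc))


def acl_line(seq, prefix, ge=None, le=None):
    """Render the derived entry in IOS access-list syntax."""
    net, net_wc, mask, mask_wc = prefix_to_extended_acl(prefix, ge, le)
    return f"access-list {seq} permit ip {net} {net_wc} {mask} {mask_wc}"


def agrees(route, prefix, ge=None, le=None):
    """True when the derived extended ACL gives the same verdict as the prefix-list."""
    return prefix_list_match(route, prefix, ge, le) == extended_acl_match(
        route, *prefix_to_extended_acl(prefix, ge, le))


# Constructed sample routes, including the /28 case from the thread.
SAMPLE_ROUTES = ["192.168.0.0/16", "192.168.11.0/24", "192.168.11.128/25",
                 "192.168.11.192/26", "192.168.11.0/27", "192.168.11.0/28",
                 "192.168.11.16/28", "10.0.0.0/24"]

if __name__ == "__main__":
    print(acl_line(100, "192.168.0.0/16", le=26))
    ext = prefix_to_extended_acl("192.168.0.0/16", le=26)
    for route in SAMPLE_ROUTES:
        print(f"{route:18} prefix-list={prefix_list_match(route, '192.168.0.0/16', le=26)!s:5} "
              f"std-acl={standard_acl_match(route, '192.168.0.0', '0.0.255.192')!s:5} "
              f"ext-acl={extended_acl_match(route, *ext)!s:5}")
```

Running it prints `access-list 100 permit ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.192` for the `192.168.0.0/16 le 26` entry and then one verdict row per route: the standard ACL with wildcard 0.0.255.192 accepts 192.168.11.0/28 because it only ever sees the network address, while the extended ACL rejects it because the mask 255.255.255.240 has 1 bits in the positions the entry requires to be 0. Each prefix-list entry maps to exactly one extended ACL entry, so a multi-entry prefix-list converts line by line in the same order; the check to keep in mind is that this relies on the route-map comparing source against network and destination against mask, which is why the same trick does nothing for an extended ACL applied as a packet filter.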

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART