Re: rule for prefix-access list conversion

From: Fahad Khan (fahad.khan@gmail.com)
Date: Fri Aug 15 2008 - 04:38:13 ART


Please confirm that this kind of ACL can only be used in BGP?

Thanks,

On 8/15/08, David Prall <dcp@dcptech.com> wrote:
>
> If this is for an access-list in a route-map for redistribution you can use
> an extended ACL. The first portion is the network and the second portion is
> the subnet mask.
>
> If my quick memory is right:
> access-list 100 permit ip 192.168.0.0 0.0.255.64 255.255.0.0 0.0.255.64
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Hobbs
> > Sent: Thursday, August 14, 2008 9:28 PM
> > To: Igor Manassypov
> > Cc: ccielab@groupstudy.com
> > Subject: Re: rule for prefix-access list conversion
> >
> > Hi Igor,
> >
> > Well I don't think you can do it, but I could be wrong. Some easy
> > prefix-length only matches can be converted but not complex ge or le
> > matches. Here is my attempt and maybe someone can point out
> > if I am path...
> >
> > Suppose you had the requirement:
> >
> > Only allow 192.168.0.0 routes with subnet less than /26
> >
> > Our prefix-list would be easy:
> > ip prefix-list ALLOW permit 192.168.0.0/16 le 26
> >
> > Our ACL would be harder to find, but we know our first 16
> > bits: 192.168.
> >
> > So our acl looks like this for now:
> >
> > access-list 1 permit 192.168.x.x 0.0.x.x
> >
> > We don't care what the third bit is either so we could now go:
> >
> > access-list 1 permit 192.168.0.x 0.0.255.x
> >
> > That leaves the last bits of the network and mask. We can break out the
> > networks of the 4th octet in binary:
> >
> > xxxx xxxx
> >
> > /24 = 0000 0000
> >
> > /25 = 0000 0000
> > 1000 0000
> >
> > /26 = 0000 0000
> > 0100 0000
> > 1000 0000
> > 1100 0000
> >
> > /27 = 0000 0000
> > 0010 0000
> > 0100 0000
> > 0110 0000
> > 1000 0000
> > 1010 0000
> > 1100 0000
> > 1110 0000
> >
> > We can already see where this is headed. Our first two bits
> > are "don't care"
> > and our last 6 must be 0 in order to be considered less than /26.
> >
> > so we could have this:
> >
> > access-list 1 permit 192.168.0.0 0.0.255.128
> >
> > However this would present a problem for networks such as
> > 192.168.11.0/28 because the network has all 0's and for all the router
> > knows could be a /24, /25 or /26 with all 0's.
> >
> > So we need to deny all of these:
> >
> > 192.168.0.0/27,/28,/29,/30
> > 192.168.1.0/27,/28,/29,/30
> > 192.168.2.0/27,/28,/29,/30
> >
> > Don't know a way of doing it without too many entries... and if we were to
> > deny these first we would deny their /24,/25,/26 counterparts...
> >
> > maybe that's why prefix-lists were invented...
> >
> > On Thu, Aug 14, 2008 at 8:38 AM, Igor Manassypov <imanassypov@rogers.com> wrote:
> >
> > > Hello,
> > >
> > > What is the rule for converting between 'prefix-list' and
> > 'access-list'?
> > >
> > > Thanks!
> > >
> > >
> > > Igor M., M.Eng, P.Eng
> > > Network Architect
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >

-- 
*FAHAD KHAN

BE Computer Systems NED,

CCNA,CCDA,CCNP,FOUNDFE,CLSE,QOS,JNCIA,JNCIS,MCP,CCIE (Written)

Systems Support Engineer, Premier Systems (Pvt) limited,

Karachi, Pakistan

92-321-2370510*.
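As an added worked example (not part of this thread), the following Python model compares the three matching rules discussed above on constructed sample routes: the prefix-list `192.168.0.0/16 le 26`, a standard ACL that only ever sees the network address (Hobbs's `0.0.255.128` attempt), and an extended ACL whose source part tests the network and whose destination part tests the subnet mask (the route-map behaviour David describes). The mask wildcard `0.0.255.192` used here is derived from Hobbs's bit table (the two high bits of the last octet are don't-care, the low six must be zero) and is my value, not one quoted in the thread.

```python
import ipaddress

# Constructed sample routes (not from the thread): a mix of prefixes inside
# and outside 192.168.0.0/16 with lengths on both sides of the /26 boundary.
ROUTES = [
    "192.168.0.0/16", "192.168.11.0/24", "192.168.11.64/26", "192.168.11.0/28",
    "192.168.11.128/25", "192.168.11.0/27", "10.0.0.0/8", "192.168.200.192/30",
]


def _to_int(addr):
    """Accept a dotted string or an ipaddress object and return its 32-bit int."""
    return int(ipaddress.ip_address(str(addr)))


def prefix_list_match(net, base, le):
    """'ip prefix-list X permit BASE le LE': net lies inside BASE and its length <= LE."""
    return net.subnet_of(ipaddress.ip_network(base)) and net.prefixlen <= le


def wildcard_match(value, pattern, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are don't-care."""
    v, p, w = _to_int(value), _to_int(pattern), _to_int(wildcard)
    return (v & ~w) == (p & ~w)


def standard_acl_match(net, pattern, wildcard):
    """Standard ACL in a route-map: only the network address is compared."""
    return wildcard_match(net.network_address, pattern, wildcard)


def extended_acl_match(net, src, src_wc, dst, dst_wc):
    """Extended ACL in a route-map: source tests the network, destination tests the mask."""
    return (wildcard_match(net.network_address, src, src_wc)
            and wildcard_match(net.netmask, dst, dst_wc))


def compare():
    """Return (route, prefix-list verdict, standard-ACL verdict, extended-ACL verdict)."""
    rows = []
    for r in ROUTES:
        net = ipaddress.ip_network(r)
        want = prefix_list_match(net, "192.168.0.0/16", 26)
        std = standard_acl_match(net, "192.168.0.0", "0.0.255.128")
        ext = extended_acl_match(net, "192.168.0.0", "0.0.255.255",
                                 "255.255.0.0", "0.0.255.192")
        rows.append((r, want, std, ext))
    return rows


def acl_agrees_with_prefix_list(kind):
    """True when the chosen ACL style reproduces the prefix-list verdict on every route."""
    return all((s if kind == "standard" else e) == w for _, w, s, e in compare())


if __name__ == "__main__":
    for row in compare():
        print("%-20s prefix-list=%-5s standard=%-5s extended=%s" % row)
```

The standard ACL admits 192.168.11.0/28 (the false positive Hobbs describes) and rejects 192.168.11.64/26, while the extended form agrees with the prefix-list on every sample route.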




This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART