And every other variation of prefix from /16 to the host route. As Dale and
Divin both mentioned, the extended ACL should be used to match specific prefix
length routes if you're required to use. The use of the ACL in the form
access-list 10 permit 192.168.0.0 0.0.0.255 would actually allow a series of
/30's as well, so my original answer was not entirely correct in that regard.
Lab it up and see the difference. If a question is asking for a specific
route to be matched and requires a standard ACL, you want to use the single
"host" entry in option 3. Option 4 would still work, but it does allow 254
other route combinations.
-ryan
From: Hong Chan [mailto:howard.chan34_at_gmail.com]
Sent: Tuesday, June 02, 2009 4:47 AM
To: Ryan West
Cc: Alexandre V Oliveira; ccielab_at_groupstudy.com
Subject: Re: Prefix list vs Access list - same?
access-list 10 permit 192.168.0.0
This should mean the host route, /32
2009/6/2 Ryan West <rwest_at_zyedge.com>
Hello,
Hey fellows, a simple and direct question:
Is there any difference that can be considered wrong in lab for these
sentences below?
1- ip prefix-list 10 permit 192.168.0.0/24 le 32 <--
allows 192.168.0.0 and every possible subnet combination from /24 to /32
2- ip prefix-list 10 permit 192.168.0.0/24 <-- allows
just 192.168.0.0/24
3- access-list 10 permit 192.168.0.0 <-- in a routing process, this would
allow the subnet 192.168.0.0, but could mean anything from a /16 to a /32
4- access-list 10 permit 192.168.0.0 0.0.0.255 <-- allows just the /24
Can I use any one of them for matching network
192.168.0.0/24? I see they
work, but can they be correct for any instance? (we usually don't know
who can correct our lab, so have to be prepared).
---- Yes, the answer is it depends. You'll find that your freedom in
selection is already dictated to you by what a question either asks or denies
you from choosing. As far as matching the
192.168.0.0/24 network, option 1 would possibly be
frowned upon. Option 3 is pretty typical when matching routes.
Thanks
Alexandre.
-ryan
Blogs and organic groups at http://www.ccie.net
Received on Tue Jun 02 2009 - 09:12:13 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:36 ART
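
Added example, not part of the original thread: a small Python model of the matching rules discussed above, run against the four options from the question. It assumes a standard ACL used as a route filter compares only the route's network address, while a prefix-list entry also checks the prefix length; the function names and the sample route list are made up for illustration.

```python
import ipaddress

def acl_permits(route, addr, wildcard="0.0.0.0"):
    # Standard ACL as a route filter: only the route's network address is
    # compared (under the wildcard mask); the prefix length is never checked.
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    net = int(ipaddress.ip_network(route).network_address)
    return (net & care) == (int(ipaddress.ip_address(addr)) & care)

def prefix_list_permits(route, prefix, ge=None, le=None):
    # Prefix-list entry: leading bits must match AND the length must equal the
    # entry's length (no ge/le) or fall inside the ge/le range.
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if ge is None and le is None:
        lo = hi = p.prefixlen
    else:
        lo = p.prefixlen if ge is None else ge
        hi = 32 if le is None else le
    return r.subnet_of(p) and lo <= r.prefixlen <= hi

# Constructed sample routes, not taken from the thread.
ROUTES = [
    "192.168.0.0/16", "192.168.0.0/24", "192.168.0.0/25", "192.168.0.128/25",
    "192.168.0.4/30", "192.168.0.0/32", "192.168.1.0/24",
]

# The four options from the question, in the same order.
OPTIONS = {
    1: lambda r: prefix_list_permits(r, "192.168.0.0/24", le=32),
    2: lambda r: prefix_list_permits(r, "192.168.0.0/24"),
    3: lambda r: acl_permits(r, "192.168.0.0"),
    4: lambda r: acl_permits(r, "192.168.0.0", "0.0.0.255"),
}

def permitted(option):
    # Routes from ROUTES that the given option would permit.
    return [r for r in ROUTES if OPTIONS[option](r)]

if __name__ == "__main__":
    for n in OPTIONS:
        print(f"option {n}: {permitted(n)}")
```

Only option 2 returns the /24 alone; both ACL forms also let the /16 through because the mask is never examined.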