Re: IP EXTENDED ACCESS-LIST USAGE IN BGP posted 04/07/2003


At 10:55 AM 4/7/2003 -0700, Jason Wydra wrote:
I don't quite understand the logic of this access list.

access-list access-list-number permit ip network-number network-do-not-care-bits mask mask-do-not-care-bits

If you want to filter on 172.16.0.0 only you would do this (according to Halabi page 314):

access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0

Think of a route as 2 completely separate parts, the address and the mask.


In your access list above you are specifying a network of 172.16.0.0, while your mask (0.0.255.255) says you don't care about the last 2 octets (more about this in a minute). You are also specifying a mask of 255.255.0.0, while your mask (0.0.0.0) says all bits must match, so this access list will only match a route with a 16 bit mask.

Because the network address always has all zeros, and we are only matching a 16 bit mask, you could have accomplished the same thing with 172.16.0.0 0.0.0.0 for the network address.

Another example might help. If we wanted to match 172.16.0.0/16 - 24, we would have to have a mask range from 255.255.0.0 to 255.255.255.0. To achieve this, we could use a mask of 255.255.0.0 with a "don't care" mask of 0.0.255.0. So our access list would then be

access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.255.0


Another example would be if you wanted to pass an aggregate-address with the more specifics to one AS but only pass the summary to anything beyond. The Halabi book (p. 348) shows this form of the access list using the summary 172.16.0.0/16.

access-list 101 permit ip 172.16.0.0 0.0.255.255 host 255.255.0.0

Can someone explain the logic behind these access lists and also the difference in using "host" statements within. Also, could you use a prefix-list to accomplish the same with less confusion and complexity?

The host statement is really just a shortcut, and makes much more sense in the context of packet filtering. "Host" is just short for an exact match, meaning all 0s in the "don't care" mask. For example:


host 172.16.0.0

is exactly the same as:

172.16.0.0 0.0.0.0

This sort of makes sense in the network section, and although it works exactly the same in the mask section, it is less intuitive. If you want to match 1 mask exactly, you could just replace the "0.0.0.0" following the mask with a "host" preceding the mask. So the 2 examples you gave above are exactly the same.

Prefix lists are much easier to use and understand, but slightly less flexible. Prefix lists assume a contiguous mask, which in almost all real world applications is just fine. Where it doesn't work is in some exercises where you must match addresses with an odd 2nd octet, or something along those lines.


Thanks,

Jason Wydra



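As an added illustration (not part of the thread), a small Python model of how the two match styles discussed above evaluate a route: the extended ACL form compares the route's address through the first wildcard and its mask through the second, with `host` expanded to an all-zero wildcard, while the prefix-list form checks a contiguous length range. The command syntax is the Cisco-style syntax used in the thread; the parsing code and the `matching_lengths` helper are my own.

```python
import ipaddress

def _quad(s):
    """Dotted quad -> 32-bit int."""
    return int(ipaddress.IPv4Address(s))

def _expand_host(tokens):
    """Rewrite 'host A' as 'A 0.0.0.0': an exact match is an all-zero wildcard."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "host":
            out += [tokens[i + 1], "0.0.0.0"]
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out

def extended_acl_matches(entry, route):
    """True if route ('172.16.0.0/16') matches 'permit ip NET WILD MASK WILD'.
    The route's address is tested through the first wildcard and its mask
    through the second; a 1 bit in a wildcard means 'don't care'."""
    t = _expand_host(entry.split())
    if t[:2] != ["permit", "ip"] or len(t) != 6:
        raise ValueError("expected: permit ip NET WILD MASK WILD")
    acl_net, wild_net, acl_mask, wild_mask = map(_quad, t[2:])
    r = ipaddress.IPv4Network(route)
    care_net, care_mask = ~wild_net & 0xFFFFFFFF, ~wild_mask & 0xFFFFFFFF
    return ((int(r.network_address) & care_net) == (acl_net & care_net)
            and (int(r.netmask) & care_mask) == (acl_mask & care_mask))

def prefix_list_matches(entry, route):
    """True if route matches 'permit A.B.C.D/len [ge N] [le M]' (prefix-list
    style): the first len bits must agree and the route length must lie in
    the range, which is exactly len when neither ge nor le is given."""
    t = entry.split()
    base = ipaddress.IPv4Network(t[1], strict=False)
    opts = dict(zip(t[2::2], t[3::2]))
    lo = int(opts.get("ge", base.prefixlen))
    hi = int(opts.get("le", 32 if "ge" in opts else lo))
    r = ipaddress.IPv4Network(route)
    in_base = (int(r.network_address) & int(base.netmask)) == int(base.network_address)
    return in_base and lo <= r.prefixlen <= hi

def matching_lengths(entry, matcher, base="172.16.0.0"):
    """Prefix lengths L (16..32) for which base/L is accepted; a quick way to
    see exactly which mask range an entry admits."""
    return [L for L in range(16, 33) if matcher(entry, f"{base}/{L}")]
```

Running `matching_lengths` on the thread's three access-list lines shows the first two admit only /16 and the 0.0.255.0 version admits /16 through /24, the same set as `permit 172.16.0.0/16 le 24` in prefix-list form.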