RE: Simple ACL question posted 06/23/2003


Brian,

Sorry for a dumb question, but how can a prefix list filter odd/even routes?

Thanks,
Shahid

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]On Behalf Of
Brian McGahan
Sent: Sunday, June 22, 2003 6:02 PM
To: 'Daniel Cisco Group Study'; ccielab@xxxxxxxxxxxxxx
Subject: RE: Simple ACL question


Daniel,

Technically neither of these answers is correct.  A standard
access-list can only be used to check the network portion of a prefix,
not the mask.

access-list 1 permit 172.16.30.0 will match:

172.16.30.0/24
172.16.30.0/25
172.16.30.0/26
172.16.30.0/27
172.16.30.0/28
172.16.30.0/29
172.16.30.0/30
172.16.30.0/31
172.16.30.0/32

access-list 1 permit 192.168.2.64 will match:

192.168.2.64/26
192.168.2.64/27
192.168.2.64/28
192.168.2.64/29
192.168.2.64/30
192.168.2.64/31
192.168.2.64/32

As far as standard access-lists go, you could think of the above
two answers as the least incorrect answers.  The following two answers
are even more incorrect:

access-list 1 permit 172.16.30.0 0.0.0.255 will match 

172.16.30.x/24
172.16.30.x/25
172.16.30.x/26
172.16.30.x/27
172.16.30.x/28
172.16.30.x/29
172.16.30.x/30
172.16.30.x/31
172.16.30.x/32

where "x" is any number.  

access-list 1 permit 192.168.2.64 0.0.0.63 will match 

192.168.2.y/26
192.168.2.y/27
192.168.2.y/28
192.168.2.y/29
192.168.2.y/30
192.168.2.y/31
192.168.2.y/32

where 64 <= y <= 127


If you want to be 100% accurate, use a prefix-list.  In the case of BGP,
you can also use an extended access-list.  If you want to match the
following networks:

172.16.30.0 / 24
192.168.2.64 / 26

Your syntax should be either

ip prefix-list X permit 172.16.30.0/24
ip prefix-list X permit 192.168.2.64/26

Or

access-list 100 permit ip host 172.16.30.0 host 255.255.255.0
access-list 100 permit ip host 192.168.2.64 host 255.255.255.192


Access-lists should really only be used to filter traffic.
Whenever you are dealing with actual routes, use a prefix-list.  The
prefix-list can be applied in 3 ways: as a distribute-list, matched in a
route-map, or directly to a BGP neighbor.


HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@xxxxxxxxxxxxxxx

CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866-CyscoXP
Outside US: 847.674.3392
Fax: 847.674.2625
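Brian's matching rules, worked through as an added Python model (not code from the thread, nor from IOS itself): it evaluates the four filter styles discussed above against a constructed set of candidate routes and returns which routes each style would permit, which makes the "least incorrect" and "more incorrect" cases visible as extra prefixes getting through. The function names `std_acl_matches`, `ext_acl_matches`, `prefix_list_matches` and `audit` are my own.

```python
import ipaddress

def _addr(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def _care(wildcard: str) -> int:
    """Bits that must match: a 0 bit in an IOS wildcard means 'compare this bit'."""
    return ~_addr(wildcard) & 0xFFFFFFFF

def std_acl_matches(route: str, permit_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """Standard ACL applied to routes: only the network address is compared
    (where the wildcard bit is 0); the route's prefix length is never checked."""
    net = ipaddress.IPv4Network(route, strict=False)
    care = _care(wildcard)
    return (int(net.network_address) & care) == (_addr(permit_addr) & care)

def ext_acl_matches(route: str, net_addr: str, net_wc: str, mask_addr: str, mask_wc: str) -> bool:
    """Extended ACL as BGP evaluates it for prefixes: the 'source' field is checked
    against the network, the 'destination' field against the subnet mask.
    IOS 'host X' is written here as address X with wildcard 0.0.0.0."""
    net = ipaddress.IPv4Network(route, strict=False)
    cn, cm = _care(net_wc), _care(mask_wc)
    return ((int(net.network_address) & cn) == (_addr(net_addr) & cn)
            and (int(net.netmask) & cm) == (_addr(mask_addr) & cm))

def prefix_list_matches(route: str, entry: str) -> bool:
    """ip prefix-list entry without ge/le: exact network AND exact length."""
    return ipaddress.IPv4Network(route, strict=False) == ipaddress.IPv4Network(entry, strict=False)

# Constructed candidate routes: the two wanted prefixes plus near misses that
# an over-broad filter would also let through.
CANDIDATES = ["172.16.30.0/24", "172.16.30.0/25", "172.16.30.128/25", "172.16.31.0/24",
              "192.168.2.64/26", "192.168.2.64/27", "192.168.2.96/27", "192.168.2.0/26"]

FILTERS = {  # each entry models one of the filter styles from the thread
    "std no-wildcard": lambda r: std_acl_matches(r, "172.16.30.0") or std_acl_matches(r, "192.168.2.64"),
    "std wildcard": lambda r: (std_acl_matches(r, "172.16.30.0", "0.0.0.255")
                               or std_acl_matches(r, "192.168.2.64", "0.0.0.63")),
    "extended (BGP)": lambda r: (ext_acl_matches(r, "172.16.30.0", "0.0.0.0", "255.255.255.0", "0.0.0.0")
                                 or ext_acl_matches(r, "192.168.2.64", "0.0.0.0", "255.255.255.192", "0.0.0.0")),
    "prefix-list": lambda r: prefix_list_matches(r, "172.16.30.0/24") or prefix_list_matches(r, "192.168.2.64/26"),
}

def audit(candidates=CANDIDATES) -> dict:
    """Return, per filter style, the candidate routes each would permit."""
    return {name: [r for r in candidates if ok(r)] for name, ok in FILTERS.items()}

if __name__ == "__main__":
    for name, permitted in audit().items():
        print(f"{name:16} permits {permitted}")
```

Only the extended ACL and the prefix-list confine the result to exactly 172.16.30.0/24 and 192.168.2.64/26; both standard ACL forms also admit longer prefixes under the same network address, and the wildcard form admits neighbouring subnets as well.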


> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> Daniel Cisco Group Study
> Sent: Sunday, June 22, 2003 7:38 PM
> To: ccielab@xxxxxxxxxxxxxx
> Subject: Simple ACL question
> 
> Simple question:
> 
> I need to create an ACL to filter / redistribute / (whatever) the two
> routes:
> 
> 172.16.30.0 / 24
> 192.168.2.64 / 26
> 
> I've always used the "lazy", or what I call the efficient method:
> 
> access-list 1 permit 172.16.30.0
> access-list 1 permit 192.168.2.64
> 
> It has always worked for me no problem.
> 
> 
> However, every "authority" always specifies the masks:
> 
> access-list 1 permit 172.16.30.0 0.0.0.255
> access-list 1 permit 192.168.2.64 0.0.0.63
> 
> In my mind, these masks are simply killing electrons, and taking up my
> time.... I know how to use them, but why bother?
> 
> 
> The big questions:
> 
> (1) Am I wrong in saying that these masks are unnecessary?
> 
> (2) In the lab, do we play it safe, and specify the "useless" masks?
> 
> (3) Has anyone (knowingly) got away with the first method in the lab?
> (without breaking NDA)
> 
> 
> I don't mind having to specify the masks, but I'd love to know WHY I
> should (apart from losing marks if I don't)........
> 
> Daniel
> 


_______________________________________________________________________
You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.

Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html