topic Re: extended access-list in Routing and SD-WAN

extended access-list

kousikdutta — Tue, 05 Mar 2019 18:47:26 GMT

Hi All,

I have a doubt regarding extended access list. We are writing the extended access-list by below format.

IP ACCESS-LIST (NAME OR NUMBER ) PERMIT IP HOST (SOURCE) HOST (DESTINATION)

But in the cisco document its mention as below

access-list 101 permit ip host 6.6.6.0 host 255.255.255.0
access-list 102 permit ip host 7.7.7.0 host 255.255.255.0
!

link - https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28784-bgp-community.html

Can anyone please explain what is the meaning of accesslist

Regards,

Re: extended access-list

Joseph W. Doherty — Tue, 17 Jul 2018 17:42:46 GMT

ACLs might be used for matching traffic in case beyond doing with security filters. Your reference link is such an example.

Re: extended access-list

kousikdutta — Wed, 18 Jul 2018 06:09:41 GMT

Hi,

I did not understand clearly. Can you please explain.

Regards,

Re: extended access-list

Pawan Raut — Wed, 18 Jul 2018 06:25:50 GMT

Two way to write down ACL on Router.

Format 1
access-list 101 permit ip host 6.6.6.0 host 255.255.255.0
access-list 102 permit ip host 7.7.7.0 host 255.255.255.0

Format 2

ip access-list extended 101
permit ip host 6.6.6.0 host 255.255.255.0
permit ip host 7.7.7.0 host 255.255.255.0
!

Note: You can write number ACL using both format but in actual configuration it will appear as format1.

But you can write name base ACL in format 2 only and it will display in actual device configuration as format2. You can try and test it.

Kindly rate for helpful post

Regards,

Pawan

Re: extended access-list

kousikdutta — Wed, 18 Jul 2018 08:35:09 GMT

Hi Pawan,

Thanks for take it quickly. My quarry is not related the format. My question is regarding (HOST 255.255.255.0) regarding destination.

My question is why we are using destination as 255.255.255.0

Regards,

Re: extended access-list

Pawan Raut — Wed, 18 Jul 2018 09:47:20 GMT

Oh its my bad I didn't noticed it is subnet mask yes after host there should be IP address.

Re: extended access-list

Joseph W. Doherty — Wed, 18 Jul 2018 10:53:46 GMT

Ah, again because the ACL is not being used for a security filter, your reference concerns BGP network addressing. Specifically, I believe the purpose is to communicate matching prefixes 6.6.6.0/24 and 7.7.7.0/24 via a community string.

Again, ACLs might be used for "things" other than "access control".

Re: extended access-list

Richard Burts — Wed, 18 Jul 2018 13:44:50 GMT

Joseph is certainly on the right track. Let me take a slightly different approach to an explanation. First let us remember that access lists can be used for many purposes. So in looking at an access list we must look at how it is applied. I am confident that if the original poster looks at how those access lists are applied he will find that it used in configuration of BGP to control advertisements to or from a neighbor.

It is an older approach in configuring BGP to use an extended access list to control advertisements and in more modern approach we would use prefix list to accomplish this purpose. So what is the meaning of the access list when used in BGP? We tend to think of the access list in these terms

access-list 101 permit ip <source address> <mask of source address> <destination address> <mask of destination address>

But when used with BGP we would think of it in these terms

access-list 101 permit ip <prefix to advertise> <how many bits of prefix are significant> <mask for advertisement> <how many bits of mask are significant>

So Joseph is correct that the result of those access lists would be to permit advertisement of 6.6.6.0/24 and 7.7.7.0/24 (though I am not where he gets community string into it).

HTH

Rick

[edit] I see in the original post that the link given apparently does introduce communities and that must be where Joseph gets the community reference.

Re: extended access-list

Joseph W. Doherty — Wed, 18 Jul 2018 14:43:20 GMT

"[edit] I see in the original post that the link given apparently does introduce communities and that must be where Joseph gets the community reference."

Yup.

"It is an older approach in configuring BGP to use an extended access list to control advertisements and in more modern approach we would use prefix list to accomplish this purpose."

Rick is spot on - the "modern" prefix list might also be considered less confusing, as an ACL would no longer be needed to match the network prefix. To further clarify, the (second) "host 255.255.255.0" isn't matching a host address its being used to match a /24 network prefix. The /24 network is the (first) host IP 6.6.6.0 or 7.7.7.0. BTW, for the first host IP, the 4th octet could be anything as the second host IP's 4th octet will mask it out.