extended access-list

kousikdutta
Level 1

Hi All,

I have a doubt regarding extended access lists. We write the extended access-list in the format below.

IP ACCESS-LIST (NAME OR NUMBER) PERMIT IP HOST (SOURCE) HOST (DESTINATION)

But in the Cisco document it is mentioned as below:

access-list 101 permit ip host 6.6.6.0 host 255.255.255.0
access-list 102 permit ip host 7.7.7.0 host 255.255.255.0
!

Link - https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28784-bgp-community.html

Can anyone please explain what the meaning of this access list is?

Regards,

K

8 Replies

Joseph W. Doherty
Hall of Fame
ACLs might be used for matching traffic in cases beyond security filtering. Your reference link is such an example.

Hi,

I did not understand clearly. Can you please explain?

Regards,

K

There are two ways to write an ACL on a router.

Format 1
access-list 101 permit ip host 6.6.6.0 host 255.255.255.0
access-list 102 permit ip host 7.7.7.0 host 255.255.255.0

Format 2

ip access-list extended 101
permit ip host 6.6.6.0 host 255.255.255.0
permit ip host 7.7.7.0 host 255.255.255.0
!

Note: You can write a numbered ACL using both formats, but in the actual configuration it will appear as format 1.

But you can write a named ACL in format 2 only, and it will be displayed in the actual device configuration as format 2. You can try and test it.

Kindly rate this post if it was helpful.

Regards,

Pawan

Hi Pawan,

Thanks for taking it up quickly. My query is not related to the format. My question is regarding (HOST 255.255.255.0) as the destination.

My question is why we are using 255.255.255.0 as the destination.

Regards,

Oh, my bad, I didn't notice it is a subnet mask. Yes, after host there should be an IP address.

Ah, again, because the ACL is not being used as a security filter: your reference concerns BGP network addressing. Specifically, I believe the purpose is to communicate matching prefixes 6.6.6.0/24 and 7.7.7.0/24 via a community string.

Again, ACLs might be used for "things" other than "access control".

Joseph is certainly on the right track. Let me take a slightly different approach to an explanation. First let us remember that access lists can be used for many purposes. So in looking at an access list we must look at how it is applied. I am confident that if the original poster looks at how those access lists are applied he will find that they are used in the configuration of BGP to control advertisements to or from a neighbor.

It is an older approach in configuring BGP to use an extended access list to control advertisements; in the more modern approach we would use a prefix list to accomplish this purpose. So what is the meaning of the access list when used in BGP? We tend to think of the access list in these terms:

access-list 101 permit ip <source address> <mask of source address> <destination address> <mask of destination address>

But when used with BGP we would think of it in these terms:

access-list 101 permit ip <prefix to advertise> <how many bits of prefix are significant> <mask for advertisement> <how many bits of mask are significant>

So Joseph is correct that the result of those access lists would be to permit advertisement of 6.6.6.0/24 and 7.7.7.0/24 (though I am not sure where he gets the community string into it).

HTH

Rick

 

[edit] I see in the original post that the link given apparently does introduce communities and that must be where Joseph gets the community reference.

HTH

Rick

"[edit] I see in the original post that the link given apparently does introduce communities and that must be where Joseph gets the community reference."

Yup.

"It is an older approach in configuring BGP to use an extended access list to control advertisements and in more modern approach we would use prefix list to accomplish this purpose."

Rick is spot on - the "modern" prefix list might also be considered less confusing, as an ACL would no longer be needed to match the network prefix. To further clarify, the (second) "host 255.255.255.0" isn't matching a host address; it's being used to match a /24 network prefix. The /24 network is the (first) host IP 6.6.6.0 or 7.7.7.0. BTW, for the first host IP, the 4th octet could be anything, as the second host IP's 4th octet will mask it out.
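Rick's rewording of the ACL fields (prefix, significant prefix bits, mask, significant mask bits) and Joseph's point that the second "host 255.255.255.0" matches a /24 rather than a host, written out as a small Python evaluator. This is an added example, not code from the thread or from Cisco. It assumes the matching rule Rick describes: when the ACL is applied to BGP advertisements, the source field and its wildcard are compared against the advertised network address and the destination field and its wildcard against the advertised subnet mask, with the usual implicit deny at the end of the list. The same parsed entry is also evaluated the ordinary packet-filter way, to show why the entry makes sense only in the BGP application. Prefixes other than 6.6.6.0/24 and 7.7.7.0/24, and the 10.0.0.0 entry, are constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _addr(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _parse_addr_wildcard(tokens, i):
    """Parse one address field of an ACE starting at tokens[i].
    Accepts 'host A' (wildcard 0.0.0.0), 'any' (wildcard 255.255.255.255)
    or the explicit 'A W' form. Returns (address, wildcard, next index)."""
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse one 'permit ip ...' / 'deny ip ...' entry, with or without the
    leading 'access-list <number>' of the numbered (format 1) style."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop 'access-list 101'; the number is not needed here
    action, protocol = tokens[0], tokens[1]
    if action not in ("permit", "deny") or protocol != "ip":
        raise ValueError("unsupported ACE: " + line)
    src, src_wc, i = _parse_addr_wildcard(tokens, 2)
    dst, dst_wc, _ = _parse_addr_wildcard(tokens, i)
    return {"action": action, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}


def _wildcard_match(value, pattern, wildcard):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & MASK32
    return (value & care) == (pattern & care)


def bgp_prefix_matches(ace, prefix):
    """Assumed BGP (distribute-list) reading of the entry, as described in the
    thread: source field vs. the advertised network address, destination
    field vs. the advertised subnet mask."""
    net = ipaddress.IPv4Network(prefix)
    return (_wildcard_match(int(net.network_address), ace["src"], ace["src_wc"])
            and _wildcard_match(int(net.netmask), ace["dst"], ace["dst_wc"]))


def packet_matches(ace, src_ip, dst_ip):
    """The ordinary packet-filter reading of the same entry: source and
    destination fields vs. the packet's source and destination addresses."""
    return (_wildcard_match(_addr(src_ip), ace["src"], ace["src_wc"])
            and _wildcard_match(_addr(dst_ip), ace["dst"], ace["dst_wc"]))


def acl_action(acl_lines, prefix):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if bgp_prefix_matches(ace, prefix):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    # The two lists from the Cisco document quoted in the thread.
    acl_101 = ["access-list 101 permit ip host 6.6.6.0 host 255.255.255.0"]
    acl_102 = ["access-list 102 permit ip host 7.7.7.0 host 255.255.255.0"]
    # Constructed prefixes: only the exact /24 of each network should pass.
    for p in ["6.6.6.0/24", "6.6.6.0/25", "6.6.0.0/16", "7.7.7.0/24"]:
        print("101:", p, "->", acl_action(acl_101, p),
              "  102:", p, "->", acl_action(acl_102, p))
    # Same entry read as a packet filter: it only matches a packet from
    # 6.6.6.0 to the (nonsensical) destination 255.255.255.0.
    ace = parse_ace(acl_101[0])
    print("packet 6.6.6.0 -> 255.255.255.0:", packet_matches(ace, "6.6.6.0", "255.255.255.0"))
    print("packet 6.6.6.10 -> 10.0.0.1:", packet_matches(ace, "6.6.6.10", "10.0.0.1"))
    # Constructed entry with a wildcard on the prefix: any 10.0.x.0/24.
    wide = ["permit ip 10.0.0.0 0.0.255.255 host 255.255.255.0"]
    print("10.0.5.0/24 ->", acl_action(wide, "10.0.5.0/24"))
    print("10.0.0.0/16 ->", acl_action(wide, "10.0.0.0/16"))
```

Run as-is to see the two readings side by side. The modern equivalent that Rick and Joseph refer to states the same match directly, e.g. `ip prefix-list FILTER permit 6.6.6.0/24` (FILTER is a placeholder name), which is why a prefix list is considered less confusing than overloading the source and destination fields of an extended ACL.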