Question about BGP prefix-lists

hfakoor222

I am wondering whether, when using the host keyword in extended ACLs for BGP, host = 255.255.255.255

In the ENARSI OCG, page 487 states thus:

Example 12-16 shows R1’s BGP configuration, which demonstrates filtering with distribution lists. The configuration uses an extended ACL named ACL-ALLOW that contains two entries. The first entry allows any network that starts in the 192.168.0.0 to 192.168.255.255 range with any length of network. The second entry allows networks that contain the 100.64.x.0 pattern with a prefix length of /25 to demonstrate the wildcard abilities of an extended ACL with BGP. The distribute list is then associated with R2’s BGP session.

ip access-list extended ACL-ALLOW
 permit ip 192.168.0.0 0.0.255.255 host 255.255.255.255
 permit ip 100.64.0.0 0.0.255.0 host 255.255.255.128
!
router bgp 65100
 address-family ipv4
  neighbor 10.12.1.2 distribute-list ACL-ALLOW in

and now on page 614 we see:

[image: cisc_forum_1.png]

[image: cisc_forum_2.png]

Judging from the last 2 boxes in the table:

[image: cisc_forum_1.png]

this leads me to believe the host keyword is equal to 255.255.255.255 for BGP ACLs, i.e.

permit ip 100.64.0.0 0.0.255.0 host 255.255.255.128

is really

permit ip 100.64.0.0 0.0.255.0 255.255.255.255 0.0.0.127

Am I correct in assuming this?

 

No need to lab any of this, I would've labbed it myself, my brain is getting fatigued, there's too much material on this exam to have to lab everything...

I'm wondering if someone can confirm this off-hand?

Accepted Solutions

I do not think that the original poster is correct. I do not understand how he gets to this "this leads me to believe the host keyword is equal to 255.255.255.255 for BGP ACL's" How does host equal 255.255.255.255? It really is more equal to 0.0.0.0. In an extended ACL 255.255.255.255 would be the same as "any". When you use host in an extended ACL it says the following field is an address and apply a host specific mask to that address.

If you use

permit ip 100.64.0.0 0.0.255.0 host 255.255.255.128

The result would be

permit ip 100.64.0.0 0.0.255.0 255.255.255.128 0.0.0.0

 

HTH

Rick


10 Replies

M02@rt37

Hello @hfakoor222,

You are correct. In the context of extended ACLs for BGP, the host keyword essentially specifies a single IP address, and when combined with a wildcard mask, it's equivalent to specifying a subnet mask of 255.255.255.255 for that particular IP address.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


Thanks @Richard Burts for your clarification.

As you correctly mentioned, the host keyword applies a host-specific mask to the specified IP address!

Thank you for clearing this up.

Best regards

I am seeing your logic here.  Thanks.

 

I don't believe so. The second entry in the extended ACL as it relates to BGP filtering is to control what mask the prefix can have.

So for a host entry it would need to be 255.255.255.255 0.0.0.0 which is exactly one host. This denotes a /32 mask which only a host can have.

The second example in your book is the closest to explaining it. See below:

[image: DavidRuess_0-1691957847980.png]

The second part is 255.255.255.0 0.0.0.0 which is anything with a /24 mask. The first entry of the second part of the extended ACL (confusing I know) is the mask as it is. The second entry of the second part of all 0s tells us which bits to care about. Think back to wildcard masks with network statements in IGPs. The wildcard mask of 0.0.0.0 means this IP and this IP only (i.e. a host)

This might also help:

https://ine.com/blog/2008-01-08-using-extended-acls-for-bgp-filtering

 

Edit: I didn't see Richard reply for some reason as no responses loaded for the question but also agree with him.

-David
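The matching rule described in the replies above, as an added example that is not part of any poster's reply or of the book: a small evaluator that tests a BGP prefix against an extended ACL entry, with the source pair checked against the network address and the destination pair against the subnet mask. The function names (parse_ace, wildcard_match, ace_matches, matched) and the sample prefixes are constructed for illustration; BOOK is the book's entry, EXPANDED is the accepted solution's expansion, and PROPOSED is the expansion suggested in the question.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' where each side is
    'A W' (address + wildcard), 'host A' or 'any'."""
    tok = line.split()
    action, rest, pairs = tok[0], tok[2:], []
    while rest:
        if rest[0] == "host":      # host A == A 0.0.0.0: every bit must match
            pairs.append((_int(rest[1]), 0))
            rest = rest[2:]
        elif rest[0] == "any":     # any == 0.0.0.0 255.255.255.255
            pairs.append((0, 0xFFFFFFFF))
            rest = rest[1:]
        else:
            pairs.append((_int(rest[0]), _int(rest[1])))
            rest = rest[2:]
    if len(pairs) != 2:
        raise ValueError("expected a source and a destination: " + line)
    return action, pairs[0], pairs[1]

def wildcard_match(value, pattern, wildcard):
    # Bits set in the wildcard are "don't care"; all other bits must be equal.
    return ((value ^ pattern) & ~wildcard & 0xFFFFFFFF) == 0

def ace_matches(line, prefix):
    """Source pair is tested against the prefix's network address,
    destination pair against its subnet mask."""
    _, (net, net_wild), (mask, mask_wild) = parse_ace(line)
    p = ipaddress.IPv4Network(prefix)
    return (wildcard_match(int(p.network_address), net, net_wild)
            and wildcard_match(int(p.netmask), mask, mask_wild))

BOOK = "permit ip 100.64.0.0 0.0.255.0 host 255.255.255.128"
EXPANDED = "permit ip 100.64.0.0 0.0.255.0 255.255.255.128 0.0.0.0"
PROPOSED = "permit ip 100.64.0.0 0.0.255.0 255.255.255.255 0.0.0.127"
# Constructed sample prefixes, not taken from the thread or the book.
SAMPLES = ["100.64.7.0/24", "100.64.7.0/25", "100.64.7.0/26",
           "100.64.7.0/32", "100.64.7.128/25", "100.65.7.0/25"]

def matched(line):
    return [p for p in SAMPLES if ace_matches(line, p)]

if __name__ == "__main__":
    for name in ("BOOK", "EXPANDED", "PROPOSED"):
        print(name, matched(globals()[name]))
```

BOOK and EXPANDED parse to the same entry and match only 100.64.7.0/25 from the samples, while PROPOSED also matches the /26 and /32 samples because its wildcard leaves the low seven mask bits free.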

Giuseppe Larosa

Hello @hfakoor222 ,

IP prefix-lists are a better tool than using extended ACLs and they are more clear to understand.

The usage of extended ACLs was a necessity before the introduction of IP prefix-lists and it worked only with BGP.

Now, we all use prefix-lists instead.

I wonder why such a tricky feature is still explained.

Hope to help

Giuseppe

Totally agree with you @Giuseppe Larosa!

My point of view is, while IP prefix-lists do offer benefits like clearer syntax and more granular control, extended ACLs were used out of necessity in the past, especially with BGP ???!!! However, over time, IP prefix-lists have become a more preferred and versatile option for controlling routing decisions. It's possible that explanations of extended ACLs are still provided due to historical context and to help individuals understand older network configurations they might encounter.

 

Best regards

Hello @Giuseppe Larosa, I am not sure that I follow. Unless I am misunderstanding the functionality, prefix lists and extended ACLs can provide vastly different prefix manipulation. For example, an extended ACL can match on discontiguous bits such as matching only even numbers in the 2nd octet. Or matching any number in the 3rd octet. I am unaware that prefix lists can do that without multiple statements (making the code more obscure the more lines you add). Extended ACLs are also used in EIGRP for controlling routes from certain neighbors, something prefix lists cannot do. Can you expand or clarify on their deprecation as it seems to be implemented in 2 major protocols?

Thanks.

-David

I send you message.

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick