07-01-2025 02:36 AM
Hi Team,
Can you please help with an ACL issue?
I have two devices connected A --- B (IOS/IOS-XE, issue on both), having a BGP neighborship.
Device A is advertising the 2.2.0.0/16 and 12.12.12.0/24 prefixes to device B using BGP. Device B has a route-map applied under BGP with standard ACL statements:
deny 2.2.2.0 0.0.0.255
permit 2.2.0.0 0.0.15.255
deny 12.12.12.0 0.0.0.31
permit 12.12.12.0 0.0.0.255
Ideally, device B should reject the 2.2.0.0/16 prefix and accept the 12.12.12.0/24 prefix as per the ACL statements, but device B is installing the 2.2.0.0/16 prefix and rejecting the 12.12.12.0/24 prefix. Attaching the "show ip access-lists" output from device B:
cat6k#show ip access-lists
Standard IP access list IMPORT_PREFIX
    10 permit 0.0.0.0
    20 deny   1.1.1.0, wildcard bits 0.0.0.255 (1 match)
    30 permit 1.1.0.0, wildcard bits 0.0.15.255 (4 matches)
    40 deny   2.2.2.0, wildcard bits 0.0.0.255
    50 permit 2.2.0.0, wildcard bits 0.0.15.255 (1 match)
    60 permit 11.11.11.0, wildcard bits 0.0.0.255 (1 match)
    70 deny   12.12.12.0, wildcard bits 0.0.0.31 (1 match)
    80 permit 12.12.12.0, wildcard bits 0.0.0.255
Any leads on why this is happening?
07-01-2025 03:07 AM
For prefixes, use a prefix-list.
I recommend you not use standard or extended ACLs to filter prefixes.
MHM
07-01-2025 06:59 AM
Hi Sir, Thank you for your inputs.
07-01-2025 07:02 AM
You are so so welcome
MHM
07-01-2025 03:09 AM
Hello @Forward,
your ACL permits the 2.2.0.0/16 prefix, so depending on your route-map, the device appears to do what you configured.
You need to post the full config of ACL, route-map and BGP to allow us to see exactly what you configured, as well as the BGP routing table to see the result of your config.
Furthermore, I strongly prefer the use of prefix-lists over ACLs as they give much more flexibility.
HTH!
07-01-2025 06:58 AM
Hi Jens, Thank you for your inputs.
07-01-2025 03:19 AM
When you use a standard ACL with a route-map to control inbound routes in BGP, you have limited control, because it's not matching the prefix of the route to the mask you specified in the ACL, it's only comparing the network (2.2.0.0) with any mask to the ACL (2.2.0.0 0.0.15.255).
That's why the "permit 2.2.0.0 0.0.15.255" is being matched and the 2.2.0.0/16 route is being permitted.
And the "deny 12.12.12.0 0.0.0.31" is denying the 12.12.12.0/24 route.
That's why the recommendation, as others have mentioned, is to use a prefix-list instead of a standard access-list.
So just re-create IMPORT_PREFIX as an ip prefix-list.
And in the route-map, instead of specifying:
match ip address IMPORT_PREFIX
You would do:
match ip address prefix-list IMPORT_PREFIX <- (assuming the ip prefix-list is named IMPORT_PREFIX)
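The matching behaviour Jonathan describes, modelled as an added Python example (not from the thread or from Cisco): a standard ACL used in a route-map compares only the route's network address against each wildcard entry, while an ip prefix-list entry also checks the prefix length. The prefix-list entries below are an assumed one-to-one translation of the ACL, and the ge/le handling goes beyond the exact-match entries this thread needs.

```python
import ipaddress

# Constructed from the thread: the standard ACL entries on device B
# as (action, address, wildcard).
STANDARD_ACL = [
    ("deny", "2.2.2.0", "0.0.0.255"),
    ("permit", "2.2.0.0", "0.0.15.255"),
    ("deny", "12.12.12.0", "0.0.0.31"),
    ("permit", "12.12.12.0", "0.0.0.255"),
]
# Assumed prefix-list equivalent: (action, prefix, ge, le); None = not given.
PREFIX_LIST = [
    ("deny", "2.2.2.0/24", None, None),
    ("permit", "2.2.0.0/20", None, None),
    ("deny", "12.12.12.0/27", None, None),
    ("permit", "12.12.12.0/24", None, None),
]

def acl_decision(route, acl):
    """Standard ACL in a route-map: only the route's network address is
    compared against each entry's wildcard; the route's mask is ignored."""
    net = int(ipaddress.ip_network(route, strict=False).network_address)
    for action, addr, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # 0 bits = must match
        if (net & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action          # first match wins
    return "deny"                  # implicit deny at the end

def prefix_list_decision(route, plist):
    """ip prefix-list: the entry must cover the route AND the route's prefix
    length must fall in [ge, le] (exact length when neither is given)."""
    r = ipaddress.ip_network(route, strict=False)
    for action, entry, ge, le in plist:
        e = ipaddress.ip_network(entry)
        lo = e.prefixlen if ge is None else ge
        hi = (e.prefixlen if ge is None else 32) if le is None else le
        if r.subnet_of(e) and lo <= r.prefixlen <= hi:
            return action
    return "deny"                  # implicit deny at the end

def compare(routes):
    """Return {route: (standard ACL result, prefix-list result)}."""
    return {r: (acl_decision(r, STANDARD_ACL), prefix_list_decision(r, PREFIX_LIST))
            for r in routes}

if __name__ == "__main__":
    for route, (acl, pl) in compare(["2.2.0.0/16", "12.12.12.0/24"]).items():
        print(f"{route:15} standard ACL -> {acl:6}  prefix-list -> {pl}")
```

With the routes from the thread, the ACL permits 2.2.0.0/16 (network 2.2.0.0 falls inside 2.2.0.0 0.0.15.255) and denies 12.12.12.0/24 (network 12.12.12.0 falls inside 12.12.12.0 0.0.0.31), while the prefix-list denies the /16 and permits the /24, which is the behaviour the original poster expected.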
07-01-2025 06:58 AM
Thank you Jonathan for the inputs. It clarifies my doubt.