09-19-2012 02:23 AM - edited 03-07-2019 08:57 AM
Hi,
I want to ask about something:
in order to match prefix/prefix length using an ACL, we put the word host.
Example:
access-list 100 permit ip host 10.0.0.0 host 255.0.0.0
This will match the 10.0.0.0/24 prefix/prefix length.
My question is, if I type
access-list 100 permit ip host 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
will this match the route 10.0.0.0/24 prefix/prefix length?
Or will it match any route that starts with 10.0.0.0 to 10.255.255.255?
I mean, is there another form of ACL that can match the prefix/prefix length of a route other than using the "host" word?
Another question:
does this rule apply to other IGP routing protocols like OSPF ACL distribute lists, or is it only a special rule for BGP filtering?
Regards
09-19-2012 04:04 AM
Hello Ahmed,
No, the third statement does not provide the same results.
> access-list 100 permit ip 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
This will match an IPv4 prefix with an arbitrary first byte, all other bytes set to 0, with a subnet mask of 0.0.0.0. In practice only a default route 0.0.0.0/0 can match this statement.
In an IP access-list the order of parameters is very important and makes a huge difference!
The schema is
access-list N permit|deny ip network_base_Address network_base_address_wildcard_mask Subnet_mask Subnet_Mask_wildcard
with the subnet mask taking the position of the destination address.
Hope to help
Giuseppe
09-19-2012 04:06 AM
Hi,
No it won't, it will match all IP addresses. (EDIT: with a deny it filtered all IP addresses in the test I did on GNS3.)
Regards.
Alain
Don't forget to rate helpful posts.
09-19-2012 02:59 AM
Hi,
1)
Example:
access-list 100 permit ip host 10.0.0.0 host 255.0.0.0
This will match the 10.0.0.0/24 prefix/prefix length.
No, this will match 10.0.0.0/8; for /24 you should have host 255.255.255.0.
2)
My question is, if I type
access-list 100 permit ip host 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
will this match the route 10.0.0.0/24 prefix/prefix length?
Or will it match any route that starts with 10.0.0.0 to 10.255.255.255?
No, it will do the same as the above command, as host is a shortcut for 0.0.0.0.
3) To my best knowledge, as a replacement for a prefix-list it can only be used in BGP.
Regards.
Alain
Don't forget to rate helpful posts.
09-19-2012 03:08 AM
Hi again:
Is the command
access-list 100 permit ip host 10.0.0.0 host 255.0.0.0
the same as
access-list 100 permit ip 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
and will it match only one route, which is 10.0.0.0/8?
09-19-2012 03:16 AM
Hello Ahmed,
The modern way to do this kind of prefix filtering is to use IP prefix-lists, which were introduced for this job.
About the syntax to be used for IP extended ACLs:
access-list 100 permit ip host 10.0.0.0 host 255.0.0.0
matches only 10/8 and does not match more specific subnets.
This is equivalent to
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0
The following
> access-list 100 permit ip host 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
is wrong because there is one 0.0.0.0 that is not needed.
That command would be rejected by the CLI parser, I guess.
The following can be used:
access-list 100 permit ip host 10.0.0.0 255.0.0.0 0.0.0.0
As Alain has noted, IP extended ACLs are not supported for IGPs.
Hope to help
Giuseppe
09-19-2012 03:27 AM
Hi, in the 1st post there was a typo, sorry for that.
My question again:
both of
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0
&
access-list 100 permit ip host 10.0.0.0 host 255.0.0.0
will give the same result of matching the prefix/prefix length of the 10.0.0.0/8 route.
Now, the question is:
does
access-list 100 permit ip 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
give the same result as the first two lines that I typed?
regards
09-19-2012 04:19 AM
Thank you both,
does this rule (using the "host" word) apply only to BGP distribute lists?
Or can we use the same rule to match prefix/prefix length in EIGRP & OSPF?
regards