
question about using Distribute list and ACL in bgp filtering

Ahmed M Alzaeem
Beginner

Hi,

I want to ask about something.

In order to match prefix/prefix length using an ACL, we put the word host.

Example:

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

This will match 10.0.0.0/24 prefix/prefix length.

My question is, if I type

access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

will this match the route 10.0.0.0/24 prefix/prefix length?

Or will it match any route that starts with 10.0.0.0 to 10.255.255.255?

I mean, is there another form of ACL that can match the prefix/prefix length of a route other than using the word "host"?

Another question:

Does this rule apply to IGP routing protocols as well, such as an OSPF ACL distribute list, or is it a special rule only for BGP filtering?

Regards


cadet alain
Mentor

Hi,

1)

> Example:
>
> access-list 100 permit ip host 10.0.0.0 host 255.0.0.0
>
> This will match 10.0.0.0/24 prefix/prefix length.

No, this will match 10.0.0.0/8; for /24 you should have host 255.255.255.0

2)

> My question is, if I type
>
> access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0
>
> will this match the route 10.0.0.0/24 prefix/prefix length?
>
> Or will it match any route that starts with 10.0.0.0 to 10.255.255.255?

No, it will do the same as the above command, as host is a shortcut for 0.0.0.0

3) To the best of my knowledge, as a replacement for a prefix-list it can only be used in BGP

Regards.

Alain

Don't forget to rate helpful posts.


Hi again,

is the command

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

the same as

access-list 100 permit ip  10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

and will it match only one route, which is 10.0.0.0/8?

Giuseppe Larosa
Hall of Fame Master

Hello Ahmed,

The modern way to do this kind of prefix filtering is to use IP prefix-lists, which were introduced for this job.

About the syntax to be used for an IP extended ACL:

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

matches only 10/8 and does not match more specific subnets

This is equivalent to

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

the following

> access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

is wrong because there is one 0.0.0.0 that is not needed.

That command would be rejected by the CLI parser, I guess.

The following can be used:

access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0

As Alain has noted, IP extended ACLs are not supported for IGP.

Hope to help

Giuseppe

Hi, in the 1st post there was a typo, sorry for that.

My question again:

both of

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

&

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

will give the same result of matching the prefix/prefix length of the 10.0.0.0/8 route.

Now, the question is:

does

access-list 100 permit ip  10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

give the same result as the first two lines that I typed?

regards

Hello Ahmed,

No, the third statement does not provide the same results.

> access-list 100 permit ip  10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

This will match an IPv4 prefix with an arbitrary first byte, all other bytes set to 0, with a subnet mask of 0.0.0.0. In practice only a default route 0.0.0.0/0 can match this statement.

In an IP access-list the order of parameters is very important and makes a huge difference!

The schema is

access-list N permit|deny ip network_base_Address network_base_address_wildcard_mask Subnet_mask Subnet_Mask_wildcard

with the subnet mask taking the position of the destination address.

Hope to help

Giuseppe
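
Added example (not part of the original posts, and not Cisco code): a small Python model of the matching scheme Giuseppe describes above, in which the source address/wildcard pair is compared with the route's network address and the destination pair with its subnet mask. The function names and sample routes are constructed for illustration; it models the scheme as stated in the thread, not the IOS parser itself.

```python
import ipaddress

FULL = 0xFFFFFFFF

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_entry(line):
    """Parse 'access-list N permit|deny ip <source> <destination>'.

    Each of source/destination is 'host A', 'any', or 'A W' (address, wildcard).
    Returns (action, (addr, wildcard), (addr, wildcard)).
    """
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    rest, pairs = tok[4:], []
    while rest:
        if rest[0] == "any":
            pairs.append((0, FULL))
            rest = rest[1:]
            continue
        if len(rest) < 2:
            raise ValueError("dangling token: " + rest[0])
        if rest[0] == "host":
            pairs.append((_ip(rest[1]), 0))      # host A == A 0.0.0.0
        else:
            pairs.append((_ip(rest[0]), _ip(rest[1])))
        rest = rest[2:]
    if len(pairs) != 2:
        raise ValueError("expected source and destination, got %d" % len(pairs))
    return tok[2], pairs[0], pairs[1]

def _field_matches(value, addr, wildcard):
    care = ~wildcard & FULL                      # wildcard bit 1 = "don't care"
    return (value & care) == (addr & care)

def entry_matches(line, route):
    """True if the entry matches route 'a.b.c.d/len' under the scheme above."""
    _, net, mask = parse_entry(line)
    r = ipaddress.IPv4Network(route)
    return (_field_matches(int(r.network_address), *net)
            and _field_matches(int(r.netmask), *mask))

# Constructed sample routes, checked against the entries discussed in the thread.
if __name__ == "__main__":
    for acl in ("access-list 100 permit ip host 10.0.0.0 host 255.0.0.0",
                "access-list 100 permit ip 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0"):
        for rt in ("10.0.0.0/8", "10.0.0.0/24", "0.0.0.0/0"):
            print(acl, "|", rt, "->", entry_matches(acl, rt))
```
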

Hi,

No, it won't; it will match all IP addresses. (EDIT: with a deny it filtered all IP addresses in the test I did on GNS3.)

Regards.

Alain

Don't forget to rate helpful posts.


Thank you both.

Does this rule of using the word "host" apply only to a BGP distribute list?

Or can we use the same rule to match prefix/prefix length in EIGRP & OSPF?

Regards
