cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1206
Views
5
Helpful
7
Replies
Highlighted

question about using Distribute list and ACL in bgp filtering

hi ,

i want to ask about some thing ;

in order to match prefix /prefix lenght using ACL , we put the word host

example :

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

this will match 10.0.0.0/24  prefix/prefix lenght

my questuion is , if i type ,

access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

will this will match the route 10.0.0.0/24 prefix/prefix lenght ??

or it will match any route that start with 10.0.0.0 to 10.255.255.255 ???

i mean is there another shape of ACl that can match prefix/prefix lenght of a route another than using "host"
word.


another question,

doees this rule applicable to another IGP routing protocols like ospf ACL ditribute list , or it  is only a special rule for BGP filtering issu??

regards

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted

Hello Ahmed,

no, the third statement does not provide same results

> access-list 100 permit ip  10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

This will match an IPv4 prefix with arbitrary first byte, all other bytes set to 0 with a subnet mask of 0.0.0.0. In practice only a default route 0.0.0.0/0 can match this statement

In IP access-list the order of parameters is very important and makes huge difference!

the schema is

access-list N  permit|deny   ip  network_base_Address network_base_address_wildcard_mask Subnet_mask Subnet_Mask_wildcard

with the subnet mask taking the position of the destination address

Hope to help

Giuseppe

View solution in original post

Highlighted

Hi,

no it won't , it will match all IP addresses. EDIT: with a deny it filtered all ip addresses in the test i did on GNS3)

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

7 REPLIES 7
Highlighted
Advisor

Hi,

1)

example :

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

this will match 10.0.0.0/24  prefix/prefix lenght

No, this will match 10.0.0.0/8  for /24 you should have host 255.255.255.0

2)

my questuion is , if i type ,

access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

will this will match the route 10.0.0.0/24 prefix/prefix lenght ??

or it will match any route that start with 10.0.0.0 to 10.255.255.255 ???

No it will do the same as above command as  host is a shortcut for 0.0.0.0

3) to my best knowledge as a replacement to prefix-list it can only be used in BGP

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Highlighted

hi  , again :

is the command

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

is the same as

access-list 100 permit ip  10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

will match only one route which is 10.0.0.0/8 ????????

Highlighted
Hall of Fame Master

Hello Ahmed,

the modern way to do this kind of  prefix filtering is the use of IP prefix-lists that have been introduced for this job.

About the syntax to be used for IP extended ACL

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

matches only 10/8 and does not match more specific subnets

This is equivalent to

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

the following

> access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

is wrong  because there is one 0.0.0.0 that is not needed

That command would be rejected by CLI parser I guess

The following can be used:

access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0

As Alain has noted IP extended ACLs are not supported for IGP.

Hope to help

Giuseppe

Highlighted

hi, in the 1st post there was a typo , sorry for that ,

my question again

both of

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

&

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

will give the same result of matching the  prefix/prefix lengh of 10.0.0.0/8 route .

now ,  the question is

does

>

access-list 100 permit ip  10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

will give the same result of the 1st two lines that i typed ???

regards

Highlighted

Hello Ahmed,

no, the third statement does not provide same results

> access-list 100 permit ip  10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

This will match an IPv4 prefix with arbitrary first byte, all other bytes set to 0 with a subnet mask of 0.0.0.0. In practice only a default route 0.0.0.0/0 can match this statement

In IP access-list the order of parameters is very important and makes huge difference!

the schema is

access-list N  permit|deny   ip  network_base_Address network_base_address_wildcard_mask Subnet_mask Subnet_Mask_wildcard

with the subnet mask taking the position of the destination address

Hope to help

Giuseppe

View solution in original post

Highlighted

Hi,

no it won't , it will match all IP addresses. EDIT: with a deny it filtered all ip addresses in the test i did on GNS3)

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

Highlighted

thank u both ,

does this rule "using host " word , applicable only to bgp distribulte list ??

or we can usr the same rule in match prefix/prefixlengh in eigrp & ospf ??

regards

Content for Community-Ad