Solved: Re: question about using Distribute list and ACL in bgp filterin

Dr.X · ‎09-19-2012

hi ,

i want to ask about some thing ;

in order to match prefix /prefix lenght using ACL , we put the word host

example :

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

this will match 10.0.0.0/24 prefix/prefix lenght

my questuion is , if i type ,

access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

will this will match the route 10.0.0.0/24 prefix/prefix lenght ??

or it will match any route that start with 10.0.0.0 to 10.255.255.255 ???

i mean is there another shape of ACl that can match prefix/prefix lenght of a route another than using "host"
word.


another question,

doees this rule applicable to another IGP routing protocols like ospf ACL ditribute list , or it  is only a special rule for BGP filtering issu??

regards

Giuseppe Larosa · ‎09-19-2012

Hello Ahmed,

no, the third statement does not provide same results

> access-list 100 permit ip 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0

This will match an IPv4 prefix with arbitrary first byte, all other bytes set to 0 with a subnet mask of 0.0.0.0. In practice only a default route 0.0.0.0/0 can match this statement

In IP access-list the order of parameters is very important and makes huge difference!

the schema is

access-list N permit|deny ip network_base_Address network_base_address_wildcard_mask Subnet_mask Subnet_Mask_wildcard

with the subnet mask taking the position of the destination address

Hope to help

Giuseppe

View solution in original post

cadet alain · ‎09-19-2012

Hi,

no it won't , it will match all IP addresses. EDIT: with a deny it filtered all ip addresses in the test i did on GNS3)

Regards.

Alain

Don't forget to rate helpful posts.

View solution in original post

cadet alain · ‎09-19-2012

Hi,

1)

example :

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

this will match 10.0.0.0/24 prefix/prefix lenght

No, this will match 10.0.0.0/8 for /24 you should have host 255.255.255.0

2)

my questuion is , if i type ,

access-list 100 permit ip host 10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

will this will match the route 10.0.0.0/24 prefix/prefix lenght ??

or it will match any route that start with 10.0.0.0 to 10.255.255.255 ???

No it will do the same as above command as host is a shortcut for 0.0.0.0

3) to my best knowledge as a replacement to prefix-list it can only be used in BGP

Regards.

Alain

Don't forget to rate helpful posts.

Dr.X · ‎09-19-2012

hi , again :

is the command

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

is the same as

access-list 100 permit ip  10.0.0.0  255.0.0.0  0.0.0.0 0.0.0.0

will match only one route which is 10.0.0.0/8 ????????

Giuseppe Larosa · ‎09-19-2012

Hello Ahmed,

the modern way to do this kind of prefix filtering is the use of IP prefix-lists that have been introduced for this job.

About the syntax to be used for IP extended ACL

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

matches only 10/8 and does not match more specific subnets

This is equivalent to

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

the following

> access-list 100 permit ip host 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0

is wrong because there is one 0.0.0.0 that is not needed

That command would be rejected by CLI parser I guess

The following can be used:

access-list 100 permit ip host 10.0.0.0 255.0.0.0 0.0.0.0

As Alain has noted IP extended ACLs are not supported for IGP.

Hope to help

Giuseppe

Dr.X · ‎09-19-2012

hi, in the 1st post there was a typo , sorry for that ,

my question again

both of

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

&

access-list 100 permit ip host 10.0.0.0 host 255.0.0.0

will give the same result of matching the prefix/prefix lengh of 10.0.0.0/8 route .

now , the question is

does

>

access-list 100 permit ip 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0

will give the same result of the 1st two lines that i typed ???

regards

Giuseppe Larosa · ‎09-19-2012

Hello Ahmed,

no, the third statement does not provide same results

> access-list 100 permit ip 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0

This will match an IPv4 prefix with arbitrary first byte, all other bytes set to 0 with a subnet mask of 0.0.0.0. In practice only a default route 0.0.0.0/0 can match this statement

In IP access-list the order of parameters is very important and makes huge difference!

the schema is

access-list N permit|deny ip network_base_Address network_base_address_wildcard_mask Subnet_mask Subnet_Mask_wildcard

with the subnet mask taking the position of the destination address

Hope to help

Giuseppe

cadet alain · ‎09-19-2012

Hi,

no it won't , it will match all IP addresses. EDIT: with a deny it filtered all ip addresses in the test i did on GNS3)

Regards.

Alain

Don't forget to rate helpful posts.

Dr.X · ‎09-19-2012

thank u both ,

does this rule "using host " word , applicable only to bgp distribulte list ??

or we can usr the same rule in match prefix/prefixlengh in eigrp & ospf ??

regards

question about using Distribute list and ACL in bgp filtering