bgp and extended access-list

zeeshanr202
Level 1

Hi,

I am having difficulty understanding the following:

Please consider the configuration below:

routerA(config)# access-list 1 deny 198.198.198.0 0.0.0.255
routerA(config)# access-list 1 permit any
routerA(config-router)# neighbor 1.1.1.1 remote-as 20
routerA(config-router)# neighbor 1.1.1.1 distribute-list 1 out

------------------------------------------------

The above configuration will cause router A not to send any update about 198.198.198.0 to neighbor 1.1.1.1.

So the network number specified in access-list 1 will be checked against the network being advertised in the update. In case of a match, the specified action (deny or permit) will be carried out.

Please correct me if I am wrong.

Second scenario:

routerA(config)# access-list 102 deny ip 198.198.198.0 0.0.0.255 168.168.168.0 0.0.0.255
routerA(config-router)# neighbor 1.1.1.1 distribute-list 102 out

Now which network number is being checked against the network number in the update? Is it 198.198.198.0 or 168.168.168.0?

Thanks

Accepted Solution

mheusinger
Level 10

Hi,

Afaik the behaviour is different. Remember this ACL describes routing updates and not IP packets crossing an interface. As such a routing update consists of a network and a mask. The first section in the ACL describes the network and the second section the mask portion of a routing update. ACL 102 thus describes networks within 198.198.198.0 0.0.0.255 with a mask in the range from 168.168.168.0 to 168.168.168.255 - which obviously does not make any sense in a normal routing environment.

So a working example would be:

routerA(config)# access-list 102 deny ip 198.198.198.0 0.0.0.255 host 255.255.255.255
routerA(config)# access-list 102 permit ip any any

This would not announce any host route (/32) in the range from 198.198.198.0 to 198.198.198.255 but everything else.

Hope this helps! Please rate all posts.

Regards, Martin

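To make the matching rule in Martin's answer concrete, here is an added Python model of how IOS evaluates a standard and an extended ACL against a routing update (this is example code written for this page, not code from the thread or from Cisco). It assumes ACL entries are represented as tuples, "any" as 0.0.0.0 with wildcard 255.255.255.255 and "host X" as X with wildcard 0.0.0.0; the poster's ACL 102 is shown both exactly as typed (deny line only) and with a "permit ip any any" appended, so the effect of the deny line can be seen separately from the implicit deny at the end of every ACL.

```python
import ipaddress
from typing import List, Optional, Tuple

# One ACL line: (action, src, src_wildcard, dst, dst_wildcard).
# For a standard ACL the dst fields are None.
Entry = Tuple[str, str, str, Optional[str], Optional[str]]

ANY = ("0.0.0.0", "255.255.255.255")  # "any" keyword
HOST_WC = "0.0.0.0"                   # wildcard used by the "host" keyword


def wildcard_match(value: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    v = int(ipaddress.IPv4Address(value))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (v & care) == (b & care)


def evaluate(acl: List[Entry], prefix: str) -> str:
    """Apply an ACL used as a distribute-list to the update 'a.b.c.d/len'.

    Standard ACL:  the single address field is compared with the network.
    Extended ACL:  the source field is compared with the network and the
                   destination field with the subnet mask of the update
                   (not with any packet destination).
    No matching line means the implicit deny at the end of the ACL applies.
    """
    net = ipaddress.IPv4Network(prefix, strict=False)
    network = str(net.network_address)
    mask = str(net.netmask)
    for action, src, src_wc, dst, dst_wc in acl:
        if not wildcard_match(network, src, src_wc):
            continue
        if dst is not None and not wildcard_match(mask, dst, dst_wc):
            continue
        return action
    return "deny"  # implicit deny


# Standard ACL 1 from the question.
ACL_1: List[Entry] = [
    ("deny", "198.198.198.0", "0.0.0.255", None, None),
    ("permit", *ANY, None, None),
]

# The poster's ACL 102 exactly as typed: a deny line and nothing else.
ACL_102_AS_TYPED: List[Entry] = [
    ("deny", "198.198.198.0", "0.0.0.255", "168.168.168.0", "0.0.0.255"),
]

# Same deny line with an explicit permit appended (assumption, for illustration).
ACL_102_WITH_PERMIT: List[Entry] = ACL_102_AS_TYPED + [("permit", *ANY, *ANY)]

# Martin's working version: block /32 host routes inside 198.198.198.0/24.
ACL_102_FIXED: List[Entry] = [
    ("deny", "198.198.198.0", "0.0.0.255", "255.255.255.255", HOST_WC),
    ("permit", *ANY, *ANY),
]


def demo() -> dict:
    """Evaluate a few constructed updates against each ACL."""
    updates = ["198.198.198.0/24", "198.198.198.7/32", "10.1.1.1/32", "10.0.0.0/8"]
    acls = {
        "acl 1": ACL_1,
        "acl 102 as typed": ACL_102_AS_TYPED,
        "acl 102 + permit": ACL_102_WITH_PERMIT,
        "acl 102 fixed": ACL_102_FIXED,
    }
    return {name: {u: evaluate(acl, u) for u in updates} for name, acl in acls.items()}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for update, verdict in results.items():
            print(f"  {update:<18} {verdict}")
```

Running it shows the three outcomes the thread discusses: ACL 1 denies everything whose network falls in 198.198.198.0/24; the deny line of the original ACL 102 never matches a real update (no update carries a mask of 168.168.168.x), so with a trailing permit it filters nothing, and as typed, with no permit line, the implicit deny filters every update; Martin's version denies only the /32 host routes in that range and permits the /24 itself.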

3 Replies

brispin
Level 1

Your first part of understanding is right. In the second part, if the source is 198.198.198.0 and the destination is the 168.168.168.0 network, it will not be sent out.


Thanks Martin for your help. I got it now.
