standard access-list migration to prefix-list

sg_london
Level 1

Hello all.

I have the following access-list configured on one of the devices here to filter the BGP updates:

router bgp <bla>
 neighbor CORE distribute-list <x>
!
ip access-list standard <x>
 deny "output omitted"
 deny 155.195.64.0 0.0.0.255
 deny "output omitted"
 permit any

and I want to migrate this towards an ip prefix-list while keeping the exact same behavior.

My problem is I have small subsets of the 155.195.64.0/24 that will soon be residing on the other part of my network (don't ask me why): 155.195.64.32/28, 155.195.64.0/29 and 155.195.64.8/29, and I need to allow those subnets to get through while disregarding the 155.195.64.0/24.

The problem is access-lists are processed as an exact match when the le or ge keyword is not entered.

So I am not sure about the correct configuration to use. So far I came up with this:

ip prefix-list <x> deny 155.195.64.0/24 le 27
!
ip prefix-list <x> permit 155.195.64.32/28
ip prefix-list <x> permit 155.195.64.0/29
ip prefix-list <x> permit 155.195.64.8/29
!
ip prefix-list <x> permit 0.0.0.0/0 le 32

Any light welcome!

Thanks

D.

Accepted Solution

A remark:

The ACL statement "deny 155.195.64.0 0.0.0.255" will deny 155.195.64.0/24 AND any subnet of it. This translates to the prefix-list:

ip prefix-list Example seq 5 deny 155.195.64.0/24 le 32

So the solution looks like this:

ip prefix-list <x> permit 155.195.64.32/28
ip prefix-list <x> permit 155.195.64.0/29
ip prefix-list <x> permit 155.195.64.8/29
ip prefix-list <x> deny 155.195.64.0/24 le 32
ip prefix-list <x> permit 0.0.0.0/0 le 32

Hope this helps! Please use the rating system.

Regards, Martin


7 Replies

Edison Ortiz
Hall of Fame

You need to allow those subnets, then do a deny on /24 with a permit any any at the end.

!Permit your subnets
!
ip prefix-list <x> permit 155.195.64.32/28
ip prefix-list <x> permit 155.195.64.0/29
ip prefix-list <x> permit 155.195.64.8/29
!
!Deny the major network
!
ip prefix-list <x> deny 155.195.64.0/24
!
!Permit any any
!
ip prefix-list <x> permit 0.0.0.0/0 le 32

HTH,

__

Edison.

Thanks Edison, that is what I was thinking as well.

Rgds.

D.

One more thing to add here: a standard access list, i.e. "access-list 1 permit 10.10.0.0 0.0.31.255", will permit the /19 aggregate as well as the more specific /24 networks.

In my case "deny 155.195.128.0 0.0.0.255" is denying /24 as well as the more specific networks.

If I replace deny 155.195.128.0 0.0.0.255 by ip prefix-list deny 155.195.128.0/24, then I will "only" match on the /24 subnets and not on the more specific networks anymore...

Don't forget: a standard access list looks at the network address only and cannot check the length of the network mask.

So I was thinking of using:

ip prefix-list <x> deny 155.195.128.0/25
!
ip prefix-list <x> deny 155.195.128.0/25 ge 26

(deny all routes with a prefix of 155.195.128.0/25 and a mask length greater than 26 bits)

What do you think ?

Rgds.

D.

No one?

Thanks.

D.

If you want the same effect as that access-list statement, you can do

ip prefix-list <x> deny 155.195.128.0/24 le 32

That would deny 155.195.128/24 and any of its more specific subnets, i.e. with any prefix length between 24 and 32 inclusive.

As for those subnets you want to allow, as long as they appear as "permits" in the prefix-list above the deny, then they will be allowed.

Kevin Dorrell

Luxembourg
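As an added illustration (not part of the thread, and not Cisco code), the following Python models how IOS evaluates a standard ACL wildcard against a prefix-list entry with ge/le, using the matching rules stated in the thread: a standard ACL compares only the bits where the wildcard is 0 and never looks at the prefix length; a prefix-list entry with no ge/le matches only that exact length; "le 32" covers every more-specific route. It runs the original ACL, the original poster's draft, Edison's list and Martin's accepted list against a constructed set of candidate routes and reports where each prefix-list disagrees with the ACL. The list names and candidate prefixes are assumptions made for the example.

```python
"""Model of standard ACL vs. prefix-list evaluation (added example, not IOS code)."""
import ipaddress

# Standard ACL entry: (action, address, wildcard). Only the bits where the
# wildcard is 0 are compared; the candidate's prefix length is never examined.
def acl_standard_matches(address, wildcard, candidate):
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    net = int(ipaddress.IPv4Network(candidate).network_address)
    return (int(ipaddress.IPv4Address(address)) & keep) == (net & keep)

# Prefix-list entry: (action, prefix, ge, le). The candidate must lie inside the
# entry's prefix and its length must fall in the allowed range:
#   no ge/le  -> exact length only      le N      -> entry length .. N
#   ge N      -> N .. 32                ge N le M -> N .. M
def prefix_entry_matches(entry, candidate):
    _, prefix, ge, le = entry
    net = ipaddress.IPv4Network(prefix)
    cand = ipaddress.IPv4Network(candidate)
    if not cand.subnet_of(net):
        return False
    low = net.prefixlen if ge is None else ge
    high = (32 if ge is not None else net.prefixlen) if le is None else le
    return low <= cand.prefixlen <= high

def acl_verdict(acl, candidate):
    for action, address, wildcard in acl:
        if acl_standard_matches(address, wildcard, candidate):
            return action
    return "deny"  # implicit deny at the end of every ACL

def prefix_list_verdict(plist, candidate):
    for entry in plist:
        if prefix_entry_matches(entry, candidate):
            return entry[0]
    return "deny"  # implicit deny at the end of every prefix-list

# The original distribute-list, reduced to the line under discussion.
ORIGINAL_ACL = [
    ("deny", "155.195.64.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
CARVE_OUTS = ["155.195.64.32/28", "155.195.64.0/29", "155.195.64.8/29"]
PERMITS = [("permit", p, None, None) for p in CARVE_OUTS]
CATCH_ALL = ("permit", "0.0.0.0/0", None, 32)

OP_DRAFT = [("deny", "155.195.64.0/24", None, 27)] + PERMITS + [CATCH_ALL]
EDISON = PERMITS + [("deny", "155.195.64.0/24", None, None), CATCH_ALL]
ACCEPTED = PERMITS + [("deny", "155.195.64.0/24", None, 32), CATCH_ALL]

# Constructed test routes: the /24, several of its subnets, and unrelated prefixes.
CANDIDATES = [
    "155.195.64.0/24", "155.195.64.0/26", "155.195.64.128/25",
    "155.195.64.64/28", "155.195.64.200/32",
    *CARVE_OUTS, "155.195.0.0/16", "10.0.0.0/8",
]

def differences(plist, candidates=CANDIDATES):
    """Candidates on which the prefix-list disagrees with the original ACL."""
    return [c for c in candidates
            if prefix_list_verdict(plist, c) != acl_verdict(ORIGINAL_ACL, c)]

if __name__ == "__main__":
    print(f"{'prefix':20} {'acl':7} {'op-draft':9} {'edison':7} accepted")
    for c in CANDIDATES:
        print(f"{c:20} {acl_verdict(ORIGINAL_ACL, c):7} "
              f"{prefix_list_verdict(OP_DRAFT, c):9} "
              f"{prefix_list_verdict(EDISON, c):7} "
              f"{prefix_list_verdict(ACCEPTED, c)}")
    for name, pl in (("op-draft", OP_DRAFT), ("edison", EDISON), ("accepted", ACCEPTED)):
        print(name, "differs from the ACL on:", differences(pl))
```

Run as a script it prints the verdict table. The accepted list differs from the ACL only on the three carve-outs, which is the intended change. The draft with "le 27" lets any /28 or longer subnet of the /24 (for example 155.195.64.64/28) fall through to the catch-all, and the exact-match "deny 155.195.64.0/24" lets every more-specific subnet through, which is the gap the thread closes with "le 32".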

--- Please disregard ---

Note to myself:

"It is sometimes wiser to keep your mouth shut and risk that someone thinks you a fool, than to open it and remove all doubt."

