hai_manish Mon, 06/09/2008 - 07:54

Hi,


The other IP can't be 255.255.252.0


What do you want to know exactly? Any particular thing, or the full command (how it works)?


Thanks,


anasubra_2 Mon, 06/09/2008 - 08:00

Hi Manish,


Thanks for the reply.


I found the access-list in this format on a route-map which is associated with BGP inbound. I was thinking that if the intent for this access-list is to allow yy.xx.224.0/22, it should have been access-list zzz permit ip yy.xx.224.0 0.0.3.255 any.


Is the above right? If it is, then I am trying to invalidate the existing ACL.


Regards

Anantha Subramanian Natarajan

hai_manish Mon, 06/09/2008 - 08:07

Hi,


Ya, that's the right command to allow yy.xx.224.0/22 to any.


Thanks,

anasubra_2 Mon, 06/09/2008 - 08:10

Hi manish,


Thanks


Regards

Anantha Subramanian Natarajan

Richard Burts Mon, 06/09/2008 - 08:01

Anantha


Perhaps if we knew a bit more about the context in which this access list was configured we might understand it better.


If you assume that it is a typical access list configured to filter data traffic on an interface then it makes little sense, especially with the destination address being 255.255.252.0.


However, if this access list were configured and used as part of a distribute list in the configuration of BGP, then it would make a lot more sense. In BGP, this access list used in a distribute list would permit BGP to accept or to advertise (depending on whether it was inbound or outbound) network yy.xx.224.0 with a /22 mask.


While we usually think of distribute list using a standard access list (as it does in RIP or EIGRP - or even OSPF) in BGP you can use an extended access list where you may want to specify both the network and the network mask.


[note] I see in the response posted just as I was writing my response that this is used for BGP. In this case the access list is valid as written.


HTH


Rick

anasubra_2 Mon, 06/09/2008 - 08:05

Hi Rick,


Thanks for the reply. So do you mean that the command below,


access-list zzz permit ip host xx.yy.224.0 host 255.255.252.0


when associated with a route-map which is then called in BGP inbound, means to match xx.yy.224.0/22?


Thanks


Regards

Anantha Subramanian Natarajan

Richard Burts Mon, 06/09/2008 - 08:14

Anantha


Yes it will match on both the network prefix value (xx.yy.224.0) and on the mask (/22).


If you change the access list to access-list zzz permit ip yy.xx.224.0 0.0.3.255 any then you will seriously change the function of the access list. And if the previous version of the access list was working then the new version of the access list will break some part of your BGP implementation.


HTH


Rick

anasubra_2 Mon, 06/09/2008 - 08:20

Hi Rick,


Good explanation. Thanks. Then the thing which I couldn't understand is how the existing ACL works.


I am thinking the existing ACL will match a packet from specific source xx.yy.224.0/32 coming from specific host 255.255.252.0/32. Is that right? Sorry to take your time on this, but I am missing some basics on it.


Thanks


Regards

Anantha Subramanian Natarajan

anasubra_2 Mon, 06/09/2008 - 08:22

Hi Rick,


Just a correction on the above understanding: instead of "from", use "to", i.e. to host 255.255.252.0/32.


Regards

Anantha Subramanian Natarajan

Richard Burts Mon, 06/09/2008 - 08:24

Anantha


No, that is not right. We typically think of an extended access list as specifying source-address, source-mask, destination-address, destination-mask. But the definition of the parameters is quite different when an extended access list is used for BGP. In this usage the parameters have this meaning: (network-prefix, #-significant-bits, prefix-mask, #-significant-bits).


So it works very differently in BGP than it does in normal access list usage.


HTH


Rick
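
Added example (not part of the original thread): a Python model of the matching described in the reply above, where the ACL's source address/wildcard pair is compared against a route's network address and its destination pair against the route's netmask. The address 10.20.224.0 is a constructed stand-in for xx.yy.224.0, and the function names and route list are hypothetical.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def field_matches(value, base, wildcard):
    # Cisco wildcard bits: 1 means "don't care", 0 means "must equal base".
    care_bits = ~ip(wildcard) & 0xFFFFFFFF
    return ((ip(value) ^ ip(base)) & care_bits) == 0

def acl_permits_route(acl, route):
    """acl = (src, src_wildcard, dst, dst_wildcard); route = 'a.b.c.d/len'.

    In route filtering the source pair is tested against the route's
    network address and the destination pair against its netmask.
    """
    net = ipaddress.IPv4Network(route)
    src, src_wc, dst, dst_wc = acl
    return (field_matches(str(net.network_address), src, src_wc)
            and field_matches(str(net.netmask), dst, dst_wc))

# "permit ip host 10.20.224.0 host 255.255.252.0" (host = wildcard 0.0.0.0)
EXISTING = ("10.20.224.0", "0.0.0.0", "255.255.252.0", "0.0.0.0")
# "permit ip 10.20.224.0 0.0.3.255 any" (any = 0.0.0.0 255.255.255.255)
PROPOSED = ("10.20.224.0", "0.0.3.255", "0.0.0.0", "255.255.255.255")

# Constructed candidate routes a BGP neighbor might send.
ROUTES = [
    "10.20.224.0/22",    # the intended prefix
    "10.20.224.0/24",    # more-specifics inside the /22
    "10.20.226.0/23",
    "10.20.227.128/25",
    "10.20.228.0/22",    # adjacent block, outside the /22
    "10.20.224.0/21",    # less-specific with the same network address
]

def permitted(acl):
    return [r for r in ROUTES if acl_permits_route(acl, r)]

if __name__ == "__main__":
    print("existing:", permitted(EXISTING))
    print("proposed:", permitted(PROPOSED))
```

The existing entry accepts only the exact /22, while the rewritten entry also accepts every more-specific inside the block and the /21 that shares its network address, which is a much looser inbound filter.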

anasubra_2 Mon, 06/09/2008 - 08:42

Hi Rick,


That's awesome. Can you please refer me to some link which explains that?


Once again, thank you very much


Regards

Anantha Subramanian Natarajan

anasubra_2 Mon, 06/09/2008 - 10:17

Hi Rick,


Thank you very much


Regards

Anantha Subramanian Natarajan
