ACL

anasubra_2
Level 1

Hi All,

Can anyone help me to understand the below access-list

access-list zzz permit ip host yy.xx.224.0 host 255.255.252.0

Thanks

Regards

Anantha Subramanian Natarajan

13 Replies

hai_manish
Level 1

Hi,

The other IP can't be 255.255.252.0

What do you want to know exactly? Any particular thing, or the full command (how it works)?

Thanks,

Hi Manish,

Thanks for the reply .....

I found the access-list in this format on a route-map which is associated with BGP inbound. I was thinking that if the intent of this access-list is to allow yy.xx.224.0/22, it should have been access-list zzz permit ip yy.xx.224.0 0.0.3.255 any.

Is the above right? If it is, then I am trying to invalidate the existing ACL.

Regards

Anantha Subramanian Natarajan

Hi,

Yes, that's the right command to allow yy.xx.224.0/22 to any.

Thanks,

Hi manish,

Thanks

Regards

Anantha Subramanian Natarajan

Richard Burts
Hall of Fame

Anantha

Perhaps if we knew a bit more about the context in which this access list was configured we might understand it better.

If you assume that it is a typical access list configured to filter data traffic on an interface then it makes little sense, especially with the destination address being 255.255.252.0.

However if this access list were configured and used as part of a distribute list in the configuration of BGP then it would make a lot more sense. If BGP this access list used in a distribute list would permit BGP to accept or to advertise (depending on whether it was inbound or outbound) network yy.xx.224.0 with a /22 mask.

While we usually think of distribute list using a standard access list (as it does in RIP or EIGRP - or even OSPF) in BGP you can use an extended access list where you may want to specify both the network and the network mask.

[note] I see in the response posted just as I was writing my response that this is used for BGP. In this case the access list is valid as written.

HTH

Rick


Hi Rick,

Thanks for the reply.....So do you mean, the below command

access-list zzz permit ip host xx.yy.224.0 host 255.255.252.0

when associated to route-map which is then called in bgp inbound,then it means to match xx.yy.224.0/22 ?

Thanks

Regards

Anantha Subramanian Natarajan

Anantha

Yes it will match on both the network prefix value (xx.yy.224.0) and on the mask (/22).

If you change the access list to access-list zzz permit ip yy.xx.224.0 0.0.3.255 any then you will seriously change the function of the access list. And if the previous version of the access list was working then the new version of the access list will break some part of your BGP implementation.

HTH

Rick


Hi Rick,

Good explanation, thanks. Then the thing which I couldn't understand is how the existing ACL works.

I am thinking the existing ACL will match packets from the specific source xx.yy.224.0/32 coming from the specific host 255.255.252.0/32. Is that right? Sorry to take your time on this, but I am missing something basic on it.

Thanks

Regards

Anantha Subramanian Natarajan

Hi Rick,

Just a correction on the above understanding: instead of "from", use "to", i.e. to host 255.255.252.0/32.

Regards

Anantha Subramanian Natarajan

Anantha

No, that is not right. We typically think of an extended access list as specifying source-address, source-mask, destination-address, destination-mask. But the definition of the parameters is quite different when an extended access list is used for BGP. In this usage the parameters have this meaning: network-prefix, #-significant-bits, prefix-mask, #-significant-bits.

So it works very differently in BGP than it does in normal access list usage.

HTH

Rick

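The matching rule Rick describes above (network-prefix and its wildcard, then prefix-mask and its wildcard, each compared only on the bits the wildcard marks as significant) is small enough to model directly. The script below is an added example written for this page, not code from the thread or from Cisco, and it uses the constructed prefix 10.1.224.0 in place of the post's placeholder yy.xx.224.0. It evaluates the original ACL, the proposed "0.0.3.255 any" rewrite, and a third hypothetical entry against a few candidate BGP prefixes, showing why the rewrite changes what gets through: with the mask field set to "any", more-specific /24s and the covering /21 are accepted alongside the exact /22. The third form (wildcard on both the network and the mask) is an assumption added here to show the general shape of the technique; confirm behaviour on the actual platform before relying on it, since this is a model of the semantics, not the IOS implementation.

```python
import ipaddress

# Constructed examples standing in for the thread's "yy.xx.224.0"; 10.1.x.x is a
# made-up range for illustration, not an address from the original post.
ORIGINAL_ACL = "access-list zzz permit ip host 10.1.224.0 host 255.255.252.0"
PROPOSED_ACL = "access-list zzz permit ip 10.1.224.0 0.0.3.255 any"
# Hypothetical third form: the /22 and any of its more-specific subnets, but not supernets.
SUBNETS_ACL = "access-list zzz permit ip 10.1.224.0 0.0.3.255 255.255.252.0 0.0.3.255"


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _take_term(tokens):
    """Consume one address term ("any", "host A", or "A WILDCARD"); return (addr, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return "0.0.0.0", "255.255.255.255"
    if head == "host":
        return tokens.pop(0), "0.0.0.0"
    return head, tokens.pop(0)


def parse_acl(line):
    """Parse 'access-list NAME permit|deny ip SRC DST' into the four BGP distribute-list fields.

    In the BGP usage discussed in the thread, SRC is (network-prefix, prefix-wildcard) and
    DST is (prefix-mask, mask-wildcard); a 0 bit in a wildcard means "this bit must match".
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("expected: access-list <name> permit|deny ip <src-term> <dst-term>")
    name, action = tokens[1], tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    rest = tokens[4:]
    net, net_wild = _take_term(rest)
    mask, mask_wild = _take_term(rest)
    if rest:
        raise ValueError("unexpected trailing tokens: %r" % rest)
    return {"name": name, "action": action,
            "net": net, "net_wild": net_wild, "mask": mask, "mask_wild": mask_wild}


def entry_matches_prefix(entry, prefix):
    """True if a BGP prefix such as '10.1.224.0/22' matches BOTH the network and the mask fields."""
    pfx = ipaddress.ip_network(prefix, strict=True)
    net_care = ~_addr(entry["net_wild"]) & 0xFFFFFFFF   # network bits that must match
    mask_care = ~_addr(entry["mask_wild"]) & 0xFFFFFFFF  # netmask bits that must match
    net_ok = (int(pfx.network_address) & net_care) == (_addr(entry["net"]) & net_care)
    mask_ok = (int(pfx.netmask) & mask_care) == (_addr(entry["mask"]) & mask_care)
    return net_ok and mask_ok


def acl_permits(lines, prefix):
    """First-match evaluation, with the implicit deny at the end of every Cisco ACL."""
    for line in lines:
        entry = parse_acl(line)
        if entry_matches_prefix(entry, prefix):
            return entry["action"] == "permit"
    return False


if __name__ == "__main__":
    candidates = ("10.1.224.0/22", "10.1.225.0/24", "10.1.224.0/21", "10.1.0.0/16")
    for acl in (ORIGINAL_ACL, PROPOSED_ACL, SUBNETS_ACL):
        print(acl)
        for p in candidates:
            print("   %-16s %s" % (p, "permit" if acl_permits([acl], p) else "deny"))
```

Running it shows the original entry permitting only 10.1.224.0/22, the proposed rewrite permitting the /22 together with 10.1.225.0/24 and 10.1.224.0/21 (any mask at all, because the second term is "any"), and the hypothetical third form permitting the /22 and its /24 but rejecting the /21 supernet.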

Hi Rick,

That's awesome. Can you please refer me to some link which explains that?

Once again ,thank you very much

Regards

Anantha Subramanian Natarajan

Anantha

This tech note has a discussion of using extended access lists in the distribute list for BGP:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801310cb.shtml#acclists

HTH

Rick


Hi Rick,

Thank you very much

Regards

Anantha Subramanian Natarajan
