06-09-2008 07:50 AM - edited 03-05-2019 11:31 PM
Hi All,
Can anyone help me to understand the below access-list?
access-list zzz permit ip host yy.xx.224.0 host 255.255.252.0
Thanks
Regards
Anantha Subramanian Natarajan
06-09-2008 07:54 AM
Hi,
The other IP can't be 255.255.252.0.
What do you want to know exactly? Any particular thing, or the full command (how it works)?
Thanks,
06-09-2008 08:00 AM
Hi Manish,
Thanks for the reply .....
I found the access-list in this format on a route-map which is associated with BGP in inbound. I was thinking that if the intent of this access-list is to allow yy.xx.224.0/22, it should have been access-list zzz permit ip yy.xx.224.0 0.0.3.255 any.
Is the above right? If it is, then I am trying to invalidate the existing ACL.
Regards
Anantha Subramanian Natarajan
06-09-2008 08:07 AM
Hi,
Yes, that's the right command to allow yy.xx.224.0/22 to any.
Thanks,
06-09-2008 08:10 AM
Hi manish,
Thanks
Regards
Anantha Subramanian Natarajan
06-09-2008 08:01 AM
Anantha
Perhaps if we knew a bit more about the context in which this access list was configured we might understand it better.
If you assume that it is a typical access list configured to filter data traffic on an interface then it makes little sense, especially with the destination address being 255.255.252.0.
However, if this access list were configured and used as part of a distribute list in the configuration of BGP then it would make a lot more sense. In BGP, this access list used in a distribute list would permit BGP to accept or to advertise (depending on whether it was inbound or outbound) network yy.xx.224.0 with a /22 mask.
While we usually think of distribute list using a standard access list (as it does in RIP or EIGRP - or even OSPF) in BGP you can use an extended access list where you may want to specify both the network and the network mask.
[note] I see in the response posted just as I was writing my response that this is used for BGP. In this case the access list is valid as written.
HTH
Rick
06-09-2008 08:05 AM
Hi Rick,
Thanks for the reply.....So do you mean, the below command
access-list zzz permit ip host xx.yy.224.0 host 255.255.252.0
when associated to a route-map which is then called in BGP inbound, then it means to match xx.yy.224.0/22?
Thanks
Regards
Anantha Subramanian Natarajan
06-09-2008 08:14 AM
Anantha
Yes it will match on both the network prefix value (xx.yy.224.0) and on the mask (/22).
If you change the access list to access-list zzz permit ip yy.xx.224.0 0.0.3.255 any then you will seriously change the function of the access list. And if the previous version of the access list was working then the new version of the access list will break some part of your BGP implementation.
HTH
Rick
06-09-2008 08:20 AM
Hi Rick,
Good explanation. Thanks. Then the thing which I couldn't understand is how the existing ACL works.
I am thinking the existing ACL will match packets from specific source xx.yy.224.0/32 coming from specific host 255.255.252.0/32. Is that right? Sorry to take your time on this, but I am missing some basics on it.
Thanks
Regards
Anantha Subramanian Natarajan
06-09-2008 08:22 AM
Hi Rick,
Just a correction on the above understanding: instead of "from", use "to", i.e. to host 255.255.252.0/32.
Regards
Anantha Subramanian Natarajan
06-09-2008 08:24 AM
Anantha
No, that is not right. We typically think of an extended access list as specifying source-address, source-mask, destination-address, destination-mask. But the definition of the parameters is quite different when an extended access list is used for BGP. In this usage the parameters have this meaning: (network-prefix, #-significant-bits, prefix-mask, #-significant-bits).
So it works very differently in BGP than it does in normal access list usage.
HTH
Rick
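The route-filter reading Rick describes above, modelled in Python as an added example (not part of the thread and not Cisco code): the first address/wildcard pair is compared with a route's network address and the second pair with its netmask. The 10.20.224.0 address is a constructed stand-in for the masked yy.xx.224.0, and the function names are hypothetical.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any': every bit is "don't care"

def parse_entry(line):
    """Parse 'access-list <id> permit|deny ip <src> <dst>' into
    (action, (addr, wildcard), (addr, wildcard)) with integer fields."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    if tok[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action: {tok[2]!r}")
    rest, fields = tok[4:], []
    while rest:
        if rest[0] == "any":
            pair, rest = ANY, rest[1:]
        elif rest[0] == "host":          # 'host A' is A with wildcard 0.0.0.0
            pair, rest = (rest[1], "0.0.0.0"), rest[2:]
        else:                            # explicit 'A W' address + wildcard
            pair, rest = (rest[0], rest[1]), rest[2:]
        fields.append(tuple(int(ipaddress.IPv4Address(x)) for x in pair))
    if len(fields) != 2:
        raise ValueError(f"expected two address fields: {line!r}")
    return tok[2], fields[0], fields[1]

def wild_match(value, base, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (base & care)

def route_permitted(acl_lines, prefix):
    """Evaluate the ACL as a BGP route filter: field 1 is matched against
    the network address, field 2 against the netmask. First match wins."""
    net = ipaddress.ip_network(prefix)
    for line in acl_lines:
        action, src, dst = parse_entry(line)
        if (wild_match(int(net.network_address), *src)
                and wild_match(int(net.netmask), *dst)):
            return action == "permit"
    return False  # implicit deny at the end of every access list

# Constructed samples: the existing entry and the proposed replacement.
EXISTING = ["access-list zzz permit ip host 10.20.224.0 host 255.255.252.0"]
PROPOSED = ["access-list zzz permit ip 10.20.224.0 0.0.3.255 any"]

if __name__ == "__main__":
    for p in ("10.20.224.0/22", "10.20.225.0/24", "10.20.226.128/25"):
        print(p, route_permitted(EXISTING, p), route_permitted(PROPOSED, p))
```

Under this model the existing entry accepts only the exact /22, while the proposed rewrite also accepts every more-specific prefix inside that range, which is the change in function Rick warns about.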
06-09-2008 08:42 AM
Hi Rick,
That's awesome. Can you please refer me to some link which explains that?
Once again ,thank you very much
Regards
Anantha Subramanian Natarajan
06-09-2008 09:16 AM
Anantha
This tech note has a discussion of using extended access lists in the distribute list for BGP:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801310cb.shtml#acclists
HTH
Rick
06-09-2008 10:17 AM
Hi Rick,
Thank you very much
Regards
Anantha Subramanian Natarajan