Access-list problem in BGP

Jan 31st, 2010


The following access list is used in BGP route filtering with the "distribute-list Name_Of_Access_List out" command:

ip access-list ex filter

deny ip host host ( /28 subnet )

deny ip host host  ( / 24 subnet )

permit ip any any

I didn't understand exactly how these lists are filtering the routes (if they are) or whether there is a configuration error.

In my opinion the source subnet can be matched by the following access-list:

ip access-list ex filter

deny ip any ( / 28 subnet )

deny ip any ( /24 subnet )

permit ip any any

Please share the experience.



milan.kulik Sun, 01/31/2010 - 13:33


IMHO, your first ACL will deny and exact match, i.e. 2 prefixes only.

While the second ACL will deny and plus all longer prefixes (,, e.g.).

That's why prefix-list syntax is more intuitive and recommended.


and compare with



Richard Burts Sun, 01/31/2010 - 14:42


You wonder whether the original access lists are filtering the routes or whether there is some config error. This is because this use of an extended access list to filter routes in BGP works differently than what we normally expect in an access list. Almost all of us started with extended access lists thinking of them as source address, source mask, destination address, destination mask. But that is not how the access list works when used with BGP. In the case with BGP the first pair is describing the network ID and mask (which bits in the network are significant) while the second pair describes the mask of the network (how many bits are significant).

In the original access list it specified:

deny ip host host ( /28 subnet )

this denies a /28 and also a /29 or a /30. Your proposed alternative would not achieve the same results.

As Milan points out the use of extended access list in distribute list is the older way to filter routes in BGP and the newer and better way to filter is to use prefix lists.



milan.kulik Mon, 02/01/2010 - 00:57

Hi Rick,

are you sure

deny ip host host ( /28 subnet )

this denies a /28 and also a /29 or a /30?

IMHO, this is the same syntax as the first line in CCO example A in "neighbor distribute-list" section of

which says

"The following extended access list example will permit route but deny any more specific routes of (including

access-list 101 permit ip

access-list 101 deny ip "

So it denies only /28, doesn't it?

I was wrong in my previous answer, the second ACL would not permit /28 plus all longer prefixes.

That effect would be achieved by using a standard ACL though (standard ACL entries take no "ip" keyword and end with "permit any"):

access-list 99 deny ( /28 and longer )

access-list 99 deny ( /24 subnet and longer )

access-list 99 permit any


marikakis Mon, 02/01/2010 - 01:30

Hi Milan,

I think the reason prefix-lists came into existence is exactly the confusion caused by the ACL syntax. I personally have to look this up every time I come across it. If I am not mistaken:

1. Standard ACL checks the network address only and cannot check the length of the mask. So, it also permits longer prefixes.

2. Extended ACL can be used to specify an exact match on a prefix length using the host/ syntax for the network mask portion of the ACE.

3. Extended ACL can match more prefixes if the mask portion is relaxed (e.g., but this is more confusing, isn't it? (Edit: the ACL you posted uses this trick to deny only longer prefixes because the intended network has already been permitted)

Kind Regards,


milan.kulik Mon, 02/01/2010 - 02:15

Hi Maria,

I agree totally!

But I met an ACL:

access-list 18 deny

... lines omitted...

access-list 18 permit

Does the first line deny (B-class default subnet mask) only?

Or also longer prefixes? And the second line is a mistake permitting what the first line denied?

Generally, I don't like the Cisco wildcard concept, why didn't they simply say: "We admit non-contiguous subnet masks within ACLs."?

The effect would be the same and much less confusing.



marikakis Mon, 02/01/2010 - 02:40

Hi Milan,

There exist variations based on the mask of the network portion (not the mask of the mask ). I think the additional thing that comes into play is networks that begin with 172.22.x.x, but the x.x is not a zero, and this independently of the actual mask. Does this make sense?

Kind Regards,


p.s. Great discussion. Only problem is that if you ask me the same tomorrow, I won't remember anything and will have to think all over again!

milan.kulik Mon, 02/01/2010 - 04:41

Hi Maria,

yes, you are correct, there's a difference between and 172.22.x.x where x.x is not a zero.

It's explained by the fact

access-list 99 deny
is the same as access-list 99 deny host

or access-list 99 deny

I.e., the network part has to include and the subnet mask length is ignored.



marikakis Mon, 02/01/2010 - 03:04

Let's make it more confusing, shall we? Is the second ACL posted by the author equivalent to a 'deny ip any any'?

Edit: Here is a document I think has a good explanation of those things:

I think the answer to my previous question is no, but did you think about it for a while? I think the problem with all this is the numerous masks.

milan.kulik Mon, 02/01/2010 - 04:21

Hi Maria,

deny ip any = deny ip

deny ip any = deny ip

So according to the link you provided it would deny

10.10.1.x where x=0-15

10.10.2.x where x=0-255

with any subnet mask length.

And the last line

permit ip any any

would permit anything else.



marikakis Mon, 02/01/2010 - 05:46

Hi Milan,

When you said 'with any subnet mask length', what did you mean? That's what I was getting at. I guess only equal or longer prefixes of the corresponding network, and not shorter. If you think of the ACE as a normal ACE, this is obvious, but if you put the subnet and its own mask into the mix, it can look a bit weird. I think some combinations with lots of don't-care bits in the mask portion come down to the same thing, depending on the network portion (which sets the 'base', to use Giuseppe's words).

Kind Regards,


milan.kulik Mon, 02/01/2010 - 06:37

Hi Maria,

you mean something like, e.g.?

No, it would not match as it would be sent as in fact in the routing update.

Giuseppe's term "base address mask" is a little misleading for me.

What's the base address mask in

deny ip ?

IMHO, we have to look at the prefix/length pair twice:

1) does the prefix match the ACE source part?

2) does the length match the destination part?

And that's all.

And we all agree the prefix-list syntax is much more comfortable :-)



marikakis Mon, 02/01/2010 - 07:55

Hi Milan,

You won't get me into terminology discussion! 'Base' terminology reminds me of hardware talk (base address + offset) about memories and helps me. I think the base address would be and the base address mask would be (if you look at it as a normal mask and not inverted). Then you look at the prefix length as you said, but you have to stay above the 'base'! Whatever helps anyone to remember all this is fine with me.

LOL! I think we convinced the author to use prefix-lists!

Kind Regards,


Reza Sharifi Sun, 01/31/2010 - 14:31


Milan is right. A prefix list is so much easier and more common to use with BGP. In addition you can actually use, for example, /24 at the CLI

instead of



Giuseppe Larosa Mon, 02/01/2010 - 04:40

Hello Subodth, Maria, Milan etc.

as Rick has explained, the use of extended IP ACLs with BGP is very peculiar and it is not so widely documented.

We had some headaches the first few times we saw them in a production router some years ago.

The trick is to look at the lines in the following way:

source part = base address and base address mask; the host keyword = this specific base address

destination part = mask; with the host keyword it means this specific mask only, without the host keyword a range of subnet masks could be referred to

so the ACL may be used to emulate an IP Prefix-list in some aspects.

I think it was introduced before the introduction of IP Prefix lists.

I would suggest to use IP prefix-lists that are easier to be understood and that have been introduced specifically for route filtering.

Hope to help


bapatsubodh Mon, 02/01/2010 - 08:00


Thanks guys for so much interest shown in solving my difficulty.

I did configure similar routers in GNS3, and it worked.

Here is how I am trying to remember the logic, particularly for BGP route filtering.

on router 1

show ip bgp / 30 ( /  29   (

If I want to block ONLY /30 from appearing in bgp routes

Here is my logic it may be terribly wrong !!

exact prefix is : how do we match these exactly :

in binary it is

0000 1010 . 0000 1010 . 0000 0001 . 0000 0000  to match exactly this bit pattern we need a mask of all zeros: 00000000.00000000.00000000.00000000

similarly, if we need to match a /30 mask, the pattern we need in binary is

1111 1111 . 1111 1111 . 1111 1111 . 1111 1100  to match this we need all zeros: 00000000.00000000.00000000.00000000

( the syntax logic for source address and destination address is still not clear to me --> how it applies to this BGP filtering case )

so to exactly match :

we had

access-list 101 permit ip or in other words

access-list 101 permit ip host host

Prefix list :   /   30 --> is source subnet which you need to match exactly ( )

/30 --> Target or destination subnet : match exactly : )

For the time being it is clear to me but quite possible I will forget it and even may  trigger another good thread.

I need to read about prefix-lists for a while until I digest all the replies in this thread!!

Thanks all you friends for all your help.


milan.kulik Mon, 02/01/2010 - 08:14

Hi Subodh,

to the syntax logic:

Simply forget source address and destination address in a case of distribution list.

The extended ACL is using prefix part and length (mask) part in this case.

It's just a different usage of  extended ACLs.

And believe us, the prefix-list syntax is much more friendly once you start using it :-)
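The following Python is an added example, not part of the thread and not Cisco code. It models the three filter types the posts compare, with the semantics Rick, Giuseppe and Milan describe: an extended ACE read as (network, network wildcard) plus (subnet mask, mask wildcard), a standard ACE that looks at the network address only, and an ip prefix-list entry with ge/le. The networks 10.10.1.0/28 and 10.10.2.0/24 are the ones Milan's later post names; the wildcards, the "host" expansion and the sample routes are assumed, because the thread's own ACL lines lost their addresses.

```python
# Added example, not from the thread: a small model of how IOS applies an
# extended ACE, a standard ACE and an ip prefix-list entry to a BGP route
# under "distribute-list ... out". The networks 10.10.1.0/28 and 10.10.2.0/24
# are the ones Milan's later post names; the wildcards and the sample routes
# are assumed, because the thread's own ACL lines lost their addresses.
import ipaddress


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def _mask_of(length):
    """Subnet mask of a prefix length as an int (28 -> 255.255.255.240)."""
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def _wild(value, pattern, wildcard):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    return (value & ~wildcard & 0xFFFFFFFF) == (pattern & ~wildcard & 0xFFFFFFFF)


def extended(net, net_wild, mask, mask_wild):
    """'permit|deny ip NET NET_WILD MASK MASK_WILD' in its distribute-list meaning:
    the first pair is tested against the route's network address, the second
    pair against the route's subnet mask. 'host X' is X 0.0.0.0 and 'any' is
    0.0.0.0 255.255.255.255; source/destination do not come into it."""
    def match(route):
        r = ipaddress.IPv4Network(route, strict=False)
        return (_wild(int(r.network_address), _addr(net), _addr(net_wild))
                and _wild(_mask_of(r.prefixlen), _addr(mask), _addr(mask_wild)))
    return match


def standard(net, wild):
    """Standard ACE 'permit|deny NET WILD': network address only, length ignored."""
    def match(route):
        r = ipaddress.IPv4Network(route, strict=False)
        return _wild(int(r.network_address), _addr(net), _addr(wild))
    return match


def prefix_list(prefix, ge=None, le=None):
    """'ip prefix-list ... permit|deny PREFIX [ge N] [le M]': the route must lie
    inside PREFIX and its length within [ge, le]; with neither keyword the entry
    is an exact match, and 'ge' alone runs up to /32."""
    p = ipaddress.IPv4Network(prefix)
    lo = p.prefixlen if ge is None else ge
    hi = (32 if ge is not None else p.prefixlen) if le is None else le

    def match(route):
        r = ipaddress.IPv4Network(route, strict=False)
        return r.subnet_of(p) and lo <= r.prefixlen <= hi
    return match


HOST = "0.0.0.0"                       # wildcard the 'host' keyword writes
ANY = ("0.0.0.0", "255.255.255.255")   # what 'any' expands to


def permitted(route, acl):
    """First matching entry decides; the implicit deny at the end drops the rest."""
    for action, match in acl:
        if match(route):
            return action == "permit"
    return False


# The poster's list: deny ip host 10.10.1.0 host 255.255.255.240, etc.
ORIGINAL_ACL = [
    ("deny", extended("10.10.1.0", HOST, "255.255.255.240", HOST)),
    ("deny", extended("10.10.2.0", HOST, "255.255.255.0", HOST)),
    ("permit", extended(*ANY, *ANY)),
]
# The proposed alternative: deny ip 10.10.1.0 0.0.0.15 any, etc.
PROPOSED_ACL = [
    ("deny", extended("10.10.1.0", "0.0.0.15", *ANY)),
    ("deny", extended("10.10.2.0", "0.0.0.255", *ANY)),
    ("permit", extended(*ANY, *ANY)),
]
# The same networks as a standard ACL, and as the prefix-list most people write.
STANDARD_ACL = [
    ("deny", standard("10.10.1.0", "0.0.0.15")),
    ("deny", standard("10.10.2.0", "0.0.0.255")),
    ("permit", standard(*ANY)),
]
PREFIX_LIST = [
    ("deny", prefix_list("10.10.1.0/28", le=32)),
    ("deny", prefix_list("10.10.2.0/24", le=32)),
    ("permit", prefix_list("0.0.0.0/0", le=32)),
]

# Constructed sample routes as they would appear in the BGP table.
ROUTES = ["10.10.1.0/28", "10.10.1.0/30", "10.10.1.0/26", "10.10.0.0/16", "10.10.2.128/25"]

if __name__ == "__main__":
    for route in ROUTES:
        print(route, [permitted(route, acl)
                      for acl in (ORIGINAL_ACL, PROPOSED_ACL, STANDARD_ACL, PREFIX_LIST)])
```

Running it bears out Milan's reading rather than the first reply's: ORIGINAL_ACL drops only 10.10.1.0/28 and 10.10.2.0/24 themselves and lets 10.10.1.0/30 through. PROPOSED_ACL and STANDARD_ACL behave identically, since "any" in the mask position is the same as not testing the length at all, and both also drop 10.10.1.0/26, whose network address is still 10.10.1.0, while leaving 10.10.0.0/16 alone. The prefix-list written with "le 32" keeps the /26, so it is the filter most people intend but not a literal translation of the standard ACL; an "ip prefix-list" entry with no ge/le is the equivalent of the "host ... host ..." exact match.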



