03-23-2005 08:00 AM - edited 03-02-2019 10:14 PM
I am trying to get additional details on BGP and/or OSPF DISTRIBUTE-LIST ROUTE FILTERING using the SPECIAL EXTENDED ACCESS-LIST. Yes I am aware that route filtering can be accomplished using prefix-list but I've heard the CCIE LAB may require the access-list version. I have checked my 35 different CCNA, CCNP, CCIE, CCIE LAB PREP, OSPF, BGP, ETC ETC books and none of these books give much more than a BRIEF mention of the extended access-list usage. I have also checked numerous web sites but keep coming up empty.
If necessary, I would be willing to pay via paypal to get useful detailed information. Sorry, I know this is not the cert forum but not much action in that forum.
SAMPLE
I would like to permit/deny the following nets
1.2.0.0 /16
1.2.0.0 /17
1.2.0.0 /18
1.2.0.0 /19
1.2.64.0 /20
1.2.32.0 /21
and deny/permit everything else
(or something similar to the above example)
[The above is just for demonstration purposes for this question]
Router bgp 64512
Neighbor 1.2.3.4 remote-as 65666
Neighbor 1.2.3.4 distribute-list 101 out
access-list 101 permit ip 1.2.0.0 0.0.240.0 255.255.240.0 0.0.8.0
Thanks in advance
Frank
03-23-2005 08:23 AM
The usage of extended access lists in distribute lists is subtle and can be confusing. The big challenge is that we must think about the parts of the access list very differently. Usually when we think about extended access lists we think source-address, source-mask, destination-address, destination-mask. However when the extended access list is to be used as a route filter in a distribute list we must think of it as route (prefix), route-mask (how many bits of the route are significant), length (how long a prefix should be considered a match), and length-mask (how many bits of the length are significant).
I believe that the best way to understand this is to get into a lab or test situation. Have a router learn the routes from something, and have the router advertise those routes to something. And then start experimenting with the access list and distribute list and see what the effect is.
If you do this experiment it will not only teach you about extended access lists as route filters, it will help you understand that prefix lists are a much more effective way to filter when you care about prefix length as well as prefix value.
HTH
Rick
03-23-2005 10:27 AM
Hi,
You may consider to read the document at:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801310cb.shtml
Best regards,
Antonin
05-02-2016 08:01 AM
Permit an IP address and specify which bits may vary as a starting point
permit ip 192.168.0.0 0.0.255.255
This will allow IPs (routes /16 to /32) from 192.168.0.0 to 192.168.255.255 through to Step 2.
permit ip 192.168.0.0 0.0.255.255 255.255.0.0
permit ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
I have a line in my config and I wish to achieve the same condition using extended ACL.
ip prefix-list cisco seq 10 permit 0.0.0.0/0 le 19
It will look like this
access-list 100 permit ip 0.0.0.0 255.255.255.255 255.255.224.0 0.0.0.0
ip prefix-list cisco seq 10 permit 192.168.0.0/22 le 28 ge 30
Calculation:
Part 1: 192.168.0.0 0.0.9.255 => 192.168.0.0 /22
Part 2a (ge): 255.255.255.240 => /28
Part 2b (le): 255.255.255.255 - (/30) 255.255.255.252 = 0.0.0.3 => /30
Result:
access-list 100 permit ip 192.168.0.0 0.0.9.255 255.255.255.240 0.0.0.3
ip prefix-list cisco seq 10 permit 10.250.0.0/16 le 24 ge 17
Calculation:
Part 1: 10.250.0.0 0.0.255.255 => 10.250.0.0 /16
Part 2a (ge): 255.255.128.0 => /17
Part 2b (le): 255.255.255.255 - (/24) 255.255.255.0= 0.0.0.255 => /24
Result:
access-list 100 permit ip 10.250.0.0 0.0.255.255 255.255.128.0 0.0.0.255
Regards,
Robert Zalavary
07-23-2017 12:31 PM
Robert, the first example (example #0) of "how to use an extended-acl" to do what a prefix-list *construct* means is *correct*.
Examples 1, 2, 3 are wrong.
In example#3 your prefix-list is:
ip prefix-list cisco seq 10 permit 10.250.0.0/16 le 24 ge 17
The correct representation using extended-acl:
10.250.0.0 0.0.255.0 255.255.128.0 0.0.127.0 permits /17 thru /24
Your extended-acl allows everything from a /17 thru /32 for any /17 from 10.250.0.0
Example#2
ip prefix-list cisco seq 10 permit 192.168.0.0/22 le 28 ge 30
In this case you have to explicitly deny all /29s of base /22 and permit rest
deny 192.168.0.0 0.0.3.248 255.255.255.248 0.0.0.0
permit 192.168.0.0 0.0.3.255 255.255.252.0 0.0.3.255
or
permit 192.168.0.0 0.0.3.240 255.255.252.0 0.0.3.240 - permits /22 thru /28
permit 192.168.0.0 0.0.3.255 255.255.255.252 0.0.0.3 - permits /30 thru /32
Example#1
ip prefix-list cisco seq 10 permit 0.0.0.0/0 le 19
Corresponding extended-acl syntax:
0.0.0.0 255.255.255.255 128.0.0.0 127.255.224.0
-this representation allows /1 thru /19
an interesting-twist: 0.0.0.0 255.255.255.255 0.0.0.0 255.255.224.0 This would allow a default + /1 thru /19
Your extended-acl is an exact-match of all /19s only - 0.0.0.0/19 or 0.0.0.0/0 eq 19
le 19 in a prefix-list is /1 thru /19
Even after all these years, people still don't understand wildcard-masks.
Stick to prefix-lists. Don't implement extended-ACL equivalents quite simply because you will probably get it wrong.
08-31-2020 04:42 AM
Hi!
So..
permit ip 1.2.0.0 0.0.0.0 255.255.0.0 0.0.0.0
permit ip 1.2.0.0 0.0.0.0 255.255.128.0 0.0.0.0
permit ip 1.2.0.0 0.0.0.0 255.255.192.0 0.0.0.0
permit ip 1.2.0.0 0.0.0.0 255.255.224.0 0.0.0.0
permit ip 1.2.64.0 0.0.0.0 255.255.240.0 0.0.0.0
permit ip 1.2.32.0 0.0.0.0 255.255.248.0 0.0.0.0
access-list 101 permit ip 1.2.0.0 0.0.240.0 255.255.240.0 0.0.8.0
1.2.0.0/20 - 255.254.7.0/20
1.2.0.0/20 - 255.254.15.0/21
Correct me please, if I am wrong somewhere.
Are we just talking about BGP here? What does this look like in the case of IGP?
I came across options where the first (first two) attribute is the advertising router (probably its ID), the second is the advertised prefix, and when the source fields of the ACL are used to identify the network, the destination fields identify the smallest prefix length allowed in the network range. In the second variant, this is probably always a range of up to /32.
10-12-2020 07:51 AM
Extended ACL is used to filter route and source of this route,
check my Facebook page
MHM Cisco World
10-14-2020 03:54 PM - edited 10-14-2020 04:15 PM
Hello
Sometimes access-lists are not as powerful as prefix-lists to filter routes, and in your example I would suggest using a PL to obtain better control of the filtering.
Example:
ip prefix-list PL permit 1.2.0.0/8 ge 15 le 20
ip prefix-list PL permit 1.2.32.0/17 ge 19 le 22
< these will filter any class A prefix beginning with 1.2.0.0 but with host bits greater than 15 and less than a value of 22, which should incorporate your prefix listing:
router bgp xx
neighbor x.x.x. prefix-list PL IN/OUT
or
route-map PL_rm
match ip address prefix-list PL
router bgp xx
neighbor x.x.x. route-map PL_rm IN/OUT
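The filter semantics Rick describes (route, route-mask, length, length-mask), the six exact-match lines from the 2020 reply, Robert's example #3 together with the 2017 correction, and the prefix-list PL from the last post, evaluated side by side in a small Python model. This is an added example written for this thread, not code from any of the posters or from Cisco. It assumes the plain "source pair = network address, destination pair = subnet mask" reading of an extended ACL used in a distribute list (the OSPF advertising-router variant mentioned in the 2020 post is not modelled), and the decoy routes are constructed for the comparison.

```python
# Added example (not from the thread): models an extended ACL used as a
# distribute-list route filter next to a prefix-list with ge/le bounds, so the
# decisions of the filters quoted in this thread can be compared on real routes.
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

AclLine = Tuple[str, str, str, str, str]                  # action, route, route-wc, length, length-wc
PlEntry = Tuple[str, str, Optional[int], Optional[int]]   # action, base/len, ge, le


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def acl_line_matches(line: AclLine, route: IPv4Network) -> bool:
    """One extended ACL line against one route: the 'source' pair is compared
    with the route's network address, the 'destination' pair with the route's
    subnet mask. A wildcard bit of 1 means 'don't care', so an all-zero
    wildcard demands an exact match."""
    _, prefix, prefix_wc, length, length_wc = line
    care_prefix = ~_ip(prefix_wc) & 0xFFFFFFFF
    care_length = ~_ip(length_wc) & 0xFFFFFFFF
    net_ok = (int(route.network_address) & care_prefix) == (_ip(prefix) & care_prefix)
    len_ok = (int(route.netmask) & care_length) == (_ip(length) & care_length)
    return net_ok and len_ok


def acl_permits(acl: List[AclLine], route: IPv4Network) -> bool:
    """First matching line decides; implicit deny when nothing matches."""
    for line in acl:
        if acl_line_matches(line, route):
            return line[0] == "permit"
    return False


def prefix_list_permits(plist: List[PlEntry], route: IPv4Network) -> bool:
    """IOS ge/le semantics: no bounds = exact length, ge alone runs to /32,
    le alone starts at the entry's own length."""
    for action, base, ge, le in plist:
        base_net = IPv4Network(base, strict=False)   # IOS stores 1.2.0.0/8 as 1.0.0.0/8
        lo = base_net.prefixlen if ge is None else ge
        hi = (32 if ge is not None else base_net.prefixlen) if le is None else le
        inside = (route.prefixlen >= base_net.prefixlen and
                  int(route.network_address) & int(base_net.netmask) == int(base_net.network_address))
        if inside and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False


def permitted_by_acl(acl: List[AclLine], routes: List[str]) -> List[str]:
    return [r for r in routes if acl_permits(acl, IPv4Network(r))]


def permitted_by_plist(plist: List[PlEntry], routes: List[str]) -> List[str]:
    return [r for r in routes if prefix_list_permits(plist, IPv4Network(r))]


def differing_routes(acl: List[AclLine], plist: List[PlEntry], base: str, max_len: int) -> List[str]:
    """Every prefix inside `base`, up to /max_len, on which the two filters disagree."""
    base_net = IPv4Network(base)
    out = []
    for length in range(base_net.prefixlen, max_len + 1):
        subs = [base_net] if length == base_net.prefixlen else base_net.subnets(new_prefix=length)
        for sub in subs:
            if acl_permits(acl, sub) != prefix_list_permits(plist, sub):
                out.append(str(sub))
    return out


# --- filters quoted in the thread ------------------------------------------
OP_ACL = [("permit", "1.2.0.0", "0.0.240.0", "255.255.240.0", "0.0.8.0")]   # Frank's access-list 101
EXACT_ACL = [                                                              # six lines from the 2020 reply
    ("permit", "1.2.0.0", "0.0.0.0", "255.255.0.0", "0.0.0.0"),
    ("permit", "1.2.0.0", "0.0.0.0", "255.255.128.0", "0.0.0.0"),
    ("permit", "1.2.0.0", "0.0.0.0", "255.255.192.0", "0.0.0.0"),
    ("permit", "1.2.0.0", "0.0.0.0", "255.255.224.0", "0.0.0.0"),
    ("permit", "1.2.64.0", "0.0.0.0", "255.255.240.0", "0.0.0.0"),
    ("permit", "1.2.32.0", "0.0.0.0", "255.255.248.0", "0.0.0.0"),
]
PL_FINAL = [("permit", "1.2.0.0/8", 15, 20), ("permit", "1.2.32.0/17", 19, 22)]  # PL from the last post
ROBERT3_ACL = [("permit", "10.250.0.0", "0.0.255.255", "255.255.128.0", "0.0.0.255")]  # example #3 as posted
FIXED3_ACL = [("permit", "10.250.0.0", "0.0.255.0", "255.255.128.0", "0.0.127.0")]     # 2017 correction
PL3 = [("permit", "10.250.0.0/16", 17, 24)]                                             # prefix-list both target

WANTED = ["1.2.0.0/16", "1.2.0.0/17", "1.2.0.0/18", "1.2.0.0/19", "1.2.64.0/20", "1.2.32.0/21"]
DECOYS = ["1.2.16.0/20", "1.2.0.0/20", "1.3.0.0/16", "1.2.32.0/22", "1.2.0.0/21"]  # constructed, not in Frank's list

if __name__ == "__main__":
    for name, flt, fn in (("access-list 101", OP_ACL, permitted_by_acl),
                          ("six exact lines", EXACT_ACL, permitted_by_acl),
                          ("prefix-list PL", PL_FINAL, permitted_by_plist)):
        print(f"{name:16} permits wanted {fn(flt, WANTED)} and decoys {fn(flt, DECOYS)}")
    print("example #3 as posted vs prefix-list: disagree on",
          len(differing_routes(ROBERT3_ACL, PL3, "10.250.0.0/16", 24)), "routes up to /24")
    print("corrected example #3 vs prefix-list: disagree on",
          len(differing_routes(FIXED3_ACL, PL3, "10.250.0.0/16", 24)), "routes up to /24")
```

Run as a script it shows that the single access-list 101 line permits only the /20 and /21 entries of Frank's list (plus other /20 and /21 routes whose third octet is a multiple of 16), that the six exact-match lines permit precisely the six routes asked for, and that the prefix-list PL permits all six but also every decoy, since its ranges are wider than the list. For example #3 the exhaustive check over 10.250.0.0/16 finds no route on which the corrected ACL and the prefix-list disagree, while the ACL as originally posted pins the third octet of the mask at 128 and so matches only /17 routes.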