Route Filtering with Extended Access-list

fsebera
Level 4

I am trying to get additional details on BGP and/or OSPF DISTRIBUTE-LIST ROUTE FILTERING using the SPECIAL EXTENDED ACCESS-LIST. Yes, I am aware that route filtering can be accomplished using a prefix-list, but I've heard the CCIE LAB may require the access-list version. I have checked my 35 different CCNA, CCNP, CCIE, CCIE LAB PREP, OSPF, BGP, ETC ETC books and none of these books give much more than a BRIEF mention of the extended access-list usage. I have also checked numerous web sites but keep coming up empty.

If necessary, I would be willing to pay via paypal to get useful detailed information. Sorry, I know this is not the cert forum but not much action in that forum.

SAMPLE

I would like to permit/deny the following nets

1.2.0.0 /16

1.2.0.0 /17

1.2.0.0 /18

1.2.0.0 /19

1.2.64.0 /20

1.2.32.0 /21

and deny/permit everything else

(or something similar to the above example)

[The above is just for demonstration purposes for this question]

Router bgp 64512

Neighbor 1.2.3.4 remote-as 65666

Neighbor 1.2.3.4 distribute-list 101 out

access-list 101 permit ip 1.2.0.0 0.0.240.0 255.255.240.0 0.0.8.0

Thanks in advance

Frank

7 Replies

Richard Burts
Hall of Fame

The usage of extended access lists in distribute lists is subtle and can be confusing. The big challenge is that we must think about the parts of the access list very differently. Usually when we think about extended access lists we think source-address, source-mask, destination-address, destination-mask. However when the extended access list is to be used as a route filter in a distribute list we must think of it as route (prefix), route-mask (how many bits of the route are significant), length (how long a prefix should be considered a match), and length-mask (how many bits of the length are significant).

I believe that the best way to understand this is to get into a lab or test situation. Have a router learn the routes from something, and have the router advertise those routes to something. And then start experimenting with the access list and distribute list and see what the effect is.

If you do this experiment it will not only teach you about extended access lists as route filters, it will also help you understand that prefix lists are a much more effective way to filter when you care about prefix length as well as prefix value.

HTH

Rick


amikat
Level 7

Hi,

You may consider to read the document at:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801310cb.shtml

Best regards,

Antonin

Robert Zalavary
Level 1
If anyone is still interested so many years later, here is the key to calculating the prefix ranges you want to filter with.

Step 1: Permit an IP address and specify which bits may vary as a starting point

permit ip 192.168.0.0 0.0.255.255

This will allow IPs (routes /16 to /32) from 192.168.0.0 to 192.168.255.255 through to Step 2.

Step 2: Specify the maximum size of the network you are interested in, let's say it is /16

permit ip 192.168.0.0 0.0.255.255 255.255.0.0

Step 3: Then specify the minimum size of the network you want your maximum-size network range to go down to. Let's say we want prefixes greater than or equal to 16 and less than or equal to 32.

permit ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255

Now, let's see another example.

I have a line in my config and I wish to achieve the same condition using extended ACL.

ip prefix-list cisco seq 10 permit 0.0.0.0/0 le 19

It will look like this

access-list 100 permit ip 0.0.0.0 255.255.255.255 255.255.224.0 0.0.0.0

Another example

ip prefix-list cisco seq 10 permit 192.168.0.0/22 le 28 ge 30

Calculation:

Part 1: 192.168.0.0 0.0.9.255 => 192.168.0.0 /22
Part 2a (ge): 255.255.255.240 => /28
Part 2b (le): 255.255.255.255 - (/30) 255.255.255.252 = 0.0.0.3 => /30

Result:

access-list 100 permit ip 192.168.0.0 0.0.9.255 255.255.255.240 0.0.0.3

Example 3

ip prefix-list cisco seq 10 permit 10.250.0.0/16 le 24 ge 17

Calculation:

Part 1: 10.250.0.0 0.0.255.255 => 10.250.0.0 /16
Part 2a (ge): 255.255.128.0 => /17
Part 2b (le): 255.255.255.255 - (/24) 255.255.255.0= 0.0.0.255 => /24

Result:

access-list 100 permit ip 10.250.0.0 0.0.255.255 255.255.128.0 0.0.0.255

Regards,

Robert Zalavary

Robert, the first example (example #0) of "how to use an extended-acl" to do what a prefix-list *construct* means is *correct*.

Examples 1, 2, 3 are wrong.

In example#3 your prefix-list is:

ip prefix-list cisco seq 10 permit 10.250.0.0/16 le 24 ge 17

The correct representation using extended-acl:

10.250.0.0 0.0.255.0 255.255.128.0 0.0.127.0 permits /17 thru /24

Your extended-acl allows everything from a /17 thru /32 for any /17 from 10.250.0.0

Example#2

ip prefix-list cisco seq 10 permit 192.168.0.0/22 le 28 ge 30

In this case you have to explicitly deny all /29s of base /22 and permit the rest

deny 192.168.0.0 0.0.3.248 255.255.255.248 0.0.0.0

permit 192.168.0.0 0.0.3.255 255.255.252.0 0.0.3.255

or

permit 192.168.0.0 0.0.3.240 255.255.252.0 0.0.3.240 - permits /22 thru /28

permit 192.168.0.0 0.0.3.255 255.255.255.252 0.0.0.3 - permits /30 thru /32

Example#1

ip prefix-list cisco seq 10 permit 0.0.0.0/0 le 19

Corresponding extended-acl syntax:

0.0.0.0 255.255.255.255 128.0.0.0 127.255.224.0

-this representation allows /1 thru /19

an interesting-twist: 0.0.0.0 255.255.255.255 0.0.0.0 255.255.224.0 This would allow a default + /1 thru /19

Your extended-acl is an exact-match of all /19s only - 0.0.0.0/19 or 0.0.0.0/0 eq 19

le 19 in a prefix-list is /1 thru /19

Even after all these years, people still don't understand wildcard-masks.

Stick to prefix-lists. Don't implement extended-ACL equivalents quite simply because you will probably get it wrong.
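Rick's four-part reading of the entry (prefix, prefix wildcard, length expressed as a mask, mask wildcard) and the prefix-list conversions argued over in the two replies above can be checked mechanically instead of by eye. The following is an added example, not code from this thread or from Cisco: a small Python matcher that applies that reading to a route's network and mask, plus a brute-force comparison of an access-list against a single prefix-list entry over every aligned prefix in a base block. The function names, the sample routes and the ordering rules (first match wins, implicit deny at the end) are this example's own assumptions; the access-list lines it is fed are the ones posted in the thread.

```python
"""Added example, not code from this thread or from Cisco: an offline matcher
for extended ACLs used as distribute-list route filters.

Assumed semantics (Rick's four-part reading above): for 'permit|deny ip S SW M MW'
the route's network is compared with S under wildcard SW and the route's mask
with M under wildcard MW.  A wildcard bit of 0 means "must match", 1 means
"ignored".  First matching entry wins; an unmatched route hits the implicit deny.
Function names and sample routes are this example's own.
"""
import ipaddress
from typing import Iterator, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def mask_of(plen: int) -> int:
    """Contiguous mask for a prefix length, e.g. 20 -> 255.255.240.0."""
    return (ALL_ONES << (32 - plen)) & ALL_ONES


def acl_entry_matches(entry: str, network: str, plen: int) -> bool:
    """Does one 'permit|deny ip S SW M MW' line match the route network/plen?"""
    _action, _proto, src, src_wc, mask, mask_wc = entry.split()
    care_net = ~to_int(src_wc) & ALL_ONES     # bits the source wildcard makes significant
    care_mask = ~to_int(mask_wc) & ALL_ONES   # bits the mask wildcard makes significant
    net_ok = (to_int(network) & care_net) == (to_int(src) & care_net)
    mask_ok = (mask_of(plen) & care_mask) == (to_int(mask) & care_mask)
    return net_ok and mask_ok


def acl_permits(acl: List[str], network: str, plen: int) -> bool:
    """Evaluate a whole access-list: first match wins, implicit deny at the end."""
    for entry in acl:
        if acl_entry_matches(entry, network, plen):
            return entry.split()[0] == "permit"
    return False


def prefix_list_permits(base: str, ge: Optional[int], le: Optional[int],
                        network: str, plen: int) -> bool:
    """One 'ip prefix-list X permit base [ge A] [le B]' entry.

    No ge/le: exact length only.  ge alone: ge..32.  le alone: base length..le.
    """
    b = ipaddress.ip_network(base, strict=False)
    lo = b.prefixlen if ge is None else ge
    hi = (32 if ge is not None else b.prefixlen) if le is None else le
    in_base = (to_int(network) & mask_of(b.prefixlen)) == int(b.network_address)
    return in_base and lo <= plen <= hi


def candidate_routes(base: str, max_len: int) -> Iterator[Tuple[str, int]]:
    """Every aligned prefix inside base, from base's own length up to max_len."""
    b = ipaddress.ip_network(base, strict=False)
    start, end = int(b.network_address), int(b.broadcast_address) + 1
    for plen in range(b.prefixlen, max_len + 1):
        for addr in range(start, end, 1 << (32 - plen)):
            yield str(ipaddress.IPv4Address(addr)), plen


def disagreements(acl: List[str], base: str, ge: Optional[int], le: Optional[int],
                  max_len: int) -> List[Tuple[str, int]]:
    """Routes inside base (up to max_len) on which the ACL and the prefix-list differ."""
    return [(n, l) for n, l in candidate_routes(base, max_len)
            if acl_permits(acl, n, l) != prefix_list_permits(base, ge, le, n, l)]


if __name__ == "__main__":
    # The original poster's access-list 101 and the six prefixes he wanted to match.
    op_acl = ["permit ip 1.2.0.0 0.0.240.0 255.255.240.0 0.0.8.0"]
    wanted = [("1.2.0.0", 16), ("1.2.0.0", 17), ("1.2.0.0", 18),
              ("1.2.0.0", 19), ("1.2.64.0", 20), ("1.2.32.0", 21)]
    for net, plen in wanted:
        verdict = "permit" if acl_permits(op_acl, net, plen) else "deny"
        print(f"access-list 101 on {net}/{plen}: {verdict}")

    # Example 3 of the thread: the '0.0.255.0 255.255.128.0 0.0.127.0' rewrite
    # checked against 'ip prefix-list cisco permit 10.250.0.0/16 ge 17 le 24'
    # over every aligned prefix of length 16..24.
    rewrite = ["permit ip 10.250.0.0 0.0.255.0 255.255.128.0 0.0.127.0"]
    diff = disagreements(rewrite, "10.250.0.0/16", 17, 24, 24)
    print(f"example 3 rewrite vs prefix-list: {len(diff)} disagreements")
```

Run as-is, it reports that the original poster's access-list 101 passes only 1.2.64.0/20 and 1.2.32.0/21: the mask part `255.255.240.0 0.0.8.0` makes every mask bit significant except the /21 bit, so a /16 through /19 mask can never match, whatever the network part allows. It also reports zero disagreements between the `0.0.255.0 255.255.128.0 0.0.127.0` rewrite of example 3 and `10.250.0.0/16 ge 17 le 24` across all 511 aligned prefixes of lengths 16 to 24. Feeding any other line from the thread to `acl_permits`, or to `disagreements` against the prefix-list it is meant to replace, shows exactly which routes it admits; that is the lab Rick recommends, minus the routers.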

gornication
Level 1

Hi!

So..
permit ip 1.2.0.0 0.0.0.0 255.255.0.0 0.0.0.0
permit ip 1.2.0.0 0.0.0.0 255.255.128.0 0.0.0.0
permit ip 1.2.0.0 0.0.0.0 255.255.192.0 0.0.0.0

permit ip 1.2.0.0 0.0.0.0 255.255.224.0 0.0.0.0

permit ip 1.2.64.0 0.0.0.0 255.255.240.0 0.0.0.0

permit ip 1.2.32.0 0.0.0.0 255.255.248.0 0.0.0.0


access-list 101 permit ip 1.2.0.0 0.0.240.0 255.255.240.0 0.0.8.0
1.2.0.0/20 - 255.254.7.0/20  
1.2.0.0/20 - 255.254.15.0/21    
Correct me please, if I am wrong somewhere.



Are we just talking about BGP here? What does this look like in the case of IGP?
I came across options where the first (first two) attribute is the advertising router (probably its ID), the second is the advertised prefix, and when the source fields of the ACL are used to identify the network, the destination fields identify the smallest prefix length allowed in the network range. In the second variant, this is probably always a range of up to /32.

Extended ACL is used to filter the route and the source of this route;
check my Facebook page 
MHM Cisco World 

Hello
Sometimes access-lists are not as powerful as prefix-lists for filtering routes, and in your example I would suggest using a PL to obtain better control of the filtering.

Example:
ip prefix-list PL permit 1.2.0.0/8 ge 15 le 20
ip prefix-list PL permit 1.2.32.0/17 ge 19 le 22
< these will filter any class A prefix beginning with 1.2.0.0 but with host bits greater than 15 and less than a value of 22, which should incorporate your prefix listing:

router bgp xx
neighbor x.x.x. prefix-list PL IN/OUT


or

route-map PL_rm
match ip address prefix-list PL
router bgp xx
neighbor x.x.x. route-map PL_rm  IN/OUT



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul