bgp and extended access-list

Hi,

I am having difficulty understanding the following.

Please consider the configuration below:

routerA(config)# access-list 1 deny 198.198.198.0 0.0.0.255

routerA(config)# access-list 1 permit any

routerA(config-router)# neighbor 1.1.1.1 remote-as 20

routerA(config-router)# neighbor 1.1.1.1 distribute-list 1 out

------------------------------------------------

The above configuration will cause router A not to send any update about 198.198.198.0 to neighbor 1.1.1.1.

So the network number specified in access-list 1 will be checked against the network being advertised in the update. In case of a match, the specified action (deny or permit) will be carried out.

Please correct me if I am wrong.

Second scenario:

routerA(config)# access-list 102 deny ip 198.198.198.0 0.0.0.255 168.168.168.0 0.0.0.255

routerA(config-router)# neighbor 1.1.1.1 distribute-list 102 out

Now, which network number is being checked against the network number in the update? Is it 198.198.198.0 or 168.168.168.0?

thanks

Accepted Solution

Re: bgp and extended access-list

Hi,

AFAIK the behaviour is different. Remember this ACL describes routing updates and not IP packets crossing an interface. As such, a routing update consists of a network and a mask. The first section in the ACL describes the network and the second section the mask portion of a routing update. ACL 102 thus describes networks within 198.198.198.0 0.0.0.255 with a mask in the range from 168.168.168.0 to 168.168.168.255 - which obviously does not make any sense in a normal routing environment.

So a working example would be:

routerA(config)# access-list 102 deny ip 198.198.198.0 0.0.0.255 host 255.255.255.255

routerA(config)# access-list 102 permit ip any any

This would not announce any host route (/32) in the range from 198.198.198.0 to 198.198.198.255 but everything else.

Hope this helps! Please rate all posts.

Regards, Martin
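The matching rule Martin describes above, modelled in Python as an added illustration (this is not IOS code and not part of the original thread): the first address/wildcard pair of an extended ACL entry is compared with the update's network, the second with its mask, and the standard ACL from the first scenario is modelled as an extended entry whose mask part is "any".

```python
import ipaddress

# Constructed model of a Cisco ACL applied as a BGP distribute-list: the
# "source" part is matched against the update's network, the "destination"
# part against its subnet mask (as explained in the accepted answer).

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": base 0, wildcard all ones


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((a ^ b) & care) == 0


def evaluate(acl, prefix):
    """Walk the ACL top-down for one routing update given as 'a.b.c.d/len'.

    acl entries are (action, net, net_wc, mask, mask_wc).  Returns (action, index)
    of the first matching entry, or ('deny', None) for the implicit deny at the end.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    network, mask = str(net.network_address), str(net.netmask)
    for i, (action, n, n_wc, m, m_wc) in enumerate(acl):
        if wildcard_match(network, n, n_wc) and wildcard_match(mask, m, m_wc):
            return action, i
    return "deny", None


# Scenario 1: standard ACL 1 looks only at the network (mask part set to "any").
ACL_1 = [("deny", "198.198.198.0", "0.0.0.255", *ANY), ("permit", *ANY, *ANY)]

# Scenario 2 as posted: 168.168.168.0 0.0.0.255 is compared with the *mask*,
# which no real subnet mask ever equals, so only the implicit deny applies.
ACL_102_POSTED = [("deny", "198.198.198.0", "0.0.0.255", "168.168.168.0", "0.0.0.255")]

# Scenario 2 as corrected in the answer: "host 255.255.255.255" means mask == /32.
ACL_102_FIXED = [
    ("deny", "198.198.198.0", "0.0.0.255", "255.255.255.255", "0.0.0.0"),
    ("permit", *ANY, *ANY),
]

if __name__ == "__main__":
    for name, acl in [("ACL 1", ACL_1), ("102 posted", ACL_102_POSTED), ("102 fixed", ACL_102_FIXED)]:
        for p in ["198.198.198.0/24", "198.198.198.7/32", "10.1.0.0/16"]:
            print(name, p, evaluate(acl, p))
```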

3 Replies

Re: bgp and extended access-list

The first part of your understanding is right. In the second part, if the source is 198.198.198.0 and the destination is the 168.168.168.0 network, it will not be sent out.


Re: bgp and extended access-list

Thanks Martin for your help. I got it now.
