Cisco Support Community
Community Member

BGP Standard ACL and Extended ACL concept

Cisco says:

((there are two types of access lists, standard and extended.

The main difference is that a standard access list is applied to the source IP address, whereas an extended access list is normally applied to the source and destination of a packet.

However, when used to filter routes within BGP, the first address or wildcard bit set given in an extended access list applies to the prefix.

The second address or wildcard bit set applies to the subnet mask of the advertised route.))

I am looking to understand the concept from the phrase below:

((However, when used to filter routes within BGP, the first address or wildcard bit set given in an extended access list applies to the prefix.

The second address or wildcard bit set applies to the subnet mask of the advertised route.))

1 ACCEPTED SOLUTION

Accepted Solutions
Purple

Re: BGP Standard ACL and Extended ACL concept

That's right...

ACLs are used for a lot of different purposes within IOS. In this case, this is how you interpret the ACL.

Hope that helps - pls rate the post if it does.

Regards,

Paresh

3 REPLIES
Purple

Re: BGP Standard ACL and Extended ACL concept

Hi,

Yes, the usage is different when an extended ACL is applied to BGP updates.

For example,

access-list 101 permit ip 10.1.20.0 0.0.0.255 255.255.255.0 0.0.0.255

The first address here is 10.1.20.0 0.0.0.255. This will match any of the following:

10.1.20.0
10.1.20.1
10.1.20.2
10.1.20.3
. . .
10.1.20.254
10.1.20.255

The second address here is 255.255.255.0 0.0.0.255. This will match any of the following:

255.255.255.0
255.255.255.1
255.255.255.2
255.255.255.3
. . .
255.255.255.254
255.255.255.255

Therefore, that access-list will match any prefix that satisfies both the prefix and the mask portion from above. As an example, the following prefixes match both conditions and will be permitted:

10.1.20.0/24
10.1.20.0/25
10.1.20.0/26
10.1.20.0/27
10.1.20.0/28
10.1.20.0/29
10.1.20.0/30
10.1.20.0/31
10.1.20.0/32
....
10.1.20.128/25
..
10.1.20.130/32
..

Basically, you are matching on both the prefix and its mask when using extended ACLs.

If you want to know why you would use such an ACL, here's a question that would have the above ACL as an answer: permit all subnets of 10.1.20/24. The above will permit all such subnets, regardless of their length.

Pls remember to rate posts.

Regards,

Paresh.
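The matching rule Paresh describes above (first address/wildcard pair tested against the route's network address, second pair tested against the route's subnet mask, implicit deny at the end) can be worked through in a few lines of Python. This is an added example, not code from the original post or from Cisco; the ACL line is the one from the post, the candidate routes are constructed for the example, and the function names (`wildcard_match`, `filter_routes`, etc.) are this example's own.

```python
import ipaddress

# Constructed inputs for the example: the ACL entry from the post above and
# a handful of candidate BGP routes, including ones that must NOT match.
ACL_LINES = [
    "access-list 101 permit ip 10.1.20.0 0.0.0.255 255.255.255.0 0.0.0.255",
]
CANDIDATE_ROUTES = [
    "10.1.20.0/24",    # exact subnet: permitted
    "10.1.20.128/25",  # longer subnet of 10.1.20.0/24: permitted
    "10.1.20.130/32",  # host route inside 10.1.20.0/24: permitted
    "10.1.20.0/23",    # shorter mask 255.255.254.0 fails the mask check: denied
    "10.1.21.0/24",    # different third octet fails the prefix check: denied
    "10.0.0.0/8",      # fails both checks: denied
]


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    v = int(ipaddress.IPv4Address(value))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bits that must be equal
    return (v & care) == (p & care)


def parse_extended_acl_entry(line: str) -> dict:
    """Parse 'access-list N permit|deny ip A WA B WB' (the only shape used here).

    When the ACL filters BGP routes, A/WA is matched against the prefix and
    B/WB against the subnet mask of the advertised route.
    """
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    if parts[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported action in ACL entry: {line!r}")
    return {
        "action": parts[2],
        "prefix": parts[4], "prefix_wc": parts[5],
        "mask": parts[6], "mask_wc": parts[7],
    }


def route_matches_entry(route: str, entry: dict) -> bool:
    """Apply both halves of the extended ACL entry to one route (a.b.c.d/len)."""
    # strict=True rejects malformed routes such as 10.1.20.130/25 (host bits set).
    net = ipaddress.IPv4Network(route, strict=True)
    prefix_ok = wildcard_match(str(net.network_address), entry["prefix"], entry["prefix_wc"])
    mask_ok = wildcard_match(str(net.netmask), entry["mask"], entry["mask_wc"])
    return prefix_ok and mask_ok


def filter_routes(acl_lines: list, routes: list) -> dict:
    """Return {route: 'permit'|'deny'} using first-match semantics and implicit deny."""
    entries = [parse_extended_acl_entry(line) for line in acl_lines]
    verdicts = {}
    for route in routes:
        verdict = "deny"  # implicit deny at the end of every Cisco ACL
        for entry in entries:
            if route_matches_entry(route, entry):
                verdict = entry["action"]
                break
        verdicts[route] = verdict
    return verdicts


if __name__ == "__main__":
    for route, verdict in filter_routes(ACL_LINES, CANDIDATE_ROUTES).items():
        print(f"{route:<16} {verdict}")
```

The mask check is what makes this entry mean "all subnets of 10.1.20.0/24 regardless of length": a wildcard of 0.0.0.255 on 255.255.255.0 accepts any last octet, and since subnet masks are contiguous the only masks starting 255.255.255 are /24 through /32. A shorter prefix such as 10.1.20.0/23 has mask 255.255.254.0 and is denied even though its network address passes the first check.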

Community Member

Re: BGP Standard ACL and Extended ACL concept

((Yes, the usage is different when an extended ACL is applied to BGP updates.))

That means the usage of the extended ACL here with BGP is not like before: we do not have a source and destination, we have a prefix and a prefix length.

The source field is now used for the prefix, and the destination field is used for the length of the prefix.

