Subodh

You wonder whether the original access lists are filtering the routes or whether there is some config error. This is because this use of extended access list to filter routes in BGP works differently that what we normally expect in an access list. Almost all of us started with extended access lists thinking of them as source address, source mask, destination address, destination mask. But that is not how the access list works when used with BGP. In the case with BGP the first pair is describing the network ID and mask (which bits in the network are significant) while the second pair describes the mask of the network (how many bits are significant).

In the original access list it specified:

deny ip host 10.10.1.0 host 255.255.255.240 ( /28 subnet )

this denies a /28 and also a /29 or a /30. Your proposed alternative would not achieve the same results.

As Milan points out the use of extended access list in distribute list is the older way to filter routes in BGP and the newer and better way to filter is to use prefix lists.

HTH

Rick

Hi Rick,

are you sure

deny ip host 10.10.1.0 host 255.255.255.240 ( /28 subnet )

this denies a /28 and also a /29 or a /30?

IMHO, this is the same syntax as the first line in CCO example A in "neighbor distribute-list" section of http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rdbgp.html#wp1019302

which says

"The following extended access list example will permit route 192.108.0.0 255.255.0.0 but deny any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):

access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0

access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255 "

I was wrong in my previous answer, the second ACL would not permit /28 plus all longer prefixes.

That effect would be achieved by using a standard ACL though:

ip access-list 99 deny ip 10.10.1.0 0.0.0.15 ( / 28 and longer )

ip access-list 99  deny ip 10.10.2.0 0.0.0.255 ( /24 subnet and longer )

ip access-list 99 permit ip any any

Hi Milan,

I think the reason prefix-lists came to existance is exactly the confusion caused by the ACL syntax. I personally have to look this up everytime I come across it. If I am not mistaken:

1. Standard ACL checks the network address only and cannot check the length of the mask. So, it also permits longer prefixes.

2. Extended ACL can be used to specify an exact match on a prefix length using the host/0.0.0.0 syntax for the network mask portion of the ACE.

3. Extended ACL can match more prefixes if the mask portion is relaxed (e.g. 255.255.255.0 0.0.0.255), but this is more confusing, isn't it? (Edit: the ACL you posted uses this trick to deny only longer prefixes because the intended network has already been permitted)

Kind Regards,

Maria

Hi Maria,

I agree totally!

But I met an ACL:

access-list 18 deny   172.22.0.0

... lines omitted...

access-list 18 permit 172.22.0.0 0.0.255.255

Does the first line deny 172.20.0.0/16 (B-class default subnet mask) only?

Or also longer prefixes? And the second line is a mistake permitting what the first line denied?

Generally, I don't like the Cisco wildcard concept, why didn't they simply say: "We admit non-contiguous subnet masks within ACLs."?

The effect would be the same and much less confusing.

BR,

Milan

Hi Milan,

There exist variations based on the mask of the network portion (not the mask of the mask ). I think the additional thing that comes into play is networks that begin with 172.22.x.x, but the x.x is not a zero, and this independently of the actual mask. Does this make sense?

Kind Regards,

Maria

p.s. Great discussion. Only problem is that if you ask me the same tomorrow, I won't remember anything and will have to think all over again!

Hi Maria,

yes, you are correct, there's a difference between 172.22.0.0 and 172.22.x.x where x.x is not a zero.

It's explained by the fact

access-list 99 deny 172.22.0.0
is the same as access-list 99 deny host 172.22.0.0

or access-list 99 deny 172.22.0.0 0.0.0.0

I.e., the network part has to include 172.22.0.0 and the subnet mask length is ignored.

Thanks!

Milan

Let's make it more confusing, shall we? Is the second ACL posted by the author equivalent to a 'deny ip any any'?

Edit: Here is a document I think has a good explanation of those things:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801310cb.shtml#acclists

I think the answer to my previous question is no, but did you think about it for a while? I think the problem with all this is the numerous masks.

Hi Maria,

deny ip 10.10.1.0 0.0.0.15 any = deny ip 10.10.1.0 0.0.0.15  0.0.0.0 255.255.255.255

deny ip 10.10.2.0 0.0.0.255 any = deny ip 10.10.2.0 0.0.0.255  0.0.0.0 255.255.255.255

So according to the link you provided it would deny

10.10.1.x where x=0-15

10.10.2.x where x=0-255

with any subnet mask length.

And the last line

permit ip any any

would permit anything else.

BR,

Milan

Hi Milan,

When you said 'with any subnet mask length', what did you mean? That's where I was getting at. I guess only equal or longer prefixes of the corresponding network, and not shorter. If you think of the ACE as a normal ACE, this is obvious, but if you put the subnet and its own mask into the mix, it can look a bit weird. I think some combinations with lot's of don't care bits in the mask portion come down to the same thing, depending on the network portion (which sets the 'base' using Giuseppe's words).

Kind Regards,

Maria

Hi Maria,

you mean something like 10.10.1.0/20, e.g.?

No, it would not match as it would be sent as 10.10.0.0/20 in fact in the routing update.

Giuseppe's term "base address mask" is a little missleading for me.

What's the base address mask in

deny ip 10.10.1.0 0.0.0.15  0.0.0.0 255.255.255.255 ?

IMHO, we have to look at the prefix/length pair twice:

1) does the prefix match the ACE source part?

2) does the length match the destination part?

And that's all.

And we all agree the prefix-list syntax is much more comfortable :-)

BR,

Milan

Hi Milan,

You won't get me into terminology discussion! 'Base' terminology reminds me of hardware talk (base address + offset) about memories and helps me. I think the base address would be 10.10.1.0 and the base address mask would be 0.0.0.15 (if you look at it as a normal mask and not inverted). Then you look at the prefix length as you said, but you have to stay above the 'base'! Whatever helps anyone to remember all this is fine with me.

LOL! I think we convinced the author to use prefix-lists!

Kind Regards,

Maria