Need help in understanding ACL

Hi All,

Can somebody explain to me in depth the following ACL?

access-list 101 permit ip 193.78.0.0 0.0.255.255 255.255.0.0 0.0.0.0

Especially the underlined part and what effect it has.

PS: I have marked this as a discussion and not as a question, because I don't know what the correct answer would be. Also, it is not an issue; I just wanted to understand.

Regards,

Smitesh

4 REPLIES
Cisco Employee

Need help in understanding ACL

Hi Smitesh,

This ACL seems to be used in a route-map, probably for redistribution or route filtering purposes, isn't it?

This ACL specifies an IP network address/mask combination that shall be permitted when performing the redistribution or route filtering (or wherever this ACL is used). As this is an extended ACL, it has a source and a destination match part. The source part matches the address of the filtered network, the destination part matches its subnet mask. In particular, this ACL would match all networks whose address is 193.78.x.x and whose mask is exactly 255.255.0.0 - logically, the only reasonable network would then be 193.78.0.0/255.255.0.0. The ACL could be written down even more precisely as:

access-list 101 permit ip 193.78.0.0 0.0.0.0 255.255.0.0 0.0.0.0

or

access-list 101 permit ip host 193.78.0.0 host 255.255.0.0

Remember, this ACL is matching [IP network address, IP network mask] tuples as the [Source, Destination] if used in route-maps, distribute-lists or similar applications when filtering routes.

Because of the peculiarity of using extended ACLs for network/netmask filtering purposes, it is recommended instead to use prefix lists, which are more efficiently organized and searched, and which also allow for some applications (notably Outbound Route Filtering in BGP) that would not be possible with arbitrary ACLs.

Best regards,

Peter

Need help in understanding ACL

Thanks Peter,

I'm understanding a bit.

Can I request you to explain the concept a bit more, as I still haven't understood the concept fully.

Regards,
Smitesh

Cisco Employee

Re: Need help in understanding ACL

Hi Smitesh,

Alright. Consider the need to filter a set of particular networks, say:

87.197.31.40/29

158.193.139.0/24

These networks are uniquely identified by their IP address and their netmask. A network 87.197.31.40/29 is not the same as the network 87.197.31.40/30, for example. So when filtering networks, you need to match both the address and the netmask of the route to make precise decisions.

ACLs can be used for this matching. However, forget about ACLs filtering packets. ACLs should better be visualized as generic mechanisms that accept a number of numeric inputs and produce a result on whether they found the input in their internal database according to their internal searching rules, and what the result of the lookup is. Normally, we are accustomed to having these inputs in the form of source/destination IP addresses, transport protocol numbers, port numbers, etc., but all these are simply numbers. ACL as a mechanism can accept any number on its input, provided you know what its meaning is, and will tell you if it found the number in its database and whether the lookup provided a permit or deny result.

With this in mind, we want to use an ACL to look for two special values: one of them will be the IP address of a network, the second will be its netmask. Both are 32-bit values, in format identical to IP addresses. Quite naturally, an extended ACL seems to be the proper mechanism as it can take two 4B numbers on its input (apart from other parameters irrelevant for this usage), and tell us whether it found these two 4B numbers in its internal database. We are accustomed to understanding these two 4B numbers as "source IP address" and "destination IP address". Now, however, because our two parameters are the address of the network and its subnet mask, one of them will be input to this ACL as the "source IP" parameter, and the other will be in the position of the "destination IP" parameter. As implemented in the IOS, the network address will be the "source IP" part, the netmask will be the "destination IP" part.

So for an ACL to match the network 87.197.31.40/29, it must look for 87.197.31.40 as the "source", and the /29=255.255.255.248 as the "destination". Note that I do not want to look for any other networks nor netmasks, so the matches should be absolutely exact, hence the wildcard masks in the ACL entry should be 0.0.0.0 (or equivalently, using the host keyword):

access-list 199 permit ip 87.197.31.40 0.0.0.0 255.255.255.248 0.0.0.0

or

access-list 199 permit ip host 87.197.31.40 host 255.255.255.248

Now, if I put together the ACL for both networks I indicated at the beginning, we will get:

access-list 199 permit ip 87.197.31.40 0.0.0.0 255.255.255.248 0.0.0.0

access-list 199 permit ip 158.193.139.0 0.0.0.0 255.255.255.0 0.0.0.0

or

access-list 199 permit ip host 87.197.31.40 host 255.255.255.248

access-list 199 permit ip host 158.193.139.0 host 255.255.255.0

Now, however, think of a slightly more complicated scenario: I want to permit the network 87.197.31.40/29 and all possible subnets of the network 158.193.139.128/26. The network 87.197.31.40/29 is an exact match. However, what is specific about subnets of the 158.193.139.128/26 network? For sure, their prefix is 158.193.139. and the upper two bits from the 4th octet are "10". The mask of all subnets of this network is /26 (the network alone) or higher, i.e. 255.255.255.192 or more. The remaining 6 bits in the address of the network and in the netmask may be different, depending on the subnet. So the ACL should only match the upper 26 bits of both the network address and the netmask, as the subnets will differ in the remaining bits. The ACL would then be written out as follows:

access-list 199 permit ip host 87.197.31.40 host 255.255.255.248

access-list 199 permit ip 158.193.139.128 0.0.0.63 255.255.255.192 0.0.0.63

Note the 158.193.139.128 0.0.0.63 - this means "all addresses with their upper 26 bits being set to values identical in upper 26 bits of the IP address 158.193.139.128, essentially subnets of this range". The 255.255.255.192 0.0.0.63 means "all netmasks with their upper 26 bits set to values identical in upper 26 bits of the netmask 255.255.255.192, essentially longer prefixes".

Quite confusing, isn't it? That's why the prefix lists are more readable for this, e.g. the second example could be rewritten using a prefix list as follows:

ip prefix-list P permit 87.197.31.40/29

ip prefix-list P permit 158.193.139.128/26 le 32

Feel welcome to ask further!

Best regards,

Peter
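As an added example (not part of this thread and not Cisco's own code), the following Python models the two lookups Peter describes: an extended ACL fed the route's network address as "source" and its netmask as "destination", and the prefix list with ge/le bounds. It assumes routes are proper networks (no host bits set), which is what a routing table holds, and it includes ACL 101 from the original question.

```python
import ipaddress

FULL = 0xFFFFFFFF

def _ip(s):
    """Dotted quad -> 32-bit int."""
    return int(ipaddress.IPv4Address(s))

def entry_matches(entry, net):
    """One extended-ACL line as (src, src_wc, dst, dst_wc) against an IPv4Network.
    IOS convention described in the thread: the route's network address is
    compared as 'source', its netmask as 'destination'.
    A 0 bit in the wildcard means 'must match', a 1 bit means 'don't care'."""
    src, src_wc, dst, dst_wc = (_ip(x) for x in entry)
    addr, mask = int(net.network_address), int(net.netmask)
    src_care, dst_care = ~src_wc & FULL, ~dst_wc & FULL
    return (addr & src_care) == (src & src_care) and (mask & dst_care) == (dst & dst_care)

def acl_lookup(acl, net):
    """First matching line wins; an ACL ends with an implicit deny."""
    for action, entry in acl:
        if entry_matches(entry, net):
            return action
    return "deny"

def prefix_list_lookup(plist, net):
    """plist: list of (action, prefix, ge, le). A route matches when it is a
    subnet of the prefix and its length lies within [ge, le]."""
    for action, prefix, ge, le in plist:
        if net.subnet_of(ipaddress.IPv4Network(prefix)) and ge <= net.prefixlen <= le:
            return action
    return "deny"

# ACL 199 from the second answer and its prefix-list rewrite (constructed from the thread).
ACL_199 = [
    ("permit", ("87.197.31.40", "0.0.0.0", "255.255.255.248", "0.0.0.0")),
    ("permit", ("158.193.139.128", "0.0.0.63", "255.255.255.192", "0.0.0.63")),
]
PREFIX_LIST_P = [
    ("permit", "87.197.31.40/29", 29, 29),
    ("permit", "158.193.139.128/26", 26, 32),
]
# ACL 101 from the original question: any 193.78.x.x address, mask exactly /16.
ACL_101 = [("permit", ("193.78.0.0", "0.0.255.255", "255.255.0.0", "0.0.0.0"))]

def compare(net_str):
    """Return (ACL 199 result, prefix-list P result) for one route."""
    net = ipaddress.IPv4Network(net_str)
    return acl_lookup(ACL_199, net), prefix_list_lookup(PREFIX_LIST_P, net)
```

Running compare() over a handful of routes shows the wildcard form and the prefix-list form agree, including the rejection of 87.197.31.40/30 (mask mismatch) and of 158.193.139.192/27 (outside the /26).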

Need help in understanding ACL

Peter,

Thanks for the in-depth tutorial.

Regards,
Smitesh
