Question on using ACLs for route filtering

Dean Romanelli
Level 4

Hi All,

If I am understanding correctly, the format of an ACL statement changes a bit when used for route filtering.  For example: permit ip host 192.168.1.0 host 255.255.255.0, means "permit only routes in the routing table with a /24 subnet mask for the 192.168.1.x subnet." 

I'm being told that this is done to filter routes in the way that if you were to just specify the traditional permit ip 192.168.1.0 0.0.0.255, it would match anything that falls within that range - /25 /26 /27's /28's /29's /30's that have 192.168.1 as their first 3 octets.

The thing I don't get though is; if I'm entering an ACL statement that says "permit ip 192.168.1.0 0.0.0.255," then my subnet is obviously a /24. If I had smaller subnets on the 192.168.1 subnet, then my subnet wouldn't be a /24.  For example, if I had 192.168.1.0/26, 192.168.1.64/26 & 192.168.1.128/25, then I wouldn't tell my router that I have a /24 for the 192.168.1 subnet because I have two /26's and one /25, not one /24. So I wouldn't enter the ACL statement as a /24, because that's not the correct subnet, unless I wanted to summarize those /26's and the /27 into 1 summary route.  But for argument's sake, let's say I'm already summarizing to one route. Then what's the point of filtering with an ACL if it's already being filtered/condensed by the summarization?


11 Replies

Jon Marshall
Hall of Fame

Dean

Imagine you had in your IP routing table a /24 and 2 x /25s for the same network. Now you want to redistribute the /24 into another routing protocol but you didn't want to redistribute the /25s into the routing protocol.

In that case you would need to use the host syntax in your acl to do an exact match or you could use a prefix list instead where again you can be very specific in the subnets you redistribute.

If I haven't answered your question then please clarify.

Jon

Hi Jon,

The part where I get confused is that it doesn't make sense to me that I would have a /24 & two /25's for the same subnet.

If I have 192.168.1.0/24, then that's the full class C, with 254 addresses.  I wouldn't be able to have two /25's on 192.168.1.0, because that subnet is fully committed to being a complete /24 already.

Now if I had 64 /30's on 192.168.1.x, then I could see how that would be burdensome for the routing table, but in that case, I'd just do route summarization.  And if I wanted to redistribute the first two /30 subnets, for example, then why not just call it in the ACL as permit ip 192.168.1.0 0.0.0.3 and permit ip 192.168.1.4 0.0.0.3? 

Accepted Solution

Dean

I understand the confusion and it is a good question.

I think your question really comes down to how can you have multiple entries in the IP routing table that covers the same subnets and why would you want that.

So imagine a situation where you had a router connected to a LAN where it received the subnets from the internal L3 switch via an IGP. This router also has a WAN interface with a summary route for the rest of the remote sites reachable across the WAN. This summary route also covers the internal subnets but it doesn't matter because the router will always choose the longest match.

Now this router has a third interface connecting to another router and these routers are running a different IGP. So on your router you want to redistribute the summary route only into that IGP, i.e. no need to redistribute any of the more specific subnets.

In this case you would need to do a specific match on the summary route mask otherwise all the other more specific routes would be advertised as well.

Now if the addressing per site was summarisable the above would not apply as there would be no overlap but not all networks can be so easily summarised.

The above may be a bit contrived but it is not that uncommon to find multiple routes in the routing table that overlap.

If I think of any other examples I'll add them.

Jon

Hi Jon,

OK, I think I get what you're saying. I drew up a quick drawing of your scenario above. I can't get it to attach, so I will just draw it crudely below:

192.168.1.0/29
192.168.1.8/29
192.168.1.16/29------------Layer 3 Switch---------EIGRP Router-------(redistribution)------BGP Router
192.168.1.24/29
192.168.1.32/29

So, in my drawing, we'll say the LAN subnets off of your layer 3 switch are five /29's on 192.168.1.x, each connecting to a respective layer 3 port on the L3-SW, and our EIGRP router redistributes into BGP router. 

In the event I wanted to only advertise 1 subnet for these five /29's, and not the five /29's into the BGP redistribution, I would need to set the ACL statement to "permit ip host 192.168.1.0 host 255.255.255.0" so that the router advertises only the route specifically with the /24 subnet mask called in the routing table as, "192.168.1.0/24 is variably subnetted...etc..."  If I were to specify "permit ip 192.168.1.0 0.0.0.255," then the router is going to advertise every subnet from /24 - /32 on 192.168.1.x, which in this case would be the /24 and five /29's instead of just the /24, correct?

Now, we are saying that, if summarization is used, then the routing table will only have 1 entry for the route and that makes the above problem a non-concern, and there would be no problem issuing "permit ip 192.168.1.0 0.0.0.255," correct?  But if we were working on a discontiguous network, for example, where summarization could not be used, then our routing table would look like this:

192.168.1.0/24 is variably subnetted, 5 subnets, 1 mask
S       192.168.1.0/29 [1/0] via xxx.xxx.xxx.xxx
S       192.168.1.8/29 [1/0] via xxx.xxx.xxx.xxx
S       192.168.1.16/29 [1/0] via xxx.xxx.xxx.xxx
S       192.168.1.24/29 [1/0] via xxx.xxx.xxx.xxx
S       192.168.1.32/29 [1/0] via xxx.xxx.xxx.xxx

If I am correct so far, then let me ask this:  The statement in the routing table says "192.168.1.0/24 is variably subnetted, 5 subnets, 1 mask."  Doesn't this mean that I would need to set the ACL filter statement as:

permit ip host 192.168.1.0 host 255.255.255.0  - since the routing table says /24 is variably.... ?

In other words, I wouldn't be able to do "permit ip host 192.168.1.0 host 255.255.255.224," because the routing table doesn't have a match for a /27, it has a match for the /24 in the "192.168.1.0/24 is variably subnetted, 5 subnets, 1 mask."  So in this case, even though a /27 is the smallest possible subnet that could encompass all of the /29's, we would still set it as a /24 because that's what shows up in the routing table, right?

Hi,

You only have /29 static routes. /24 is the classful mask

Alain

Don't forget to rate helpful posts.

Dean

In answer to your last question yes, when you do a specific match using the "host" syntax there must be an exact match in your routing table so if the routing table was a /24 it would have to be "host 255.255.255.0".

Your example is fine except you would probably be receiving the 192.168.1.0/24 route advertisement via another interface on your EIGRP router, i.e. if it was received from the L3 switch then no need to receive the more specific subnets and if you only received the /24 you would only have the one entry in your EIGRP router's IP routing table. So there would be no need to use the "host" syntax.

But yes, i think you have understood the concept.

Jon

jon.marshall wrote:

if it was received from the L3 switch then no need to receive the more specific subnets and if you only received the /24 you would only have the one entry in your EIGRP router's IP routing table.
Jon,

Would this be case even if summarization was disabled?  The case being that the EIGRP router will receive one /24 for 192.168.1.0 from the L3-SW, rather than each individual /29?

Dean

Not sure I understand. If there is no summarisation then the EIGRP router would receive all routes but it wouldn't get a /24 because you are not summarising that anywhere.

Note also if you used the "ip summary-address eigrp ..." command then it would suppress the more specific routes and only send the summary address.

The key point to what we have been discussing is where a router (the EIGRP router) receives both the more specific and the summarised. Usually this would be via different interfaces, i.e. if you were summarising from the L3 switch then why send more specifics as they are all reachable via the same interface.

If you are not summarising then you would only get the more specific subnets.

If I have misunderstood then please clarify.

Jon

Jon,

If summarization was disabled for reason of the design not accommodating it, and the EIGRP router was receiving all five /29 routes, I was under the impression that, if I wanted to redistribute those routes to BGP router, for example, I could use the "permit ip host 192.168.1.0 host 255.255.255.0" command, because the EIGRP router's routes would show:

192.168.1.0/24 is variably subnetted, 5 subnets, 1 mask
        192.168.1.0/29 [1/0] via xxx.xxx.xxx.xxx
        192.168.1.8/29 [1/0] via xxx.xxx.xxx.xxx
        192.168.1.16/29 [1/0] via xxx.xxx.xxx.xxx
        192.168.1.24/29 [1/0] via xxx.xxx.xxx.xxx
        192.168.1.32/29 [1/0] via xxx.xxx.xxx.xxx

My reasoning for this is the bolded section above: 192.168.1.0/24, particularly the /24 part.

Since that /24 is in the routing table, couldn't I issue "permit ip host 192.168.1.0 host 255.255.255.0" and effectively redistribute the five routes as one single route to the BGP router, even if summarization was disabled?  Or is the "192.168.1.0/24 is variably subnetted...etc" part not considered to be an actual table entry?

Dean

Since that /24 is in the routing table, couldn't I issue "permit ip host 192.168.1.0 host 255.255.255.0" and effectively redistribute the five routes as one single route to the BGP router, even if summarization was disabled?

Yes, you are right you can do this and only the /24 would be redistributed into BGP.

I think I was confusing the issue by saying that it was unlikely to have the /24 plus subnets within that in the routing table if all those routes were received from the same router.

So apologies for that, what you say is spot on.

Jon

Jon,

Very cool, and no problem at all.  I really appreciate your help on this one.  This thread will be going in my reference notes for sure.
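The matching rules the thread relies on, as an added example: a small Python model written for this page, not code from any of the posters or from Cisco. When an extended ACL is applied to routes, whether through a distribute-list or a route-map "match ip address" clause on the redistribute command, IOS compares the ACL's source field with the route's network and its destination field with the route's subnet mask; "host x" is shorthand for wildcard 0.0.0.0, so "host 192.168.1.0 host 255.255.255.0" matches only an installed 192.168.1.0/24 route, while "192.168.1.0 0.0.0.255 any" matches every more-specific prefix inside it as well, which is the leak Jon describes in his first reply. The tables below are constructed from the scenario in the thread (a /24 summary plus five /29s, then the five /29s alone); as Alain notes, the "192.168.1.0/24 is variably subnetted" header in show ip route is a classful parent line rather than an entry, so it is not in either table, and the exact-match ACL permits nothing against the table that lacks a real /24 route. The mask-only ACL and the two prefix-list forms go beyond the thread's own examples.

```python
"""Model of how IOS tests a route against an extended ACL or a prefix list
when the list is used for route filtering. Added example; not from the
thread or from Cisco. Routes are (network, prefix_length); the classful
"is variably subnetted" header of show ip route is not a route and is
deliberately absent from the constructed tables below.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[str, int]          # e.g. ("192.168.1.0", 29)
HOST = "0.0.0.0"                 # "host a.b.c.d" == "a.b.c.d 0.0.0.0"
ANY_WC = "255.255.255.255"       # "any" == "0.0.0.0 255.255.255.255"


def mask_of(prefixlen: int) -> int:
    """Subnet mask as a 32-bit int: /29 -> 0xFFFFFFF8, /0 -> 0."""
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def wildcard_match(value: int, address: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (value & care) == (int(IPv4Address(address)) & care)


class ExtendedAcl:
    """Ordered entries, first match wins, implicit deny at the end.
    Source field is tested against the route's network, destination
    field against the route's mask (route-filtering use of an ACL)."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str, str, str, str]] = []

    def add(self, action: str, src: str, src_wc: str, dst: str, dst_wc: str) -> "ExtendedAcl":
        self.entries.append((action, src, src_wc, dst, dst_wc))
        return self

    def permits(self, route: Route) -> bool:
        net, mask = int(IPv4Address(route[0])), mask_of(route[1])
        for action, src, src_wc, dst, dst_wc in self.entries:
            if wildcard_match(net, src, src_wc) and wildcard_match(mask, dst, dst_wc):
                return action == "permit"
        return False


class PrefixList:
    """ip prefix-list semantics: exact length unless ge/le widen the range."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, IPv4Network, int, int]] = []

    def add(self, action: str, prefix: str, ge: Optional[int] = None,
            le: Optional[int] = None) -> "PrefixList":
        p = IPv4Network(prefix)
        lo = p.prefixlen if ge is None else ge
        hi = le if le is not None else (32 if ge is not None else lo)
        self.entries.append((action, p, lo, hi))
        return self

    def permits(self, route: Route) -> bool:
        r = IPv4Network(f"{route[0]}/{route[1]}")
        for action, p, lo, hi in self.entries:
            if r.subnet_of(p) and lo <= r.prefixlen <= hi:
                return action == "permit"
        return False


def redistribute(table: Iterable[Route], policy) -> List[Route]:
    """Routes that would be handed to the other protocol under `policy`."""
    return [r for r in table if policy.permits(r)]


# Constructed tables (Jon's scenario): the /24 summary arrives over the WAN
# while the L3 switch hands over five /29s, so the entries overlap.
TABLE_WITH_SUMMARY: List[Route] = [("192.168.1.0", 24)] + [
    (f"192.168.1.{i * 8}", 29) for i in range(5)]
# Dean's second scenario: summarization off, only the /29s are installed.
TABLE_29S_ONLY: List[Route] = TABLE_WITH_SUMMARY[1:]

# access-list 101 permit ip 192.168.1.0 0.0.0.255 any  (network only, any mask)
WILDCARD = ExtendedAcl().add("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", ANY_WC)
# access-list 102 permit ip host 192.168.1.0 host 255.255.255.0  (exact /24)
EXACT_24 = ExtendedAcl().add("permit", "192.168.1.0", HOST, "255.255.255.0", HOST)
# access-list 103 permit ip 192.168.1.0 0.0.0.255 host 255.255.255.248
# (hypothetical, not from the thread: any /29 inside 192.168.1.0/24)
ONLY_29S = ExtendedAcl().add("permit", "192.168.1.0", "0.0.0.255", "255.255.255.248", HOST)
# ip prefix-list SUMMARY permit 192.168.1.0/24        (exact length)
PL_EXACT = PrefixList().add("permit", "192.168.1.0/24")
# ip prefix-list ALL permit 192.168.1.0/24 le 32       (all more-specifics too)
PL_LE32 = PrefixList().add("permit", "192.168.1.0/24", le=32)


def demo() -> Dict[str, List[Route]]:
    """Result of each policy against the constructed tables."""
    return {
        "wildcard": redistribute(TABLE_WITH_SUMMARY, WILDCARD),
        "exact_24": redistribute(TABLE_WITH_SUMMARY, EXACT_24),
        "only_29s": redistribute(TABLE_WITH_SUMMARY, ONLY_29S),
        "prefix_exact": redistribute(TABLE_WITH_SUMMARY, PL_EXACT),
        "prefix_le32": redistribute(TABLE_WITH_SUMMARY, PL_LE32),
        # No real /24 route exists here, so the exact-match ACL permits nothing.
        "exact_24_no_summary": redistribute(TABLE_29S_ONLY, EXACT_24),
    }


if __name__ == "__main__":
    for name, routes in demo().items():
        print(f"{name:22} -> {[f'{n}/{p}' for n, p in routes]}")
```

Run it directly to print what each policy would redistribute. The wildcard ACL hands all six routes across the boundary, the host/host ACL and the exact prefix list hand over only the /24, and against the table without a summary the host/host ACL matches nothing, so nothing is redistributed at all. The prefix-list form is the safer habit for this job: the length range is explicit in the entry, and there is no wildcard to misread as "the /24".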
