Community Member

standard access-list migration to prefix-list

Hello all.

I have the following access-list configured on one of the devices here to filter the BGP updates:

router bgp <bla>

neighbor CORE distribute-list <x>

!

ip access-list standard <x>

deny "output omitted"

deny 155.195.64.0 0.0.0.255

deny "output omitted"

permit any

and I want to migrate this towards an ip prefix-list while keeping the exact same behavior.

My problem is I have small subsets of the 155.195.64.0/24 which will soon be residing on the other part of my network (don't ask me why): 155.195.64.32/28, 155.195.64.0/29 and 155.195.64.8/29, and I need to allow those subnets to get through while disregarding the 155.195.64.0/24.

The problem is access-lists are processed as an exact match when the le or ge keyword is not entered.

So I am not sure about the correct configuration to use. So far I came up with this:

ip prefix-list <x> deny 155.195.64.0/24 le 27

!

ip prefix-list <x> permit 155.195.64.32/28

ip prefix-list <x> permit 155.195.64.0/29

ip prefix-list <x> permit 155.195.64.8/29

!

ip prefix-list <x> permit 0.0.0.0/0 le 32

Any light welcome!

Thanks

D.

ACCEPTED SOLUTION
Cisco Employee

Re: standard access-list migration to prefix-list

A remark:

The ACL statement "deny 155.195.64.0 0.0.0.255" will deny 155.195.64.0/24 AND any subnet of it. This translates to the prefix-list:

ip prefix-list Example seq 5 deny 155.195.64.0/24 le 32

So the solution looks like this:

ip prefix-list permit 155.195.64.32/28

ip prefix-list permit 155.195.64.0/29

ip prefix-list permit 155.195.64.8/29

ip prefix-list deny 155.195.64.0/24 le 32

ip prefix-list permit 0.0.0.0/0 le 32

Hope this helps! Please use the rating system.

Regards, Martin
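To check which updates each list in this thread actually lets through, here is an added Python model of the two matching rules being discussed; it is not code from the original post or from Cisco. It implements first-match evaluation of a standard ACL (wildcard comparison of the network address only, no mask-length check) and of an IOS-style prefix-list (leading bits must match, and the route length must be exact, or within ge..le when given, with the implicit deny at the end). The sample BGP prefixes are constructed for the test; the three lists compared are the accepted solution above (Martin), Edison's list further down (exact-match deny without "le 32"), and the original poster's first attempt ("deny /24 le 27" placed before the permits).

```python
import ipaddress

# Constructed sample BGP prefixes to run through each list (not from the thread).
SAMPLE_PREFIXES = [
    "155.195.64.0/24",     # the aggregate the ACL denies
    "155.195.64.0/25",     # more-specific halves of that /24
    "155.195.64.128/25",
    "155.195.64.32/28",    # the three carve-outs that must be permitted
    "155.195.64.0/29",
    "155.195.64.8/29",
    "155.195.64.16/29",    # a more-specific that is NOT one of the carve-outs
    "155.195.65.0/24",     # unrelated prefixes that must still be permitted
    "10.0.0.0/8",
]

def _bits(addr):
    return int(ipaddress.ip_address(addr))

def acl_standard_matches(prefix, network, wildcard):
    """Standard ACL semantics: only the route's network address is compared,
    under the wildcard mask; the route's own prefix length is never examined."""
    route = ipaddress.ip_network(prefix, strict=False)
    care = ~_bits(wildcard) & 0xFFFFFFFF        # 1 bits = positions that must match
    return (int(route.network_address) & care) == (_bits(network) & care)

def prefix_list_entry_matches(prefix, entry_net, ge=None, le=None):
    """IOS prefix-list semantics: the first N bits (N = entry length) must match,
    and the route length must be exactly N, or within ge..le when given."""
    route = ipaddress.ip_network(prefix, strict=False)
    entry = ipaddress.ip_network(entry_net, strict=False)
    n = entry.prefixlen
    if route.prefixlen < n:
        return False
    shift = 32 - n
    if (int(route.network_address) >> shift) != (int(entry.network_address) >> shift):
        return False
    if ge is None and le is None:
        return route.prefixlen == n          # no ge/le: exact length only
    low = ge if ge is not None else n
    high = le if le is not None else 32
    return low <= route.prefixlen <= high

def evaluate_acl(prefix, acl):
    for action, network, wildcard in acl:
        if acl_standard_matches(prefix, network, wildcard):
            return action
    return "deny"   # implicit deny

def evaluate_prefix_list(prefix, entries):
    for action, net, ge, le in entries:
        if prefix_list_entry_matches(prefix, net, ge, le):
            return action
    return "deny"   # implicit deny

ORIGINAL_ACL = [
    ("deny", "155.195.64.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # permit any
]

# Accepted solution (Martin): permits first, then "deny /24 le 32", then permit any.
MARTIN_LIST = [
    ("permit", "155.195.64.32/28", None, None),
    ("permit", "155.195.64.0/29", None, None),
    ("permit", "155.195.64.8/29", None, None),
    ("deny", "155.195.64.0/24", None, 32),
    ("permit", "0.0.0.0/0", None, 32),
]

# Edison's list: same order, but the deny has no "le 32" (exact /24 only).
EDISON_LIST = [e if e[0] == "permit" else ("deny", "155.195.64.0/24", None, None)
               for e in MARTIN_LIST]

# The original poster's first attempt: "deny /24 le 27" placed before the permits.
OP_LIST = [
    ("deny", "155.195.64.0/24", None, 27),
    ("permit", "155.195.64.32/28", None, None),
    ("permit", "155.195.64.0/29", None, None),
    ("permit", "155.195.64.8/29", None, None),
    ("permit", "0.0.0.0/0", None, 32),
]

CANDIDATES = {"martin": MARTIN_LIST, "edison": EDISON_LIST, "op": OP_LIST}
CARVE_OUTS = {"155.195.64.32/28", "155.195.64.0/29", "155.195.64.8/29"}

def decisions(prefixes=SAMPLE_PREFIXES):
    """Decision of the original ACL and of each candidate prefix-list, per prefix."""
    out = {}
    for p in prefixes:
        out[p] = {"acl": evaluate_acl(p, ORIGINAL_ACL)}
        for name, entries in CANDIDATES.items():
            out[p][name] = evaluate_prefix_list(p, entries)
    return out

def leaks(name, prefixes=SAMPLE_PREFIXES):
    """Prefixes the original ACL denies but candidate `name` permits,
    excluding the three carve-outs that are meant to be permitted."""
    d = decisions(prefixes)
    return [p for p in prefixes
            if p not in CARVE_OUTS and d[p]["acl"] == "deny" and d[p][name] == "permit"]

if __name__ == "__main__":
    d = decisions()
    print(f"{'prefix':20} {'acl':7} {'martin':7} {'edison':7} {'op':7}")
    for p, r in d.items():
        print(f"{p:20} {r['acl']:7} {r['martin']:7} {r['edison']:7} {r['op']:7}")
    for name in CANDIDATES:
        print(f"{name}: unintended permits {leaks(name)}")
```

Running it shows the accepted solution matching the ACL on every sample except the three intended carve-outs, while the exact-match deny lets the /25 halves and other more-specifics through, and the "le 27 before the permits" ordering lets any /28 to /32 inside the /24 through that is not explicitly listed.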

7 REPLIES
Hall of Fame Super Bronze

Re: standard access-list migration to prefix-list

You need to allow those subnets, then do a deny on /24 with a permit any any at the end.

!Permit your subnets

!

ip prefix-list permit 155.195.64.32/28

ip prefix-list permit 155.195.64.0/29

ip prefix-list permit 155.195.64.8/29

!

!Deny the major network

!

ip prefix-list deny 155.195.64.0/24

!

!Permit any any

!

ip prefix-list permit 0.0.0.0/0 le 32

HTH,

__

Edison.

Community Member

Re: standard access-list migration to prefix-list

Thanks Edison, that is what I was thinking as well .

Rgds.

D.

Community Member

Re: standard access-list migration to prefix-list

One more thing to add here: a standard access list, i.e.

"access-list 1 permit 10.10.0.0 0.0.31.255" will permit the /19 aggregate as well as the more specific /24 networks.

In my case "deny 155.195.128.0 0.0.0.255" is denying /24 as well as the more specific networks.

If I replace "deny 155.195.128.0 0.0.0.255" by "ip prefix-list deny 155.195.128.0/24", then I will "only" match on the /24 subnets and not on the more specific networks anymore.

Don't forget a standard access list looks at the network address only and cannot check the length of the network mask.

So I was thinking of using:

ip prefix-list deny 155.195.128.0/25

!

ip prefix-list deny 155.195.128.0/25 ge 26 (deny all routes with a prefix of 155.195.128.0/25 and a mask length greater than 26 bits)

What do you think ?

Rgds.

D.

Community Member

Re: standard access-list migration to prefix-list

No one?

Thanks.

D.

Re: standard access-list migration to prefix-list

If you want the same effect as that access-list statement, you can do

ip prefix-list deny 155.195.128.0/24 le 32

That would deny 155.195.128/24 and any of its more specific subnets, i.e. with any prefix length between 24 and 32 inclusive.

As for those subnets you want to allow, as long as they appear as "permits" in the prefix-list above the deny, then they will be allowed.

Kevin Dorrell

Luxembourg

Re: standard access-list migration to prefix-list

--- Please disregard ---

Note to myself:

"It is sometimes wiser to keep your mouth shut and risk that someone thinks you a fool, than to open it and remove all doubt."
