05-12-2008 07:43 AM - edited 03-03-2019 09:55 PM
Hello all.
I have the following access-list configured on one of the devices here to filter the BGP updates:
router bgp <bla>
neighbor CORE distribute-list <x>
!
ip access-list standard <x>
deny "output omitted"
deny 155.195.64.0 0.0.0.255
deny "output omitted"
permit any
and I want to migrate this towards an ip prefix-list while keeping the exact same behavior.
My problem is I have small subsets of the 155.195.64.0/24 that will soon be residing on the other part of my network (don't ask me why): 155.195.64.32/28, 155.195.64.0/29, 155.195.64.8/29, and I need to allow those subnets to get through while disregarding the 155.195.64.0/24.
The problem is access-lists are processed as an exact match when the le or ge keyword is not entered.
So I am not sure about the correct configuration to use. So far I came up with this:
ip prefix-list <x> deny 155.195.64.0/24 le 27
!
ip prefix-list <x> permit 155.195.64.32/28
ip prefix-list <x> permit 155.195.64.0/29
ip prefix-list <x> permit 155.195.64.8/29
!
ip prefix-list <x> permit 0.0.0.0/0 le 32
Any light welcome!
Thanks
D.
05-14-2008 04:07 AM
A remark:
The ACL statement "deny 155.195.64.0 0.0.0.255" will deny 155.195.64.0/24 AND any subnet of it. This translates to the prefix-list:
ip prefix-list Example seq 5 deny 155.195.64.0/24 le 32
So the solution looks like this:
ip prefix-list
ip prefix-list
ip prefix-list
ip prefix-list
ip prefix-list
Hope this helps! Please use the rating system.
Regards, Martin
05-12-2008 09:44 AM
You need to allow those subnets, then do a deny on /24 with a permit any any at the end.
!Permit your subnets
!
ip prefix-list
ip prefix-list
ip prefix-list
!
!Deny the major network
!
ip prefix-list
!
!Permit any any
!
ip prefix-list
HTH,
__
Edison.
05-13-2008 01:21 AM
Thanks Edison, that is what I was thinking as well.
Rgds.
D.
05-13-2008 04:55 AM
One more thing to add here, a standard access list, i.e.
"access-list 1 permit 10.10.0.0 0.0.31.255" will permit the /19 aggregate as well as the more specific /24 networks.
In my case "deny 155.195.128.0 0.0.0.255" is denying /24 as well as the more specific networks.
If I replace deny 155.195.128.0 0.0.0.255 by ip prefix-list deny 155.195.128.0/24, then I will "only" match on the /24 subnets and not on the more specific networks anymore...
Don't forget a standard access list looks at the network address only and can not check the length of the network mask.
So I was thinking of using:
ip prefix-list
!
ip prefix-list
What do you think?
Rgds.
D.
05-14-2008 01:28 AM
No one?
Thanks.
D.
05-14-2008 04:04 AM
If you want the same effect as that access-list statement, you can do
ip prefix-list
That would deny 155.195.128/24 and any of its more specific subnets, i.e. with any prefix length between 24 and 32 inclusive.
As for those subnets you want to allow, as long as they appear as "permits" in the prefix-list above the deny, then they will be allowed.
Kevin Dorrell
Luxembourg
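The whole thread turns on one difference in matching semantics: a standard ACL compares only the network address against the wildcard mask and never looks at the prefix length, while a prefix-list entry without ge/le matches a single exact length. The Python model below is an added example (not from this thread or from Cisco) that encodes both rules and evaluates the three candidate lists discussed above (the original draft, a literal translation without "le 32", and the permit-specifics-first list with "le 32") against a constructed set of routes. The sample routes, the list names and the helper functions are assumptions for the demonstration; the distribute-list is evaluated here as first-match-wins with an implicit deny, which is how IOS processes prefix-lists.

```python
import ipaddress

# Constructed sample routes (assumption: what the BGP neighbour would send).
# The first four are the prefixes named in the thread; the rest are extras
# chosen to expose the edge cases.
SAMPLE_ROUTES = [
    "155.195.64.0/24",    # the aggregate the ACL is meant to block
    "155.195.64.0/29",    # wanted more-specific
    "155.195.64.8/29",    # wanted more-specific
    "155.195.64.32/28",   # wanted more-specific
    "155.195.64.64/26",   # unwanted more-specific inside the /24
    "155.195.64.128/30",  # unwanted more-specific inside the /24
    "155.195.65.0/24",    # neighbouring /24, must stay permitted
    "10.0.0.0/8",         # unrelated route, must stay permitted
]

WANTED = {"155.195.64.0/29", "155.195.64.8/29", "155.195.64.32/28"}


def acl_matches(route, acl_addr, wildcard):
    """Standard ACL rule applied to a route: only the network address is
    compared, under the wildcard mask; the prefix length is never examined."""
    net = int(ipaddress.ip_network(route).network_address)
    addr = int(ipaddress.ip_address(acl_addr))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # bits that must match
    return (net & care) == (addr & care)


def prefix_list_entry_matches(route, entry_prefix, ge=None, le=None):
    """ip prefix-list entry rule: the route must lie inside the entry's
    network, and its length must be exactly the entry length (no ge/le),
    or fall within [ge, le] where unspecified bounds default to the entry
    length (lower) and 32 (upper)."""
    r = ipaddress.ip_network(route)
    e = ipaddress.ip_network(entry_prefix)
    if r.network_address not in e or r.prefixlen < e.prefixlen:
        return False
    if ge is None and le is None:
        return r.prefixlen == e.prefixlen
    lo = ge if ge is not None else e.prefixlen
    hi = le if le is not None else r.max_prefixlen
    return lo <= r.prefixlen <= hi


def evaluate_prefix_list(route, entries):
    """First matching entry decides; an unmatched route is implicitly denied."""
    for action, entry_prefix, ge, le in entries:
        if prefix_list_entry_matches(route, entry_prefix, ge, le):
            return action
    return "deny"


# The three lists from the thread, as (action, prefix, ge, le) tuples.
OP_DRAFT = [
    ("deny", "155.195.64.0/24", None, 27),
    ("permit", "155.195.64.32/28", None, None),
    ("permit", "155.195.64.0/29", None, None),
    ("permit", "155.195.64.8/29", None, None),
    ("permit", "0.0.0.0/0", None, 32),
]
NAIVE_EXACT = [  # literal translation of the ACL line, missing "le 32"
    ("deny", "155.195.64.0/24", None, None),
    ("permit", "0.0.0.0/0", None, 32),
]
ACCEPTED = [  # permit the specifics first, then deny the /24 and everything under it
    ("permit", "155.195.64.32/28", None, None),
    ("permit", "155.195.64.0/29", None, None),
    ("permit", "155.195.64.8/29", None, None),
    ("deny", "155.195.64.0/24", None, 32),
    ("permit", "0.0.0.0/0", None, 32),
]


def acl_denied_routes(routes=SAMPLE_ROUTES):
    """Routes the original 'deny 155.195.64.0 0.0.0.255' line would block."""
    return sorted(r for r in routes if acl_matches(r, "155.195.64.0", "0.0.0.255"))


def permitted_routes(entries, routes=SAMPLE_ROUTES):
    return sorted(r for r in routes if evaluate_prefix_list(r, entries) == "permit")


def leaks(entries, routes=SAMPLE_ROUTES):
    """Routes inside 155.195.64.0/24 that the list lets through but are not wanted."""
    block = ipaddress.ip_network("155.195.64.0/24")
    return sorted(r for r in permitted_routes(entries, routes)
                  if ipaddress.ip_network(r).subnet_of(block) and r not in WANTED)


if __name__ == "__main__":
    print("ACL denies:      ", acl_denied_routes())
    for name, lst in (("OP draft", OP_DRAFT), ("naive exact", NAIVE_EXACT), ("accepted", ACCEPTED)):
        print(f"{name:12s} permits {permitted_routes(lst)}  leaks {leaks(lst)}")
```

Running it shows why the "le 32" and the ordering both matter: the draft with "le 27" lets any /28 to /32 inside the block through the trailing permit-all (155.195.64.128/30 in the sample), the literal translation without "le" blocks only the /24 itself, and the permit-specifics-first list with "deny 155.195.64.0/24 le 32" reproduces the ACL behaviour while admitting exactly the three wanted subnets.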
05-14-2008 03:46 AM
--- Please disregard ---
Note to myself:
"It is sometimes wiser to keep your mouth shut and risk that someone thinks you a fool, than to open it and remove all doubt."