Re: access-lists vs. prefix-lists

From: John Matus (john_matus@hotmail.com)
Date: Thu Mar 17 2005 - 19:18:17 ART


hmmm.......ok, i was always under the impression that the wildcard mask was
checked against the network address (i.e. - .4, .8, .12...etc for the
.252 wildcard) so that the access-list:

access-list 5 permit 192.168.1.20 0.0.0.252

would only permit .20, .21, .22, and .23.

...but it looks as if that is not the consensus opinion/knowledge so i guess
i've learned something from this.
thanks very much for your input!!!

>From: Carlos G Mendioroz <tron@huapi.ba.ar>
>To: John Matus <john_matus@hotmail.com>
>CC: simon.hart@btinternet.com, ccielab@groupstudy.com
>Subject: Re: access-lists vs. prefix-lists
>Date: Thu, 17 Mar 2005 18:46:24 -0300
>
>Well, nobody seems to pay attention to what I say (: grin :)
>but I also guess nobody will back you on this.
>
>As I said, SACLs (Standard Access Control Lists) don't care about masks.
>
>And the 0.0.0.252 is a "don't care wildcard bits" value (aka mask) that
>implies that all but the last 2 bits in the last byte are not being
>evaluated (i.e. anything will match) and thus Simon is right.
>
>John Matus wrote:
>>i'm not so sure about that. the .252 matches against the 4th octet in the
>>address, which in this case is 0 (which includes .1, .2, and .3). i
>>think that the .252 wildcard would only match the .4 network in the case
>>that the access-list stated:
>>
>>"access-list 5 permit 192.168.1.4 0.0.0.252"
>>
>>can anyone back me up on this?
>>
>>>From: "simon hart" <simon.hart@btinternet.com>
>>>To: "John Matus" <john_matus@hotmail.com>,<tron@huapi.ba.ar>
>>>CC: <ccielab@groupstudy.com>
>>>Subject: RE: access-lists vs. prefix-lists
>>>Date: Wed, 16 Mar 2005 20:33:12 -0000
>>>
>>>
>>>Yes there is a difference
>>>
>>>An access-list of
>>>
>>>access-list 5 permit 192.168.1.0 0.0.0.252
>>>
>>>Will let through the following advertised routes
>>>
>>>192.168.1.0, 192.168.1.4, 192.168.1.8, 192.168.1.12 ...........
>>>192.168.1.252
>>>
>>>The prefix list will only let through 192.168.1.0 if it has a subnet mask
>>>of 255.255.255.252
>>>
>>>The key is that the prefix-list is specific
>>>
>>>Simon
>>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>>John Matus
>>>Sent: 16 March 2005 18:40
>>>To: simon.hart@btinternet.com; tron@huapi.ba.ar
>>>Cc: ccielab@groupstudy.com
>>>Subject: RE: access-lists vs. prefix-lists
>>>
>>>
>>>yes, that i'm aware of...........
>>>i guess i was looking for a "best-practice" for specific situations. i
>>>usually use prefix lists w/ bgp and acl's for redistribution but i just
>>>wanted to clarify that BOTH will work......but i also wanted to verify
>>>that there is no difference between:
>>>
>>>access-list 5 permit 192.168.1.0 0.0.0.252
>>>
>>>and
>>>
>>>ip prefix-list 5 permit 192.168.1.0/30
>>>
>>> >From: "simon hart" <simon.hart@btinternet.com>
>>> >To: "John Matus" <john_matus@hotmail.com>,<tron@huapi.ba.ar>
>>> >CC: <ccielab@groupstudy.com>
>>> >Subject: RE: access-lists vs. prefix-lists
>>> >Date: Wed, 16 Mar 2005 08:17:11 -0000
>>> >
>>> >John,
>>> >
>>> >You need to remember how an access list wildcard mask works.
>>> >
>>> >192.168.1.0 0.0.0.255
>>> >
>>> >Where you have a 0 bit in the wildcard then the corresponding bit within
>>> >the IP Address must match. So in the example above 192.168.1 must match.
>>> >
>>> >Where you have a 1 bit then the Wildcard mask does not care about the
>>> >corresponding bit within IP address (also known as the 'don't care bit'),
>>> >thus the 255 in the last octet means that the corresponding bit within
>>> >the IP address can be anything between 1 and 255.
>>> >
>>> >Therefore when matching routes with an access list, the access list
>>> >would let through 'Prefixes' from:
>>> >
>>> >192.168.1.0 to 192.168.1.255
>>> >
>>> >Obviously within this range there would be no routes that are
>>> >advertised as routes from a routing protocol (like broadcast), however
>>> >it does capture everything.
>>> >
>>> >A Prefix list is far more precise. 192.168.1.0/24 will only let through
>>> >192.168.1.0; if you wanted the prefix list to act like the access list,
>>> >you would use the ge and le statements at the end of the prefix.
>>> >
>>> >My advice would be, when dealing with routes, and in particular BGP, use
>>> >a prefix list
>>> >
>>> >Simon
>>> >
>>> >-----Original Message-----
>>> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>> >John Matus
>>> >Sent: 16 March 2005 01:19
>>> >To: tron@huapi.ba.ar
>>> >Cc: ccielab@groupstudy.com
>>> >Subject: Re: access-lists vs. prefix-lists
>>> >
>>> >
>>> >ok, that is where i get confused.............
>>> >if, as in ACL 5 <access-l 5 permit 192.168.1.0 0.0.0.255> i don't see
>>> >how that would match /24, /25, /26 routes. i would think that you would
>>> >need to have a wildcard mask of 0.0.0.252, 0.0.0.248, 0.0.0.240. how does
>>> >it match those routes......hmm ok, slight epiphany, is it because .252,
>>> >.248, and .240 are all subsets of the .255 which means everything under
>>> >the sun in that octet?
>>> >
>>> >
>>> > >From: Carlos G Mendioroz <tron@huapi.ba.ar>
>>> > >To: John Matus <john_matus@hotmail.com>
>>> > >CC: ccielab@groupstudy.com
>>> > >Subject: Re: access-lists vs. prefix-lists
>>> > >Date: Tue, 15 Mar 2005 21:59:19 -0300
>>> > >
>>> > >John,
>>> > >there are differences, some of which can be dealt with, but prefix
>>> > >lists are simpler to use when you are trying to deal with routes.
>>> > >
>>> > >In your example with ACL 5, your acl would let go:
>>> > >192.168.1.0/24
>>> > >192.168.1.0/25
>>> > >192.168.1.0/26
>>> > >...
>>> > >192.168.1.128/25
>>> > >192.168.1.128/26
>>> > >...
>>> > >but the prefix list would only let 192.168.1.0/24.
>>> > >
>>> > >Some routing protocols do accept extended ACLs to care about masks,
>>> > >like
>>> > >
>>> > >access-list 105 permit 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0
>>> > >
>>> > >which would be an exact match of the example prefix list.
>>> > >
>>> > >Hope this helps.
>>> > >
>>> > >John Matus wrote:
>>> > >>Prefix-list vs. access-list question
>>> > >>
>>> > >>I'm a bit confused about the functionality of prefix-lists vs.
>>> > >>access-lists. While I'm aware that prefix-lists seem to have some
>>> > >>added granularity I'm a bit stumped as to when it is best practice to
>>> > >>use one vs. the other. Here are a few examples of each
>>> > >>
>>> > >>
>>> > >>EXAMPLE 1
>>> > >>Router os 1
>>> > >>Default-information originate route-map conditional
>>> > >>-------------------------------------------
>>> > >>
>>> > >>Route-m conditional permit 10
>>> > >>Match ip address prefix 5
>>> > >>
>>> > >>Ip prefix-list 5 permit 192.168.1.0/24
>>> > >>
>>> > >>OR
>>> > >>Route-m conditional permit 10
>>> > >>Match ip add 5
>>> > >>
>>> > >>Access-list 5 permit 192.168.1.0 0.0.0.255
>>> > >>
>>> > >>EXAMPLE 2
>>> > >>
>>> > >>Router rip
>>> > >>Redistribute ospf 1 metric 1 route-map o2r
>>> > >>-------------------------------------------
>>> > >>
>>> > >>Route-map o2r permit 10
>>> > >>Match ip address 5
>>> > >>
>>> > >>Access-list 5 permit 192.168.1.0 0.0.0.255
>>> > >>
>>> > >>OR
>>> > >>
>>> > >>Route-map o2r permit 10
>>> > >>Match ip address prefix-list 5
>>> > >>
>>> > >>Ip prefix-list 5 permit 192.168.1.0/24
>>> > >>
>>> > >>Do both methods accomplish exactly the same thing or is the matching
>>> > >>mechanism different in access and prefix lists?
>>> > >>
>>> > >>_______________________________________________________________________
>>> > >>Subscription information may be found at:
>>> > >>http://www.groupstudy.com/list/CCIELab.html
>>> > >>
>>> > >
>>> > >--
>>> > >Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>>> >
>>> >
>>>
>>>
>>
>>
>>
>
>--
>Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
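The three claims made in the thread (a standard ACL tests only the route's network address against the wildcard and ignores its mask, the extended-ACL form also matches the mask, and a prefix-list matches the length exactly unless ge/le widen it) can be checked by computation. The following Python model is an added example, not code from the thread or from any Cisco tool; it evaluates the exact entries quoted above (ACL 5, ACL 105, prefix-list 5) against constructed sample routes, and the function names are my own.

```python
import ipaddress

def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, wildcard, candidate):
    """Cisco wildcard semantics: where the wildcard bit is 0 the candidate bit
    must equal addr's bit; where it is 1 the bit is 'don't care'."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(candidate) & care)

def standard_acl_permits(acl_addr, acl_wildcard, route):
    """Standard ACL used as a route filter: only the route's network address is
    tested against the wildcard; the route's own mask is never examined."""
    net = ipaddress.ip_network(route)
    return wildcard_match(acl_addr, acl_wildcard, str(net.network_address))

def extended_acl_permits(net, net_wc, mask, mask_wc, route):
    """Extended-ACL form quoted in the thread: the 'source' pair is matched
    against the network address and the 'destination' pair against the mask."""
    r = ipaddress.ip_network(route)
    return (wildcard_match(net, net_wc, str(r.network_address))
            and wildcard_match(mask, mask_wc, str(r.netmask)))

def prefix_list_permits(entry, route, ge=None, le=None):
    """ip prefix-list semantics: the route must fall inside entry's network and
    its length must equal entry's length unless ge/le widen that range."""
    e = ipaddress.ip_network(entry)
    r = ipaddress.ip_network(route)
    lo = ge if ge is not None else e.prefixlen
    hi = le if le is not None else (32 if ge is not None else e.prefixlen)
    return r.subnet_of(e) and lo <= r.prefixlen <= hi

def compare(routes):
    """Per route: (acl 5, acl 105, prefix-list 5 /24, prefix-list /24 le 32)."""
    return {rt: (standard_acl_permits("192.168.1.0", "0.0.0.255", rt),
                 extended_acl_permits("192.168.1.0", "0.0.0.0",
                                      "255.255.255.0", "0.0.0.0", rt),
                 prefix_list_permits("192.168.1.0/24", rt),
                 prefix_list_permits("192.168.1.0/24", rt, le=32))
            for rt in routes}

if __name__ == "__main__":
    # Constructed sample routes, as if learned from a routing protocol.
    for rt, res in compare(["192.168.1.0/24", "192.168.1.128/25",
                            "192.168.2.0/24"]).items():
        print(rt, res)
```

Running the model also settles the side question at the top of the thread: `192.168.1.20 0.0.0.252` and `192.168.1.0 0.0.0.252` permit exactly the same set of network addresses, because only the two low bits of the last octet are compared.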



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART