CCNP Route Simplified and ACLs

joetest

Finally got some free time to complete my CCNP yeeh(jinxed it)
I'm reading ROUTE Simplified, and I'm at the section "ACCESS LISTS AND IP PREFIX LISTS FUNDAMENTALS" and I'm a bit confused.
Dude says it's important to understand the difference between standard and extended acls and I agree. But then he gives an example saying:

access-list 1 permit 172.16.1.0 0.0.0.255
That's gonna permit 172.16.1.0/24 and anything more specific(172.16.1.0/25, 172.16.1.128/25 etc) - yeps all good so far.

Then he says: "If the desired intention is to permit specifically only the 172.16.1.0/24 subnet, this configuration will produce unexpected results, as it denies other subnets that should otherwise be permitted." (think route filtering or redistribution) - Yeps it's gonna block everything in that /24 range.

He then says to use extended:
access-list 100 permit ip host 172.16.1.0 host 255.255.255.0
will only permit the 172.16.1.0/24 subnet meaning i.e. not 172.16.1.128/25.

I get the source-part being it's for route filtering so you would only the need subnet itself but what's the explanation for the destination address/32?

If I'd have to guess I would say that if it was:
access-list 100 permit ip host 172.16.1.0 host 255.255.255.128
That would mean it's only 172.16.1.0/25 that's permitted and not 172.16.1.0/26 but the love of... I can't wrap my head around why..

late_collision

joetest wrote: »

I get the source-part being it's for route filtering so you would only the need subnet itself but what's the explanation for the destination address/32?


If I'd have to guess I would say that if it was:
access-list 100 permit ip host 172.16.1.0 host 255.255.255.128
That would mean it's only 172.16.1.0/25 that's permitted and not 172.16.1.0/26 but the love of... I can't wrap my head around why..

I think access-lists go a bit deeper than I am currently comfortable with, but in this case, you are specifying a network with the first host statement and then a prefix range with the second. You dont have to use a /32 on the destination, and you cant if you want to specify a range of prefixes. Here is an example.




Let's say we only want to match /26 - /29 prefixes within the 192.168.0.0/24 network.


Prefix-List:
192.168.0.0/24 ge 26 le 29


Extended ACL:
access-list 100 deny ip 192.168.0.0 0.0.0.255 255.255.255.0 0.0.0.128
access-list 100 permit ip 192.168.0.0 0.0.0.255 255.255.255.0 0.0.0.248
access-list 100 deny ip any any


The Extended ACL is not nearly as readable and takes twice as many lines as a prefix-list (technically, we dont need the 3rd line).


Line 1. Do Not match prefixes in the 192.168.0.0/24 network whose mask is /24 - /25
Line 2. Match prefixes in the 192.168.0.0/24 network whose mask is /24 - /29*


*Don't forget about ACL's order of operation. Since we disregarded /24 - /25 in the first line, we are really only matching /26 - 29 on the second line.