Packets from net 10 (no, not the lyrics)

Alec H. Peterson ahp at hilander.com
Tue Sep 23 20:49:25 UTC 1997


On Tue, Sep 23, 1997 at 04:43:16PM -0400, Todd R. Stroup wrote:
> 
> I disagree.. how about this: 
> 
> access-list 50 deny 0.0.0.0 0.0.0.31 
> 
> or for those brave folk:  
> 
> access-list 50 deny 0.0.0.0 0.0.0.255
> 
> The extended access-list is used in the classic "FROM ip" and "TO
> ip" application.  My point was to use the standard access-list
> applied to a BGP session.  The only thing I can think of that you
> would need a FROM/TO scenario in would be peering with Route Servers,
> although in this case I use route-maps filtering on path and by
> address.  I don't even think an extended access-list will apply to a
> bgp session, but I could be wrong.

Uhm, your example wouldn't work too well if one wanted to selectively
filter longer prefixes (like all longer than /19 in 206->223).  That
is what many people are doing, and IMO what more should do.

> 
> Your BGP peer config is going to look something like this with a standard 
> access-list : 
> 
> router bgp 7171
>  neighbor 198.32.69.69 remote-as 6969    ; sorry about your luck N2K Inc.
>  neighbor 198.32.69.69 version 4
>  neighbor 198.32.69.69 distribute-list 50 in
>  neighbor 198.32.69.69 route-map as-customers out
> 
> access-list 50 deny   0.0.0.0 0.0.0.0
> access-list 50 deny   0.0.0.0 0.0.0.31
> access-list 50 deny   127.0.0.0 0.255.255.255
> access-list 50 deny   10.0.0.0 0.255.255.255  
> etc...

Yes yes, but this really limits what you can do.

How would you do:

access-list 101 permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0
 
with a standard access list?

Alec

-- 
+------------------------------------+--------------------------------------+
|Alec Peterson - ahp at hilander.com    | Erols Internet Services, INC.        |
|Network Engineer                    | Springfield, VA.                     |
+------------------------------------+--------------------------------------+
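
Added example, not part of the original message: a Python model of how the access-list 101 line above evaluates BGP prefixes when an extended list is used as a route filter. The source address/wildcard pair is compared with the prefix's network address and the destination pair with its netmask. The route list and function names are constructed for illustration.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(value, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(value) & care) == (_ip(base) & care)

def standard_acl_match(prefix, base, wildcard):
    """Standard list as a route filter: only the network address is tested."""
    net = ipaddress.IPv4Network(prefix)
    return wildcard_match(str(net.network_address), base, wildcard)

def extended_acl_match(prefix, src, src_wc, dst, dst_wc):
    """Extended list as a route filter: source pair tests the network
    address, destination pair tests the netmask."""
    net = ipaddress.IPv4Network(prefix)
    return (wildcard_match(str(net.network_address), src, src_wc)
            and wildcard_match(str(net.netmask), dst, dst_wc))

# access-list 101 permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0
ACL_101 = ("206.0.0.0", "0.255.255.255", "0.0.0.0", "255.255.224.0")

# Constructed sample announcements.
ROUTES = ["206.1.0.0/16", "206.1.0.0/19", "206.1.0.0/20",
          "206.1.0.0/24", "10.0.0.0/8"]

def filter_routes(routes):
    """Routes permitted by ACL_101; everything else hits the implicit deny."""
    return [r for r in routes if extended_acl_match(r, *ACL_101)]

if __name__ == "__main__":
    for r in ROUTES:
        std = standard_acl_match(r, "206.0.0.0", "0.255.255.255")
        ext = extended_acl_match(r, *ACL_101)
        print(f"{r:16} standard={std!s:5} extended={ext}")
```

The standard-list test returns the same answer for 206.1.0.0/16 and 206.1.0.0/24 because it never sees the mask, while the extended form permits only the /19 and shorter.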


