[c-nsp] Leaking specific routes from a VRF

Victor Cappuccio vcappucc at cisco.com
Mon Sep 7 05:28:06 EDT 2009


Hi Luisi, 

while I am not aware of the complete thread, I see that you are trying to
match VRF route information, using prefix-list or access-list:

For question A:

Basically, the le parameter in the prefix list you showed us, "ip prefix-list
FTP_NET seq 1 permit 10.53.0.224/29 le 32", means the following for me: check
the first 29 bits of the prefix 10.53.0.224 and make sure that they match.
Then it will check to make sure that the subnet mask is LESS THAN or EQUAL
to 32; the subnet mask can't be any lower than the bits we are checking. So
the valid range of subnet masks for this one would be 32 bits down to 29
bits (24,25,26,27-- and so on).
Please check out this article:
https://cisco.hosted.jivesoftware.com/.../How%20do%20prefix%20list%20work.pdf


And For question B:

A normal access-list CANNOT check the subnet mask of a network. It can only
check bits to make sure they match, nothing more. A prefix-list has an
advantage over an access-list in that it CAN check BOTH bits and subnet mask
- both would have to match for the network to be either permitted or denied.
Of course you can use an extended access-list to filter routes and make it
behave just like a prefix-list. Please take a look at the following link:
http://tcpmag.com/qanda/article.asp?EditorialsID=358


Thanks

Victor Cappuccio.-
vcappucc at cisco.com
CCIE(R/S) #20657
STAC Support Engineer
Cisco Small Business Support.
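As an added illustration of the "le"/"ge" semantics discussed in the reply above (example code written for this page, not from the original thread and not Cisco IOS code), here is a small Python model of how a prefix-list entry is evaluated: the first L bits must match, and the candidate's mask length must fall in the ge/le window, which without "le" collapses to an exact /L match. The function and class names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PrefixListEntry:
    """One 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge G] [le E]' line."""
    name: str
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None


def parse_entry(line: str) -> PrefixListEntry:
    """Parse an IOS-style prefix-list line (constructed parser, not IOS itself)."""
    t = line.split()
    if t[:2] != ["ip", "prefix-list"] or t[3] != "seq":
        raise ValueError(f"not a prefix-list entry: {line!r}")
    entry = PrefixListEntry(name=t[2], seq=int(t[4]), action=t[5],
                            network=ipaddress.ip_network(t[6], strict=False))
    rest = t[7:]
    while rest:  # optional 'ge G' / 'le E' keywords, in any order
        key, val, rest = rest[0], int(rest[1]), rest[2:]
        if key == "ge":
            entry.ge = val
        elif key == "le":
            entry.le = val
        else:
            raise ValueError(f"unknown keyword {key!r}")
    return entry


def entry_matches(entry: PrefixListEntry, candidate: str) -> bool:
    """True if the candidate route falls under this entry's prefix and mask window."""
    cand = ipaddress.ip_network(candidate, strict=False)
    base_len = entry.network.prefixlen
    # A mask shorter than L cannot share the first L bits in the prefix-list sense.
    if cand.prefixlen < base_len or not cand.subnet_of(entry.network):
        return False
    # Window: neither keyword -> exactly /L; 'le' only -> L..le; 'ge' only -> ge..32.
    lo = entry.ge if entry.ge is not None else base_len
    hi = entry.le if entry.le is not None else (32 if entry.ge is not None else base_len)
    return lo <= cand.prefixlen <= hi


def prefix_list_permits(entries, candidate: str) -> bool:
    """First matching entry in seq order decides; no match is an implicit deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry_matches(entry, candidate):
            return entry.action == "permit"
    return False
```

With "le 32" the entry admits the /29 itself plus every longer prefix inside it; drop "le 32" and only the exact 10.53.0.224/29 route is matched, which is the impact question A asks about.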

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Monday, 07 September 2009 11:17
To: Tomas Caslavsky
Cc: ivan.diaz at raxon.es; cisco-nsp at puck.nether.net; Daniska Tomas
Subject: Re: [c-nsp] Leaking specific routes from a VRF

Hi all,

We are doing some tests here with the code provided by Tomas.
We have several questions for which we were not able to find a proper answer
on the internet, and we would like to share them with you to see whether we
understand everything correctly:

a) "ip prefix-list" has a parameter called "le" so we can create the
rule like this: 

ip prefix-list FTP_NET seq 1 permit 10.53.0.224/29 le 32

What is the reason to use the "le" parameter? We saw it in several examples
on the internet but we don't understand it yet.
What is the impact if we don't use it?

b) Is there any difference if we use a normal ACL instead of a prefix-list
in the route-map? We also saw several configurations using ACLs and it
seems to do the same.

Regards and thanks in advance.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
