[c-nsp] BGP/route-map/acl question/logic...
Gert Doering
gert at greenie.muc.de
Tue Feb 3 04:02:17 EST 2015
Hi,
On Tue, Feb 03, 2015 at 09:48:35AM +0100, Peter Rathlev wrote:
> On Tue, 2015-02-03 at 09:30 +0100, Gert Doering wrote:
> > It's hard to come up with a really useful example, but given that extended
> > ACLs match both on prefix base and netmask with wildcard bits, this is
> > more flexibility than you'll ever use without your brain blowing up.
> >
> > access-list 100 permit 10.0.5.0 0.255.0.0 255.255.255.0 0.0.0.255
> >
> > "for every /24 out of 10/0 that is 10.x.5.0/24, permit /24../32"
> >
> > do that with a prefix list :-)
>
> On the other hand, almost all people doing this are doing something
> wrong. ;-)
I do have to agree on that - I just wanted to challenge the "more
flexible" statement from Lukas.
And I'm not doing anything like that today ;-)
(OTOH, it depends on your addressing plans... "in every site out there,
.x.5.0/24 is the XX-LAN, while .x.6.0/23 is the YY-LAN, and to ensure
that no more-specifics are learned, take /24 only for .x.5.0/24, and
/23 for .x.6.0/23...")
> And that's _almost_ all of course. Someone very skilled might have a
> legitimate purpose for doing exactly this, but OP (and people like me)
> are not among those.
>
> I'd say stick to prefix-lists and then when you can write route-maps in
> your sleep from arbitrary policy wishes, but still can't solve a given
> problem with prefix-lists _then_ look at using access-lists. :-)
Amen :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
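Worked example, added here and not part of the thread: a small Python model of how an IOS extended ACL is applied to a BGP prefix (address compared under the address wildcard, netmask compared under the mask wildcard, first match wins, implicit deny at the end). It evaluates Gert's access-list 100 line against a few constructed prefixes, and also a second ACL (access-list 101, my own rendering of the "XX-LAN is .x.5.0/24, YY-LAN is .x.6.0/23, no more-specifics" site plan from the message above; the ACL number and entries are assumptions). The candidate prefixes are made up for illustration.

```python
"""Model of IOS extended-ACL matching as used by 'match ip address <acl>'
in a BGP route-map.  Added example, not from the cisco-nsp thread.

Semantics modelled (IOS behaviour, as described in the thread):
  * the route's network address is compared with the ACL source address
    under the source wildcard (wildcard bit set = don't care);
  * the route's netmask is compared with the ACL 'destination' address
    under the destination wildcard;
  * entries are tried in order, first match decides, implicit deny at end.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Gert's example entry: "every 10.x.5.0 prefix, /24 .. /32"
GERT_ACL = [
    "access-list 100 permit 10.0.5.0 0.255.0.0 255.255.255.0 0.0.0.255",
]

# Assumed site-plan ACL (my rendering of the prose policy, not from the post):
# XX-LAN: 10.x.5.0/24 exactly, YY-LAN: 10.x.6.0/23 exactly, nothing longer.
SITE_ACL = [
    "access-list 101 permit 10.0.5.0 0.255.0.0 255.255.255.0 0.0.0.0",
    "access-list 101 permit 10.0.6.0 0.255.0.0 255.255.254.0 0.0.0.0",
]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: int, base: int, wildcard: int) -> bool:
    """IOS wildcard compare: a set wildcard bit means 'don't care'."""
    care = ~wildcard & ALL_ONES
    return (value & care) == (base & care)


def parse_acl(lines):
    """Parse 'access-list N permit|deny A WA M WM' lines into tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 7 or parts[0] != "access-list":
            raise ValueError(f"unsupported ACL line: {line!r}")
        _, _num, action, addr, addr_wc, mask, mask_wc = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        entries.append((action, _to_int(addr), _to_int(addr_wc),
                        _to_int(mask), _to_int(mask_wc)))
    return entries


def acl_permits(acl_lines, prefix: str) -> bool:
    """Return True if the prefix (e.g. '10.7.5.0/24') is permitted."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    addr, mask = int(net.network_address), int(net.netmask)
    for action, a, a_wc, m, m_wc in parse_acl(acl_lines):
        if wildcard_match(addr, a, a_wc) and wildcard_match(mask, m, m_wc):
            return action == "permit"
    return False  # implicit deny


def evaluate(acl_lines, prefixes):
    """Map each candidate prefix to its permit/deny result."""
    return {p: acl_permits(acl_lines, p) for p in prefixes}


if __name__ == "__main__":
    # Constructed candidates: note that 10.7.5.128/25 is denied by Gert's
    # line even though /25 is within the mask range, because the address
    # part 10.0.5.0 with wildcard 0.255.0.0 still pins the last octet to 0.
    candidates = ["10.7.5.0/24", "10.200.5.0/26", "10.7.5.128/25",
                  "10.7.6.0/24", "10.7.4.0/23", "10.7.6.0/23", "11.7.5.0/24"]
    for name, acl in (("acl 100", GERT_ACL), ("acl 101", SITE_ACL)):
        for prefix, ok in evaluate(acl, candidates).items():
            print(f"{name}: {prefix:16s} {'permit' if ok else 'deny'}")
```

The same policy as a prefix-list would need one `ip prefix-list ... permit 10.N.5.0/24` line per site, which is exactly the case where the second-octet wildcard buys something; for everything else, the prefix-list version is the one a colleague can read at 3 a.m.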