Prev: How can you get an incomplete ARP?
Next: Vista Smart Security virus (fake program)
From: crzzy1 on 23 Apr 2010 11:27

-------
I have a customer that has the config below.
I would never write it like this, and use a standard ACL or distribute
list instead.
but to my surprise, this is allowing every static route to go be
advertised..
I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
matches and that the explicit deny would deny everything.
But NOOO... the acl is matching everything.

Can someone explain this?


Cisco#
router bgp 65001
redistribute static route-map redist-stat

route-map redist-stat permit 10
match ip address ALLOW-Default

ip access-list extended ALLOW-Default
permit ip host 0.0.0.0 host 0.0.0.0

Thorofare#sh ip route 167.219.88.146
Routing entry for 167.219.88.146/32
Known via "static", distance 1, metric 0
Redistributing via bgp 65001
Advertised by bgp 65001 route-map redist-stat
snip


Thorofare#sh access-l ALLOW-Default
Extended IP access list ALLOW-Default
10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)

Thanks,
Crzzy1
-------
From: crzzy1 on 26 Apr 2010 08:33
On Apr 23, 11:27 am, crzzy1 <cozz...(a)hotmail.com> wrote:
> -------
> I have a customer that has the config below.
> I would never write it like this, and use a standard ACL or distribute
> list instead.
> but to my surprise, this is allowing every static route to go be
> advertised..
> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
> matches and that the explicit deny would deny everything.
> But NOOO... the acl is matching everything.
>
> Can someone explain this?
>
> Cisco#
> router bgp 65001
> redistribute static route-map redist-stat
>
> route-map redist-stat permit 10
>  match ip address ALLOW-Default
>
> ip access-list extended ALLOW-Default
>  permit ip host 0.0.0.0 host 0.0.0.0
>
> Thorofare#sh ip route 167.219.88.146
> Routing entry for 167.219.88.146/32
>   Known via "static", distance 1, metric 0
>   Redistributing via bgp 65001
>   Advertised by bgp 65001 route-map redist-stat
> snip
>
> Thorofare#sh access-l ALLOW-Default
> Extended IP access list ALLOW-Default
>     10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)
>
> Thanks,Crzzy1
> -------

Would anyone like to take a stab at how I am getting so many matches
on my ACL?

Thanks,
Crzzy1

From: John Agosta on 26 Apr 2010 23:09

"crzzy1" <cozzmo1(a)hotmail.com> wrote in message
news:5d2d47b7-9ee0-43ee-b258-cc004b482f59(a)z11g2000yqz.googlegroups.com...
On Apr 23, 11:27 am, crzzy1 <cozz...(a)hotmail.com> wrote:
> -------
> I have a customer that has the config below.
> I would never write it like this, and use a standard ACL or distribute
> list instead.
> but to my surprise, this is allowing every static route to go be
> advertised..
> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
> matches and that the explicit deny would deny everything.
> But NOOO... the acl is matching everything.
>
> Can someone explain this?
>
> Cisco#
> router bgp 65001
> redistribute static route-map redist-stat
>
> route-map redist-stat permit 10
> match ip address ALLOW-Default
>
> ip access-list extended ALLOW-Default
> permit ip host 0.0.0.0 host 0.0.0.0
>
> Thorofare#sh ip route 167.219.88.146
> Routing entry for 167.219.88.146/32
> Known via "static", distance 1, metric 0
> Redistributing via bgp 65001
> Advertised by bgp 65001 route-map redist-stat
> snip
>
> Thorofare#sh access-l ALLOW-Default
> Extended IP access list ALLOW-Default
> 10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)
>
> Thanks,Crzzy1
> -------

Would anyone like to take a stab at how I am getting so many matches
on my ACL?

Thanks,
Crzzy1


Beats me. Almost seems that the matches really coincide
with the implicit deny all at the end.
Don't understand why these host matches get a match, either.

I'd like to see what happens with a "deny" on line 10 instead of a permit,
and a "permit any any" at line 20.......




From: Rob on 27 Apr 2010 03:40
crzzy1 <cozzmo1(a)hotmail.com> wrote:
> On Apr 23, 11:27 am, crzzy1 <cozz...(a)hotmail.com> wrote:
>> -------
>> I have a customer that has the config below.
>> I would never write it like this, and use a standard ACL or distribute
>> list instead.
>> but to my surprise, this is allowing every static route to go be
>> advertised..
>> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
>> matches and that the explicit deny would deny everything.
>> But NOOO... the acl is matching everything.
>>
>> Can someone explain this?
>>
>> Cisco#
>> router bgp 65001
>> redistribute static route-map redist-stat
>>
>> route-map redist-stat permit 10
>>  match ip address ALLOW-Default
>>
>> ip access-list extended ALLOW-Default
>>  permit ip host 0.0.0.0 host 0.0.0.0
>>
>> Thorofare#sh ip route 167.219.88.146
>> Routing entry for 167.219.88.146/32
>>   Known via "static", distance 1, metric 0
>>   Redistributing via bgp 65001
>>   Advertised by bgp 65001 route-map redist-stat
>> snip
>>
>> Thorofare#sh access-l ALLOW-Default
>> Extended IP access list ALLOW-Default
>>     10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)
>>
>> Thanks,Crzzy1
>> -------
>
> Would anyone like to take a stab at how I am getting so many matches
> on my ACL?

It could be that "host 0.0.0.0" actually is the internal coding for "any"
in an access list.
Although I would expect that it would come back as "permit ip any any"
on show running-config.
From: bod43 on 27 Apr 2010 07:35
On 27 Apr, 08:40, Rob <nom...(a)example.com> wrote:
> crzzy1 <cozz...(a)hotmail.com> wrote:
> > On Apr 23, 11:27 am, crzzy1 <cozz...(a)hotmail.com> wrote:
> >> -------
> >> I have a customer that has the config below.
> >> I would never write it like this, and use a standard ACL or distribute
> >> list instead.
> >> but to my surprise, this is allowing every static route to go be
> >> advertised..
> >> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
> >> matches and that the explicit deny would deny everything.
> >> But NOOO... the acl is matching everything.
>
> >> Can someone explain this?
>
> >> Cisco#
> >> router bgp 65001
> >> redistribute static route-map redist-stat
>
> >> route-map redist-stat permit 10
> >>  match ip address ALLOW-Default
>
> >> ip access-list extended ALLOW-Default
> >>  permit ip host 0.0.0.0 host 0.0.0.0
>
> >> Thorofare#sh ip route 167.219.88.146
> >> Routing entry for 167.219.88.146/32
> >>   Known via "static", distance 1, metric 0
> >>   Redistributing via bgp 65001
> >>   Advertised by bgp 65001 route-map redist-stat
> >> snip
>
> >> Thorofare#sh access-l ALLOW-Default
> >> Extended IP access list ALLOW-Default
> >>     10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)
>
> >> Thanks,Crzzy1
> >> -------
>
> > Would anyone like to take a stab at how I am getting so many matches
> > on my ACL?
>
> It could be that "host 0.0.0.0" actually is the internal coding for "any"
> in an access list.
> Although I would expect that it would come back as "permit ip any any"
> on show running-config.

Ah wait a minute!!! Surely these should be standard ACLs?
What does ANY extended ACL mean in the context of
route filtering? What is the source, what is the dest.?


I have written the stuff below now so I will leave it in
but I can't see that it is relevant given the above.

Might just be a bug, after all who is going to test
such an ACL?

10 permit ip host 0.0.0.0 host 0.0.0.0
is synonymous with
10 permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

ie all zeros IP address with no wildcard bits.

I suppose that the BGP process might interpret that
as a default route or something but that would be a bug.

Surely the answer is to get rid of that line in the ACL and
put in what is required?

Usually all routes would be of course
perm ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

zeros IP address with all bits wildcarded.


 |  Next  |  Last
Pages: 1 2
Prev: How can you get an incomplete ARP?
Next: Vista Smart Security virus (fake program)