BGP Extended Access-List Filtering

Hello Kenneth

In this example here, the access list is being used in conjunction with a distribute-list. The distribute-list is referencing the access list in the distribute-list 100 in command. In particular, when an extended access list is called by a distribute-list, the actual IP addresses and subnet masks have a different meaning.

In such a scenario, the ACL is not matching source and destination pairs, but addresses and subnet masks. So the following ACL command:

R1(config)#access-list 100 permit ip

when referenced by a distribute list is saying:

  • I want to match exactly as the IP address
  • I want to match exactly as the subnet mask

The “exactly” comes from the If the command was:

R1(config)#access-list 100 permit ip

then what it’s saying is:

  • I want to match any IP address between to
  • that has a subnet mask that matches exactly

When you see the output of the show access-lists 100 command, it uses the ACL syntax of “host” wherever it sees the, and that’s why it can be confusing in the context of a distribute-list.

What that output is actually saying is that it will match exactly as the IP address, and exactly as the subnet mask.

For more info on how extended ACLs and distribute-lists interact, take a look at this link:

I hope this has been helpful!
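As an added illustration (not part of the reply above, and not Cisco's own code), here is a small Python model of how IOS reads an extended ACL when a distribute-list references it: the "source" address/wildcard pair is matched against the route's network address and the "destination" pair against its subnet mask, with the "host" and "any" shorthands expanded. The ACL lines and prefixes are constructed sample values, and the function names are mine.

```python
import ipaddress

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def _wild_match(value, pattern, wildcard):
    # Bits set in the wildcard are "don't care"; every other bit must be equal.
    return ((value ^ pattern) & ~wildcard & 0xFFFFFFFF) == 0

def parse_entry(line):
    """Read one IOS extended ACL line as a distribute-list does: the 'source'
    pair is network address + wildcard, the 'destination' pair is subnet mask
    + wildcard. 'host X' (IOS's display for wildcard 0.0.0.0) and 'any' expand."""
    tokens = line.split()
    ip_idx = tokens.index("ip")
    action, i, fields = tokens[ip_idx - 1], ip_idx + 1, []
    for _ in range(2):                       # network part, then mask part
        if tokens[i] == "host":
            pair, i = (_addr(tokens[i + 1]), 0), i + 2
        elif tokens[i] == "any":
            pair, i = (0, 0xFFFFFFFF), i + 1
        else:
            pair, i = (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2
        fields.extend(pair)
    return (action, *fields)

def prefix_matches(prefix, entry):
    """True if a prefix such as '10.0.5.0/24' hits this parsed entry."""
    _action, net_addr, net_wild, mask_addr, mask_wild = entry
    net = ipaddress.IPv4Network(prefix, strict=False)
    return (_wild_match(int(net.network_address), net_addr, net_wild)
            and _wild_match(int(net.netmask), mask_addr, mask_wild))

def distribute_list_filter(prefixes, acl_lines):
    """Apply the ACL top-down, first match wins, implicit deny at the end."""
    entries = [parse_entry(line) for line in acl_lines]
    permitted = []
    for prefix in prefixes:
        for entry in entries:
            if prefix_matches(prefix, entry):
                if entry[0] == "permit":
                    permitted.append(prefix)
                break
    return permitted

# Constructed sample: line 1 permits any /24 inside 10.0.0.0/16; line 2 permits
# exactly 192.168.1.0/24 (shown by IOS as 'host 192.168.1.0 host 255.255.255.0').
SAMPLE_ACL = [
    "access-list 100 permit ip 10.0.0.0 0.0.255.255 255.255.255.0 0.0.0.0",
    "access-list 100 permit ip host 192.168.1.0 host 255.255.255.0",
]
SAMPLE_PREFIXES = ["10.0.5.0/24", "10.0.0.0/16", "10.1.1.0/24", "192.168.1.0/24", "192.168.1.0/25"]
```

Running distribute_list_filter(SAMPLE_PREFIXES, SAMPLE_ACL) keeps only 10.0.5.0/24 and 192.168.1.0/24; 10.0.0.0/16 fails on the mask part and 192.168.1.0/25 fails the exact mask match, which is the "host" behaviour the reply describes.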