Quick tip: Matching default route in a standard ACL

I've got the following question from Matthew: »how would one go about matching the default route for filtering using standard ACLs?«

In all routing protocols but EIGRP (which can carry the »default candidate« flag on any IP prefix), the default route has IP address 0.0.0.0 and subnet mask 0.0.0.0.

To match the default route with a standard ACL, use access-list x permit 0.0.0.0 (the wildcard defaults to 0.0.0.0, so only the network address 0.0.0.0 matches). To match it with an extended ACL (where, in a route filter, the source part is compared with the network address and the destination part with the subnet mask), you have to use access-list y permit ip host 0.0.0.0 host 0.0.0.0. And finally, to match the default route in a prefix list, use ip prefix-list z permit 0.0.0.0/0.

This article is part of You've asked for it series.

4 comments:

  1. I have never quite understood why Cisco IOS allows prefix or route matching using ACLs. This should purely be the function of prefix lists. ACLs should only be used to match IP header fields. In case Cisco decided to keep it to extend legacy support, they should deprecate this capability ASAP as it only ends up complicating things.

  2. Route filters were implemented very early in IOS' history when the designers tried to reuse existing mechanisms (ACLs) instead of creating zillions of new commands and configuration modes.

    Sometimes they've got it right, sometimes they've tried to use a hammer on a bolt :) IP prefix lists should be used whenever possible and the only viable reason to use ACLs for route filters is to pass the CCIE lab exam.

  3. I don't understand this. I have been told to reference a default route using an ACL you would type in the following:

    access-list 100 permit ip any host 0.0.0.0

    doesn't this translate into access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 ?

    Is this not correct?

  4. Your ACL matches ANY IP prefix with a /0 mask. There could only be one (0.0.0.0/0), so it also works, but if you want to match other things (like 10.0.0.0/8), you have to be more careful.

    Anyway, prefix lists are the way to go.

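The following Python model is an added example (it is not from the post, the comments, or Cisco) that reproduces the three matching rules described above so you can check a route filter before typing it in: a standard ACL compares only the network address, an extended ACL used as a route filter compares the network address against the source part and the subnet mask against the destination part, and a prefix list compares the prefix plus its length (with optional ge/le). It also shows why the comment's access-list 100 permit ip any host 0.0.0.0 works only because 0.0.0.0/0 is the sole prefix with a /0 mask, while the same "any" pattern with host 255.0.0.0 matches every /8, not just 10.0.0.0/8. The ACL numbers, prefix-list names and sample prefixes are constructed for the demonstration.

```python
"""Model of how IOS route filters evaluate a candidate IP prefix.

Added example, not the post's or Cisco's code. Entries are written in IOS
syntax so the filters can be compared with what goes into the router config.
"""
import ipaddress


def _addr(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _wildcard_match(value, pattern, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)


def _parse_operand(tokens):
    """Consume one ACL address operand: 'any', 'host A', or 'A WILDCARD'.

    A standard ACL entry may omit the wildcard; IOS then uses 0.0.0.0.
    """
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _addr(tokens.pop(0)), 0
    pattern = _addr(tok)
    wildcard = _addr(tokens.pop(0)) if tokens and tokens[0][0].isdigit() else 0
    return pattern, wildcard


def acl_matches(prefix, entries):
    """Evaluate 'access-list N permit|deny ...' lines against a prefix.

    Numbers 1-99 are standard ACLs (network address only); 100-199 are
    extended ACLs (network address as source, subnet mask as destination).
    First matching entry wins; an implicit deny ends the list.
    """
    net = ipaddress.IPv4Network(prefix)
    network, mask = int(net.network_address), int(net.netmask)
    for line in entries:
        tokens = line.split()
        assert tokens[0] == "access-list", line
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:
            pattern, wildcard = _parse_operand(rest)
            hit = _wildcard_match(network, pattern, wildcard)
        else:
            assert rest.pop(0) == "ip", line  # protocol keyword
            src_pat, src_wc = _parse_operand(rest)
            dst_pat, dst_wc = _parse_operand(rest)
            hit = (_wildcard_match(network, src_pat, src_wc)
                   and _wildcard_match(mask, dst_pat, dst_wc))
        if hit:
            return action == "permit"
    return False  # implicit deny


def prefix_list_matches(prefix, entries):
    """Evaluate 'ip prefix-list NAME permit|deny P/L [ge G] [le L]' lines.

    Without ge/le the prefix length must match exactly; 'le' alone allows
    lengths from the base length up to L; 'ge' alone allows G up to 32.
    """
    net = ipaddress.IPv4Network(prefix)
    for line in entries:
        tokens = line.split()
        assert tokens[:2] == ["ip", "prefix-list"], line
        action, base = tokens[3], ipaddress.IPv4Network(tokens[4])
        opts = dict(zip(tokens[5::2], map(int, tokens[6::2])))
        lo = opts.get("ge", base.prefixlen)
        hi = opts.get("le", 32 if "ge" in opts else lo)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False  # implicit deny


def demo():
    """Run the filters from the post against a few constructed prefixes."""
    standard = ["access-list 1 permit 0.0.0.0"]
    extended = ["access-list 100 permit ip host 0.0.0.0 host 0.0.0.0"]
    any_zero = ["access-list 101 permit ip any host 0.0.0.0"]
    any_slash8 = ["access-list 102 permit ip any host 255.0.0.0"]
    plist = ["ip prefix-list DEFAULT permit 0.0.0.0/0"]
    return {
        "standard default": acl_matches("0.0.0.0/0", standard),
        "standard also hits 0.0.0.0/8": acl_matches("0.0.0.0/8", standard),
        "extended default": acl_matches("0.0.0.0/0", extended),
        "extended rejects 0.0.0.0/8": acl_matches("0.0.0.0/8", extended),
        "any/0.0.0.0 default": acl_matches("0.0.0.0/0", any_zero),
        "any/255.0.0.0 hits 192.0.0.0/8": acl_matches("192.0.0.0/8", any_slash8),
        "prefix-list default": prefix_list_matches("0.0.0.0/0", plist),
        "prefix-list rejects 10/8": prefix_list_matches("10.0.0.0/8", plist),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note the "standard also hits 0.0.0.0/8" line: a standard ACL cannot see the mask, so access-list 1 permit 0.0.0.0 also passes 0.0.0.0/8 should such a prefix ever appear; the extended form or the prefix list is the only way to pin the match to 0.0.0.0/0 exactly.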


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.