Quick tip: Matching default route in a standard ACL

I've got the following question from Matthew: »how would one go about matching the default route for filtering using standard ACLs?«

In all routing protocols but EIGRP (which can carry the »default candidate« flag on any IP prefix), the default route has IP address 0.0.0.0 and subnet mask 0.0.0.0.

To match the default route with a standard ACL, use access-list x permit 0.0.0.0. To match it with an extended ACL (which matches the IP address and the subnet mask portions), you have to use access-list y permit ip host 0.0.0.0 host 0.0.0.0. And finally, to match the default route in a prefix list, use ip prefix-list z permit 0.0.0.0/0.

This article is part of You've asked for it series.

Recent posts in the same categories

4 comments:

  1. Anonymous 09 June 2009 09:42
    I have never quite understood why cisco IOS allows prefix or route matching using ACLs. This should purely be the function of prefix lists. ACLs should only be used to match IP header fields. In case Cisco decided to keep it to extend legacy support, they should deprecate this capability asap as it only ends up complicating things
  2. Ivan Pepelnjak 09 June 2009 22:36
    Route filters were implemented very early in IOS' history when the designers tried to reuse existing mechanisms (ACLs) instead of creating zillion of new commands and configuration modes.

    Sometimes they've got it right, sometimes they've tried to use a hammer on a bolt :) IP prefix lists should be used whenever possible and the only viable reason to use ACLs for route filters is to pass the CCIE lab exam.
  3. Test 02 December 2010 07:17
    I don't understand this. I have been told to reference a default route using an ACL you would type in the following:

    access-list 100 permit ip any host 0.0.0.0

    doesn't this translate into access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 ?

    Is this not correct?
  4. Ivan Pepelnjak 02 December 2010 11:52
    Your ACL match ANY IP prefix with a /0 mask. There could only be one (0.0.0.0/0), so it also works, but if you want to match other things (like 10.0.0.0/8), you have to be more careful.

    Anyway, prefix lists are the way to go.
Add comment
Home
Sidebar