This is probably ugly and difficult to read.
It also can be trimmed, but has been left overly-long and
overly-paranoid for readability when using "show access-list
112" and because the IOS 10.3 distribute-list caching
doesn't seem to mind the extra deny clauses all that much.
Sean.
- --
! list 112 - deny more specifics of some prefixes
!
! IMPORTANT-TO-REMEMBER SYNTAX FOR BGP distribute-list!
! access-list <#> <permit|deny> ip <prefix> <don't care bits> <mask> <don't care bits>
!
! clear old list
!
no access-list 112
!
! this was originally ordered A, B, C and side-effects, but
! what we really want to do is put the permit clauses up front
! starting with the swamp, as this will match the most prefixes
!
!!!!! START
!
!!!! PERMITs
!
!!! C space
!! permit /24s in 192/8-205/8.
! (192==1100 0000, 205==1100 1101)
!
! allow M =< /24 in 1100 xx0x *
! (allow mask bits in first three octets)
! 1100xx0x == {192,193,196,197,200,201,204,205}
!
access-list 112 permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0
!
!
! allow M =< /24 in 1100 {0010,0011,0110,0111,1010,1011}
! (which really means 1100 {001x,011x,101x},
! which in turn is really 1100 {x01x,011x})
! 1100x01x == {194,195,202,203}
! 1100011x == {198,199}
!
access-list 112 permit ip 194.0.0.0 9.255.255.255 0.0.0.0 255.255.255.0
access-list 112 permit ip 198.0.0.0 1.255.255.255 0.0.0.0 255.255.255.0
!
!
!! hack - allow M =< /19 in 206/8
!
access-list 112 permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0
!
! allow M =< /18 in 206/8-239/8 (1100 111x *, 1101 xxxx *, 1110 xxxx *)
! (allow mask bits in first 18 bits)
! 1100111x == {206,207}
! 1101xxxx == {208-223}
! 1110xxxx == {224-239}
! (239.0.0.0 15.255.255.255 matches only 1110xxxx, so 208-223
! needs its own entry; without it /18s in 208/8-223/8 fall through)
!
access-list 112 permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 208.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 239.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
!
!
!!! B space
!! permit /16s in old B-space
! 10xx xxxx *
! (we don't care what bits are in the first two octets
! of the mask; the second two octets must be 0)
!
access-list 112 permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0
!
!
!!! A space
!! permit /8s and shorter prefixes in old A-space
! 0xxx xxxx * would be simple but unsafe from 0/8 POV, so
! we make sure that there is at least one 1 bit in the first
! octet's last seven bits, and that the first bit is 0;
! we don't care what bits are set in the mask, because
! we assume IOS won't present us with a prefix with
! bits set in the prefix's first octet but not in the mask,
! unless it's a long mask...
!
! 126=01111110 (IOW, CddddddC C==CARE, d=don't care)
! 125=01111101
! ...
! 95=01011111
! 63=00111111
!
access-list 112 permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 2.0.0.0 125.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 4.0.0.0 123.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 8.0.0.0 119.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 16.0.0.0 111.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 32.0.0.0 95.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 64.0.0.0 63.0.0.0 0.0.0.0 255.0.0.0
!
!
!! permit 9.20.0.0/18 and 9.2/16 by exact match
! (both IBM early birds wrt subnets of As)
!
access-list 112 permit ip 9.2.0.0 0.0.255.255 255.255.0.0 0.0.0.0
access-list 112 permit ip 9.20.0.0 0.0.255.255 255.255.192.0 0.0.0.0
!
!! permit exp39 /24s and shorter prefixes only
! (no ones set in the fourth octet)
!
access-list 112 permit ip 39.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
!
!
!!!! DENYs
!
! This is super paranoia. At this point we have permitted
! all valid unicast prefixes and masks.
! In theory, we could end right here with a
!
! access-list 112 deny ip any any
!
! but this section below offers some degree of clarity
! policy-wise... (at least to me, but I'm weird -- smd)
!
! we also could have done a quick deny after each permit
! to catch any prefixes which didn't pass the permit filters,
! however, as noted below, I am superparanoid about
! funny, noncontiguous masks and other weirdnesses, and
! would like to be able to see them being caught, if
! they ever get as far as the access-list.
!
!!! A space
!! deny 0/(9-15) - 127/(9-15)
! deny subnets in old-style class A space, first octet
! (if any bit set in bit 8-15 (second octet), deny)
!
! this is a paranoid way of writing this out;
! less paranoia would let us write:
!
! ... deny ip 0.0.0.0 127.0.0.0 0.0.0.0 255.128.0.0
!
! because we believe in contiguous netmasks; so we would
! never have a /18 if we block /17.
!
! However, better safe than sorry... ?
!
! 0xxx xxxx *
!
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.128.0.0 255.127.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.64.0.0 255.191.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.32.0.0 255.223.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.16.0.0 255.239.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.8.0.0 255.247.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.4.0.0 255.251.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.2.0.0 255.253.255.255
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.1.0.0 255.254.255.255
!
!!! B space
!! deny 0-127/16, 0/(17-23) - 191/(17-23)
! deny subnets in old-style class-B space
! and second octet of class A space.
! (first two bits will be 00 or 10; so x0xx xxxx; 191==10111111)
! (if any bit set in 16-23, deny)
! we also need to zap 0xxx xxxx * /16
!
access-list 112 deny ip 0.0.0.0 127.255.255.255 0.0.0.0 255.255.0.0
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.128.0 255.255.127.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.64.0 255.255.191.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.32.0 255.255.223.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.16.0 255.255.239.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.8.0 255.255.247.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.4.0 255.255.251.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.2.0 255.255.253.255
access-list 112 deny ip 0.0.0.0 191.255.255.255 0.0.1.0 255.255.254.255
!
!
!!! C space
!! deny 206/(19-23) - 239/(19-23)
! block prefixes longer than /18 in 207/8-239/8
! no < /18 in 1100 1110 *, 1100 1111 *, 1110 xxxx *
!
! we block all M => /24 below and we did /17-/23 for 0/8-191/8 above,
! so we only need to worry about 19-23 for 207/8-239/8
!
! first, in 1100 111x (206/8, 207/8)
! (if mask has 1 bits in third octet (bits 18-23), deny)
!
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.32.0 255.255.223.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.16.0 255.255.239.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.8.0 255.255.247.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.4.0 255.255.251.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.2.0 255.255.253.255
access-list 112 deny ip 206.0.0.0 1.255.255.255 0.0.1.0 255.255.254.255
!
! next in 1101 xxxx, 1110 xxxx (208/8-239/8)
! (if mask has 1 bits in third octet (bits 18-23), deny)
! (208.0.0.0 15.255.255.255 == 1101xxxx, 239.0.0.0 15.255.255.255 == 1110xxxx)
!
access-list 112 deny ip 208.0.0.0 15.255.255.255 0.0.32.0 255.255.223.255
access-list 112 deny ip 208.0.0.0 15.255.255.255 0.0.16.0 255.255.239.255
access-list 112 deny ip 208.0.0.0 15.255.255.255 0.0.8.0 255.255.247.255
access-list 112 deny ip 208.0.0.0 15.255.255.255 0.0.4.0 255.255.251.255
access-list 112 deny ip 208.0.0.0 15.255.255.255 0.0.2.0 255.255.253.255
access-list 112 deny ip 208.0.0.0 15.255.255.255 0.0.1.0 255.255.254.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.32.0 255.255.223.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.16.0 255.255.239.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.8.0 255.255.247.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.4.0 255.255.251.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.2.0 255.255.253.255
access-list 112 deny ip 239.0.0.0 15.255.255.255 0.0.1.0 255.255.254.255
!
!!! all UNICAST space
!! deny ANY/24, ANY/(25-32)
! now we block the final octet for 0/8-239/8
! (because we specifically allowed /24s in 192/8-205/8, we can
! just block everything in xxxx xxxx * that has any 1 bits in 4th octet)
!
access-list 112 deny ip 0.0.0.0 255.255.255.255 255.255.255.0 0.0.0.0
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.128 255.255.255.127
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.64 255.255.255.191
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.32 255.255.255.223
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.16 255.255.255.239
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.8 255.255.255.247
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.4 255.255.255.251
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.2 255.255.255.253
access-list 112 deny ip 0.0.0.0 255.255.255.255 0.0.0.1 255.255.255.252
!
!!! all IP space
!! deny 240/(4-32), 0/(8-32)
! finally, we get rid of any announcements that are bogons
! 240/8-255/8 and 0/8
! 1111 xxxx * and 0000 0000 * (any mask)
! we can leave this last as it's likely almost never to happen
!
access-list 112 deny ip 255.0.0.0 15.255.255.255 0.0.0.0 255.255.255.255
access-list 112 deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
!
!!!!! END
end
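As an added illustration (not part of Sean's post), here is a small Python evaluator that applies the extended-ACL matching rule spelled out in the syntax comment at the top of the list (prefix against its wildcard, then mask against its wildcard, first match wins, implicit deny at the end) to a constructed excerpt of list 112, so that an edit to the list can be checked against sample prefixes before it goes on a router. The excerpt lines are copied from the list above; the names `ACL_112`, `parse_acl`, `wild_match` and `evaluate` are chosen here and are not IOS or project names.

```python
import ipaddress

# Constructed excerpt of list 112 (entries copied from the list above).
# The evaluator handles the full list the same way, one entry per line.
ACL_112 = """
access-list 112 permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0
access-list 112 permit ip 194.0.0.0 9.255.255.255 0.0.0.0 255.255.255.0
access-list 112 permit ip 198.0.0.0 1.255.255.255 0.0.0.0 255.255.255.0
access-list 112 permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0
access-list 112 permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 239.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0
access-list 112 permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0
access-list 112 permit ip 9.20.0.0 0.0.255.255 255.255.192.0 0.0.0.0
access-list 112 deny ip 0.0.0.0 255.255.255.255 255.255.255.0 0.0.0.0
"""


def parse_acl(text):
    """Turn 'access-list N action ip P PW M MW' lines into (action, ints)."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            continue  # comments, blank lines, anything not an entry
        ints = [int(ipaddress.IPv4Address(x)) for x in f[4:8]]
        rules.append((f[2], *ints))
    return rules


def wild_match(value, pattern, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means don't care."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)


def evaluate(rules, prefix):
    """First matching entry wins; no match falls through to the implicit deny."""
    net = ipaddress.ip_network(prefix, strict=True)
    addr, mask = int(net.network_address), int(net.netmask)
    for action, p, pw, m, mw in rules:
        # distribute-list use: the prefix is tested against the first
        # pair and the prefix's netmask against the second pair
        if wild_match(addr, p, pw) and wild_match(mask, m, mw):
            return action
    return "deny"


RULES = parse_acl(ACL_112)

if __name__ == "__main__":
    for pfx in ("192.1.2.0/24", "192.1.2.0/25", "207.10.0.0/19"):
        print(pfx, evaluate(RULES, pfx))
```

Running it prints permit for the /24, deny for the /25 (the fourth-octet mask bit trips the wildcard) and deny for 207.10.0.0/19, which shows the 206/8 hack does not leak into 207/8.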