Re: An access-list challenge

From: Christopher Van Heuveln (cvanheuv@xxxxxxxxx)
Date: Mon Aug 28 2000 - 10:14:54 GMT-3

John,

Use an extended ACL to match an exact subnet by specifying the
subnet mask in the ACL, i.e. tell it to accept 10.0.0.0/16 but
not 10.0.0.0/24, like this:

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 100 deny ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0

The 3rd field is the subnet mask of the route and the 4th
field is a wildcard mask for the subnet mask (in this case
I want an exact match). It's a little confusing but I don't
know an easier way to explain it.

Chris

On Sun, Aug 27, 2000 at 07:52:26PM -0400, John Conzone wrote:
> Guys, someone help me out. I'm all right with class B, class C, and even
> and odd. But the mask thing is confusing me.
> How do you filter a mask in a BGP update? Source of the route okay, the
> destination the route points to okay, but the mask?
> I don't get it and it's pissing me off!
> ----- Original Message -----
> From: "Kent" <cciecn@yahoo.com>
> To: "Aaron DuShey" <aaron.dushey@dushey-consulting.com>; "'Simon Baxter'"
> <Simon.Baxter@au.logical.com>; "'CCIE Group Study (E-mail)'"
> <ccielab@groupstudy.com>
> Sent: Sunday, August 27, 2000 7:20 PM
> Subject: RE: An access-list challenge
>
>
> > Mine looks like this:
> >
> > 101 deny ip 128.0.0.0 63.254.255.255 0.0.0.0 255.254.0.0
> >
> > 101 deny ip 192.0.1.0 31.255.254.255 255.255.255.128 0.0.0.127
> >
> > 101 permit any
> >
> > I assume that 135.120.0.0 is an even class B and
> > 192.168.1.0 is an odd class C.
> >
> > Thanks
> >
> > Kent
> >
> > --- Aaron DuShey <aaron.dushey@dushey-consulting.com>
> > wrote:
> > > access-list 101 deny ip 129.0.0.0 0.254.255.255 host 255.255.0.0
> > > access-list 101 deny ip 192.168.1.0 0.0.254.255 host 255.255.255.0
> > >
> > > 1st statement: deny even-numbered class B, matching the
> > > last bit in the 2nd octet as even; host 255.255.0.0 matches class B.
> > > 2nd statement: deny odd (1) numbered class C (host 255.255.255.0).
> > >
> > > Yes no?
> > > good challenge
> > >
> > > Aaron DuShey
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com
> > > [mailto:nobody@groupstudy.com]On Behalf Of
> > > Simon Baxter
> > > Sent: Saturday, August 26, 2000 5:51 PM
> > > To: CCIE Group Study (E-mail)
> > > Subject: An access-list challenge
> > >
> > >
> > > For anybody up to it..
> > >
> > > not too nasty..
> > >
> > > RTRA
> > > router bgp 100
> > > distribute-list 101 in
> > >
> > >
> > > create access-list 101 so that RTRA doesn't accept even-numbered class B
> > > routes with a mask <16 bits or odd-numbered class C routes with a mask >24
> > > bits.
> > >
> > >
> > >
> > > I hope it didn't take you as long as it did me!!
> > >
> > >
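Chris's explanation above (source half of an extended ACL entry = route network, destination half = route mask) and Simon's original challenge, as an added example that is not part of this thread. The Python below simulates how IOS evaluates an extended ACL used as a BGP distribute-list; the ACL text and the test routes are constructed here. The `ip` keyword is added to Chris's two lines because a 100-199 access-list requires a protocol, the "even/odd" reading follows Kent's interpretation (the last octet of the classful network number), and the access-list 101 shown is my own candidate answer, not one posted in the thread.

```python
# Added example (not from the thread): a small simulator of how Cisco IOS
# evaluates an extended IP access-list applied as a BGP distribute-list.
# As Chris explains, the "source" half of each entry is matched against the
# route's network and the "destination" half against the route's subnet mask,
# and a 1 bit in a wildcard mask means "don't care". The ACL text and the
# sample routes below are constructed for this demonstration.
import ipaddress

# Chris's exact-match example, with the "ip" protocol keyword that an
# extended (100-199) access-list requires.
EXACT_MATCH_ACL = """
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 100 deny   ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
"""

# One candidate solution to Simon's challenge (mine, not a post from the
# thread), reading "even/odd" as Kent does, i.e. the last octet of the
# classful network number:
#   line 1: class B (first octet 10xxxxxx), even second octet, and a mask whose
#           16th bit is 0, which for a contiguous mask means shorter than /16;
#   line 2: class C (first octet 110xxxxx), odd third octet, and a mask whose
#           25th bit is 1, i.e. /25 or longer.
CHALLENGE_ACL = """
access-list 101 deny   ip 128.0.0.0 63.254.255.255 0.0.0.0 255.254.0.0
access-list 101 deny   ip 192.0.1.0 31.255.254.255 255.255.255.128 0.0.0.127
access-list 101 permit ip any any
"""

# Constructed test routes. Note that a /15 network address always has an even
# second octet, so "odd class B with a mask < 16 bits" cannot occur.
SAMPLE_ROUTES = [
    "135.120.0.0/15",    # even class B, /15  -> denied
    "134.0.0.0/8",       # even class B, /8   -> denied
    "135.120.0.0/16",    # even class B, /16  -> not "< 16 bits", permitted
    "135.121.0.0/16",    # odd class B, /16   -> permitted
    "192.168.1.128/25",  # odd class C, /25   -> denied
    "192.168.1.0/24",    # odd class C, /24   -> not "> 24 bits", permitted
    "192.168.2.64/26",   # even class C, /26  -> permitted
    "10.0.0.0/8",        # class A            -> permitted by the final line
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, pattern, wildcard):
    """True if VALUE equals PATTERN on every bit where WILDCARD has a 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(value) ^ _to_int(pattern)) & care == 0


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC SWC DST DWC' lines into tuples.
    'host X' expands to 'X 0.0.0.0' and 'any' to '0.0.0.0 255.255.255.255'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACL entry
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        if proto != "ip":
            raise ValueError("distribute-list entries must use protocol 'ip'")
        fields, i = [], 0
        while i < len(rest):
            if rest[i] == "host":
                fields.append((rest[i + 1], "0.0.0.0"))
                i += 2
            elif rest[i] == "any":
                fields.append(("0.0.0.0", "255.255.255.255"))
                i += 1
            else:
                fields.append((rest[i], rest[i + 1]))
                i += 2
        (src, swc), (dst, dwc) = fields
        entries.append((action, src, swc, dst, dwc))
    return entries


def route_permitted(acl, prefix):
    """Run one route through the ACL. The first entry whose network AND mask
    patterns both match decides; with no match the implicit deny applies."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    network, mask = str(net.network_address), str(net.netmask)
    for action, src, swc, dst, dwc in acl:
        if wildcard_match(network, src, swc) and wildcard_match(mask, dst, dwc):
            return action == "permit"
    return False  # implicit deny at the end of every IOS access-list


def evaluate(acl_text, prefixes):
    """Map each prefix to True (accepted by the distribute-list) or False."""
    acl = parse_acl(acl_text)
    return {p: route_permitted(acl, p) for p in prefixes}


if __name__ == "__main__":
    for prefix, ok in evaluate(CHALLENGE_ACL, SAMPLE_ROUTES).items():
        print(f"{prefix:18} {'permit' if ok else 'deny'}")
```

Running it prints permit/deny per sample route; the useful check is to change a wildcard bit (for example 255.254.0.0 to 255.255.0.0 on line 1) and watch 135.120.0.0/16 flip to deny, which is exactly the off-by-one-bit error the thread is wrestling with.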
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:31 GMT-3