From: Rick Burts (burts@xxxxxxxxxxxxxx)
Date: Wed Feb 21 2001 - 10:15:01 GMT-3
While a simple one-line access list would solve the immediate problem of
allowing one connected subnet to be advertised and not the other, it
might have unintended consequences, including denying any learned routes
from being advertised. I believe that the most satisfactory solution is
an access list that denies the particular subnet and permits any.
The original post used an extended access list, which is not optimal.
A better (and more common) solution is a standard access list.
Rick
Rick Burts, CCSI CCIE 4615 burts@mentortech.com
Mentor Technologies 240-568-6500 ext 6652
133 National Business Parkway 240-568-6515 fax
Annapolis Junction, Md 20701
Chesapeake Network Solutions has now become Mentor Technologies.
Mentor Technologies is a certified Cisco Training Partner and also
a Cisco Professional Services partner.
We offer most of the Cisco training courses.
We also offer training in Checkpoint Firewall software and
Fore Systems (now Marconi) and MicroMuse.
We also provide network consulting services including
design, management, and problem solving.
We have 22 CCIEs on our staff.
We offer the breakthrough VLAB remote access technology for
access to practice configuration on real equipment.
On Tue, 20 Feb 2001, Mask Of Zorro wrote:
>
> Of course you are correct David, but I just wanted to point out that there
> is no performance penalty for using one line as opposed to 2. With
> access-lists, I tend to prefer those that are clear and easy to read and
> understand over those that might be more "efficient".
>
> Even with an access-list that spans dozens of lines, shaving off 6 or 10
> really doesn't impact your performance and if it makes the function of the
> list less clear it should be avoided.
>
> Just my opinion...
>
> Z
>
> >From: "David Wolsefer" <dwolsefer@wams.com>
> >Reply-To: "David Wolsefer" <dwolsefer@wams.com>
> >To: "Hebert, Cory J \(cory.hebert@wcom.com\)" <cory.hebert-eds@eds.com>
> >CC: <ccielab@groupstudy.com>
> >Subject: RE: how do I stop connected routes from being injected?
> >Date: Tue, 20 Feb 2001 11:21:27 -0800
> >
> >Look at the access-list. You specified:
> >
> >access-list 100 deny ip host 201.112.97.192 host 255.255.255.224
> >access-list 100 permit ip any any
> >
> >201.112.97.192 is the network. You can't use the host keyword because there
> >is no host 201.112.97.192. Look at it in binary.
> >
> >192 = 1100 0000, the first three bits are network as seen by the
> >255.255.255.224 mask. Redo your access-list to deny that network subnet.
> >Why not redo the access-list to permit only the network you want, this way you
> >can do it in a single line instead of two. Remember the implicit deny. You
> >also need to use inverse masks with access-lists, not regular subnet masks.
> >You should be using 0.0.0.31, not 255.255.255.224.
> >
> >Regards,
> >
> >David Wolsefer, CCIE #5858
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> >Hebert, Cory J (cory.hebert@wcom.com)
> >Sent: Tuesday, February 20, 2001 11:00 AM
> >To: 'Tracy Blackmore'
> >Cc: 'ccielab@groupstudy.com'
> >Subject: RE: how do I stop connected routes from being injected?
> >
> >
> >Here's my config. Any clues why I can't stop S0's subnet from being
> >advertised to downstream neighbors?
> >
> >interface Serial0
> > ip address 201.112.97.194 255.255.255.224
> > no fair-queue
> >!
> >interface TokenRing0
> > ip address 201.112.97.17 255.255.255.248
> > ring-speed 16
> >!
> >router eigrp 1
> > passive-interface Serial0
> > network 201.112.97.0
> > distribute-list 100 out connected
> > no auto-summary
> >!
> >access-list 100 deny ip host 201.112.97.192 host 255.255.255.224
> >access-list 100 permit ip any any
> >!
> >
> >
> >-----Original Message-----
> >From: Tracy Blackmore [mailto:TracyB@TSLAD.com]
> >Sent: Tuesday, February 20, 2001 12:49 PM
> >To: Hebert, Cory J (cory.hebert@wcom.com)
> >Subject: RE: how do I stop connected routes from being injected?
> >
> >
> >Try removing the connected from the distribute-list out command. A general
> >distribute-list out should keep EIGRP from advertising the routes specified
> >in the list.
> >
> >Tracy W. Blackmore
> >T.S. Lad Consulting
> >1026 E Stanford Ave.
> >Gilbert, AZ., 85234
> >(480)558-0472
> >
> > -----Original Message-----
> >From: Hebert, Cory J (cory.hebert@wcom.com)
> >[mailto:cory.hebert-eds@eds.com]
> >Sent: Tuesday, February 20, 2001 11:42 AM
> >To: 'Amyn Naran'; Pablo Thoma; 'ccielab@groupstudy.com'
> >Subject: RE: how do I stop connected routes from being injected?
> >
> >Thanks for the help guys. But, I guess I should have mentioned that I
> >already have passive-interfaces defined, and that still does not help. I
> >thought that 'distribute-list x out connected' would have done it, but
> >that didn't help either.
> >
> >Cory
> >
> >
> >-----Original Message-----
> >From: Amyn Naran [mailto:amyn_naran@yahoo.com]
> >Sent: Tuesday, February 20, 2001 12:14 PM
> >To: Pablo Thoma; Hebert, Cory J (cory.hebert@wcom.com)
> >Subject: Re: how do I stop connected routes from being injected?
> >
> >
> >
> >remember the intent of the passive intf - to NOT advertise but listen.
> >
> >--- Pablo Thoma <pthoma@employees.org> wrote:
> > > try
> > >
> > > passive-interface
> > >
> > > for those that you wish not to be included.
> > >
> > > Cheers,
> > >
> > > Pablo
> > >
> > > "Hebert, Cory J (cory.hebert@wcom.com)" wrote:
> > >
> > > > Hi all,
> > > >
> > > > > I have a simple question for you guys. I have a router running eigrp, and all
> > > > > interfaces on the router have subnets of the same major classful network.
> > > > > Well, obviously, I put the classful network statement under eigrp. Well, as
> > > > > soon as eigrp sees that it has an interface belonging to the same classful
> > > > > network defined under the eigrp process, it injects the connected route into
> > > > > the process.
> > > > >
> > > > > I've tried 'no redistribute connected', 'distribute-list x out connected',
> > > > > nothing works. Can someone help me to stop this connected route from being
> > > > > injected into eigrp, so that the downstream router doesn't learn it?
> > > >
> > > > Thanks!
> > > >
> > > > Cory
> > > >
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:55 GMT-3