RE: Access list

From: Olivier Martin (omartin@xxxxxxxx)
Date: Fri Sep 14 2001 - 13:02:55 GMT-3


You are right.

Thanks!

Olivier

-----Original Message-----
From: Roger Dellaca [mailto:rdellaca@bpopca.com]
Sent: September 14, 2001 11:58
To: omartin@genia.ca; ccielab@groupstudy.com; WILLIAMSG@PANASONIC.COM
Subject: RE: Access list

this is a good idea, but I believe the access-list needs to be different
(because it's an inverse mask):

! Class A networks - allow 0 thru 127 - last 3 octets are 0
access-list 100 permit ip 0.0.0.0 127.0.0.0 host 255.0.0.0
! Class B networks - allow 128.0 thru 191.255 - last 2 octets are 0
access-list 100 permit ip 128.0.0.0 63.255.0.0 host 255.255.0.0
! Class C networks - allow 192.0.0 thru 223.255.255 - last octet is 0
access-list 100 permit ip 192.0.0.0 31.255.255.0 host 255.255.255.0

>>> Olivier Martin <omartin@genia.ca> 09/14 8:28 AM >>>
I guess so. It's the equivalent of
access-list 100 permit ip any host 255.255.255.0

So the net part corresponds to 'any' and the mask, to /24. But if you want
ALL classful networks to go in, you would need to be more specific. Nice
way to replace a prefix-list if you are not, for any reason, allowed to use
it in a given scenario.

! Class A networks
access-list 100 permit ip 0.0.0.0 128.0.0.0 host 255.0.0.0
! Class B networks
access-list 100 permit ip 0.0.0.0 192.0.0.0 host 255.255.0.0
! Class C networks
access-list 100 permit ip 0.0.0.0 224.0.0.0 host 255.255.255.0

Because :
128.0.0.0 = 1000 0000.0000 0000.0000 0000.0000 0000
192.0.0.0 = 1100 0000.0000 0000.0000 0000.0000 0000
224.0.0.0 = 1110 0000.0000 0000.0000 0000.0000 0000

Means precisely that the host part has to satisfy the first two IP addresses
in the statement (0.0.0.0 and 128.0.0.0). This way, any network that has a
1 or a 0 as the first digit has to have 0 in positions 1, 2, 3, 4, 5, 6 and 7 in
order to pass the access-list, and so satisfies the classful requirement.
Following the same logic, the others would include class B networks and
class C networks. I'm pretty sure this would work in a BGP filtering
scenario. From OSPF to EIGRP or other protocols, I guess it would work too.
Don't forget that the "no ip classless" statement could help you out there
too.

Please someone correct me if I'm wrong.

-----Original Message-----
From: Williams, Glenn [mailto:WILLIAMSG@PANASONIC.COM]
Sent: September 14, 2001 10:50
To: 'Olivier Martin'
Subject: RE: Access list

Now that I can think, wouldn't:

access-list 100 permit ip 0.0.0.0 255.255.255.255 host 255.255.255.0

only allow pure class 'C' routes in?

Thanks

God Bless America

GW

-----Original Message-----
From: Olivier Martin [mailto:omartin@genia.ca]
Sent: Friday, September 14, 2001 9:23 AM
To: Williams, Glenn
Subject: RE: Access list

Yes. If you would want this network to kick in, you would need:
access-list 100 permit ip 10.1.128.0 0.0.15.255 255.255.240.0 0.0.0.0
if you only want the 10.1.128.0/20 network to pass. If you want any
10.1.0.0/20 to pass, you would rather use:
access-list 100 permit ip 10.1.0.0 0.0.255.255 255.255.240.0 0.0.0.0
or
access-list 100 permit ip 10.1.0.0 0.0.255.255 host 255.255.240.0

Remember that this allows only the /20 network to pass. If you want the
/20, /21, etc. to pass, you might use a regular access-list:
access-list 10 permit 10.1.0.0 0.0.15.255

Should work.

Olivier

-----Original Message-----
From: Williams, Glenn [mailto:WILLIAMSG@PANASONIC.COM]
Sent: September 14, 2001 10:09
To: 'Olivier Martin'
Subject: RE: Access list

Thank you. It is taking some time to sink in. So is the part "host
255.255.0.0" locking in, so to speak, a 16-bit class 'B' network? In other
words, for example, if the network 10.1.128.0 255.255.240.0 tried to get in,
it would be dropped?

Thanks

God Bless America

GW

-----Original Message-----
From: Olivier Martin [mailto:omartin@genia.ca]
Sent: Friday, September 14, 2001 8:48 AM
To: Williams, Glenn
Subject: RE: Access list

In this particular case (route filtering), my understanding is that the
first part of the extended access-list is for the network part and the
second to control the mask.

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.0.0 0.0.0.0
or
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 255.255.0.0
means the same.

This would allow anything in the 10.1.0.0/16, 10.2.0.0/16, etc. networks.
The first part is the network number, then the "ones" in the mask part
represent the don't-care part of the network number.
The same logic applies to the mask part. The first part is the mask you
want and the second part, the don't-care bits of the mask. For example:

10.0.0.0
00001010.00000000.00000000.00000000
combined bitwise mask part
0.255.255.255 = 255.0.0.0 -> 10.0.0.0 AND 255.0.0.0 = 10.0.0.0
11111111.00000000.00000000.00000000
yields:
00001010.00000000.00000000.00000000 = 10.0.0.0
Now, go with the mask part...
255.255.0.0
11111111.11111111.00000000.00000000
logical AND with the opposite of the bitwise mask (don't-care bits)
0.0.0.0 = 255.255.255.255
11111111.11111111.11111111.11111111
means that the net mask is:
255.255.0.0

I'm not sure I'm very clear on this one... ask for help if in doubt.

Olivier

-----Original Message-----
From: Williams, Glenn [mailto:WILLIAMSG@PANASONIC.COM]
Sent: September 14, 2001 09:24
To: 'ccielab@groupstudy.com'
Subject: Access list

Hi all,

Access lists are still difficult for me. A lab asks to allow only classful
routes in. The following solution was proposed, I guess to allow only one
particular class 'C' route? Anyway, the use of the extended access list
here has me confused. Can anyone explain why this would be used and how it
works?

router bgp 101
 no synchronization
 neighbor 170.1.1.254 route-map classfull in
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 host 255.255.255.0
route-map classfull permit 10
match ip address 101
!

Thanks

God Bless America

GW
**Please read:http://www.groupstudy.com/list/posting.html
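The thread above works out by hand how IOS reads an extended access-list when a route-map applies it to routes: the source address/wildcard pair is matched against the route's network and the destination pair against its subnet mask, with a 0 wildcard bit meaning "must equal" and a 1 bit meaning "don't care". The following Python model is an added example and is not code from the thread or from Cisco; it assumes exactly that matching rule (as the participants describe it), models only `permit`/`deny ip` entries with the `host` and `any` shorthands, and keeps the implicit deny at the end of the list. It evaluates the original `access-list 101`, Olivier's first attempt and Roger's corrected list against constructed sample routes, and checks the corrected list against an independent definition of "classful".

```python
"""Model of an IOS extended ACL used for route filtering (added example,
not from the original thread).  Assumed rule, as stated in the thread:
source pair = route's network, destination pair = route's subnet mask."""
import ipaddress
from dataclasses import dataclass
from typing import List


def addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bit = must equal base, 1 bit = don't care."""
    care = ~addr(wildcard) & 0xFFFFFFFF
    return (addr(value) ^ addr(base)) & care == 0


@dataclass
class Entry:
    action: str
    net: str
    net_wc: str
    mask: str
    mask_wc: str


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny ip SRC SRCWC DST DSTWC' (host/any allowed)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    action, rest, pairs = tok[2], tok[4:], []
    while rest:
        if rest[0] == "host":            # host X  ==  X 0.0.0.0
            pairs.append((rest[1], "0.0.0.0")); rest = rest[2:]
        elif rest[0] == "any":           # any     ==  0.0.0.0 255.255.255.255
            pairs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        else:
            pairs.append((rest[0], rest[1])); rest = rest[2:]
    (net, net_wc), (mask, mask_wc) = pairs
    return Entry(action, net, net_wc, mask, mask_wc)


def netmask(prefixlen: int) -> str:
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)


def route_permitted(acl: List[str], prefix: str) -> bool:
    """Evaluate a route 'NET/LEN' against the ACL: first match wins, implicit deny."""
    network, plen = prefix.split("/")
    mask = netmask(int(plen))
    for e in map(parse_entry, acl):
        if wildcard_match(network, e.net, e.net_wc) and wildcard_match(mask, e.mask, e.mask_wc):
            return e.action == "permit"
    return False


def is_classful(prefix: str) -> bool:
    """Independent reference: class A is /8, B is /16, C is /24, no host bits set."""
    try:
        net = ipaddress.IPv4Network(prefix, strict=True)
    except ValueError:
        return False
    first = int(net.network_address) >> 24
    if first < 128:
        return net.prefixlen == 8
    if first < 192:
        return net.prefixlen == 16
    if first < 224:
        return net.prefixlen == 24
    return False


# Lists quoted from the thread
ORIGINAL_ACL = ["access-list 101 permit ip 192.168.10.0 0.0.0.255 host 255.255.255.0"]
FIRST_ATTEMPT_ACL = [  # 128.0.0.0 etc. used as if they were true masks
    "access-list 100 permit ip 0.0.0.0 128.0.0.0 host 255.0.0.0",
    "access-list 100 permit ip 0.0.0.0 192.0.0.0 host 255.255.0.0",
    "access-list 100 permit ip 0.0.0.0 224.0.0.0 host 255.255.255.0",
]
CORRECTED_ACL = [      # inverse masks covering each whole class range
    "access-list 100 permit ip 0.0.0.0 127.0.0.0 host 255.0.0.0",
    "access-list 100 permit ip 128.0.0.0 63.255.0.0 host 255.255.0.0",
    "access-list 100 permit ip 192.0.0.0 31.255.255.0 host 255.255.255.0",
]
# Constructed sample routes (not from the thread)
SAMPLE_ROUTES = ["10.0.0.0/8", "10.1.0.0/16", "10.1.128.0/20", "128.0.0.0/8",
                 "172.16.0.0/16", "192.168.10.0/24", "200.1.0.0/16", "224.0.0.0/4"]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(f"{r:18} classful={is_classful(r)!s:5} original={route_permitted(ORIGINAL_ACL, r)!s:5} "
              f"first={route_permitted(FIRST_ATTEMPT_ACL, r)!s:5} corrected={route_permitted(CORRECTED_ACL, r)}")
```

Running it shows the point Roger makes: the first attempt's class A line only matches a network of 0.0.0.0 or 128.0.0.0 (every other bit is a "must equal zero" bit), so 10.0.0.0/8 is dropped while 128.0.0.0/8 gets through; the corrected list agrees with `is_classful` on every sample route. It also shows why `any host 255.255.255.0` is not a classful filter: it would let 10.1.128.0/24 in.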



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:18 GMT-3