From: Tony Brown (tbrown@xxxxxxxxxxx)
Date: Tue Oct 09 2001 - 06:21:25 GMT-3
Just realized - did you mean to apply the distribute-list to the
neighbor?
-Tony
-----Original Message-----
From: Cox, Bryan [mailto:bryan.cox@avistacorp.com]
Sent: Tuesday, October 09, 2001 4:23 AM
To: 'ccielab@groupstudy.com'
Subject: extended acl with distribute-lists
Group,
This one is puzzling me and I think I understand it yet it still remains
unresolved...
I am just trying to filter /24 routes from the BGP updates. Thus I apply
the 102 access-list. However a look at the route table below reveals that
the /24 routes continue to leak in without being screened.
I also tried to screen out any /24 route with a 137.20.0.0/16 prefix. This
was easily accomplished with a prefix-list but I have not had success with
an extended access-list. I tried
access-list 102 deny ip 137.20.0.0 0.0.255.255 255.255.255.0 0.0.0.0
access-list 102 per ip any any
I also tried
access-list 102 deny ip 137.20.0.0 0.0.255.0 255.255.255.0 0.0.0.0
access-list 102 per ip any any
Every time the route table looks the same....
Here are portions of the config:
router bgp 3
network 160.10.10.0 mask 255.255.255.0
network 161.10.10.0 mask 255.255.255.0
network 170.10.10.0 mask 255.255.255.0
network 172.168.70.0 mask 255.255.255.0
aggregate-address 160.0.0.0 240.0.0.0
neighbor 200.200.200.1 remote-as 2
neighbor 200.200.200.1 ebgp-multihop 2
neighbor 200.200.200.1 route-map setmed out
distribute-list 102 in
!
ip classless
ip route 200.200.200.0 255.255.255.0 137.20.10.1
ip bgp-community new-format
!
access-list 1 permit any
access-list 101 permit ip any 200.200.200.0 0.0.0.255
access-list 102 deny ip 0.0.0.0 255.255.255.0 host 255.255.255.0
access-list 102 permit ip any any
An excerpt of the route table follows:
137.20.0.0/16 is variably subnetted, 17 subnets, 6 masks
B 137.20.200.16/28 [20/969] via 200.200.200.1, 00:06:21
B 137.20.240.1/32 [20/870] via 200.200.200.1, 00:06:21
B 137.20.30.0/24 [20/939] via 200.200.200.1, 00:06:21
B 137.20.25.0/24 [20/0] via 200.200.200.1, 00:06:21
B 137.20.20.0/24 [20/934] via 200.200.200.1, 00:06:21
B 137.20.60.1/32 [20/880] via 200.200.200.1, 00:06:21
B 137.20.40.16/28 [20/969] via 200.200.200.1, 00:06:21
B 137.20.48.0/20 [20/0] via 200.200.200.1, 00:06:22
B 137.20.33.0/26 [20/934] via 200.200.200.1, 00:06:22
B 137.20.90.0/24 [20/0] via 200.200.200.1, 00:06:22
B 137.20.81.0/24 [20/0] via 200.200.200.1, 00:06:22
B 137.20.80.0/20 [20/0] via 200.200.200.1, 00:06:22
B 137.20.80.0/24 [20/0] via 200.200.200.1, 00:06:22
B 137.20.82.0/24 [20/0] via 200.200.200.1, 00:06:22
B 137.20.100.32/27 [20/933] via 200.200.200.1, 00:06:22
B 137.20.64.0/20 [20/879] via 200.200.200.1, 00:06:22
200.200.100.0/32 is subnetted, 1 subnets
B 200.200.100.1 [20/934] via 200.200.200.1, 00:06:22
172.168.0.0/24 is subnetted, 2 subnets
B 172.168.80.0 [20/0] via 200.200.200.1, 00:06:22
B* 0.0.0.0/0 [20/0] via 200.200.200.1, 00:06:22
B 160.0.0.0/4 [200/0] via 0.0.0.0, 00:06:22, Null0
Any ideas?
Bryan Cox
San Jose October 25th.
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:15 GMT-3
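Added example, not part of the original thread: a small Python evaluator showing which prefixes from the route table excerpt the two extended ACLs quoted above would deny when used as a route filter. It assumes the source field of each entry is compared with the route's network address and the destination field with its subnet mask; the function names and the ROUTES sample (picked from the excerpt) are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(value, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "ignore this bit".
    return ((value ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST'; SRC/DST: any | host A | A W."""
    tok = line.split()
    action, rest, fields = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF)); rest = rest[1:]
        elif rest[0] == "host":
            fields.append((ip(rest[1]), 0)); rest = rest[2:]
        else:
            fields.append((ip(rest[0]), ip(rest[1]))); rest = rest[2:]
    return action, fields[0], fields[1]

def evaluate(acl, prefix):
    """Return 'permit' or 'deny' for a route such as '137.20.30.0/24'."""
    net = ipaddress.IPv4Network(prefix)
    addr, mask = int(net.network_address), int(net.netmask)
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        # Assumed semantics: source field vs. network, destination field vs. mask.
        if wc_match(addr, sb, sw) and wc_match(mask, db, dw):
            return action
    return "deny"  # implicit deny at the end of every ACL

def surviving(acl, routes):
    return [r for r in routes if evaluate(acl, r) == "permit"]

# ACL 102 as it appears in the posted config.
ACL_CONFIG = ["access-list 102 deny ip 0.0.0.0 255.255.255.0 host 255.255.255.0",
              "access-list 102 permit ip any any"]
# First attempted variant from the post ("per" written out as "permit").
ACL_137 = ["access-list 102 deny ip 137.20.0.0 0.0.255.255 255.255.255.0 0.0.0.0",
           "access-list 102 permit ip any any"]
# Constructed sample: prefixes taken from the route table excerpt.
ROUTES = ["137.20.30.0/24", "137.20.200.16/28", "137.20.48.0/20",
          "172.168.80.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    print("config ACL keeps:", surviving(ACL_CONFIG, ROUTES))
    print("137.20 ACL keeps:", surviving(ACL_137, ROUTES))
```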