RE: IP route filtering question

From: Liu Jianxin-qch1927 (Jianxin.Liu@xxxxxxxxxxx)
Date: Tue Dec 04 2001 - 02:35:31 GMT-3


   
Yes, you are right!
I tried this on my router. It works!

router ospf 1
router-id 135.3.7.7
log-adjacency-changes
redistribute static subnets route-map specific
network 2.2.2.2 0.0.0.0 area 0
network 3.3.3.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 1

ip route 192.168.10.0 255.255.254.0 Null0
ip route 192.168.10.0 255.255.255.0 Null0 (to be denied)
ip route 192.168.10.0 255.255.255.192 Null0
ip route 192.168.10.64 255.255.255.192 Null0
ip route 192.168.10.128 255.255.255.128 Null0
no ip http server
!
!
ip access-list extended specific
permit ip host 192.168.10.0 host 255.255.255.0

route-map specific deny 10
 match ip address specific
!
route-map specific permit 20

-----Original Message-----
From: SFeldberg@edeltacom.com [mailto:SFeldberg@edeltacom.com]
Sent: Saturday, December 01, 2001 4:24 AM
To: Waters, Kivas (UK72)
Cc: Basel Tashkandi; ccielab@groupstudy.com; nobody@groupstudy.com
Subject: RE: IP route filtering question

Try this variation while using a route-map

!
route-map ospf2eigrp
 match ip address 117
!
access-list 117 deny ip host 192.168.10.0 host 255.255.255.0
access-list 117 deny ip host 172.16.0.0 host 255.240.0.0
access-list 117 permit ip any any

Steve

From: "Waters, Kivas (UK72)" <Kivas.Waters@Honeywell.com>
Sent by: nobody@groupstudy.com
Date: 11/30/2001 05:21 AM
Please respond to: "Waters, Kivas (UK72)"
To: Basel Tashkandi <basel@tashkandi.com>, ccielab@groupstudy.com
cc:
Subject: RE: IP route filtering question

Uummmm, Yep, apologies for the stupid "permit" etc but I guess you got the
gist of what I was asking. Here is the example written with a clear head
at 10am.

The problem I have with not specifying the specific mask for the route to
be filtered is that if I configured, for example "access-list 117 deny ip
192.168.10.0 0.0.0.255" then the filter would deny the specific route and
all its subnets from being filtered. 192.168.10.128/28 would also be
denied!! The question asks you to deny ONLY 192.168.10.0/24. I know that
in a lab scenario, configuring the ACLs listed below under b) as you
suggest will result in the expected outcome but it is not 100% accurate.
Does anyone have any ideas?

Let's say that I wanted to deny the following specific routes from being
learned by a routing process: 192.168.10.0/24 and 172.16.0.0/12

I suspect that answer c) is most correct but what do you IP routing gurus
think?

a)
access-list 7 deny 192.168.10.0
access-list 7 deny 172.16.0.0

b)
access-list 7 deny 192.168.10.0 0.0.0.255
access-list 7 deny 172.16.0.0 0.15.255.255

c)
access-list 117 deny ip 192.168.10.0 0.0.0.255 255.255.255.0 0.0.0.0
access-list 117 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.0.0.0

regards

Ki

-----Original Message-----
From: Basel Tashkandi [mailto:basel@tashkandi.com]
Sent: 30 November 2001 09:43
To: Waters, Kivas (UK72)
Cc: ccielab@groupstudy.com
Subject: Re: IP route filtering question

Hi Ki,
As you suspected, C is the right one, but you don't need the mask for the
mask; it would be enough to only say
192.168.10.0 0.0.0.255
of course with deny, not permit :)
At 23:09 29/11/2001 +0100, Waters, Kivas (UK72) wrote:
>Configuring very specific route filters for route redistribution, split
>horizon issues and general route filtering is important and I want to make
>sure that I get it right in the lab. There appear to be a number of ways
>of implementing the route filters but what I'm interested in is the ACLs
>defining the routes to be filtered. The question is, what type of route
>filters should be used in which circumstances?
>
>Here is an example ...
>
>Let's say that I wanted to deny the following specific routes from being
>learned by a routing process: 192.168.10.0/24 and 172.16.0.0/12
>
>I suspect that answer c) is most correct but what do you IP routing gurus
>think?
>
>a)
>access-list 7 permit 192.168.10.0
>access-list 7 permit 172.16.0.0
>
>b)
>access-list 7 permit 192.168.10.0 0.0.0.255
>access-list 7 permit 172.16.0.0 0.15.255.255
>
>c)
>access-list 117 permit 192.168.10.0 0.0.0.255 255.255.255.0 0.0.0.0
>access-list 117 permit 172.16.0.0 0.15.255.255 255.240.0.0 0.0.0.0
>
>best regards
>
>Ki
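
Added example, not part of the original thread: a small Python model of which routes each ACL form discussed above selects. It assumes that, in a redistribution route-map, an extended ACL's source field is compared with the route's network address and its destination field with the subnet mask. The function and variable names are illustrative, and the route list is the five static routes from the configuration at the top.

```python
import ipaddress

def wild_match(value, base, wildcard):
    """IOS wildcard compare: bits set in the wildcard are ignored."""
    v, b, w = (int(ipaddress.IPv4Address(x)) for x in (value, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (v & care) == (b & care)

def standard_hit(route, base, wildcard="0.0.0.0"):
    """Standard ACL: only the route's network address is compared."""
    net = ipaddress.IPv4Network(route)
    return wild_match(str(net.network_address), base, wildcard)

def extended_hit(route, src, src_wc, dst, dst_wc):
    """Extended ACL as a route filter (assumed reading, see lead-in):
    source field vs. network address, destination field vs. subnet mask."""
    net = ipaddress.IPv4Network(route)
    return (wild_match(str(net.network_address), src, src_wc)
            and wild_match(str(net.netmask), dst, dst_wc))

# The five static routes from the configuration at the top of the thread.
ROUTES = [
    "192.168.10.0/23",
    "192.168.10.0/24",    # the only route that should be denied
    "192.168.10.0/26",
    "192.168.10.64/26",
    "192.168.10.128/25",
]

def denied(hit, *acl_args):
    """Routes from ROUTES that the given ACL entry would match."""
    return [r for r in ROUTES if hit(r, *acl_args)]

# a) access-list 7 deny 192.168.10.0
OPTION_A = denied(standard_hit, "192.168.10.0")
# b) access-list 7 deny 192.168.10.0 0.0.0.255
OPTION_B = denied(standard_hit, "192.168.10.0", "0.0.0.255")
# c) access-list 117 deny ip 192.168.10.0 0.0.0.255 255.255.255.0 0.0.0.0
OPTION_C = denied(extended_hit, "192.168.10.0", "0.0.0.255",
                  "255.255.255.0", "0.0.0.0")
# host/host form: deny ip host 192.168.10.0 host 255.255.255.0
HOST_HOST = denied(extended_hit, "192.168.10.0", "0.0.0.0",
                   "255.255.255.0", "0.0.0.0")

if __name__ == "__main__":
    for name, hits in (("a", OPTION_A), ("b", OPTION_B),
                       ("c", OPTION_C), ("host/host", HOST_HOST)):
        print(f"{name:10} matches {hits}")
```

In this model the standard ACLs in a) and b) also catch routes other than the /24, while c) and the host/host form select only 192.168.10.0/24.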


