RE: Complex Access-list

From: Lupi, Guy (Guy.Lupi@xxxxxxxxxxxxx)
Date: Tue Feb 19 2002 - 13:19:51 GMT-3


So this is kind of a special situation, when the ACL is referenced for
filtering? What about in distribute lists and redistribution? Can you
have a route map that does the following? If I am correct, this will only
allow 192.168.1.0/30 routes:

red eigrp 100 route-map redeigrp metric 1500 128 128 128 1500
!
route-map redeigrp permit 10
match ip address 101
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 255.255.255.252

-----Original Message-----
From: Brian McGahan [mailto:brian@cyscoexpert.com]
Sent: Tuesday, February 19, 2002 10:26 AM
To: Wu, Sean; 'Bogus'
Cc: ccielab@groupstudy.com
Subject: Re: Complex Access-list

Sean,

    You are correct sir. For filtering routing updates, you can make an
extended access-list behave like a prefix list. The reason you need to
match with an extended list is because with a standard list, you can only
match on the prefix, not the prefix length as well.

    Let's say you have 1.2.3.0/24, and are trying to match it with a
standard ACL. You could say:

access-list 1 permit 1.2.3.0 0.0.0.255

However, this matches 1.2.3.0 - 1.2.3.255 with masks ranging from /24 to /32.

You could be more specific and say:

access-list 1 permit host 1.2.3.0

But still, this matches 1.2.3.0 with masks of /24 to /32.

The workaround with the extended ACL is to say:

access-list 100 permit ip host 1.2.3.0 host 255.255.255.0

which translates to the prefix list:

ip prefix-list 1 permit 1.2.3.0/24

HTH

Brian McGahan
CCIE #8593
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
http://www.cyscoexpert.com
Voice: 847.674.3392
Fax: 847.674.2625

----- Original Message -----
From: "Wu, Sean" <sean.wu@capitalone.com>
To: "'Bogus'" <ccie@cns-hawaii.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, February 19, 2002 8:45 AM
Subject: RE: Complex Access-list

> I have a dumb question here.
>
> In your access-list 100, does 200.0.3.0 0.255.0.255 take care of network
> portion, and 255.255.255.0 0.0.0.128 takes care of mask portion?
>
> This is different from what access-list looks like normally. I thought the
> 2nd portion "255.255.255.0 0.0.0.128" takes care of destination address
> only.
>
> Could anybody clarify this for me?
>
> thanks.
>
> Sean Wu
>
> -----Original Message-----
> From: Bogus [mailto:ccie@cns-hawaii.com]
> Sent: Monday, February 18, 2002 12:48 AM
> Cc: ccielab@groupstudy.com
> Subject: RE: Complex Access-list
>
>
> By far, I think your answer is the most accurate of them all, the only
> thing that I would have done to it is -
>
> access-list 100 permit ip 200.0.3.0 0.255.0.255 255.255.255.0 0.0.0.128
> That way he can get some of the other subnets in his fourth octet.
>
> Stanford
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Brian McGahan
> Sent: Sunday, February 17, 2002 6:53 PM
> To: Sandro Ciffali; Carolyn Camarda; Kang BS
> Cc: ccielab@groupstudy.com
> Subject: Re: Complex Access-list
>
>
> if you want to advertise 200.x.3.0, where x is any number, this would
> include 200.6.3.0/25.
>
> If you are trying to match:
> 200.3.3.0/24
> 200.4.3.0/24
> 200.6.3.0/25
>
> your list should read: access-list 100 permit ip 200.0.3.0 0.255.0.0
> 255.255.255.0 0.0.0.128 if your X is any number.
>
> An even more specific match to these 5 networks would be: access-list 100
> permit ip 200.0.3.0 0.7.0.0 255.255.255.0 0.0.0.128
>
> It depends how specific a range you're trying to match, though. The above
> list will only allow prefix lengths of /24 and /25.
>
> HTH
>
> Brian McGahan
> CCIE #8593
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> http://www.cyscoexpert.com
> Voice: 847.674.3392
> Fax: 847.674.2625
>



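An added example, not taken from any message in this thread, that models the matching Brian describes: when an extended access-list is used as a route filter, the "source" field is compared against the route's prefix and the "destination" field against its subnet mask, while a standard list only constrains the prefix. The ACL and route strings come from the thread; the function names are my own, and `permitted_lengths` only considers prefix lengths under which the given address is a real network address.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _wc_match(value: int, base: int, wildcard: int) -> bool:
    # Wildcard bit 1 = don't care, 0 = this bit must equal the base bit.
    return (value & ~wildcard & ALL_ONES) == (base & ~wildcard & ALL_ONES)

def _field(tokens):
    """Consume one address field: 'host X', 'any', or 'X WILDCARD'."""
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_ace(line: str):
    """Return ((net, net_wc), (mask, mask_wc)) for a 'permit' entry.
    A standard list has no second field, so its mask is unconstrained."""
    tok = line.split()
    if tok[3] == "ip":                      # extended: src = prefix, dst = mask
        prefix, rest = _field(tok[4:])
        mask, _ = _field(rest)
    else:                                   # standard: prefix only
        prefix, _ = _field(tok[3:])
        mask = (0, ALL_ONES)
    return prefix, mask

def route_matches(ace: str, route: str) -> bool:
    """Does the entry permit route 'a.b.c.d/len' when used as a route filter?"""
    (net, net_wc), (mask, mask_wc) = parse_ace(ace)
    addr, length = route.split("/")
    route_mask = (ALL_ONES << (32 - int(length))) & ALL_ONES
    return _wc_match(_ip(addr), net, net_wc) and _wc_match(route_mask, mask, mask_wc)

def permitted_lengths(ace: str, network: str) -> list:
    """Prefix lengths under which `network` would be permitted by the entry."""
    addr = _ip(network)
    lengths = []
    for length in range(0, 33):
        route_mask = (ALL_ONES << (32 - length)) & ALL_ONES
        if addr & ~route_mask & ALL_ONES:   # host bits set: not a network at this length
            continue
        if route_matches(ace, f"{network}/{length}"):
            lengths.append(length)
    return lengths
```

Running `permitted_lengths` on Brian's standard list `access-list 1 permit host 1.2.3.0` returns /24 through /32, while `host 1.2.3.0 host 255.255.255.0` returns only /24, which is the prefix-list equivalence he describes.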
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:27 GMT-3