Re: Complex Access-list

From: Brian McGahan (brian@xxxxxxxxxxxxxxx)
Date: Tue Feb 19 2002 - 14:07:10 GMT-3


   
Guy,

You're close.

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 255.255.255.252
matches:

192.168.1.0/30
192.168.1.4/30
192.168.1.8/30
...
192.168.1.252/30

To match 192.168.1.0/30 *only*, the list should read

access-list 101 permit ip host 192.168.1.0 host 255.255.255.252

I try to stay away from this type of access-list however. It's much cleaner
to match this in a prefix-list, and you can edit sequentially afterwards.
The only reason I used the access-list in this case was because Kang was
originally trying to match an odd situation. He wanted to match 200.x.3.0,
where X is any number. This can't be matched with a prefix, so I used the
ACL instead. Use this instead:

ip prefix-list 1 permit 192.168.1.0/30

Yes you can apply it to a distribute list or route-map, in both cases.

!
route-map X permit 10
  match ip address prefix-list 1
  match ip address 101
!
router eigrp 1
 distribute-list 101 out
 distribute-list prefix 1 out

HTH

Brian McGahan
CCIE #8593
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
http://www.cyscoexpert.com
Voice: 847.674.3392
Fax: 847.674.2625
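
The thread above argues two things: that an extended ACL used for route filtering tests the source field against the route's network and the destination field against the route's mask, and that a pattern such as 200.x.3.0 cannot be expressed as a prefix-list entry. The following Python is an added example, not code from the thread or from Cisco. It models exactly that reading of an extended ACL, models a prefix-list entry with the standard ge/le length bounds alongside it, and runs both over constructed route lists (the routes are made up for the demonstration) so the difference between `192.168.1.0 0.0.0.255 host 255.255.255.252`, `host 192.168.1.0 host 255.255.255.252` and `ip prefix-list 1 permit 192.168.1.0/30` is visible, and so the closest prefix-list for the 200.x.3.0 case can be seen admitting 200.6.4.0/24. It does not talk to a router.

```python
"""Matcher for the two route-filter idioms discussed in this thread.

Added example, not code from the thread. It models how the thread says
IOS reads an extended ACL that is used to filter routes: the source
address/wildcard is tested against the route's network and the
destination address/wildcard against the route's subnet mask. A
prefix-list entry (with optional ge/le) is modelled alongside so the two
can be compared on the same route list. Nothing here talks to a router.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_addr(wildcard) & ALL_ONES
    return (_addr(value) & care) == (_addr(base) & care)


def _take_operand(tokens):
    """Consume one ACL address operand: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_extended_acl(line):
    """Parse 'access-list N permit ip NET NET-WC MASK MASK-WC' (route-filter reading)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("not an extended ip access-list entry: %r" % line)
    rest = tokens[4:]
    net, net_wc = _take_operand(rest)
    mask, mask_wc = _take_operand(rest)
    return {"kind": "acl", "action": tokens[2], "net": net, "net_wc": net_wc,
            "mask": mask, "mask_wc": mask_wc}


def parse_prefix_list(line):
    """Parse 'ip prefix-list NAME permit A.B.C.D/L [ge G] [le M]'."""
    tokens = line.split()
    if tokens[:2] != ["ip", "prefix-list"]:
        raise ValueError("not a prefix-list entry: %r" % line)
    prefix = ipaddress.ip_network(tokens[4], strict=False)
    opts = dict(zip(tokens[5::2], tokens[6::2]))
    ge = int(opts["ge"]) if "ge" in opts else None
    le = int(opts["le"]) if "le" in opts else None
    # No ge/le: exact length. ge alone: ge..32. le alone: L..le. Both: ge..le.
    lo = ge if ge is not None else prefix.prefixlen
    hi = le if le is not None else (32 if ge is not None else prefix.prefixlen)
    return {"kind": "prefix-list", "action": tokens[3], "prefix": prefix,
            "lo": lo, "hi": hi}


def parse_rule(line):
    if line.startswith("ip prefix-list"):
        return parse_prefix_list(line)
    return parse_extended_acl(line)


def rule_matches(rule, route):
    r = ipaddress.ip_network(route, strict=False)
    if rule["kind"] == "acl":
        # Source operand -> route network, destination operand -> route mask.
        return (wildcard_match(str(r.network_address), rule["net"], rule["net_wc"])
                and wildcard_match(str(r.netmask), rule["mask"], rule["mask_wc"]))
    return r.subnet_of(rule["prefix"]) and rule["lo"] <= r.prefixlen <= rule["hi"]


def filter_routes(rule_line, routes):
    """Return the routes (as given) that a single permit entry would pass."""
    rule = parse_rule(rule_line)
    return [route for route in routes if rule_matches(rule, route)]


# Constructed sample routes (not from the thread), chosen to hit the edge cases.
GUY_ROUTES = ["192.168.1.0/30", "192.168.1.4/30", "192.168.1.252/30",
              "192.168.1.0/24", "192.168.1.0/29", "192.168.2.0/30"]
KANG_ROUTES = ["200.3.3.0/24", "200.4.3.0/24", "200.6.3.0/25",
               "200.6.3.128/25", "200.6.4.0/24", "200.6.3.0/26"]

if __name__ == "__main__":
    for rule in ("access-list 101 permit ip 192.168.1.0 0.0.0.255 host 255.255.255.252",
                 "access-list 101 permit ip host 192.168.1.0 host 255.255.255.252",
                 "ip prefix-list 1 permit 192.168.1.0/30"):
        print(rule, "->", filter_routes(rule, GUY_ROUTES))
    for rule in ("access-list 100 permit ip 200.0.3.0 0.255.0.0 255.255.255.0 0.0.0.128",
                 "access-list 100 permit ip 200.0.3.0 0.255.0.255 255.255.255.0 0.0.0.128",
                 "ip prefix-list 2 permit 200.0.0.0/8 ge 24 le 25"):
        print(rule, "->", filter_routes(rule, KANG_ROUTES))
```

Running it shows the loose entry passing every /30 under 192.168.1.0/24 while the `host ... host ...` entry and the prefix-list pass only 192.168.1.0/30. For the 200.x.3.0 case the two wildcard variants from the thread differ only on 200.6.3.128/25 (the 0.255.0.255 wildcard admits it), and the nearest prefix-list expression, `200.0.0.0/8 ge 24 le 25`, also lets 200.6.4.0/24 through because a prefix-list has no way to pin the third octet while leaving the second free.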

----- Original Message -----
From: "Lupi, Guy" <Guy.Lupi@eurekaggn.com>
To: "'Brian McGahan'" <brian@cyscoexpert.com>; "Wu, Sean"
<sean.wu@capitalone.com>; "'Bogus'" <ccie@cns-hawaii.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, February 19, 2002 10:19 AM
Subject: RE: Complex Access-list

> So this is kind of a special situation, when the acl is referenced for
> filtering? What about in distribute lists, and redistribution? Can you
> have a route map that does the following, if I am correct this will only
> allow 192.168.1.0/30 routes:
>
> red eigrp 100 route-map redeigrp metric 1500 128 128 128 1500
> !
> route-map redeigrp permit 10
> match ip address 101
> !
> access-list 101 permit ip 192.168.1.0 0.0.0.255 host 255.255.255.252
>
>
>
> -----Original Message-----
> From: Brian McGahan [mailto:brian@cyscoexpert.com]
> Sent: Tuesday, February 19, 2002 10:26 AM
> To: Wu, Sean; 'Bogus'
> Cc: ccielab@groupstudy.com
> Subject: Re: Complex Access-list
>
>
> Sean,
>
> You are correct sir. For filtering routing updates, you can make an
> extended access-list behave like a prefix list. The reason you need to
> match with an extended list is because with a standard list, you can only
> match on the prefix, not the prefix length as well.
>
> Let's say you have 1.2.3.0/24, and are trying to match it with a
> standard ACL. You could say:
>
> access-list 1 permit 1.2.3.0 0.0.0.255
>
> However, this matches 1.2.3.0 - 1.2.3.255 with masks ranging from /24 to /32
>
> you could be more specific and say:
>
> access-list 1 permit host 1.2.3.0
>
> But still, this matches 1.2.3.0 with masks of /24 to /32
>
> The workaround with the extended ACL is to say:
>
> access-list 100 permit ip host 1.2.3.0 host 255.255.255.0
>
> which translates to the prefix-list
>
> ip prefix-list 1 permit 1.2.3.0/24
>
>
> HTH
>
> Brian McGahan
> CCIE #8593
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> http://www.cyscoexpert.com
> Voice: 847.674.3392
> Fax: 847.674.2625
>
> ----- Original Message -----
> From: "Wu, Sean" <sean.wu@capitalone.com>
> To: "'Bogus'" <ccie@cns-hawaii.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Tuesday, February 19, 2002 8:45 AM
> Subject: RE: Complex Access-list
>
>
> > I have a dumb question here.
> >
> > In your access-list 100, does 200.0.3.0 0.255.0.255 take care of network
> > portion, and 255.255.255.0 0.0.0.128 takes care of mask portion?
> >
> > This is different from what an access-list looks like normally. I thought the
> > 2nd portion "255.255.255.0 0.0.0.128" takes care of the destination address
> > only.
> >
> > Could anybody clarify this for me
> >
> > thanks.
> >
> > Sean Wu
> >
> > -----Original Message-----
> > From: Bogus [mailto:ccie@cns-hawaii.com]
> > Sent: Monday, February 18, 2002 12:48 AM
> > Cc: ccielab@groupstudy.com
> > Subject: RE: Complex Access-list
> >
> >
> > By far, I think your answer is the most accurate of them all, the only thing
> > that I would have done to it is -
> >
> > access-list 100 permit ip 200.0.3.0 0.255.0.255 255.255.255.0 0.0.0.128
> > That way he can get some of the other subnets in his fourth octet.
> >
> > Stanford
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Brian McGahan
> > Sent: Sunday, February 17, 2002 6:53 PM
> > To: Sandro Ciffali; Carolyn Camarda; Kang BS
> > Cc: ccielab@groupstudy.com
> > Subject: Re: Complex Access-list
> >
> >
> > if you want to advertise 200.x.3.0, where x is any number, this would
> > include 200.6.3.0/25.
> >
> > If you are trying to match:
> > 200.3.3.0/24
> > 200.4.3.0/24
> > 200.6.3.0/25
> >
> > your list should read: access-list 100 permit ip 200.0.3.0 0.255.0.0
> > 255.255.255.0 0.0.0.128 if your X is any number.
> >
> > An even more specific match to these 5 networks would be: access-list 100
> > permit ip 200.0.3.0 0.7.0.0 255.255.255.0 0.0.0.128
> >
> > It depends on how specific a range you're trying to match though. The above
> > list will only allow prefix lengths of /24 and /25
> >
> > HTH
> >
> > Brian McGahan
> > CCIE #8593
> > brian@cyscoexpert.com
> >
> > CyscoExpert Corporation
> > Internetwork Consulting & Training
> > http://www.cyscoexpert.com
> > Voice: 847.674.3392
> > Fax: 847.674.2625
> >
> >
> > **************************************************************************
> > The information transmitted herewith is sensitive information intended only
> > for use by the individual or entity to which it is addressed. If the reader
> > of this message is not the intended recipient, you are hereby notified that
> > any review, retransmission, dissemination, distribution, copying or other
> > use of, or taking of any action in reliance upon this information is
> > strictly prohibited. If you have received this communication in error,
> > please contact the sender and delete the material from your computer.



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:27 GMT-3