From: steven.j.nelson@xxxxxx
Date: Mon Apr 22 2002 - 14:37:23 GMT-3
Louis et al.
I have just tried this at home, here are my results
I have 2 routers, R1 and R2. I realise that the 24-bit subnets in R2's
routing table are not the same as the ones listed by Sukhjit, but I couldn't
be bothered to hook up another router to get the 10.1.120.0/24 into OSPF
(if you try to use R1 and a loop you get an overlapping subnet error).
Anyway, my point is that R2 has 3 routes in its table, 2 x /24 and 1 x /22. I
have filtered the /22 with a standard access list (access-list 1) and then
removed the distribute list, and the route reappears.
So, as for not being able to filter the /22-masked route with a standard ACL:
it is possible.
Remember the router works in binary, so if it can match an address/mask with
an ACL/inverse mask, it will.
Here are my configs.
!
hostname R1
!
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface Loopback10
ip address 10.1.120.1 255.255.252.0
ip ospf network point-to-point
!
interface Loopback20
ip address 10.1.1.1 255.255.255.0
!
interface Loopback30
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/0
ip address 172.23.100.1 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
no ip address
shutdown
!
interface Serial0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
redistribute rip subnets
network 10.1.120.0 0.0.3.255 area 1
network 172.23.100.0 0.0.0.255 area 0
!
router rip
network 10.0.0.0
!
ip classless
ip http server
!
!
line con 0
line aux 0
line vty 0 4
!
end
!
hostname R2
!
!
!
!
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
!
!
!
interface Ethernet0/0
ip address 172.23.100.2 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
no ip address
shutdown
!
interface Serial0/1
no ip address
shutdown
!
interface Serial0/2
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 172.23.100.0 0.0.0.255 area 0
distribute-list 1 in Ethernet0/0
!
ip classless
ip http server
!
access-list 1 deny 10.1.120.0 0.0.3.255 log
access-list 1 permit any
!
line con 0
line aux 0
line vty 0 4
!
end
R2#
R2#
R2#sho ip rout
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.23.0.0/24 is subnetted, 1 subnets
C 172.23.100.0 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
O E2 10.1.2.0 [110/20] via 172.23.100.1, 00:01:26, Ethernet0/0
O E2 10.1.1.0 [110/20] via 172.23.100.1, 00:01:26, Ethernet0/0
R2#
R2#
R2#sho acc
R2#sho acce
R2#sho access-l
R2#sho access-lists 1
Standard IP access list 1
deny 10.1.120.0, wildcard bits 0.0.3.255 log (1 match) check=3
permit any (3 matches)
R2#
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#no distribute-list 1 in e0/0
R2(config-router)#
R2#clear ip route *
00:32:46: %SYS-5-CONFIG_I: Configured from console by console
R2#
R2#
R2#sho ip rout
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.23.0.0/24 is subnetted, 1 subnets
C 172.23.100.0 is directly connected, Ethernet0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2 10.1.2.0/24 [110/20] via 172.23.100.1, 00:00:02, Ethernet0/0
O E2 10.1.1.0/24 [110/20] via 172.23.100.1, 00:00:02, Ethernet0/0
O IA 10.1.120.0/22 [110/11] via 172.23.100.1, 00:00:02, Ethernet0/0
R2#
R2#
-----Original Message-----
From: Krucker, Louis [mailto:louis.krucker@sunrise.net]
Sent: 22 April 2002 16:50
To: Nelson,SJ,Steven,IVNH25 C; 'ssukhjit@yahoo.com ';
'ccielab@groupstudy.com '
Subject: RE: ACL question
Sorry but I can't agree, you can't filter the subnet mask with
standard access-lists. (Halabi p. 348)
But maybe I don't get the task :-))
Regards
Louis
-----Original Message-----
From: steven.j.nelson@bt.com
To: ssukhjit@yahoo.com; ccielab@groupstudy.com
Sent: 22.04.2002 17:08
Subject: RE: ACL question
Sukhjit
To block the /24 use
access-list 1 deny 10.1.120.0 0.0.0.255
access-list 1 permit any
To block the /22 use
access-list 1 deny 10.1.120.0 0.0.3.255
access-list 1 permit any
I think !!!!
Steve
-----Original Message-----
From: Sukhjit Singh [mailto:ssukhjit@yahoo.com]
Sent: 22 April 2002 15:22
To: ccielab@groupstudy.com
Subject: ACL question
ACL Experts,
I have two routes in my R1 routing table,
10.1.120.0 /24
And 10.1.120.0 /22 (Summary route)
I want to filter the /24 route & want to only pass /22
summary route to other routers. I am using
distribute-list command with route-map.
It passes both of these routes, I am not sure what
will be the right wildcard combination which can
differentiate b/w these 2 routes.
Any suggestions please,
regards,
Sukhs,
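An added example, not code from any posting in this thread, that reproduces in Python the bitwise comparison a standard ACL performs when used as a distribute-list: the ACL entries and route prefixes are the ones quoted above (plus one constructed extra /24, 10.1.123.0/24, to show what the 0.0.3.255 wildcard covers), and the decision is taken on the route's network address only, never on its mask.

```python
import ipaddress

# Constructed reproduction of the thread's two scenarios; not code from the list posting.
# A standard ACL entry is (action, address, wildcard); "permit any" is 0.0.0.0 255.255.255.255.
ACL_R2 = [("deny", "10.1.120.0", "0.0.3.255"), ("permit", "0.0.0.0", "255.255.255.255")]
ACL_SLASH24 = [("deny", "10.1.120.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def std_acl_entry_matches(entry_addr, wildcard, route_net):
    """The bitwise test a standard ACL performs: a 0 bit in the wildcard means
    'this bit must match'; a 1 bit means 'don't care'."""
    care = 0xFFFFFFFF ^ wildcard
    return (entry_addr & care) == (route_net & care)

def apply_std_acl(acl, prefix):
    """Decide permit/deny for one route under a standard ACL used as a
    distribute-list. Only the route's network address enters the comparison;
    the prefix length (/22 vs /24) is never looked at."""
    route_net = int(ipaddress.IPv4Network(prefix, strict=True).network_address)
    for action, addr, wc in acl:
        if std_acl_entry_matches(_to_int(addr), _to_int(wc), route_net):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def filter_table(acl, prefixes):
    """Apply the ACL to a list of prefixes and return {prefix: decision}."""
    return {p: apply_std_acl(acl, p) for p in prefixes}

if __name__ == "__main__":
    # Routes present on R2 in the posted test (after the filter was removed).
    r2_routes = ["10.1.1.0/24", "10.1.2.0/24", "10.1.120.0/22"]
    print("R2 with access-list 1:", filter_table(ACL_R2, r2_routes))
    # Sukhjit's original pair: same network address, different masks,
    # plus a constructed 10.1.123.0/24 that falls inside the /22 range.
    pair = ["10.1.120.0/24", "10.1.120.0/22", "10.1.123.0/24"]
    for wc, acl in (("0.0.0.255", ACL_SLASH24), ("0.0.3.255", ACL_R2)):
        print(f"deny 10.1.120.0 {wc}:", filter_table(acl, pair))
```

Both wildcards deny both of Sukhjit's routes because 10.1.120.0 masked by either wildcard is still 10.1.120.0, which is why a standard ACL alone cannot separate a /24 from the /22 that shares its network address.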