From: Sukhjit Singh (ssukhjit@xxxxxxxxx)
Date: Mon Apr 22 2002 - 17:24:22 GMT-3
Guys,
The objective was to allow summary route 10.1.120.0/22
(suppress specifics within this range) & other
specific routes of 10.1.0.0/16 etc. coming from EIGRP
into the OSPF AS. I could test it successfully in 3 ways, as
below, using a route-map:
1.
access-list 102 deny ip 10.1.120.0 0.0.0.255 255.255.255.0 0.0.0.0
access-list 102 deny ip 10.1.121.0 0.0.0.255 255.255.255.0 0.0.0.0
access-list 102 deny ip 10.1.122.0 0.0.0.255 255.255.255.0 0.0.0.0
access-list 102 deny ip 10.1.123.0 0.0.0.255 255.255.255.0 0.0.0.0
access-list 102 permit ip 10.1.120.0 0.0.3.255 255.255.252.0 0.0.0.0
access-list 102 permit ip any any
2.
prefix-list
ip prefix-list 34 seq 4 permit 10.1.120.0/22
ip prefix-list 34 seq 5 deny 10.1.120.0/22 le 24
ip prefix-list 34 seq 15 permit 0.0.0.0/0 ge 8
3.
access-list 101 deny ip host 10.1.120.0 host 255.255.255.0
access-list 101 deny ip host 10.1.121.0 host 255.255.255.0
access-list 101 deny ip host 10.1.122.0 host 255.255.255.0
access-list 101 deny ip host 10.1.123.0 host 255.255.255.0
access-list 101 permit ip host 10.1.120.0 host 255.255.252.0
access-list 101 permit ip any any
The first & 3rd are actually just different ways of
writing the ACL. So extended ACL does not only work for
BGP; it also works for other routing protocols.
Thanks for the inputs.
Sukhs,
--- Brian McGahan <brian@cyscoexpert.com> wrote:
> Guy,
>
> Route filtering using extended access-list syntax can only be
> applied with BGP. The routes mentioned were as follows:
>
> 10.1.120.0 /24
> 10.1.120.0 /22
>
> If you are trying to filter these routes in the context of BGP, the
> following access-list would work:
>
> access-list 100 permit ip host 10.1.120.0 host 255.255.252.0
>
> Instead of source destination pairs, this list (only in the context of
> BGP remember) reads as a prefix & prefix-length pair. This access-list
> translates to the following prefix-list:
>
> ip prefix-list 1 permit 10.1.120.0/22
>
> If you want to do exact prefix & prefix-length matches with other
> protocols besides BGP, then you have to use the prefix-list. And yes,
> you can apply the prefix to a distribute-list with the 'distribute-list
> prefix' command. To match it in a route-map, use the syntax 'match ip
> address prefix-list'. A prefix-list can also be applied to a BGP
> neighbor directly with the command 'neighbor x.x.x.x prefix-list
> [in/out]'.
>
> HTH
>
> Brian McGahan
> CCIE #8593
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> http://www.cyscoexpert.com
> Voice: 847.674.3392
> Fax: 847.674.2625
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lupi, Guy
> Sent: Monday, April 22, 2002 10:36 AM
> To: 'Sukhjit Singh'; ccielab@groupstudy.com
> Subject: RE: ACL question
>
> I would like to know another way also, but I have yet to find solid
> documentation on complex route filtering using extended access lists. I
> have seen an example here and there, and I have made it work before, but
> it doesn't work all the time. I am sure I am doing something wrong, but I
> can't find a good documentation piece that explains the process in
> detail.
> Anyone have a link or some other resource for this?
>
> ~-----Original Message-----
> ~From: Sukhjit Singh [mailto:ssukhjit@yahoo.com]
> ~Sent: Monday, April 22, 2002 11:40 AM
> ~To: Lupi, Guy; ccielab@groupstudy.com
> ~Subject: RE: ACL question
> ~
> ~
> ~Lupi,
> ~
> ~You are right, prefix-list worked,
> ~
> ~ip prefix-list 34 seq 5 deny 10.1.120.0/24
> ~ip prefix-list 34 seq 15 permit 10.0.0.0/8 le 23
> ~ip prefix-list 34 seq 20 permit 10.1.124.0/24
> ~
> ~However, I am still keen to know another way, if
> ~possible using an ACL. Thanks,
> ~Sukhs,
> ~
> ~--- "Lupi, Guy" <Guy.Lupi@eurekaggn.com> wrote:
> ~> I don't know what it would be as far as an extended
> ~> access list, but you
> ~> could use a "distribute-list prefix" to call a
> ~> prefix list instead of an
> ~> access list, that way you could define exactly what
> ~> you want to be
> ~> redistributed.
> ~>
> ~> ~-----Original Message-----
> ~> ~From: Sukhjit Singh [mailto:ssukhjit@yahoo.com]
> ~> ~Sent: Monday, April 22, 2002 10:22 AM
> ~> ~To: ccielab@groupstudy.com
> ~> ~Subject: ACL question
> ~> ~
> ~> ~
> ~> ~ACL Experts,
> ~> ~
> ~> ~I have two routes in my R1 routing table,
> ~> ~10.1.120.0 /24
> ~> ~And 10.1.120.0 /22 (Summary route)
> ~> ~
> ~> ~I want to filter the /24 route & want to only pass /22
> ~> ~summary route to other routers. I am using
> ~> ~distribute-list command with route-map.
> ~> ~
> ~> ~It passes both of these routes, I am not sure what
> ~> ~will be the right wildcard combination which can
> ~> ~differentiate b/w these 2 routes.
> ~> ~
> ~> ~Any suggestions please,
> ~> ~
> ~> ~regards,
> ~> ~Sukhs,
> ~> ~
> ~>
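
Added example, not part of the original posts: a small Python model that evaluates the three filters from the top message against constructed sample routes. It assumes the prefix/mask reading of extended ACLs described in this thread (first pair = prefix and wildcard, second pair = mask and wildcard); the function names and the route list are hypothetical, and the constructed 10.1.122.0/23 route shows where the prefix-list differs from the two ACLs.

```python
import ipaddress as ip

ANY = ("0.0.0.0", "255.255.255.255")
SPECIFICS = ["10.1.120.0", "10.1.121.0", "10.1.122.0", "10.1.123.0"]

def host(a):
    return (a, "0.0.0.0")  # 'host x' is x with wildcard 0.0.0.0

def acl_verdict(acl, route):
    """First match over (action, (prefix, wildcard), (mask, wildcard)) entries."""
    net = ip.ip_network(route)
    addr, mask = int(net.network_address), int(net.netmask)
    for action, (src, swild), (dst, dwild) in acl:
        s, sw, d, dw = (int(ip.ip_address(x)) for x in (src, swild, dst, dwild))
        # Wildcard bits set to 1 are "don't care" bits.
        if (addr & ~sw) == (s & ~sw) and (mask & ~dw) == (d & ~dw):
            return action
    return "deny"  # implicit deny at the end of every list

def plist_verdict(plist, route):
    """First match over (action, prefix, ge, le) entries; None means unset."""
    net = ip.ip_network(route)
    for action, prefix, ge, le in plist:
        p = ip.ip_network(prefix)
        lo = ge or p.prefixlen                    # no ge: start at prefix length
        hi = le or (32 if ge else p.prefixlen)    # no ge/le: exact length only
        if net.subnet_of(p) and lo <= net.prefixlen <= hi:
            return action
    return "deny"

# The three filters from the message, transcribed entry by entry.
ACL_102 = [("deny", (n, "0.0.0.255"), ("255.255.255.0", "0.0.0.0")) for n in SPECIFICS] + [
    ("permit", ("10.1.120.0", "0.0.3.255"), ("255.255.252.0", "0.0.0.0")),
    ("permit", ANY, ANY)]
ACL_101 = [("deny", host(n), host("255.255.255.0")) for n in SPECIFICS] + [
    ("permit", host("10.1.120.0"), host("255.255.252.0")),
    ("permit", ANY, ANY)]
PLIST_34 = [("permit", "10.1.120.0/22", None, None),
            ("deny", "10.1.120.0/22", None, 24),
            ("permit", "0.0.0.0/0", 8, None)]

def verdicts(route):
    """Return (method 1, method 2, method 3) results for one route."""
    return (acl_verdict(ACL_102, route), plist_verdict(PLIST_34, route),
            acl_verdict(ACL_101, route))

if __name__ == "__main__":
    # Constructed sample routes, not taken from a real routing table.
    for r in ["10.1.120.0/22", "10.1.121.0/24", "10.1.0.0/16", "10.1.122.0/23"]:
        print(f"{r:16} {verdicts(r)}")
```
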