RE: ACL question

From: Chua, Parry (Parry.Chua@xxxxxxxxxx)
Date: Mon Apr 22 2002 - 23:44:53 GMT-3


Hi,

This is what I get from my test:

1. A standard access-list cannot differentiate any mask for
   172.18.120.0, so it cannot be used.
2. A prefix list is simple.
3. Can we use an extended list? My answer is yes, from the test.

Basic setup
------------
lo 172.18.5.5/24-[R5]--eigrp-172.18.54.0/24-[R4]-lo 172.18.4.4/24
static route
redistribute to R5 eigrp
172.18.120.0/21
172.18.120.0/22
172.18.120.0/23
172.18.120.0/24
======================================================
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R5
!
logging buffered 55000 debugging
!
interface Loopback0
 ip address 172.18.5.5 255.255.255.0
!
!
interface Ethernet2/0
 ip address 172.18.54.5 255.255.255.0
!
!
router eigrp 123
 redistribute static metric 999 9 255 1 1500 route-map sub22
 network 172.18.5.0 0.0.0.255
 network 172.18.54.0 0.0.0.255
 no auto-summary
!
!
ip classless
ip route 172.18.120.0 255.255.248.0 172.18.5.248 200
ip route 172.18.120.0 255.255.252.0 172.18.5.252 200
ip route 172.18.120.0 255.255.254.0 172.18.5.254 200
ip route 172.18.120.0 255.255.255.0 172.18.5.250 200
no ip http server
!
!
ip access-list extended only22
 permit ip 172.18.120.0 0.0.1.255 host 255.255.254.0
 permit ip 172.18.120.0 0.0.7.255 host 255.255.248.0
!
route-map sub22 permit 10
 match ip address only22
!
R5#SIR

C 172.18.54.0/24 is directly connected, Ethernet2/0
D 172.18.4.0/24 [90/409600] via 172.18.54.4, 00:41:21, Ethernet2/0
C 172.18.5.0/24 is directly connected, Loopback0
S 172.18.120.0/23 [200/0] via 172.18.5.254
S 172.18.120.0/21 [200/0] via 172.18.5.248
S 172.18.120.0/22 [200/0] via 172.18.5.252
S 172.18.120.0/24 [200/0] via 172.18.5.250
R5#
/////////////////////////////////////////////////

Now you see what is in R4's routing table

When the route-map/extended access-list is applied at R5

R5#
====
Extended IP access list only22
    permit ip 172.18.120.0 0.0.1.255 host 255.255.254.0 (2 matches)
    permit ip 172.18.120.0 0.0.7.255 host 255.255.248.0 (1 match)
===============================

R4# sir
Gateway of last resort is not set

     172.18.0.0/16 is variably subnetted, 5 subnets, 3 masks
C 172.18.54.0/24 is directly connected, Ethernet0/0
C 172.18.4.0/24 is directly connected, Loopback0
D 172.18.5.0/24 [90/409600] via 172.18.54.5, 00:46:38, Ethernet0/0
D EX 172.18.120.0/21 [170/2590464] via 172.18.54.5, 00:00:04, Ethernet0/0
D EX 172.18.120.0/23 [170/2590464] via 172.18.54.5, 00:02:39, Ethernet0/0

When no access list is applied
=================================
R4#sir
Gateway of last resort is not set

     172.18.0.0/16 is variably subnetted, 7 subnets, 4 masks
C 172.18.54.0/24 is directly connected, Ethernet0/0
C 172.18.4.0/24 is directly connected, Loopback0
D 172.18.5.0/24 [90/409600] via 172.18.54.5, 00:44:07, Ethernet0/0
D EX 172.18.120.0/24 [170/2590464] via 172.18.54.5, 00:00:07, Ethernet0/0
D EX 172.18.120.0/23 [170/2590464] via 172.18.54.5, 00:00:07, Ethernet0/0
D EX 172.18.120.0/21 [170/2590464] via 172.18.54.5, 00:13:19, Ethernet0/0
D EX 172.18.120.0/22 [170/2590464] via 172.18.54.5, 00:17:09, Ethernet0/0
R4#

Parry Chua

-----Original Message-----
From: Lupi, Guy [mailto:Guy.Lupi@eurekaggn.com]
Sent: Tuesday, April 23, 2002 12:06 AM
To: 'Brian McGahan'; 'Sukhjit Singh'; ccielab@groupstudy.com
Subject: RE: ACL question

Which is perfect, because I must have spent about 9 hours one day trying
different methods with every protocol but BGP. Story of my life, but thank
you for that, I will have to practice that with bgp to make sure I
understand it. Thanks again.

~-----Original Message-----
~From: Brian McGahan [mailto:brian@cyscoexpert.com]
~Sent: Monday, April 22, 2002 12:02 PM
~To: Lupi, Guy; 'Sukhjit Singh'; ccielab@groupstudy.com
~Subject: RE: ACL question
~
~
~Guy,
~
~ Route filtering using extended access-list syntax can only be
~applied with BGP. The routes mentioned were as follows:
~
~10.1.120.0 /24
~10.1.120.0 /22
~
~If you are trying to filter these routes in the context of BGP, the
~following access-list would work:
~
~access-list 100 permit ip host 10.1.120.0 host 255.255.252.0
~
~Instead of source destination pairs, this list (only in the context of
~BGP remember) reads as a prefix & prefix-length pair. This access-list
~translates to the following prefix-list:
~
~ip prefix-list 1 permit 10.1.120.0/22
~
~If you want to do exact prefix & prefix-length matches with other
~protocols besides BGP, then you have to use the prefix-list. And yes,
~you can apply the prefix to a distribute-list with the 'distribute-list
~prefix' command. To match it in a route-map, use the syntax 'match ip
~address prefix-list'. A prefix-list can also be applied to a BGP
~neighbor directly with the command 'neighbor x.x.x.x prefix-list
~[in/out]'.
~
~HTH
~
~Brian McGahan
~CCIE #8593
~brian@cyscoexpert.com
~
~CyscoExpert Corporation
~Internetwork Consulting & Training
~http://www.cyscoexpert.com
~Voice: 847.674.3392
~Fax: 847.674.2625
~
~
~-----Original Message-----
~From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
~Lupi, Guy
~Sent: Monday, April 22, 2002 10:36 AM
~To: 'Sukhjit Singh'; ccielab@groupstudy.com
~Subject: RE: ACL question
~
~I would like to know another way also, but I have yet to find solid
~documentation on complex route filtering using extended access lists. I
~have seen an example here and there, and I have made it work before, but
~it doesn't work all the time. I am sure I am doing something wrong, but I
~can't find a good documentation piece that explains the process in
~detail. Anyone have a link or some other resource for this?
~
~~-----Original Message-----
~~From: Sukhjit Singh [mailto:ssukhjit@yahoo.com]
~~Sent: Monday, April 22, 2002 11:40 AM
~~To: Lupi, Guy; ccielab@groupstudy.com
~~Subject: RE: ACL question
~~
~~
~~Lupi,
~~
~~You are right, prefix-list worked,
~~
~~ip prefix-list 34 seq 5 deny 10.1.120.0/24
~~ip prefix-list 34 seq 15 permit 10.0.0.0/8 le 23
~~ip prefix-list 34 seq 20 permit 10.1.124.0/24
~~
~~However, I am still keen to know another way, if
~~possible using an ACL. Thanks,
~~Sukhs,
~~
~~--- "Lupi, Guy" <Guy.Lupi@eurekaggn.com> wrote:
~~> I don't know what it would be as far as an extended
~~> access list, but you
~~> could use a "distribute-list prefix" to call a
~~> prefix list instead of an
~~> access list, that way you could define exactly what
~~> you want to be
~~> redistributed.
~~>
~~> ~-----Original Message-----
~~> ~From: Sukhjit Singh [mailto:ssukhjit@yahoo.com]
~~> ~Sent: Monday, April 22, 2002 10:22 AM
~~> ~To: ccielab@groupstudy.com
~~> ~Subject: ACL question
~~> ~
~~> ~
~~> ~ACL Experts,
~~> ~
~~> ~I have two routes in my R1 routing table,
~~> ~10.1.120.0 /24
~~> ~And 10.1.120.0 /22 (Summary route)
~~> ~
~~> ~I want to filter the /24 route & want to only pass the /22
~~> ~summary route to other routers. I am using the
~~> ~distribute-list command with a route-map.
~~> ~
~~> ~It passes both of these routes, and I am not sure what
~~> ~will be the right wildcard combination which can
~~> ~differentiate between these 2 routes.
~~> ~
~~> ~Any suggestions please,
~~> ~
~~> ~regards,
~~> ~Sukhs,
~~> ~
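As an added illustration that is not from any poster in this thread, the following Python model evaluates an extended ACL the way Brian and Parry describe it for route filtering: the "source" field is compared against the route's network address and the "destination" field against its subnet mask, both with Cisco wildcard semantics, and an unmatched route hits the implicit deny. It is run over Parry's `only22` list and his four 172.18.120.0 statics (expecting only the /21 and /23 to survive, as R4's table shows) and over Brian's one-line list; the ACL and route strings are copied from the thread, Brian's line is rewritten in named-ACL form with the `ip` protocol keyword, and the parser and helper names are my own.

```python
import ipaddress

def _addr_spec(tokens, i):
    """One IOS address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD' -> (addr, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)

def parse_ace(line):
    """Parse 'permit|deny ip <prefix spec> <mask spec>' (named-ACL form) -> (action, pfx, pfx_wc, mask, mask_wc)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError("unsupported ACE: " + line)
    pfx, pfx_wc, i = _addr_spec(tokens, 2)
    mask, mask_wc, _ = _addr_spec(tokens, i)
    return tokens[0], pfx, pfx_wc, mask, mask_wc

def _wc_match(value, acl_value, wildcard):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    return ((value ^ acl_value) & ~wildcard & 0xFFFFFFFF) == 0

def route_action(acl_lines, route):
    """Action taken on route 'a.b.c.d/len': the first ACE whose prefix field matches the
    network address AND whose mask field matches the netmask wins, else the implicit deny."""
    net = ipaddress.ip_network(route, strict=False)
    prefix, netmask = int(net.network_address), int(net.netmask)
    for line in acl_lines:
        action, pfx, pfx_wc, mask, mask_wc = parse_ace(line)
        if _wc_match(prefix, pfx, pfx_wc) and _wc_match(netmask, mask, mask_wc):
            return action
    return "deny"

def permitted(acl_lines, routes):
    """Routes that survive the filter, in the order given."""
    return [r for r in routes if route_action(acl_lines, r) == "permit"]

# Parry's named list 'only22' and his four static routes, copied from the thread.
ONLY22 = ["permit ip 172.18.120.0 0.0.1.255 host 255.255.254.0",
          "permit ip 172.18.120.0 0.0.7.255 host 255.255.248.0"]
R5_STATICS = ["172.18.120.0/21", "172.18.120.0/22", "172.18.120.0/23", "172.18.120.0/24"]
# Brian's one-line list, written in named form with the 'ip' protocol keyword.
BRIAN_ACL = ["permit ip host 10.1.120.0 host 255.255.252.0"]

if __name__ == "__main__":
    print(permitted(ONLY22, R5_STATICS))  # ['172.18.120.0/21', '172.18.120.0/23']
    print(permitted(BRIAN_ACL, ["10.1.120.0/24", "10.1.120.0/22"]))  # ['10.1.120.0/22']
```

The /22 and /24 statics fall through both lines of `only22` because their masks differ from the `host` mask in each ACE, which is exactly why R4 only learns the /21 and /23.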



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:17 GMT-3