RE: access-list subnet mask mask

From: Jack.W.Parks@xxxxxxxxxx
Date: Tue Jun 04 2002 - 23:30:46 GMT-3


   
This link explains and shows examples of using an extended access-list for
prefix filtering with the "neighbor <ip addr> distribute-list" command.

An excerpt from
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/1rdbgp.htm#xtocid41

Standard access lists may be used to filter routing updates. However, in
the case of route filtering when using classless interdomain routing
(CIDR), standard access lists do not provide the level of granularity
that is necessary to configure advanced filtering of network addresses
and masks. Extended access lists, configured with the access-list (IP
extended) command, should be used to configure route filtering when
using CIDR because extended access lists allow the network operator to
use wild card bits to filter the relevant prefixes and masks. Wild card
bits are similar to the bit masks that are used with normal access
lists; prefix and mask bits that correspond to wild card bits that are
set to 0 are used in the comparison of addresses or prefixes and wild
card bits that are set to 1 are ignored during any comparisons. This
function of extended access list configuration can also be used to
filter addresses or prefixes based on the prefix length.

        -----Original Message-----
        From: Treptow, Georg
        Sent: Tue 6/4/2002 8:49 PM
        To: 'Jonathan Natale'; Bruce Williams; Narvaez, Pablo; Roberts, Larry; Ccielab@Groupstudy. Com
        Cc:
        Subject: RE: access-list subnet mask mask
        
        

        I believe it would = 150.10.0.0 0.0.255.255
        
        Georg
        
        -----Original Message-----
        From: Jonathan Natale [mailto:jonatale@earthlink.net]
        Sent: Tuesday, June 04, 2002 11:17 PM
        To: Bruce Williams; Narvaez, Pablo; Roberts, Larry; Ccielab@Groupstudy. Com
        Subject: RE: access-list subnet mask mask
        
        
        I think "ip prefix-list LIST seq 10 per 150.10.0.0/16" ==
        "access-list 101 permit ip 150.10.0.0 0.0.0.0 255.255.0.0 0.0.0.0"
        right?
        
        -----Original Message-----
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Bruce Williams
        Sent: Friday, May 31, 2002 2:04 PM
        To: Narvaez, Pablo; Roberts, Larry; Ccielab@Groupstudy. Com
        Subject: RE: access-list subnet mask mask
        
        
        You're right, I am trying to match the exact mask. I have the answer.
        I already knew about the prefix list solution, but I wanted to know
        how to do it with an access-list also.
        
        Here it is.
        
        Two ways to do this.
        
        access-list 101 permit ip 150.10.0.0 0.0.255.255 host 255.255.0.0
        
        or use a prefix list
        ip prefix-list LIST seq 10 per 150.10.0.0/16
        
        
        Bruce Williams
        
        
        
        -----Original Message-----
        From: Narvaez, Pablo [mailto:Pablo.Narvaez@getronics.com]
        Sent: Friday, May 31, 2002 1:05 PM
        To: Roberts, Larry; Bruce Williams; Ccielab@Groupstudy. Com
        Subject: RE: access-list subnet mask mask
        
        
        I think what he is trying to do is to use an ACL to match the exact
        mask, which sometimes you just can't do with "normal" ACLs.
        
>It went something like this: access-list 101 permit ip 150.10.0.0
>0.0.255.255 mask 255.255.0.0 0.0.255.255
        
        From this example, I think you can configure it like:
        
        access-list 101 permit ip 150.10.0.0 0.0.255.255 host 255.255.0.0
        
        or
        
        access-list 101 permit ip host 150.10.0.0 host 255.255.0.0
        
        
        Please correct me if wrong, and Bruce let us know how it goes.
        
        
        
        Cheers,
        
        hockito
        
        
        
        -----Original Message-----
        From: Roberts, Larry [mailto:Larry.Roberts@expanets.com]
        Sent: Viernes, 31 de Mayo de 2002 11:33 a.m.
        To: 'Bruce Williams'; Ccielab@Groupstudy. Com
        Subject: RE: access-list subnet mask mask
        
        
        Can you tell us what you're trying to do?
        Access-lists use wildcard masks, not subnet masks (unless you're
        on a PIX, that's a whole different story!)
        
        If you wanted to permit a specific IP (150.10.1.2) to go anyplace
        then you would do:
        
        Access-list 101 permit ip host 150.10.1.2 any
        Or
        Access-list 101 permit ip 150.10.1.2 0.0.0.0 any
        Both are the same.
        
        A 1 in the mask means I don't care, a 0 is an exact match.
        The any is the same as saying:
        
        X.x.x.x 255.255.255.255. Since you don't care (255 is all 1's)
        the first octet doesn't matter and will be re-written as
        0.0.0.0 255.255.255.255 or "any" <-- most likely (depends on
        code version...)
        
        
        
        Thanks
        
        Larry
        
        -----Original Message-----
        From: Bruce Williams [mailto:bruce@williamsnetworking.com]
        Sent: Friday, May 31, 2002 11:04 AM
        To: Ccielab@Groupstudy. Com
        Subject: access-list subnet mask mask
        
        
        Can someone please tell me how to create an access-list that
        will specify the exact size of the mask? I cannot remember how to
        do it and I can't find it on CCO. It went something like this:
        access-list 101 permit ip 150.10.0.0 0.0.255.255 mask 255.255.0.0
        0.0.255.255
        
        Bruce Williams
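
The thread above (and the Cisco excerpt at the top) boils down to one rule: when an extended ACL is applied as a route filter, the "source" field is compared against the network number and the "destination" field against the subnet mask, with wildcard bit 0 meaning "must match" and 1 meaning "don't care". The following Python is an added worked example, not code from the thread or from Cisco; it simulates that comparison so the entries people posted can be checked against candidate routes. It assumes the source-equals-network, destination-equals-mask semantics the excerpt describes and handles the `host`, `any`, and `address wildcard` spellings; it also goes one step past the thread and shows the prefix-length filtering the excerpt mentions (a wildcard on the mask field). The ACL lines and route list are constructed sample input.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _addr(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _parse_pair(tokens, i):
    """Parse one address/wildcard field starting at tokens[i].

    Accepts the three IOS spellings: 'any', 'host A.B.C.D', and
    'A.B.C.D W.W.W.W'. Returns (address, wildcard, next_index).
    """
    tok = tokens[i].lower()
    if tok == "any":
        return 0, ALL_ONES, i + 1
    if tok == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_acl_entry(line):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' into a dict.

    Only the IP-protocol form used for route filtering is handled;
    port qualifiers and other protocols are rejected.
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[0].lower() != "access-list" or tokens[3].lower() != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    action = tokens[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    src, src_wc, i = _parse_pair(tokens, 4)
    dst, dst_wc, i = _parse_pair(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in: {line!r}")
    return {"action": action, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}


def _wildcard_match(value, pattern, wildcard):
    """Bits where the wildcard is 0 must agree; bits where it is 1 are ignored."""
    return ((value ^ pattern) & (ALL_ONES & ~wildcard)) == 0


def entry_matches_route(entry, prefix):
    """Apply one entry to a route the way a distribute-list does (assumed
    semantics from the Cisco text): source field vs. network number,
    destination field vs. subnet mask."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return (_wildcard_match(int(net.network_address), entry["src"], entry["src_wc"])
            and _wildcard_match(int(net.netmask), entry["dst"], entry["dst_wc"]))


def filter_routes(acl_lines, prefixes):
    """First matching entry wins; an unmatched route hits the implicit deny."""
    entries = [parse_acl_entry(line) for line in acl_lines]
    permitted = []
    for prefix in prefixes:
        for entry in entries:
            if entry_matches_route(entry, prefix):
                if entry["action"] == "permit":
                    permitted.append(prefix)
                break
    return permitted


# Constructed samples: Bruce's exact-mask entry, and a prefix-length entry
# (mask must start with 24 ones, the last octet of the mask is don't-care,
# so only /24 or longer prefixes inside 10/8 are permitted).
EXACT_SLASH16 = ["access-list 101 permit ip 150.10.0.0 0.0.255.255 host 255.255.0.0"]
AT_LEAST_SLASH24 = ["access-list 102 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255"]

if __name__ == "__main__":
    routes = ["150.10.0.0/16", "150.10.0.0/24", "150.11.0.0/16"]
    print("ACL 101 permits:", filter_routes(EXACT_SLASH16, routes))
    routes = ["10.1.0.0/16", "10.1.2.0/24", "10.1.2.128/25", "10.1.2.3/32"]
    print("ACL 102 permits:", filter_routes(AT_LEAST_SLASH24, routes))
```

Running it shows why Georg's standard-style `150.10.0.0 0.0.255.255` is not enough on its own: it says nothing about the mask, so 150.10.0.0/24 would pass too, whereas the `host 255.255.0.0` destination field pins the mask to exactly /16. Jonathan's `0.0.0.0` wildcards and the `host` keyword parse to the same entry, as he suspected.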
        



This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:24 GMT-3