RE: distribute-list with Extended ACL ....

From: Dustin.Yates@xxxxxxxxxxxx
Date: Wed Jul 03 2002 - 11:57:29 GMT-3


   
I'd clean it up a little more... but the result would have been the same
based on your "subnet" portion of the statement:

access-list 101 permit ip 172.16.0.0 0.0.3.0 255.255.255.0 0.0.0.0

Now, the issue here is do you want just the 4 networks you listed or any /24
in the 172.16.0.0 network? It is all /24s that are permitted by:

ip prefix-list TEST permit 172.16.0.0/22 ge 24 le 24

To answer your next question, yes the following are the same:

ip prefix-list TEST permit 172.16.0.0/22
access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.252.0 0.0.0.0
access-list 101 permit ip host 172.16.0.0 host 255.255.252.0

I think their point with the second line is just to show the use of the
extended ACL, but you are correct the deny all would have blocked those as
well.

dy

-----Original Message-----
From: Hunt Lee [mailto:ciscoforme3@yahoo.com.au]
Sent: Wednesday, July 03, 2002 9:20 AM
To: ccielab@groupstudy.com
Subject: distribute-list with Extended ACL ....

Assume that I've 4 BGP networks:

ip prefix-list TEST permit 172.16.0.0/24
ip prefix-list TEST permit 172.16.1.0/24
ip prefix-list TEST permit 172.16.2.0/24
ip prefix-list TEST permit 172.16.3.0/24

OR

ip prefix-list TEST permit 172.16.0.0/22 ge 24 le 24

And if I want to do this in Distribute-list with Extended ACL:

access-list 101 permit ip 172.16.0.0 0.0.3.255 255.255.255.0 0.0.0.0

Is this equal to the prefix-list statements??

Assume now that I have an extra aggregate 172.16.0.0/22 together with
the other 4 routes, but I want to permit only this aggregate, while
denying all the other more specific routes:-

ip prefix-list TEST permit 172.16.0.0/22

Is this the same as:-

access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.252.0 0.0.0.0

Also, I found an example on CCO that I'm a bit confused abt.

The example states that it will permit route 131.108.0/24, but deny
131.108.x.x/16 & all other subnets of 131.108.0.0

access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

So the 1st line will permit the 131.108.0.0/24 subnet, but what's the
point of the 2nd line?? Isn't it true that anything else will be
implicitly denied?

Thanks!

H.
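
The equivalences discussed in this thread can be checked mechanically. The following is an added example, not code from either poster: it models the matching the thread relies on (in a BGP distribute-list the ACL source pair is compared with the route's network address and the destination pair with its netmask) and runs the thread's statements over a constructed route list. The function names and the route list are assumptions made for illustration.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def acl_match(route, net, net_wild, mask, mask_wild):
    # Source pair is checked against the route's network address, destination
    # pair against its netmask; wildcard bits set to 1 are ignored.
    r = ipaddress.IPv4Network(route)
    care_net = ~_ip(net_wild) & 0xFFFFFFFF
    care_mask = ~_ip(mask_wild) & 0xFFFFFFFF
    return ((int(r.network_address) & care_net) == (_ip(net) & care_net) and
            (int(r.netmask) & care_mask) == (_ip(mask) & care_mask))

def prefix_list_match(route, entry, ge=None, le=None):
    # Leading bits must equal the entry; the length must equal the entry's
    # length unless ge/le widen it (ge alone: ge..32, le alone: len..le).
    r, e = ipaddress.IPv4Network(route), ipaddress.IPv4Network(entry)
    if ge is None and le is None:
        lo = hi = e.prefixlen
    else:
        lo = e.prefixlen if ge is None else ge
        hi = 32 if le is None else le
    same_bits = (int(r.network_address) & int(e.netmask)) == int(e.network_address)
    return same_bits and lo <= r.prefixlen <= hi

# Constructed sample of routes (not taken from any router in the thread).
ROUTES = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24",
          "172.16.0.0/22", "172.16.0.0/23", "172.16.4.0/24", "172.16.0.128/25",
          "172.16.0.0/16", "10.0.0.0/24"]

def permitted(match, *args, **kw):
    # Routes from ROUTES that a single permit statement would let through.
    return [r for r in ROUTES if match(r, *args, **kw)]

if __name__ == "__main__":
    checks = {
        "acl 0.0.3.255 / 255.255.255.0": permitted(
            acl_match, "172.16.0.0", "0.0.3.255", "255.255.255.0", "0.0.0.0"),
        "acl 0.0.3.0 / 255.255.255.0": permitted(
            acl_match, "172.16.0.0", "0.0.3.0", "255.255.255.0", "0.0.0.0"),
        "prefix-list /22 ge 24 le 24": permitted(
            prefix_list_match, "172.16.0.0/22", ge=24, le=24),
        "acl host / 255.255.252.0": permitted(
            acl_match, "172.16.0.0", "0.0.0.0", "255.255.252.0", "0.0.0.0"),
        "prefix-list /22": permitted(prefix_list_match, "172.16.0.0/22"),
    }
    for name, routes in checks.items():
        print(f"{name:32} {routes}")
```
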



