RE: ACL's: Even/Odd -- allow EVEN

From: Kumar, Senthil (senthil.kumar@intechnology.co.uk)
Date: Wed Feb 12 2003 - 16:13:12 GMT-3

• Next message: sam: "RE: Inverse Mask versus Network mask"
• Previous message: Stong, Ian C [GMG]: "RE: Pix IOS 6.2 failover"
• Maybe in reply to: CCIE1DAY: "RE: ACL's: Even/Odd -- allow EVEN"
• Next in thread: Bob Usa: "RE: ACL's: Even/Odd -- allow EVEN"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

why dont you use standard access-list and keep it simple

access-list 1 permit 198.5.0.0 0.0.254.255 - even routes only

router rip
distribute-list in 1 e0/0
!

you will need extended acl for route filtering only with bgp to check the
prefix and subnet mask..

but did you ever manage to feed a extended-acl in distribute-list, i dont
think it will work.

-----Original Message-----
From: CCIE1DAY
To: Sage Vadi; ccielab@groupstudy.com
Sent: 12/02/2003 10:56
Subject: RE: ACL's: Even/Odd -- allow EVEN

THis is because you are using your extended access list incorrectly.

should be as follows

access-list 101 permit ip <source address of RIP speaker > < inv-mask> <
routes_allowable> < inv mask>

so, in your example

router rip
net xxx
distribute-list 101 in E0 !or whatever!
access-list 101 permit ip any 198.5.0.0 0.0.254.255
!

NOW, if you wanted to resrict not only the accepted routes, but from WHO
you
received them from you could:

access-list 101 pemit ip host 135.1.2.2 198.5.0.0 0.0.254.255
access-list 101 pemit ip host 135.1.2.3 198.5.1.0 0.0.254.255

would accept even subnets from 135.1.2.2 and odds from 135.1.2.3

cheers

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Sage Vadi
Sent: 12 February 2003 10:23
To: ccielab@groupstudy.com
Subject: RE: ACL's: Even/Odd -- allow EVEN

All,

Receive the following RIPv1 routes (ingress).

198.5.51.0 in 1 hops
198.5.52.0 in 1 hops
198.5.53.0 in 1 hops
198.5.54.0 in 1 hops

Want to permit only the EVEN networks. My calculation
as follows:

52 = 00110100
54 = 00110110

Accordingly we have to do an inverse mask that matches
on the LAST bit (even numbers). That is what I have
done and tested on a subnet calculator (it seems to
bring out the correct addresses).

Hence -

permit ip 198.5.0.0 0.0.254.255 any

Would permit ALL even networks (til 254). Which is
fine, I don't care how speficic.

Q) When I apply this inbound on my egress interface
where I'm receiving this routes - it just doesn't
work?!?!

What stupid thing am I doing? I feel like bashing this
monitor...

rgds,
Sage

• Next message: sam: "RE: Inverse Mask versus Network mask"
• Previous message: Stong, Ian C [GMG]: "RE: Pix IOS 6.2 failover"
• Maybe in reply to: CCIE1DAY: "RE: ACL's: Even/Odd -- allow EVEN"
• Next in thread: Bob Usa: "RE: ACL's: Even/Odd -- allow EVEN"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:20 GMT-3