From: Brian Dennis (brian@labforge.com)
Date: Thu Apr 24 2003 - 22:37:55 GMT-3
Niksa,
If you want to use an ACL for filtering RIP routes, use a standard ACL.
Extended ACLs do not work with RIP.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Niksa Tomulic
Sent: Thursday, April 24, 2003 5:17 PM
To: ccielab@groupstudy.com
Subject: Distribute list with IGPs/BGP
Last topic for tonight I really need help with.
So, the purpose of my tests was to find out how to solve a simple task like
"there is a backbone running rip/ospf/bgp..whatever... and I was trying
to permit just class A, class B or class C addresses.. With prefix lists
and with access lists, just with 1 line. OK, with prefix-lists I can
improvise something, but ACLs are getting nasty (in a case I can't use
prefix-list??)
So, here is a simple test with 2 routers connected via FastEthernet
CASE 1: they are running BGP, and one router is advertising several
networks, just for testing. This is the receiving router config:
ACL with the purpose to allow just 10.0.0.0/8 - exact match, filter
others
access-list 105 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0
IOS converts it to:
access-list 105 permit ip host 10.0.0.0 host 255.0.0.0
!
router bgp 2
neighbor 20.0.0.6 remote-as 1
neighbor 20.0.0.6 distribute-list 105 in
!
!
r9#sh ip rout
C 20.0.0.0/8 is directly connected, FastEthernet0/0
B 10.0.0.0/8 [20/0] via 20.0.0.6, 00:00:24 >>>>>>>----------- HERE IS MY ROUTE
C 90.0.0.0/8 is directly connected, Loopback0
Everything is fine, my route is here.
---------------------------------------------------
CASE 2:
Now RIP, same ACL at the receiving router:
access-list 105 permit ip host 10.0.0.0 host 255.0.0.0
router rip
network 20.0.0.0
network 90.0.0.0
distribute-list 105 in FastEthernet0/0
r9#sh ip route
C 20.0.0.0/8 is directly connected, FastEthernet0/0
C 90.0.0.0/8 is directly connected, Loopback0
r9#
NO ROUTE
Where is my route?
???
r9#debug ip rip
RIP protocol debugging is on
r9#
11:18:32: RIP: received v1 update from 20.0.0.6 on FastEthernet0/0
11:18:32: 10.0.0.0 in 1 hops >>>>>>>----------- HERE IS MY ROUTE
11:18:32: 11.0.0.0 in 1 hops
11:18:32: 150.10.0.0 in 1 hops
11:18:32: 170.10.0.0 in 1 hops
11:18:32: 200.10.0.0 in 1 hops
11:18:32: 210.10.0.0 in 1 hops
Route is coming to the box, but it's filtered. Same ACL, same logic, but
doesn't work like I would like to.
Can someone explain what is going on?
I guess this doesn't relate to IGPs then?
The syntax for using an extended ACL for filtering routes is:
access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
And at the end, how to filter A,B,C classes with ACLs to IGPs? I haven't
tried with other IGP protocols yet, but this makes me worried enough
Thanks
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:05 GMT-3
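The following is an added example, not part of either message in the thread. It models Cisco wildcard matching in Python to show how a one-line standard ACL can select class A, B or C networks from the RIP update in the debug output, and how the extended-ACL syntax quoted above pairs network and mask in the BGP case. The function names and the three class wildcard pairs are this example's own, not taken from the thread.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(value, base, wildcard):
    """Cisco wildcard logic: bits set to 1 in the wildcard are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(value) & care) == (_to_int(base) & care)

def standard_acl_permits(network, entries):
    """Standard ACL used as a route filter: only the network address is matched.
    entries is a list of (base, wildcard); no match means implicit deny."""
    return any(wildcard_match(network, b, w) for b, w in entries)

def extended_acl_permits(network, mask, entries):
    """Extended ACL in a BGP distribute-list, per the syntax quoted in the thread:
    the source pair matches the network, the destination pair matches the mask."""
    return any(wildcard_match(network, nb, nw) and wildcard_match(mask, mb, mw)
               for nb, nw, mb, mw in entries)

def filter_update(routes, entries):
    """Return the routes a standard ACL would let through, in order."""
    return [r for r in routes if standard_acl_permits(r, entries)]

# Networks listed in the RIP v1 update shown in the thread's debug output.
RIP_UPDATE = ["10.0.0.0", "11.0.0.0", "150.10.0.0",
              "170.10.0.0", "200.10.0.0", "210.10.0.0"]

# One-line standard ACLs keyed on the leading bits that define each class
# (values chosen for this example).
CLASS_A = [("0.0.0.0", "127.255.255.255")]    # first bit 0
CLASS_B = [("128.0.0.0", "63.255.255.255")]   # first bits 10
CLASS_C = [("192.0.0.0", "31.255.255.255")]   # first bits 110

# ACL 105 from the thread: exactly 10.0.0.0 with exactly mask 255.0.0.0.
ACL_105 = [("10.0.0.0", "0.0.0.0", "255.0.0.0", "0.0.0.0")]

if __name__ == "__main__":
    for name, acl in (("A", CLASS_A), ("B", CLASS_B), ("C", CLASS_C)):
        print("class", name, filter_update(RIP_UPDATE, acl))
    print("10.0.0.0/8  via ACL 105:",
          extended_acl_permits("10.0.0.0", "255.0.0.0", ACL_105))
    print("10.0.0.0/16 via ACL 105:",
          extended_acl_permits("10.0.0.0", "255.255.0.0", ACL_105))
```
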