RE: Distribute list with IGPs/BGP

From: Brian Dennis (brian@labforge.com)
Date: Fri Apr 25 2003 - 18:19:06 GMT-3


If the user is trying to match the subnet mask an extended ACL still
will not work. The wildcard mask is of the network and is not the subnet
mask of the route. Of course RIPv1 updates don't include the subnet mask
anyways.

I believe that this solution has been posted on this list a couple times
in the past.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924

-----Original Message-----
From: Tim Fletcher [mailto:tim@fletchmail.net]
Sent: Friday, April 25, 2003 1:11 PM
To: Brian Dennis; 'Niksa Tomulic'; ccielab@groupstudy.com
Subject: RE: Distribute list with IGPs/BGP

Actually extended ACLs do work with RIP, but not the way you might think.
Instead of matching the network and mask, the way they do with BGP, they
match the source and network. So

access-list 100 permit ip host 172.16.0.1 192.168.0.0 0.0.0.255

would permit 192.168.0.0/24, but only from 172.16.0.1.

I can't find it anywhere in the docs, and I can't remember where I learned
this, but I just tested it again to make sure.

-Tim Fletcher #11406

At 06:37 PM 4/24/2003 -0700, Brian Dennis wrote:
>Niksa,
>If you want to use an ACL for filtering RIP routes use a standard ACL.
>Extended ACL's do not work with RIP.
>
>Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>Director of CCIE Training and Development - IPexpert, Inc.
>Mailto: brian@ipexpert.net
>Toll Free: 866.225.8064
>Outside U.S. & Canada: 312.321.6924
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Niksa Tomulic
>Sent: Thursday, April 24, 2003 5:17 PM
>To: ccielab@groupstudy.com
>Subject: Distribute list with IGPs/BGP
>
>Last topic for tonight I really need help with
>So, the purpose of my tests was to find out how to solve a simple task like
>"there is a backbone running rip/ospf/bgp..whatever... and I was trying
>to permit just class A, class B or class C addresses.. With prefix lists
>and with access lists, just with 1 line. OK, with prefix-lists I can
>improvise something, but ACLs are getting nasty (in case I can't use
>prefix-list??)
>
>So, here is a simple test with 2 routers connected via FastEthernet
>
>CASE 1: they are running BGP, and one router is advertising several
>networks, just for testing. This is the receiving router config:
>
>ACL with the purpose to allow just 10.0.0.0/8 - exact match, filter
>others
>
>access-list 105 permit ip 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0
>IOS converts it to:
>access-list 105 permit ip host 10.0.0.0 host 255.0.0.0
>!
>router bgp 2
> neighbor 20.0.0.6 remote-as 1
> neighbor 20.0.0.6 distribute-list 105 in
>!
>!
>
>r9#sh ip rout
>C 20.0.0.0/8 is directly connected, FastEthernet0/0
>B 10.0.0.0/8 [20/0] via 20.0.0.6, 00:00:24 >>>>>>>----------- HERE IS MY ROUTE
>C 90.0.0.0/8 is directly connected, Loopback0
>
>Everything is fine, my route is here.
>---------------------------------------------------
>CASE 2:
>Now RIP, same ACL at the receiving router:
>
>access-list 105 permit ip host 10.0.0.0 host 255.0.0.0
>
>router rip
> network 20.0.0.0
> network 90.0.0.0
> distribute-list 105 in FastEthernet0/0
>
>r9#sh ip route
>C 20.0.0.0/8 is directly connected, FastEthernet0/0
>C 90.0.0.0/8 is directly connected, Loopback0
>r9#
>
>NO ROUTE
>
>Where is my route?
>???
>
>r9#debug ip rip
>RIP protocol debugging is on
>r9#
>11:18:32: RIP: received v1 update from 20.0.0.6 on FastEthernet0/0
>11:18:32: 10.0.0.0 in 1 hops >>>>>>>----------- HERE IS MY ROUTE
>11:18:32: 11.0.0.0 in 1 hops
>11:18:32: 150.10.0.0 in 1 hops
>11:18:32: 170.10.0.0 in 1 hops
>11:18:32: 200.10.0.0 in 1 hops
>11:18:32: 210.10.0.0 in 1 hops
>
>Route is coming to the box, but it's filtered. Same ACL, same logic, but
>doesn't work like I would like to.
>Can someone explain what is going on?
>
>I guess this doesn't relate to IGPs then?
>The syntax for using an extended ACL for filtering routes is:
>access-list <ACL #> permit ip <network> <wildcard mask of network>
><subnet mask> <wildcard mask of subnet mask>
>
>And at the end, how to filter A,B,C classes with ACLs to IGPs? I haven't
>tried with other IGP protocols yet, but this makes me worried enough
>Thanks



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:07 GMT-3
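The two matching behaviours the thread describes (BGP testing an extended ACL against network and subnet mask, RIP testing it against update source and network), modelled in Python as an added example; this is not IOS code or anything posted in the thread, and the helper names are assumed. It reproduces why access-list 105 passes 10.0.0.0/8 under BGP but drops the same route learned via RIP from 20.0.0.6, and why Tim's access-list 100 permits 192.168.0.0/24 only from 172.16.0.1.

```python
import ipaddress

# Constructed model of an extended ACL entry as used by a distribute-list.
# Field names are assumptions for this example, not IOS terminology.
def ace(src, src_wc, dst, dst_wc):
    return {"src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard marks as 'care' (0)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = (~w) & 0xFFFFFFFF
    return (a & care) == (b & care)

def match_ace(entry, first, second):
    """Apply the entry's source part to 'first' and destination part to 'second'."""
    return (wildcard_match(first, entry["src"], entry["src_wc"])
            and wildcard_match(second, entry["dst"], entry["dst_wc"]))

def bgp_permits(acl, prefix):
    """BGP semantics from the thread: source part = network, dest part = subnet mask."""
    net = ipaddress.IPv4Network(prefix)
    return any(match_ace(e, str(net.network_address), str(net.netmask)) for e in acl)

def rip_permits(acl, update_source, network):
    """RIP semantics from Tim's test: source part = update source, dest part = network."""
    return any(match_ace(e, update_source, network) for e in acl)

# Niksa's ACL: access-list 105 permit ip host 10.0.0.0 host 255.0.0.0
ACL_105 = [ace("10.0.0.0", "0.0.0.0", "255.0.0.0", "0.0.0.0")]
# Tim's ACL: access-list 100 permit ip host 172.16.0.1 192.168.0.0 0.0.0.255
ACL_100 = [ace("172.16.0.1", "0.0.0.0", "192.168.0.0", "0.0.0.255")]
# A RIP-style rewrite that permits 10.0.0.0 from any update source (no mask check possible)
ACL_RIP_ANY = [ace("0.0.0.0", "255.255.255.255", "10.0.0.0", "0.0.0.0")]

if __name__ == "__main__":
    print("BGP 10.0.0.0/8 via ACL 105:", bgp_permits(ACL_105, "10.0.0.0/8"))
    print("RIP 10.0.0.0 from 20.0.0.6 via ACL 105:", rip_permits(ACL_105, "20.0.0.6", "10.0.0.0"))
    print("RIP 10.0.0.0 from 20.0.0.6 via any-source ACL:", rip_permits(ACL_RIP_ANY, "20.0.0.6", "10.0.0.0"))
```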