RE: More about ACLs

From: jfaure@sztele.com
Date: Sat May 10 2003 - 16:08:36 GMT-3


Hi Brian:

If I'm not wrong, and following your examples and explanations, the
extended access list to match these 3 networks (and to match the /24 mask
too):
199.172.1.0/24
199.172.5.0/24
199.172.21.0/24

would be:

access-list 199 permit 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0

But I'm trying this solution and it doesn't work. I have a router talking RIP
version 2 with another one. I'm applying this ACL as part of a distribute
list to filter only the networks I said before, but no luck (not one
network passes to me). Can anyone explain why?

However, if I use a standard ACL like: permit 199.172.1.0 0.0.20.0, then
there is no problem and only the 3 networks pass. But, as I said, I
would like to be more specific, because with this second solution if some
day a prefix like 199.172.21.0/26 appears, this prefix would be allowed too
and I don't want this.

Obviously, if you add more lines to the ACL or build a prefix list (for
example) with the 3 networks and the mask they have, you can do so. I'm
looking for a solution with the minimum number of command lines, if possible.

Regards

Juan Faure Ferrer
email: jfaure@sztele.com

Telematics and CC Business Line
Network and Systems Integration Engineer
----------------------------------------------------------------------------

SOLUZIONA TELECOMUNICACIONES
Servicios Profesionales de UNION FENOSA
Jerez, 3
28016 MADRID
tel 91 579 30 00 fax 91 350 72 83
---------------------------------------------------------------------------

From: "Brian Dennis" <brian@labforge.com>
To: <jfaure@sztele.com>
cc: <ccielab@groupstudy.com>
Subject: RE: More about ACLs
Date: 10/05/03 19:45

The syntax for using an extended ACL for filtering routes is:
access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>

Here are some examples:
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
  matches 10.0.0.0/16 - Only

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
  matches 10.0.0.0/24 - Only

access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
  matches 10.1.1.0/24 - Only

access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
  matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
  /24 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
  matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
  with a /24 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
  matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
  network with a /28 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
  matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
  octet of the network with a /24 to /32 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
  matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
  octet of the network with a /25 to /32 subnet mask

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
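As an added illustration (my own code, not from the thread or from any vendor tool), a small Python model of the match rule Brian describes: the first address/wildcard pair is tested against the route's network address, the second pair against its subnet mask. It evaluates the ACL from Juan's first message (with the `ip` keyword that Brian's syntax requires) against a constructed set of candidate prefixes; an entry that Brian lists is also checked in the usage below.

```python
import ipaddress


def _int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard is 'don't care'."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(value) & care) == (_int(pattern) & care)


def entry_matches(entry: str, prefix: str) -> bool:
    """True when one extended ACL entry, in the syntax Brian gives, matches a route.

    entry:  'access-list <n> permit|deny ip <net> <net-wc> <mask> <mask-wc>'
    prefix: the route as text, e.g. '199.172.1.0/24'
    The source half is checked against the route's network address and the
    destination half against its subnet mask, as the thread explains.
    """
    f = entry.split()
    if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
        raise ValueError(f"unexpected entry: {entry!r}")
    route = ipaddress.ip_network(prefix, strict=False)
    return (wildcard_match(str(route.network_address), f[4], f[5])
            and wildcard_match(str(route.netmask), f[6], f[7]))


def permitted_routes(acl, prefixes):
    """First-match evaluation with the implicit deny at the end of the list."""
    allowed = []
    for p in prefixes:
        for entry in acl:
            if entry_matches(entry, p):
                if entry.split()[2] == "permit":
                    allowed.append(p)
                break  # first matching entry decides; no match -> implicit deny
    return allowed


# Constructed sample data (hypothetical routes, not from the thread's routers).
ACL_199 = ["access-list 199 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0"]
CANDIDATES = ["199.172.1.0/24", "199.172.2.0/24", "199.172.5.0/24",
              "199.172.21.0/24", "199.172.1.0/25", "199.172.17.0/24"]

if __name__ == "__main__":
    print(permitted_routes(ACL_199, CANDIDATES))
    # Note that 199.172.17.0/24 is permitted as well: wildcard 0.0.20.0 frees
    # bits 4 and 16 of the third octet, so 1, 5, 17 and 21 all match.
```

The /25 candidate is dropped because its subnet mask fails the second (mask) comparison, which is exactly the behaviour the standard ACL cannot give.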

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
jfaure@sztele.com
Sent: Saturday, May 10, 2003 9:25 AM
To: Cameron, John
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs

John:

Your ACL is a bit more specific, because it watches the exact match in the
last octet. But this wasn't my question exactly. The question is how can
you ONLY allow the 3 odd networks AND WITH THE MASK /24 TOO. If I
understand you, your ACL also allows these networks:

199.172.1.0/25
199.172.1.0/26
199.172.5.0/27
...

The key is to only permit the 3 networks and only with the mask /24. Then
you need an extended ACL I think, but I don't see very well how to do so.

Regards

Juan Faure Ferrer
email: jfaure@sztele.com


From: "Cameron, John" <johcamer@cisco.com>
To: "'jfaure@sztele.com'" <jfaure@sztele.com>, ccielab@groupstudy.com
Subject: RE: More about ACLs
Date: 10/05/03 16:23

Juan,

I think this would work better:

access-list 99 permit 199.172.1.0 0.0.20.0

Let me know what ya think.

JDC

-----Original Message-----
From: jfaure@sztele.com [mailto:jfaure@sztele.com]
Sent: Saturday, May 10, 2003 5:31 AM
To: ccielab@groupstudy.com
Subject: More about ACLs

Hi all:

I'm having some trouble with ACLs. Imagine you have these networks:

199.172.1.0/24
199.172.2.0/24
199.172.4.0/24
199.172.5.0/24
199.172.6.0/24
199.172.8.0/24
199.172.21.0/24

And you must filter, with the minimum number of lines in the ACL, and only permit the odd networks (at the third octet; this is ONLY the 1, 5 and 21, not each possible odd subnet). Then you could do so with a standard access list like this:

access-list 99 permit 199.172.1.0 0.0.20.255

However, this access-list also allows networks like 199.172.1.0/25, 199.172.1.0/26, etc. Imagine you want to be more specific and to match the network mask too. Then you'd need an extended ACL that only allows /24. But can anyone suggest how to construct it, if it's possible?

Regards

Juan Faure Ferrer
email: jfaure@sztele.com




This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3