Fw: More about ACLs

From: Erling Bjontegard (erli-b@online.no)
Date: Sat May 10 2003 - 18:14:30 GMT-3


I thought using extended acl for filtering was only applicable for BGP.

Regards
Erling Bjontegard

----- Original Message -----
From: <jfaure@sztele.com>
To: "Brian Dennis" <brian@labforge.com>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, May 10, 2003 9:08 PM
Subject: RE: More about ACLs

> Hi Brian:
>
> If I'm not wrong, and following your examples and explanations, the
> extended access list to match these 3 networks (and to match the /24 mask
> too):
> 199.172.1.0/24
> 199.172.5.0/24
> 199.172.21.0/24
>
> would be:
>
> access-list 199 permit 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0
>
> But I'm trying this solution and it doesn't work. I have a router talking RIP
> version 2 with another one. I'm applying this ACL as part of a distribute
> list to filter only the networks I said before, but no luck (not one
> network passes to me). Can anyone explain why?
>
> However, if I use a standard ACL like: permit 199.172.1.0 0.0.20.0, then
> there is no problem and only the 3 networks pass. But, as I said to you, I
> would like to be more specific, because with this second solution if some
> day a prefix like 199.172.21.0/26 appears, this prefix would be allowed too
> and I don't want this.
>
> Obviously, if you add more lines to the acl and build a prefix list (for
> example) with the 3 networks and the mask they have, you can do so. I'm
> looking for a solution with minimum command lines, if possible.
>
> Regards
>
> Juan Faure Ferrer
> email: jfaure@sztele.com
>
> Telematics and CC Business Line
> Network and Systems Integration Engineer
> ----------------------------------------------------------------------------
>
> SOLUZIONA TELECOMUNICACIONES
> UNION FENOSA Professional Services
> Jerez, 3
> 28016 MADRID
> tel 91 579 30 00 fax 91 350 72 83
> ---------------------------------------------------------------------------
>
> "Brian Dennis" <brian@labforge.com>
> To: <jfaure@sztele.com>
> cc: <ccielab@groupstudy.com>
> Subject: RE: More about ACLs
> 10/05/03 19:45
>
> The syntax for using an extended ACL for filtering routes is:
>
> access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
>
> Here are some examples:
>
> access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> matches 10.0.0.0/16 only
>
> access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> matches 10.0.0.0/24 only
>
> access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> matches 10.1.1.0/24 only
>
> access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> matches 10.0.X.0/24 - any number in the 3rd octet of the network with a
> /24 subnet mask
>
> access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> matches 10.X.X.0/24 - any number in the 2nd & 3rd octet of the network
> with a /24 subnet mask
>
> access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> matches 10.X.X.X/28 - any number in the 2nd, 3rd & 4th octet of the
> network with a /28 subnet mask
>
> access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> matches 10.X.X.X/24 to 10.X.X.X/32 - any number in the 2nd, 3rd & 4th
> octet of the network with a /24 to /32 subnet mask
>
> access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> matches 10.X.X.X/25 to 10.X.X.X/32 - any number in the 2nd, 3rd & 4th
> octet of the network with a /25 to /32 subnet mask
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> Director of CCIE Training and Development - IPexpert, Inc.
> Mailto: brian@ipexpert.net
> Toll Free: 866.225.8064
> Outside U.S. & Canada: 312.321.6924
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> jfaure@sztele.com
> Sent: Saturday, May 10, 2003 9:25 AM
> To: Cameron, John
> Cc: ccielab@groupstudy.com
> Subject: RE: More about ACLs
>
> John:
>
> Your ACL is a bit more specific, because it watches the exact match in the
> last octet. But this wasn't my question exactly. The question is how
> can you ONLY allow the 3 odd networks AND WITH THE MASK /24 TOO. If I
> understand you, your ACL also allows these networks:
>
> 199.172.1.0/25
> 199.172.1.0/26
> 199.172.5.0/27
> ...
>
> The key is to only permit the 3 networks and only with the mask /24.
> Then you need an extended ACL I think, but I don't see very well how to do
> so.
>
> Regards
>
> Juan Faure Ferrer
> email: jfaure@sztele.com
>
>
>
>
> "Cameron, John" <johcamer@cisco.com>
> To: "'jfaure@sztele.com'" <jfaure@sztele.com>, ccielab@groupstudy.com
> cc:
> Subject: RE: More about ACLs
> 10/05/03 16:23
>
> Juan,
>
> I think this would work better:
>
> access-list 99 permit 199.172.1.0 0.0.20.0
>
> Let me know what ya think.
>
> JDC
>
>
> -----Original Message-----
> From: jfaure@sztele.com [mailto:jfaure@sztele.com]
> Sent: Saturday, May 10, 2003 5:31 AM
> To: ccielab@groupstudy.com
> Subject: More about ACLs
>
>
> Hi all:
>
> I'm having some troubles with acls. Imagine you have these networks:
>
> 199.172.1.0/24
> 199.172.2.0/24
> 199.172.4.0/24
> 199.172.5.0/24
> 199.172.6.0/24
> 199.172.8.0/24
> 199.172.21.0/24
>
> And you must filter, with the minimum number of lines in the ACL, and only
> permit the odd networks (at the third octet, this is ONLY the 1, 5 and
> 21, not each possible odd subnet). Then you could do so with a standard
> access list like this:
>
> access-list 99 permit 199.172.1.0 0.0.20.255
>
> However, this access-list also allows networks like 199.172.1.0/25,
> 199.172.1.0/26, etc. Imagine you want to be more specific and to match the
> network mask too. Then you'd need an extended ACL that only allows /24.
> But can anyone suggest how to construct it, if it's possible?
>
> Regards
>
> Juan Faure Ferrer
> email: jfaure@sztele.com
>
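The network-plus-mask match arithmetic Brian describes in the thread above, written out as an added Python model; this is example code for this archive page, not code from the thread, from Cisco or from IOS. It models only the arithmetic (network address checked against the network/wildcard pair, subnet mask checked against the mask/wildcard pair, first match wins, implicit deny at the end) and says nothing about which IOS features interpret an extended ACL this way. It runs Juan's one-line ACL and a constructed three-line exact-match ACL over the prefixes from the thread plus two extra constructed candidates. The function and class names, the requirement that the parser see the `ip` keyword, and the extra candidate prefixes are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Model of the match arithmetic for a route-filtering extended ACL line:
#   access-list <n> permit|deny ip <network> <network-wildcard> <mask> <mask-wildcard>
# Both halves use Cisco wildcard semantics: a 1 bit in the wildcard is "don't care".
# The ACL lines and candidate prefixes below are constructed for illustration.


def _to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: int, base: int, wildcard: int) -> bool:
    """True if `value` equals `base` on every bit the wildcard leaves significant (0)."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (base & care)


@dataclass(frozen=True)
class RouteAclEntry:
    permit: bool
    network: int
    network_wildcard: int
    mask: int
    mask_wildcard: int

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        # The "source" half is compared with the route's network address,
        # the "destination" half with the route's subnet mask.
        return (
            wildcard_match(int(prefix.network_address), self.network, self.network_wildcard)
            and wildcard_match(int(prefix.netmask), self.mask, self.mask_wildcard)
        )


def parse_entry(line: str) -> RouteAclEntry:
    """Parse one 'access-list N permit|deny ip A B C D' line (the syntax from the thread)."""
    tokens = line.split()
    if len(tokens) != 8 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    if tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACL line: {line!r}")
    network, network_wc, mask, mask_wc = (_to_int(t) for t in tokens[4:8])
    return RouteAclEntry(tokens[2] == "permit", network, network_wc, mask, mask_wc)


def evaluate(acl_lines: Iterable[str], prefix: str) -> bool:
    """First matching entry decides; an ACL with no matching entry denies (implicit deny)."""
    net = ipaddress.IPv4Network(prefix)
    for entry in map(parse_entry, acl_lines):
        if entry.matches(net):
            return entry.permit
    return False


def permitted(acl_lines: List[str], prefixes: Iterable[str]) -> List[str]:
    """Return the candidate prefixes the ACL lets through, in input order."""
    return [p for p in prefixes if evaluate(acl_lines, p)]


# Juan's one-line attempt, with the 'ip' keyword the syntax requires (constructed).
ONE_LINE_ACL = ["access-list 199 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0"]

# Constructed three-line ACL that names each network and mask exactly.
EXACT_ACL = [
    "access-list 199 permit ip 199.172.1.0 0.0.0.0 255.255.255.0 0.0.0.0",
    "access-list 199 permit ip 199.172.5.0 0.0.0.0 255.255.255.0 0.0.0.0",
    "access-list 199 permit ip 199.172.21.0 0.0.0.0 255.255.255.0 0.0.0.0",
]

# The thread's prefixes plus two constructed candidates that expose the ACL's behaviour.
CANDIDATES = [
    "199.172.1.0/24", "199.172.2.0/24", "199.172.4.0/24", "199.172.5.0/24",
    "199.172.6.0/24", "199.172.8.0/24", "199.172.21.0/24",
    "199.172.21.0/26",   # right network, wrong mask: rejected by the mask half
    "199.172.17.0/24",   # 17 = 1 + 16, and wildcard 0.0.20.0 frees the 16 bit: admitted
]

if __name__ == "__main__":
    print("one-line ACL permits:  ", permitted(ONE_LINE_ACL, CANDIDATES))
    print("three-line ACL permits:", permitted(EXACT_ACL, CANDIDATES))
```

Running it shows the trade-off the thread is circling: the wildcard 0.0.20.0 frees two bits of the third octet, so the one-line ACL admits 1, 5, 21 and also 17, while rejecting 199.172.21.0/26 on the mask half. A single wildcard cannot express exactly the set {1, 5, 21}; the three-line exact-match ACL can.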



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3