RE: More about ACLs

From: Scott Morris (swm@emanon.com)
Date: Sun May 11 2003 - 00:05:09 GMT-3


Use prefix lists.

distribute-list prefix test1 in serial0/0
ip prefix-list test1 seq 5 permit 199.172.1.0/24 eq 24
ip prefix-list test1 seq 10 permit 199.172.5.0/24 eq 24
ip prefix-list test1 seq 15 permit 199.172.21.0/24 eq 24

Or, with the ACL mentioned before:

access-list 150 deny ip 199.172.17.0 0.0.0.255
access-list 150 permit ip 199.172.1.0 0.0.20.0

Using the ".0" in the last octet will at least force all routes to begin
with 0. Whether this allows /25 and /26 (etc) routes would depend on
whether they exist, but it will only allow routes that contain the .0
marking as the last octet.

Just some thoughts....

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cameron, John
Sent: Saturday, May 10, 2003 2:58 PM
To: 'Brian Dennis'; jfaure@sztele.com
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs

Brian,

Thanks for the examples. If I were running EIGRP or RIP, I don't think
extended ACLs work with distribute-lists.

Let's say I've created the following ACL from Juan's problem:

access-list 150 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0

When I try to use it to filter the specific routes with a distribute
list it doesn't work; it filters everything.

What am I missing, and/or how can this be accomplished?

Thanks,
JDC

-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Saturday, May 10, 2003 1:45 PM
To: jfaure@sztele.com
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs

The syntax for using an extended ACL for filtering routes is:
access-list <ACL #> permit ip <network> <wildcard mask of network>
<subnet mask> <wildcard mask of subnet mask>

Here are some examples:
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 matches
10.0.0.0/16 - Only

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0 matches
10.0.0.0/24 - Only

access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0 matches
10.1.1.0/24 - Only

access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
/24 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
with a /24 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
network with a /28 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
octet of the network with a /24 to /32 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128
0.0.0.127 matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd,
3rd & 4th octet of the network with a /25 to /32 subnet mask

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
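An added example, not from the thread: a small Python model of the extended-ACL route-filter matching Brian describes (network against its wildcard, then subnet mask against its wildcard), run over Juan's networks with John's ACL 150 and Juan's ACL 99. The route list, the tuple form of the ACLs and the extra deny entry for 199.172.17.0 are constructed here.

```python
import ipaddress

# Added example, not from the thread: models the extended-ACL route filter
# semantics Brian describes (network vs. its wildcard, then subnet mask vs.
# its wildcard). Cisco wildcard bits set to 1 are "don't care"; 0 bits must match.

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(value, pattern, wildcard):
    """True if value equals pattern on every bit where wildcard is 0."""
    return ((value ^ pattern) & ~wildcard & 0xFFFFFFFF) == 0

def extended_acl_permits(acl, route):
    """First-match evaluation with the implicit deny at the end.
    acl entries: (action, network, net_wildcard, mask, mask_wildcard).
    A standard ACL entry is the same thing with mask_wildcard
    255.255.255.255, i.e. the prefix length is never checked."""
    net = ipaddress.IPv4Network(route)
    addr, mask = int(net.network_address), int(net.netmask)
    for action, network, net_wc, smask, smask_wc in acl:
        if wildcard_match(addr, _ip(network), _ip(net_wc)) and \
           wildcard_match(mask, _ip(smask), _ip(smask_wc)):
            return action == "permit"
    return False

def permitted(acl, routes):
    return [r for r in routes if extended_acl_permits(acl, r)]

def octets_matched(base, wildcard):
    """All values of one octet that a base/wildcard pair accepts."""
    return [v for v in range(256) if wildcard_match(v, base, wildcard)]

# Constructed test data: Juan's seven /24s, the longer prefixes he was worried
# about, and the 199.172.17.0 network that Scott's deny line covers.
ROUTES = ["199.172.%d.0/24" % o for o in (1, 2, 4, 5, 6, 8, 17, 21)] + \
         ["199.172.1.0/25", "199.172.1.0/26", "199.172.5.0/27"]

# John's extended ACL 150: third octet 1 with wildcard 20, mask exactly /24.
ACL_150 = [("permit", "199.172.1.0", "0.0.20.0", "255.255.255.0", "0.0.0.0")]
# Juan's standard ACL 99, written in the same tuple form: mask never checked.
ACL_99 = [("permit", "199.172.1.0", "0.0.20.255", "0.0.0.0", "255.255.255.255")]
# Scott's idea in full extended form (hypothetical): deny .17.0 first.
ACL_150_FIXED = [("deny", "199.172.17.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")] + ACL_150

if __name__ == "__main__":
    print("wildcard 20 on third octet 1 admits:", octets_matched(1, 20))
    for name, acl in (("ACL 150", ACL_150), ("ACL 99", ACL_99), ("ACL 150 + deny", ACL_150_FIXED)):
        print(name, "permits", permitted(acl, ROUTES))
```

The octet enumeration shows that wildcard 0.0.20.0 on 199.172.1.0 admits third octets 1, 5, 17 and 21, which is why a leading deny for 199.172.17.0 is needed before the permit.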

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
jfaure@sztele.com
Sent: Saturday, May 10, 2003 9:25 AM
To: Cameron, John
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs

John:

Your ACL is a bit more specific, because it watches the exact match in
the last octet. But this wasn't my question exactly. The question is
how you can ONLY allow the 3 odd networks AND WITH THE MASK /24
TOO. If I understand you, your ACL also allows these networks:

199.172.1.0/25
199.172.1.0/26
199.172.5.0/27
...

The key is to only permit the 3 networks and only with the mask /24.
Then you need an extended ACL I think, but I don't see very well how to
do so.

Regards

Juan Faure Ferrer
email: jfaure@sztele.com

Telematics and CC Business Line
Network and Systems Integration Engineer

SOLUZIONA TELECOMUNICACIONES
Professional Services of UNION FENOSA
Jerez, 3 28016 MADRID
tel 91 579 30 00 fax 91 350 72 83

-----Original Message-----
From: "Cameron, John" <johcamer@cisco.com>
To: "'jfaure@sztele.com'" <jfaure@sztele.com>, ccielab@groupstudy.com
Subject: RE: More about ACLs
Date: 10/05/03 16:23

Juan,

I think this would work better:

access-list 99 permit 199.172.1.0 0.0.20.0

Let me know what ya think.

JDC

-----Original Message-----
From: jfaure@sztele.com [mailto:jfaure@sztele.com]
Sent: Saturday, May 10, 2003 5:31 AM
To: ccielab@groupstudy.com
Subject: More about ACLs

Hi all:

I'm having some troubles with acls. Imagine you have these networks:

199.172.1.0/24
199.172.2.0/24
199.172.4.0/24
199.172.5.0/24
199.172.6.0/24
199.172.8.0/24
199.172.21.0/24

And you must filter, with the minimum number of lines in the ACL, and only permit the odd networks (at the third octet, that is ONLY the 1, 5 and 21, not each possible odd subnet). Then you could do so with a standard access list like this:

access-list 99 permit 199.172.1.0 0.0.20.255

However, this access-list also allows networks like 199.172.1.0/25, 199.172.1.0/26, etc. Imagine you want to be more specific and to match the network mask too. Then you'd need an extended ACL that only allows /24. But can anyone suggest how to construct it, if it's possible?

Regards

Juan Faure Ferrer
email: jfaure@sztele.com




This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3