RE: More about ACLs

From: Brian Dennis (brian@labforge.com)
Date: Sun May 11 2003 - 02:19:17 GMT-3


Resending this as it never hit the list this morning when I sent it.

<resend>
Extended ACLs don't work for RIP the same way they work for BGP. With
RIP the source portion is the source of the update and the destination
portion works like a standard ACL.

access-list 199 permit ip host 172.16.1.1 10.0.0.0 0.255.255.255

This would match any subnet of the 10 network from 172.16.1.1.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
</resend>

-----Original Message-----
From: jfaure@sztele.com [mailto:jfaure@sztele.com]
Sent: Saturday, May 10, 2003 12:09 PM
To: Brian Dennis
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs

Hi Brian:

If I'm not wrong, and following your examples and explanations, the
extended access list to match these 3 networks (and to match the /24
mask too):
199.172.1.0/24
199.172.5.0/24
199.172.21.0/24

would be:

access-list 199 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0

But I'm trying this solution and it doesn't work. I have a router talking
RIP version 2 with another one. I'm applying this ACL as part of a
distribute list to filter only the networks I said before, but no luck
(no network passes to me). Can anyone explain why?

However, if I use a standard ACL like: permit 199.172.1.0 0.0.20.0, then
there is no problem and only the 3 networks pass. But, as I said, I
would like to be more specific, because with this second solution if some
day a prefix like 199.172.21.0/26 appears, this prefix would be allowed
too and I don't want this.

Obviously, if you add more lines to the ACL and build a prefix list (for
example) with the 3 networks and the mask they have, you can do so. I'm
looking for a solution with the minimum number of command lines, if possible.

Regards

Juan Faure Ferrer
email: jfaure@sztele.com

Telematics and CC Business Line
Network and Systems Integration Engineer
------------------------------------------------------------------------

SOLUZIONA TELECOMUNICACIONES
Servicios Profesionales de UNION FENOSA
Jerez, 3 28016 MADRID
tel 91 579 30 00 fax 91 350 72 83
------------------------------------------------------------------------

From: "Brian Dennis" <brian@labforge.com>
To: <jfaure@sztele.com>
Cc: <ccielab@groupstudy.com>
Subject: RE: More about ACLs
Date: 10/05/03 19:45

The syntax for using an extended ACL for filtering routes is:

access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>

Here are some examples:

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
  matches 10.0.0.0/16 only

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
  matches 10.0.0.0/24 only

access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
  matches 10.1.1.0/24 only

access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
  matches 10.0.X.0/24 - any number in the 3rd octet of the network with a /24 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
  matches 10.X.X.0/24 - any number in the 2nd & 3rd octet of the network with a /24 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
  matches 10.X.X.X/28 - any number in the 2nd, 3rd & 4th octet of the network with a /28 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
  matches 10.X.X.X/24 to 10.X.X.X/32 - any number in the 2nd, 3rd & 4th octet of the network with a /24 to /32 subnet mask

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
  matches 10.X.X.X/25 to 10.X.X.X/32 - any number in the 2nd, 3rd & 4th octet of the network with a /25 to /32 subnet mask

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
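A small model of the two matching rules this thread describes: Brian's extended-ACL route-filter syntax above (network part matched against the prefix, subnet-mask part matched against its mask) and his earlier note that under RIP the source part is compared with the update's source address while the destination part behaves like a standard ACL. This is an added illustration, not code from any message in the thread; the ACL lines and prefixes are the thread's own, and the update source 10.1.1.2 is a made-up value.

```python
"""Wildcard-mask matching as used by Cisco ACLs, applied to route filtering.
Added illustration for the thread, not code from the list."""
import ipaddress


def _wc_match(value: int, pattern: int, wildcard: int) -> bool:
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
    return (value & ~wildcard) == (pattern & ~wildcard)


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def standard_match(prefix: str, net: str, net_wc: str) -> bool:
    """Standard ACL (and the destination half of an extended ACL under RIP):
    only the network address is compared, the prefix length is ignored."""
    p = ipaddress.ip_network(prefix, strict=False)
    return _wc_match(int(p.network_address), _ip(net), _ip(net_wc))


def bgp_match(prefix: str, net: str, net_wc: str, mask: str, mask_wc: str) -> bool:
    """Extended ACL as a BGP route filter: the source part is matched against
    the network address, the destination part against the subnet mask."""
    p = ipaddress.ip_network(prefix, strict=False)
    return (standard_match(prefix, net, net_wc)
            and _wc_match(int(p.netmask), _ip(mask), _ip(mask_wc)))


def rip_match(prefix: str, update_src: str, src: str, src_wc: str,
              net: str, net_wc: str) -> bool:
    """The same ACL line under RIP: the source part is compared with the
    address the update came from, the destination part is a standard-ACL
    match on the network; the subnet mask never enters the comparison."""
    return (_wc_match(_ip(update_src), _ip(src), _ip(src_wc))
            and standard_match(prefix, net, net_wc))


if __name__ == "__main__":
    # Juan's line, as written for BGP semantics, then evaluated under RIP
    # semantics with a made-up update source of 10.1.1.2.
    juan = ("199.172.1.0", "0.0.20.0", "255.255.255.0", "0.0.0.0")
    for pfx in ("199.172.1.0/24", "199.172.21.0/24",
                "199.172.21.0/26", "199.172.2.0/24"):
        print(f"{pfx:18} BGP-style: {bgp_match(pfx, *juan)!s:5} "
              f"RIP-style: {rip_match(pfx, '10.1.1.2', *juan)}")
    # Brian's RIP example: "host 172.16.1.1" is the same as 172.16.1.1 0.0.0.0
    print(rip_match("10.5.0.0/16", "172.16.1.1",
                    "172.16.1.1", "0.0.0.0", "10.0.0.0", "0.255.255.255"))
```

Under the RIP rule every prefix fails because the update source never matches 199.172.1.0 0.0.20.0, which is the "no network passes" result reported in the thread; under the BGP rule the same line admits exactly the /24s with third octet 1, 5, 17 or 21.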

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of jfaure@sztele.com
Sent: Saturday, May 10, 2003 9:25 AM
To: Cameron, John
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs

John:

Your ACL is a bit more specific, because it watches the exact match in the last octet. But this wasn't my question exactly. The question is how you can ONLY allow the 3 odd networks AND WITH THE MASK /24 TOO. If I understand you, your ACL also allows these networks:

199.172.1.0/25 199.172.1.0/26 199.172.5.0/27 ...

The key is to only permit the 3 networks and only with the mask /24. Then you need an extended ACL, I think, but I don't see very well how to do so.

Regards

Juan Faure Ferrer
email: jfaure@sztele.com

From: "Cameron, John" <johcamer@cisco.com>
To: "'jfaure@sztele.com'" <jfaure@sztele.com>, ccielab@groupstudy.com
Cc:
Subject: RE: More about ACLs
Date: 10/05/03 16:23

Juan,

I think this would work better:

access-list 99 permit 199.172.1.0 0.0.20.0

Let me know what ya think.

JDC

-----Original Message-----
From: jfaure@sztele.com [mailto:jfaure@sztele.com]
Sent: Saturday, May 10, 2003 5:31 AM
To: ccielab@groupstudy.com
Subject: More about ACLs

Hi all:

I'm having some troubles with ACLs. Imagine you have these networks:

199.172.1.0/24
199.172.2.0/24
199.172.4.0/24
199.172.5.0/24
199.172.6.0/24
199.172.8.0/24
199.172.21.0/24

And you must filter, with the minimum number of lines in the ACL, and only permit the odd networks (at the third octet, this is ONLY the 1, 5 and 21, not each possible odd subnet). Then you could do so with a standard access list like this:

access-list 99 permit 199.172.1.0 0.0.20.255

However, this access-list also allows networks like 199.172.1.0/25, 199.172.1.0/26, etc. Imagine you want to be more specific and to match the network mask too. Then you'd need an extended ACL that only allows /24. But can anyone suggest how to construct it, if it's possible?

Regards

Juan Faure Ferrer
email: jfaure@sztele.com



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3