From: Brian Dennis (brian@labforge.com)
Date: Sun May 11 2003 - 02:35:12 GMT-3
Extended ACLs do work for RIP but just not the same way they work with
BGP. With RIP you can't match on the subnet mask. The source portion of
the extended ACL matches on the source of the RIP update and the
destination portion matches on the network. There isn't a way to match
on the subnet mask using extended ACLs with RIP.
As for his original problem, now that we know he's running RIP, he could
"summarize" the networks to their classful boundaries and then use an
ACL to permit/deny the networks he wants. Of course a prefix list is
also an option.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cameron, John
Sent: Saturday, May 10, 2003 11:58 AM
To: 'Brian Dennis'; jfaure@sztele.com
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs
Brian,
Thanks for the examples - If I was running EIGRP or RIP I don't think
extended ACLs work with distribute-lists.
Let's say I've created the following ACL from Juan's problem:
access-list 150 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0
When I try to use it to filter the specific routes with a distribute-list
it doesn't work - it filters everything.
What am I missing and/or how can this be accomplished?
Thanks,
JDC
-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Saturday, May 10, 2003 1:45 PM
To: jfaure@sztele.com
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs
The syntax for using an extended ACL for filtering routes is:
access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
Here are some examples:
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
  matches 10.0.0.0/16 - Only
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
  matches 10.0.0.0/24 - Only
access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
  matches 10.1.1.0/24 - Only
access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
  matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a /24 subnet mask
access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
  matches 10.X.X.0/24 - Any number in the 2nd & 3rd octets of the network with a /24 subnet mask
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
  matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octets of the network with a /28 subnet mask
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
  matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octets of the network with a /24 to /32 subnet mask
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
  matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octets of the network with a /25 to /32 subnet mask
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
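The matching rule Brian gives above (the "source" half of the extended ACL is tested against the route's network address, the "destination" half against its subnet mask, each under IOS wildcard-mask semantics) can be modelled in a few lines. The Python below is an added example written for this archive page; it is not code from the thread or from Cisco IOS. It parses Brian's example lines and John's access-list 150, evaluates them against Juan's network list, and adds an audit function that lists which third-octet values a hand-built wildcard such as 0.0.20.0 really admits. The parser, the route list and all function names are constructed for this illustration, and the model implements the BGP-style reading only; under RIP, as Brian notes, the source half matches the update source, which this code does not represent.

```python
import ipaddress


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, pattern, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard is 'don't care',
    a 0 bit must equal the corresponding pattern bit."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)


def parse_extended_acl(line):
    """Parse one 'access-list <n> permit|deny ip <net> <wc> <mask> <wc>'
    line (the syntax quoted in the thread) into its four 32-bit fields.
    Constructed parser for this example; it handles only that shape."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    if parts[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    return {
        "action": parts[2],
        "net": _to_int(parts[4]), "net_wc": _to_int(parts[5]),
        "mask": _to_int(parts[6]), "mask_wc": _to_int(parts[7]),
    }


def route_matches(entry, prefix):
    """True if route <prefix> (e.g. '10.1.1.0/24') hits <entry> under the
    route-filter reading of an extended ACL: the 'source' fields are tested
    against the network address, the 'destination' fields against the
    subnet mask (the BGP-style semantics; RIP differs, see the thread)."""
    net = ipaddress.IPv4Network(prefix)  # strict: host bits must be zero
    return (wildcard_match(int(net.network_address), entry["net"], entry["net_wc"])
            and wildcard_match(int(net.netmask), entry["mask"], entry["mask_wc"]))


def acl_action(acl_lines, prefix):
    """First-match evaluation of an ordered ACL, with the implicit deny."""
    for line in acl_lines:
        entry = parse_extended_acl(line)
        if route_matches(entry, prefix):
            return entry["action"]
    return "deny"


def matching_third_octets(entry):
    """Which values of the third octet of 199.172.X.0 pass the network half
    of <entry>? Useful to audit a hand-built wildcard such as 0.0.20.0."""
    return [x for x in range(256)
            if wildcard_match(_to_int(f"199.172.{x}.0"), entry["net"], entry["net_wc"])]


# John's ACL 150 from the thread, applied to Juan's network list.
ACL_150 = ["access-list 150 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0"]

# Constructed candidate routes: Juan's seven /24s plus the longer-mask
# variants he wants excluded.
JUAN_ROUTES = [
    "199.172.1.0/24", "199.172.2.0/24", "199.172.4.0/24", "199.172.5.0/24",
    "199.172.6.0/24", "199.172.8.0/24", "199.172.21.0/24",
    "199.172.1.0/25", "199.172.1.0/26", "199.172.5.0/27",
]


def evaluate(acl_lines, prefixes):
    """Return {prefix: 'permit'|'deny'} for every candidate route."""
    return {p: acl_action(acl_lines, p) for p in prefixes}


if __name__ == "__main__":
    for prefix, verdict in evaluate(ACL_150, JUAN_ROUTES).items():
        print(f"{prefix:<18} {verdict}")
    entry = parse_extended_acl(ACL_150[0])
    print("third octets admitted by 0.0.20.0:", matching_third_octets(entry))
```

Run as a script it prints permit for 199.172.1.0/24, 199.172.5.0/24 and 199.172.21.0/24 and deny for the even networks and for every /25, /26 and /27 variant, which is the result Juan asked for. The audit function is the check worth doing before trusting a hand-computed wildcard: 0.0.20.0 leaves bits 4 and 16 of the third octet as "don't care", so it admits 1, 5, 17 and 21, not just the three networks in the list. A hidden 17 is harmless when no such route exists, but it is exactly the kind of over-match a compact wildcard can let through.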
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
jfaure@sztele.com
Sent: Saturday, May 10, 2003 9:25 AM
To: Cameron, John
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs
John:
Your ACL is a bit more specific, because it watches the exact match in
the last octet. But this wasn't my question exactly. The question is how
can you ONLY allow the 3 odd networks AND WITH THE MASK /24 TOO. If I
understand you, your ACL also allows these networks:
199.172.1.0/25
199.172.1.0/26
199.172.5.0/27
...
The key is to only permit the 3 networks and only with the mask /24. Then
you need an extended ACL I think, but I don't see very well how to do so.
Regards
Juan Faure Ferrer
email: jfaure@sztele.com
Telematics and CC Business Line
Network and Systems Integration Engineer
------------------------------------------------------------------------
SOLUZIONA TELECOMUNICACIONES, Professional Services of UNION FENOSA
Jerez, 3 28016 MADRID tel 91 579 30 00 fax 91 350 72 83
------------------------------------------------------------------------
From: "Cameron, John" <johcamer@cisco.com>
Sent: 10/05/03 16:23
To: "'jfaure@sztele.com'" <jfaure@sztele.com>, ccielab@groupstudy.com
Subject: RE: More about ACLs
Juan,
I think this would work better:
access-list 99 permit 199.172.1.0 0.0.20.0
Let me know what ya think.
JDC
-----Original Message-----
From: jfaure@sztele.com [mailto:jfaure@sztele.com]
Sent: Saturday, May 10, 2003 5:31 AM
To: ccielab@groupstudy.com
Subject: More about ACLs
Hi all:
I'm having some troubles with ACLs. Imagine you have these networks:
199.172.1.0/24
199.172.2.0/24
199.172.4.0/24
199.172.5.0/24
199.172.6.0/24
199.172.8.0/24
199.172.21.0/24
And you must filter, with the minimum number of lines in the ACL, and only permit the odd networks (at the third octet, that is ONLY the 1, 5 and 21, not every possible odd subnet). Then you could do so with a standard access list like this:
access-list 99 permit 199.172.1.0 0.0.20.255
However, this access-list also allows networks like 199.172.1.0/25, 199.172.1.0/26, etc. Imagine you want to be more specific and to match the network mask too. Then you'd need an extended ACL that only allows /24. But can anyone suggest how to construct it, if it's possible?
Regards
Juan Faure Ferrer
email: jfaure@sztele.com
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3