From: Brian Dennis (brian@labforge.com)
Date: Sun May 11 2003 - 11:35:31 GMT-3
I just tried an extended ACL real quick with EIGRP and it appears to
work the same way as with RIP.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
-----Original Message-----
From: Daniel Cisco Group Study [mailto:danielcgs@imc.net.au]
Sent: Sunday, May 11, 2003 6:05 AM
To: Brian Dennis; jfaure@sztele.com
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs
Brian,
Extremely interesting... Does this also apply to EIGRP?
Daniel
-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Sunday, 11 May 2003 15:08
To: jfaure@sztele.com
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs
Extended ACLs don't work for RIP the same way they work for BGP. With
RIP the source portion is the source of the update and the destination
portion works like a standard ACL.
access-list 199 permit ip host 172.16.1.1 10.0.0.0 0.255.255.255
This would mean any subnet of the 10 network from 172.16.1.1.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
-----Original Message-----
From: jfaure@sztele.com [mailto:jfaure@sztele.com]
Sent: Saturday, May 10, 2003 12:09 PM
To: Brian Dennis
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs
Hi Brian:
If I'm not wrong, and following your examples and explanations, the
extended access list to match these 3 networks (and to match the /24
mask too):
199.172.1.0/24
199.172.5.0/24
199.172.21.0/24
would be:
access-list 199 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0
But, I'm trying this solution and it doesn't work. I have a router talking
RIP version 2 with another one. I'm applying this ACL as part of a distribute
list to filter only the networks I said before, but no luck (not one
network passes to me). Can anyone explain why?
However, if I use a standard ACL like: permit 199.172.1.0 0.0.20.0, then
there is no problem and only the 3 networks pass. But, as I said to you, I
would like to be more specific, because with this second solution if some
day a prefix like 199.172.21.0/26 appears, this prefix would be allowed
too, and I don't want this.
Obviously, if you add more lines to the ACL and build a prefix list (for
example) with the 3 networks and the mask they have, you can do so. I'm
looking for a solution with the minimum number of command lines, if possible.
Regards
Juan Faure Ferrer
email: jfaure@sztele.com
Telematics and CC Business Line
Network and Systems Integration Engineer
SOLUZIONA TELECOMUNICACIONES, Professional Services of UNION FENOSA
Jerez, 3, 28016 MADRID, tel 91 579 30 00, fax 91 350 72 83
"Brian Dennis" <brian@labforge.com>
To: <jfaure@sztele.com>
cc: <ccielab@groupstudy.com>
Subject: RE: More about ACLs
10/05/03 19:45
The syntax for using an extended ACL for filtering routes is:
access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
Here are some examples:
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 matches 10.0.0.0/16 - Only
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0 matches 10.0.0.0/24 - Only
access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0 matches 10.1.1.0/24 - Only
access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0 matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a /24 subnet mask
access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0 matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network with a /24 subnet mask
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0 matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the network with a /28 subnet mask
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255 matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet of the network with a /24 to /32 subnet mask
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127 matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet of the network with a /25 to /32 subnet mask
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of jfaure@sztele.com
Sent: Saturday, May 10, 2003 9:25 AM
To: Cameron, John
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs
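The two interpretations discussed in this thread (the network/mask matching Brian's syntax table describes, and his later note that RIP instead tests the update source and treats the destination part like a standard ACL) can be checked offline with a small model. This is an added example, not code from the thread or from Cisco: the parser, the `mode` names `prefix` and `rip`, and the sample prefix list are constructed here, and the semantics are modelled exactly as the thread states them, not from IOS source.

```python
"""Model of IOS ACL matching for route filtering, as described in the thread.

mode="prefix": source part tests the network address, destination part tests
               the subnet mask as if it were an address (Brian's syntax table).
mode="rip":    source part tests the address the update came from, destination
               part acts like a standard ACL on the network address (Brian's RIP note).
Added example; parser, mode names and sample data are constructed assumptions.
"""
from ipaddress import IPv4Address, IPv4Network

MASK32 = 0xFFFFFFFF


def _addr(s):
    """Dotted quad -> 32-bit int."""
    return int(IPv4Address(s))


def _wild_match(value, pattern, wildcard):
    """Cisco wildcard test: bits set in the wildcard are don't-care."""
    care = ~wildcard & MASK32
    return (value & care) == (pattern & care)


def _take_spec(tok, i):
    """Consume one address spec (host A | any | A WILDCARD) starting at tok[i]."""
    if tok[i] == "host":
        return _addr(tok[i + 1]), 0, i + 2
    if tok[i] == "any":
        return 0, MASK32, i + 1
    return _addr(tok[i]), _addr(tok[i + 1]), i + 2


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line (standard or extended ip)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    ace = {"action": tok[2]}
    if tok[3] == "ip":                                  # extended form
        ace["src"], ace["src_wild"], i = _take_spec(tok, 4)
        ace["dst"], ace["dst_wild"], i = _take_spec(tok, i)
        ace["extended"] = True
    else:                                               # standard: address [wildcard]
        ace["src"] = _addr(tok[3])
        ace["src_wild"] = _addr(tok[4]) if len(tok) > 4 else 0
        ace["extended"] = False
    return ace


def ace_matches(ace, prefix, mode="prefix", update_source=None):
    """Does one ACE match the route 'prefix' under the given interpretation?"""
    net = IPv4Network(prefix)
    network = int(net.network_address)
    if not ace["extended"]:                             # standard ACL: network only
        return _wild_match(network, ace["src"], ace["src_wild"])
    if mode == "prefix":                                # network + exact/ranged mask
        return (_wild_match(network, ace["src"], ace["src_wild"])
                and _wild_match(int(net.netmask), ace["dst"], ace["dst_wild"]))
    if mode == "rip":                                   # update source + network, mask ignored
        if update_source is None:
            raise ValueError("rip mode needs the update source address")
        return (_wild_match(_addr(update_source), ace["src"], ace["src_wild"])
                and _wild_match(network, ace["dst"], ace["dst_wild"]))
    raise ValueError(f"unknown mode {mode!r}")


def acl_decision(acl_lines, prefix, mode="prefix", update_source=None):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), prefix, mode, update_source):
            return parse_ace(line)["action"]
    return "deny"


def permitted(acl_lines, prefixes, mode="prefix", update_source=None):
    """Subset of prefixes the ACL lets through."""
    return [p for p in prefixes if acl_decision(acl_lines, p, mode, update_source) == "permit"]


# Constructed sample: Juan's seven /24s plus two longer prefixes he wants kept out.
SAMPLE_PREFIXES = ["199.172.1.0/24", "199.172.2.0/24", "199.172.4.0/24",
                   "199.172.5.0/24", "199.172.6.0/24", "199.172.8.0/24",
                   "199.172.21.0/24", "199.172.1.0/25", "199.172.1.0/26"]
STANDARD_ACL = ["access-list 99 permit 199.172.1.0 0.0.20.0"]
EXTENDED_ACL = ["access-list 199 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0"]

if __name__ == "__main__":
    print("standard ACL      :", permitted(STANDARD_ACL, SAMPLE_PREFIXES))
    print("extended, prefix  :", permitted(EXTENDED_ACL, SAMPLE_PREFIXES))
    # RIP: the source part is compared with the neighbour address, so nothing matches
    print("extended, rip     :", permitted(EXTENDED_ACL, SAMPLE_PREFIXES, "rip", "192.168.12.2"))
```

Run as a script, the standard ACL passes the three odd /24s plus the /25 and /26 (the mask is never tested), the extended ACL in prefix mode passes exactly the three /24s, and the same extended ACL in rip mode passes nothing because its source part is compared with the neighbour's address rather than the network, which is the behaviour Juan reported. Note also that wildcard 0.0.20.0 matches a third octet of 17 as well as 1, 5 and 21, so 199.172.17.0/24 would be permitted if it were ever advertised.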
John:
Your ACL is a bit more specific, because it watches the exact match in the last octet. But this wasn't my question exactly. The question is how can you ONLY allow the 3 odd networks AND WITH THE MASK /24 TOO. If I understand you, your ACL also allows these networks:
199.172.1.0/25 199.172.1.0/26 199.172.5.0/27 ...
The key is to only permit the 3 networks and only with the mask /24. Then you need an extended ACL I think, but I don't see very well how to do so.
Regards
Juan Faure Ferrer
email: jfaure@sztele.com
Telematics and CC Business Line
Network and Systems Integration Engineer
SOLUZIONA TELECOMUNICACIONES, Professional Services of UNION FENOSA
Jerez, 3, 28016 MADRID, tel 91 579 30 00, fax 91 350 72 83
"Cameron, John" <johcamer@cisco.com>
To: "'jfaure@sztele.com'" <jfaure@sztele.com>, ccielab@groupstudy.com
cc:
Subject: RE: More about ACLs
10/05/03 16:23
Juan,
I think this would work better:
access-list 99 permit 199.172.1.0 0.0.20.0
Let me know what ya think.
JDC
-----Original Message-----
From: jfaure@sztele.com [mailto:jfaure@sztele.com]
Sent: Saturday, May 10, 2003 5:31 AM
To: ccielab@groupstudy.com
Subject: More about ACLs
Hi all:
I'm having some troubles with ACLs. Imagine you have these networks:
199.172.1.0/24 199.172.2.0/24 199.172.4.0/24 199.172.5.0/24 199.172.6.0/24 199.172.8.0/24 199.172.21.0/24
And you must filter, with the minimum number of lines in the ACL, and only permit the odd networks (at the third octet, this is ONLY the 1, 5 and 21, not each possible odd subnet). Then you could do so with a standard access list like this:
access-list 99 permit 199.172.1.0 0.0.20.255
However, this access-list also allows networks like 199.172.1.0/25, 199.172.1.0/26, etc. Imagine you want to be more specific and to match the network mask too. Then you'd need an extended ACL that only allows /24. But, can anyone suggest how to construct it, if it's possible?
Regards
Juan Faure Ferrer
email: jfaure@sztele.com
Telematics and CC Business Line
Network and Systems Integration Engineer
SOLUZIONA TELECOMUNICACIONES, Professional Services of UNION FENOSA
Jerez, 3, 28016 MADRID, tel 91 579 30 00, fax 91 350 72 83
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3