From: Jung, Jin (jin.jung@lmco.com)
Date: Tue May 13 2003 - 14:00:38 GMT-3
So why use extended ACLs for IGP protocols?
I do not see any benefit to using extended versus standard.
So, access-list 5 permit 199.172.1.0 0.0.20.0
is the same as access-list 101 permit ip host {source_address} 199.172.1.0 0.0.20.0
Both of these do the same, other than defining a source of the route.
So why use extended?
Thanks in advance...
-----Original Message-----
From: love cisco [mailto:love_cisco@hotmail.com]
Sent: Sunday, May 11, 2003 6:09 PM
To: brian@labforge.com; danielcgs@imc.net.au
Cc: ccielab@groupstudy.com
Subject: RE: More about ACLs
I believe it works the same way with IGP protocols (RIP, EIGRP, OSPF, IS-IS).
I have tested it with OSPF.
>From: "Brian Dennis" <brian@labforge.com>
>Reply-To: "Brian Dennis" <brian@labforge.com>
>To: "'Daniel Cisco Group Study'" <danielcgs@imc.net.au>
>CC: <ccielab@groupstudy.com>
>Subject: RE: More about ACLs
>Date: Sun, 11 May 2003 07:35:31 -0700
>
>I just tried an extended ACL real quick with EIGRP and it appears to
>work the same way as with RIP.
>
>Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>Director of CCIE Training and Development - IPexpert, Inc.
>Mailto: brian@ipexpert.net
>Toll Free: 866.225.8064
>Outside U.S. & Canada: 312.321.6924
>
>-----Original Message-----
>From: Daniel Cisco Group Study [mailto:danielcgs@imc.net.au]
>Sent: Sunday, May 11, 2003 6:05 AM
>To: Brian Dennis; jfaure@sztele.com
>Cc: ccielab@groupstudy.com
>Subject: RE: More about ACLs
>
>Brian,
>
>Extremely interesting..... Does this also apply to EIGRP?
>
>Daniel
>
>
>-----Original Message-----
>From: Brian Dennis [mailto:brian@labforge.com]
>Sent: Sunday, 11 May 2003 15:08
>To: jfaure@sztele.com
>Cc: ccielab@groupstudy.com
>Subject: RE: More about ACLs
>
>
>Extended ACLs don't work for RIP the same way they work for BGP. With
>RIP the source portion is the source of the update and the destination
>portion works like a standard ACL.
>
>access-list 199 permit ip host 172.16.1.1 10.0.0.0 0.255.255.255
>
>This would mean any subnet of the 10 network from 172.16.1.1.
>
>Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>
>-----Original Message-----
>From: jfaure@sztele.com [mailto:jfaure@sztele.com]
>Sent: Saturday, May 10, 2003 12:09 PM
>To: Brian Dennis
>Cc: ccielab@groupstudy.com
>Subject: RE: More about ACLs
>
>
>Hi Brian:
>
>If I'm not wrong, and following your examples and explanations, the
>extended access list to match these 3 networks (and to match the /24
>mask too):
>199.172.1.0/24
>199.172.5.0/24
>199.172.21.0/24
>
>would be:
>
>access-list 199 permit 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0
>
>But I'm trying this solution and it doesn't work. I have a router talking
>RIP version 2 with another one. I'm applying this ACL as part of a
>distribute list to filter only the networks I said before, but no luck
>(not one network passes to me). Can anyone explain why?
>
>However, if I use a standard ACL like: permit 199.172.1.0 0.0.20.0,
>then there is no problem and only the 3 networks pass. But, as I told
>you, I would like to be more specific, because with this second solution
>if some day a prefix like 199.172.21.0/26 appears, this prefix would be
>allowed too, and I don't want this.
>
>Obviously, if you add more lines to the ACL and build a prefix list (for
>example) with the 3 networks and the mask they have, you can do so. I'm
>looking for a solution with the minimum number of command lines, if possible.
>
>Regards
>
>Juan Faure Ferrer
>email: jfaure@sztele.com
>
>Telematics and CC Business Line
>Network and Systems Integration Engineer
>----------------------------------------------------------------------------
>
>SOLUZIONA TELECOMUNICACIONES
>Professional Services of UNION FENOSA
>Jerez, 3
>28016 MADRID
>tel 91 579 30 00 fax 91 350 72 83
>----------------------------------------------------------------------------
>
>From: "Brian Dennis" <brian@labforge.com>
>To: <jfaure@sztele.com>
>Cc: <ccielab@groupstudy.com>
>Subject: RE: More about ACLs
>Date: 10/05/03 19:45
>
>The syntax for using an extended ACL for filtering routes is:
>access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
>
>Here are some examples:
>
>access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
>matches 10.0.0.0/16 - Only
>
>access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
>matches 10.0.0.0/24 - Only
>
>access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
>matches 10.1.1.0/24 - Only
>
>access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
>matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a /24 subnet mask
>
>access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
>matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network with a /24 subnet mask
>
>access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
>matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the network with a /28 subnet mask
>
>access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
>matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet of the network with a /24 to /32 subnet mask
>
>access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
>matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet of the network with a /25 to /32 subnet mask
>
>Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>jfaure@sztele.com
>Sent: Saturday, May 10, 2003 9:25 AM
>To: Cameron, John
>Cc: ccielab@groupstudy.com
>Subject: RE: More about ACLs
>
>John:
>
>Your ACL is a bit more specific, because it watches the exact match in
>the last octet. But this wasn't my question exactly. The question is
>how can you ONLY allow the 3 odd networks AND WITH THE MASK /24 TOO. If I
>understand you, your ACL also allows these networks:
>
>199.172.1.0/25
>199.172.1.0/26
>199.172.5.0/27
>...
>
>The key is to only permit the 3 networks and only with the mask /24.
>Then you need an extended ACL, I think, but I don't see very well how
>to do so.
>
>Regards
>
>Juan Faure Ferrer
>email: jfaure@sztele.com
>
>
>From: "Cameron, John" <johcamer@cisco.com>
>To: "'jfaure@sztele.com'" <jfaure@sztele.com>, ccielab@groupstudy.com
>Subject: RE: More about ACLs
>Date: 10/05/03 16:23
>
>Juan,
>
>I think this would work better:
>
>access-list 99 permit 199.172.1.0 0.0.20.0
>
>Let me know what ya think.
>
>JDC
>
>
>-----Original Message-----
>From: jfaure@sztele.com [mailto:jfaure@sztele.com]
>Sent: Saturday, May 10, 2003 5:31 AM
>To: ccielab@groupstudy.com
>Subject: More about ACLs
>
>
>Hi all:
>
>I'm having some troubles with ACLs. Imagine you have these networks:
>
>199.172.1.0/24
>199.172.2.0/24
>199.172.4.0/24
>199.172.5.0/24
>199.172.6.0/24
>199.172.8.0/24
>199.172.21.0/24
>
>And you must filter, with the minimum number of lines in the ACL, and
>only permit the odd networks (at the third octet, this is ONLY the 1,
>5 and 21, not each possible odd subnet). Then you could do so with a
>standard access list like this:
>
>access-list 99 permit 199.172.1.0 0.0.20.255
>
>However, this access-list also allows networks like 199.172.1.0/25,
>199.172.1.0/26, etc. Imagine you want to be more specific and to match
>the network mask too. Then you'd need an extended ACL that only allows
>/24. But can anyone suggest how to construct it, if it's possible?
>
>Regards
>
>Juan Faure Ferrer
>email: jfaure@sztele.com
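The two ways an extended ACL gets read as a route filter in this thread (Brian's BGP-style "network + subnet mask" matching, and the RIP/EIGRP/OSPF distribute-list reading where the source part is the update source and the destination part behaves like a standard ACL) can be reproduced with a small evaluator. The code below is an added example, not from any poster in the thread or from IOS itself; the function names are mine, the 10.1.1.2 update source is a constructed value, and the two "style" functions model only what the thread describes (first matching entry wins, implicit deny at the end, no protocol or port matching).

```python
"""Toy evaluator for Cisco extended ACLs used as route filters (added example)."""
import ipaddress
from typing import List, Tuple

Addr = Tuple[str, str]          # (address, wildcard) as dotted quads
Entry = Tuple[str, Addr, Addr]  # (action, source part, destination part)

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must equal the base,
    a 1 bit is 'don't care'."""
    fixed_bits = ~_to_int(wildcard) & MASK32
    return ((_to_int(value) ^ _to_int(base)) & fixed_bits) == 0


def _take_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_extended(line: str) -> Entry:
    """Parse 'access-list <n> permit|deny ip <src> <dst>' (no ports/protocols)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"not a simple extended IP ACL entry: {line!r}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    src, rest = _take_addr(tokens[4:])
    dst, _ = _take_addr(rest)
    return action, src, dst


def _first_match(entries: List[Entry], src_value: str, dst_value: str) -> bool:
    """First matching entry decides; the list ends with an implicit deny."""
    for action, (s_base, s_wc), (d_base, d_wc) in entries:
        if wildcard_match(src_value, s_base, s_wc) and wildcard_match(dst_value, d_base, d_wc):
            return action == "permit"
    return False


def bgp_style_permits(acl: List[str], prefix: str) -> bool:
    """BGP reading: source part = network address, destination part = subnet mask."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    entries = [parse_extended(line) for line in acl]
    return _first_match(entries, str(net.network_address), str(net.netmask))


def igp_style_permits(acl: List[str], update_source: str, prefix: str) -> bool:
    """RIP/EIGRP/OSPF distribute-list reading as described in the thread:
    source part = address the update came from, destination part = the
    network compared like a standard ACL, so the prefix length is never examined."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    entries = [parse_extended(line) for line in acl]
    return _first_match(entries, update_source, str(net.network_address))


if __name__ == "__main__":
    juan = ["access-list 199 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0"]
    for p in ("199.172.1.0/24", "199.172.21.0/24", "199.172.21.0/26", "199.172.2.0/24"):
        print(f"BGP-style {p:18} -> {bgp_style_permits(juan, p)}")
    # Constructed RIP neighbour address, used to show why the same ACL
    # passes nothing when applied as a RIP distribute-list.
    print("IGP-style from 10.1.1.2 ->", igp_style_permits(juan, "10.1.1.2", "199.172.1.0/24"))
```

Running the block shows Juan's ACL permitting exactly the /24s (and 199.172.17.0/24, which the 0.0.20.0 wildcard also covers) under the BGP reading, rejecting 199.172.21.0/26, and permitting nothing at all under the RIP reading, because no update source falls inside 199.172.1.0 0.0.20.0 and the mask field is compared against the network address. It also confirms Jin's point: `host <source> 199.172.1.0 0.0.20.0` applied to RIP constrains the neighbour but, like a standard ACL, still lets 199.172.21.0/26 through.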
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:41 GMT-3