Re: More about ACLs

From: neil K (neil_k11@hotmail.com)
Date: Mon May 19 2003 - 01:52:12 GMT-3


The access-list 101 per ip host {source_address} 199.172.1.0 0.0.20.0
doesn't work for me. I am using it to filter EIGRP, but everything is blocked,
whereas a standard ACL with distribute-list works fine.
Comments?

Neil

----- Original Message -----
From: "Jung, Jin" <jin.jung@lmco.com>
To: "'love cisco'" <love_cisco@hotmail.com>; <brian@labforge.com>;
<danielcgs@imc.net.au>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, May 13, 2003 1:00 PM
Subject: RE: More about ACLs

> So why use an extended ACL for IGP protocols?
>
>
> I do not see any benefit to using extended versus standard.
>
> So, access-list 5 permit 199.172.1.0 0.0.20.0
> is the same as access-list 101 per ip host {source_address} 199.172.1.0 0.0.20.0
>
> Both of these do the same, other than defining a source of the route.
>
> So why use extended?
>
> Thanks in advance...
>
> -----Original Message-----
> From: love cisco [mailto:love_cisco@hotmail.com]
> Sent: Sunday, May 11, 2003 6:09 PM
> To: brian@labforge.com; danielcgs@imc.net.au
> Cc: ccielab@groupstudy.com
> Subject: RE: More about ACLs
>
>
> I believe it works the same way with IGP protocols (RIP, EIGRP, OSPF, IS-IS).
> I have tested it with OSPF.
>
>
> >From: "Brian Dennis" <brian@labforge.com>
> >Reply-To: "Brian Dennis" <brian@labforge.com>
> >To: "'Daniel Cisco Group Study'" <danielcgs@imc.net.au>
> >CC: <ccielab@groupstudy.com>
> >Subject: RE: More about ACLs
> >Date: Sun, 11 May 2003 07:35:31 -0700
> >
> >I just tried an extended ACL real quick with EIGRP and it appears to
> >work the same way as with RIP.
> >
> >Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> >Director of CCIE Training and Development - IPexpert, Inc.
> >Mailto: brian@ipexpert.net
> >Toll Free: 866.225.8064
> >Outside U.S. & Canada: 312.321.6924
> >
> >-----Original Message-----
> >From: Daniel Cisco Group Study [mailto:danielcgs@imc.net.au]
> >Sent: Sunday, May 11, 2003 6:05 AM
> >To: Brian Dennis; jfaure@sztele.com
> >Cc: ccielab@groupstudy.com
> >Subject: RE: More about ACLs
> >
> >Brian,
> >
> >Extremely interesting..... Does this also apply to EIGRP?
> >
> >Daniel
> >
> >
> >-----Original Message-----
> >From: Brian Dennis [mailto:brian@labforge.com]
> >Sent: Sunday, 11 May 2003 15:08
> >To: jfaure@sztele.com
> >Cc: ccielab@groupstudy.com
> >Subject: RE: More about ACLs
> >
> >
> >Extended ACLs don't work for RIP the same way they work for BGP. With
> >RIP the source portion is the source of the update and the destination
> >portion works like a standard ACL.
> >
> >access-list 199 permit ip host 172.16.1.1 10.0.0.0 0.255.255.255
> >
> >This would mean any subnet of the 10 network from 172.16.1.1.
> >
> >Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> >Director of CCIE Training and Development - IPexpert, Inc.
> >Mailto: brian@ipexpert.net
> >Toll Free: 866.225.8064
> >Outside U.S. & Canada: 312.321.6924
> >
> >-----Original Message-----
> >From: jfaure@sztele.com [mailto:jfaure@sztele.com]
> >Sent: Saturday, May 10, 2003 12:09 PM
> >To: Brian Dennis
> >Cc: ccielab@groupstudy.com
> >Subject: RE: More about ACLs
> >
> >
> >Hi Brian:
> >
> >If I'm not wrong, and following your examples and explanations, the
> >extended access list to match these 3 networks (and to match the /24
> >mask too):
> >199.172.1.0/24
> >199.172.5.0/24
> >199.172.21.0/24
> >
> >would be:
> >
> >access-list 199 permit 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0
> >
> >But I'm trying this solution and it doesn't work. I have a router talking
> >RIP version 2 with another one. I'm applying this ACL as part of a
> >distribute list to filter only the networks I said before, but no luck
> >(not one network passes to me). Can anyone explain why?
> >
> >However, if I use a standard ACL like: permit 199.172.1.0 0.0.20.0,
> >then there is no problem and only the 3 networks pass. But, as I said,
> >I would like to be more specific, because with this second solution,
> >if some day a prefix like 199.172.21.0/26 appears, this prefix would be
> >allowed too, and I don't want this.
> >
> >Obviously, if you add more lines to the ACL and build a prefix list
> >(for example) with the 3 networks and the mask they have, you can do so. I'm
> >looking for a solution with the minimum number of command lines, if possible.
> >
> >Regards
> >
> >
> >
> >
> >
> >Juan Faure Ferrer
> >email: jfaure@sztele.com
> >
> >Telematics and CC Business Line
> >Network and Systems Integration Engineer
> >----------------------------------------------------------------------------
> >
> >SOLUZIONA TELECOMUNICACIONES
> >Professional Services of UNION FENOSA
> >Jerez, 3
> >28016 MADRID
> >tel 91 579 30 00 fax 91 350 72 83
> >----------------------------------------------------------------------------
> >
> >From: "Brian Dennis" <brian@labforge.com>
> >To: <jfaure@sztele.com>
> >Cc: <ccielab@groupstudy.com>
> >Subject: RE: More about ACLs
> >Date: 10/05/03 19:45
> >
> >The syntax for using an extended ACL for filtering routes is:
> >access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
> >
> >Here are some examples:
> >
> >access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> >matches 10.0.0.0/16 - Only
> >
> >access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> >matches 10.0.0.0/24 - Only
> >
> >access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> >matches 10.1.1.0/24 - Only
> >
> >access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> >matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
> >/24 subnet mask
> >
> >access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> >matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
> >with a /24 subnet mask
> >
> >access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> >matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of
> >the network with a /28 subnet mask
> >
> >access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> >matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd,
> >3rd & 4th octet of the network with a /24 to /32 subnet mask
> >
> >access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> >matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd,
> >3rd & 4th octet of the network with a /25 to /32 subnet mask
> >
> >Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> >Director of CCIE Training and Development - IPexpert, Inc.
> >Mailto: brian@ipexpert.net
> >Toll Free: 866.225.8064
> >Outside U.S. & Canada: 312.321.6924
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >jfaure@sztele.com
> >Sent: Saturday, May 10, 2003 9:25 AM
> >To: Cameron, John
> >Cc: ccielab@groupstudy.com
> >Subject: RE: More about ACLs
> >
> >John:
> >
> >Your ACL is a bit more specific, because it watches the exact match in
> >the last octet. But this wasn't my question exactly. The question is
> >how can you ONLY allow the 3 odd networks AND WITH THE MASK /24 TOO. If I
> >understand you, your ACL also allows these networks:
> >
> >199.172.1.0/25
> >199.172.1.0/26
> >199.172.5.0/27
> >...
> >
> >The key is to only permit the 3 networks and only with the mask /24.
> >Then you need an extended ACL, I think, but I don't see very well how
> >to do so.
> >
> >Regards
> >
> >Juan Faure Ferrer
> >email: jfaure@sztele.com
> >
> >Telematics and CC Business Line
> >Network and Systems Integration Engineer
> >----------------------------------------------------------------------------
> >
> >SOLUZIONA TELECOMUNICACIONES
> >Professional Services of UNION FENOSA
> >Jerez, 3
> >28016 MADRID
> >tel 91 579 30 00 fax 91 350 72 83
> >----------------------------------------------------------------------------
> >
> >From: "Cameron, John" <johcamer@cisco.com>
> >To: "'jfaure@sztele.com'" <jfaure@sztele.com>, ccielab@groupstudy.com
> >Subject: RE: More about ACLs
> >Date: 10/05/03 16:23
> >
> >Juan,
> >
> >I think this would work better:
> >
> >access-list 99 permit 199.172.1.0 0.0.20.0
> >
> >Let me know what ya think.
> >
> >JDC
> >
> >
> >-----Original Message-----
> >From: jfaure@sztele.com [mailto:jfaure@sztele.com]
> >Sent: Saturday, May 10, 2003 5:31 AM
> >To: ccielab@groupstudy.com
> >Subject: More about ACLs
> >
> >
> >Hi all:
> >
> >I'm having some trouble with ACLs. Imagine you have these networks:
> >
> >199.172.1.0/24
> >199.172.2.0/24
> >199.172.4.0/24
> >199.172.5.0/24
> >199.172.6.0/24
> >199.172.8.0/24
> >199.172.21.0/24
> >
> >And you must filter, with the minimum number of lines in the ACL, and
> >only permit the odd networks (at the third octet, this is ONLY the 1,
> >5 and 21, not each possible odd subnet). Then you could do so with a
> >standard access list like this:
> >
> >access-list 99 permit 199.172.1.0 0.0.20.255
> >
> >However, this access-list also allows networks like 199.172.1.0/25,
> >199.172.1.0/26, etc. Imagine you want to be more specific and to match
> >the network mask too. Then you'd need an extended ACL that only allows
> >/24. But can anyone suggest how to construct it, if it's possible?
> >
> >Regards
> >
> >Juan Faure Ferrer
> >email: jfaure@sztele.com
> >
> >Telematics and CC Business Line
> >Network and Systems Integration Engineer
> >----------------------------------------------------------------------------
> >
> >SOLUZIONA TELECOMUNICACIONES
> >Professional Services of UNION FENOSA
> >Jerez, 3
> >28016 MADRID
> >tel 91 579 30 00 fax 91 350 72 83
> >----------------------------------------------------------------------------
> >
> >
>
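Added example, written for this archive page and not code from the thread or from IOS: a small Python model of how a distribute-list evaluates the two ACL forms discussed above. Standard entries (the form Juan and John use) compare only the route's network address against the network/wildcard pair, so the prefix length is never examined. Extended entries follow the syntax Brian Dennis gave, `access-list <n> permit ip <network> <wildcard> <subnet mask> <wildcard>`: the first pair is matched against the route's network address and the second pair against its subnet mask. The routes and ACL lines are constructed from the thread's own values; the function names `parse_acl`, `entry_matches` and `permitted` are my own.

```python
"""Model of Cisco distribute-list matching for standard and extended ACLs
(example written for this page; it is not IOS code).  Extended entries use
Brian Dennis's form:  access-list <n> permit ip <net> <net-wc> <mask> <mask-wc>
where the first pair matches the route's network address and the second pair
matches its subnet mask.  Standard entries match the network address only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    network: int           # network address compared against the route
    net_wc: int            # wildcard: bits set to 1 are "don't care"
    mask: Optional[int]    # subnet mask compared against the route (None = standard)
    mask_wc: int           # wildcard for the subnet-mask comparison


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _wc_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: only the bits that are 0 in the wildcard must agree."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)


def _spec(tok, i):
    """Consume one address spec ('any', 'host A', or 'A W'); return (addr, wc, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _addr(tok[i + 1]), 0, i + 2
    return _addr(tok[i]), _addr(tok[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny ...' lines into Entry objects."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        if tok[3] == "ip":                       # extended: network spec then mask spec
            net, net_wc, i = _spec(tok, 4)
            mask, mask_wc, i = _spec(tok, i)
            if i != len(tok):
                raise ValueError(f"trailing tokens in: {line!r}")
            entries.append(Entry(tok[2], net, net_wc, mask, mask_wc))
        else:                                    # standard: <network> [<wildcard>] | host A | any
            if tok[3] in ("any", "host"):
                net, net_wc, _ = _spec(tok, 3)
            else:
                net = _addr(tok[3])
                net_wc = _addr(tok[4]) if len(tok) > 4 else 0
            entries.append(Entry(tok[2], net, net_wc, None, 0))
    return entries


def entry_matches(e: Entry, route: ipaddress.IPv4Network) -> bool:
    if not _wc_match(int(route.network_address), e.network, e.net_wc):
        return False
    if e.mask is None:                           # standard ACL: prefix length is not examined
        return True
    return _wc_match(int(route.netmask), e.mask, e.mask_wc)


def permitted(acl_lines, routes):
    """Return the routes a distribute-list using this ACL would pass.
    First matching entry wins; a route matching nothing hits the implicit deny."""
    entries = parse_acl(acl_lines)
    out = []
    for r in routes:
        net = ipaddress.IPv4Network(r)
        for e in entries:
            if entry_matches(e, net):
                if e.action == "permit":
                    out.append(str(net))
                break
    return out


# Constructed sample routes: Juan's seven /24s, the longer prefix he worries
# about, and the /24 with 17 in the third octet that wildcard 0.0.20.0 also admits.
ROUTES = ["199.172.1.0/24", "199.172.2.0/24", "199.172.4.0/24", "199.172.5.0/24",
          "199.172.6.0/24", "199.172.8.0/24", "199.172.21.0/24",
          "199.172.21.0/26", "199.172.17.0/24"]
STANDARD = ["access-list 99 permit 199.172.1.0 0.0.20.255"]
EXTENDED = ["access-list 199 permit ip 199.172.1.0 0.0.20.0 255.255.255.0 0.0.0.0"]

if __name__ == "__main__":
    print("standard:", permitted(STANDARD, ROUTES))
    print("extended:", permitted(EXTENDED, ROUTES))
```

Running it shows the difference the thread is after: the standard ACL passes 199.172.21.0/26 along with the /24s, while the extended form rejects it because its mask 255.255.255.192 fails the second comparison. It also shows that 0.0.20.0 frees bits 4 and 16 of the third octet, so a 199.172.17.0/24 route would be admitted by both forms as well as 1, 5 and 21. The model reproduces only the network-plus-mask interpretation from Brian's syntax message; his later remark that with RIP the source portion matches the source of the update is a different behaviour that this code does not cover.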



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:45 GMT-3