From: SHARMA,MOHIT (HP-Germany,ex1) (mohit.sharma@hp.com)
Date: Wed Jun 18 2003 - 10:28:18 GMT-3
Hi Brian and all,
Thanks for replying.
Sorry for the confusion, but it seems that different books are always giving you
a different picture of the same thing.
I was confirming the same and then I saw another example like this in Sam
Halabi's BGP book, page 314, where he is giving examples of access-lists
matching the aggregate. He says to send ONLY the aggregate 172.16.0.0/16 you
can use:
access-list 101 permit 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
Should not the wildcard bits for the network prefix be all 0's as you
specified in your mail?
Or will this also work? The question is that we SHOULD ALLOW "ONLY"
the aggregate.
Which one would you recommend to use?
Thanks again.
Mohit.
-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Wednesday, June 18, 2003 5:12 AM
To: 'SHARMA,MOHIT (HP-Germany,ex1)'; ccielab@groupstudy.com
Subject: RE: Extended ACL with distribute list
In his example he is trying to allow the 172.16.0.0/22 summary so the
ACL would be:
access-list 100 permit ip 172.16.0.0 0.0.0.0 255.255.252.0 0.0.0.0
This ACL permits only 172.16.0.0 with a subnet mask of /22
His ACL is:
access-list 100 permit ip 172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0
This ACL permits 172.16.[0-3].[0-255] with a subnet mask of /22
They both will work but the bottom one is "sloppy".
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
SHARMA,MOHIT (HP-Germany,ex1)
Sent: Tuesday, June 17, 2003 2:01 PM
To: ccielab@groupstudy.com
Subject: Extended ACL with distribute list
Hi All,
Going through the Parkhurst BGP book, I found an example for the ACL while
using a BGP distribute list.
According to the book, to match the aggregate 172.16.0.0 255.255.252.0,
you use:
access-list 100 permit 172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0
Is this really right?
Can I also use -
access-list 100 permit 172.16.0.0 0.0.0.255 255.255.252.0 0.0.0.0
Why do I need a 0.0.3.255 and not a complete 0.0.0.0 to match the
network??
Also will these work as well-
access-list 100 permit host 172.16.0.0 host 255.255.252.0
or
prefix-list seq 5 permit 172.16.0.0/22.
Please do help.
Thanks as always.
Smiles,
Mohit.
Mohit Sharma
Network Operations Engineer
HP Operations
email: mohit_sharma@hp.com
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:00 GMT-3
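
Added example (not part of the original thread, and not code from either book): a small Python model of how an extended ACL entry used in a BGP distribute-list matches a route, with the source address/wildcard compared against the network and the destination address/wildcard compared against the mask. It enumerates every valid prefix inside 172.16.0.0/16 up to /24 and lists which ones each ACL from the thread permits; the names STRICT, SLOPPY, NARROW, HALABI and LOOSE_MASK are labels chosen here, and LOOSE_MASK is a constructed contrast entry that does not appear in the thread.

```python
import ipaddress

FULL = 0xFFFFFFFF

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def acl_permits(entry, network, mask):
    """entry = (src, src_wildcard, dst, dst_wildcard).
    In a distribute-list the src pair is checked against the route's network
    and the dst pair against the route's mask. Wildcard 1-bits are ignored."""
    src, src_wc, dst, dst_wc = (_to_int(x) for x in entry)
    net, msk = _to_int(network), _to_int(mask)
    care_src, care_dst = ~src_wc & FULL, ~dst_wc & FULL
    return (net & care_src) == (src & care_src) and \
           (msk & care_dst) == (dst & care_dst)

def permitted_routes(entry, supernet="172.16.0.0/16", max_len=24):
    """Every valid prefix inside supernet (up to max_len) the entry permits."""
    top = ipaddress.ip_network(supernet)
    hits = []
    for plen in range(top.prefixlen, max_len + 1):
        for sub in top.subnets(new_prefix=plen):
            if acl_permits(entry, str(sub.network_address), str(sub.netmask)):
                hits.append(str(sub))
    return hits

# Entries from the thread (address/wildcard pairs only)
STRICT = ("172.16.0.0", "0.0.0.0",     "255.255.252.0", "0.0.0.0")
SLOPPY = ("172.16.0.0", "0.0.3.255",   "255.255.252.0", "0.0.0.0")
NARROW = ("172.16.0.0", "0.0.0.255",   "255.255.252.0", "0.0.0.0")
HALABI = ("172.16.0.0", "0.0.255.255", "255.255.0.0",   "0.0.0.0")
# Constructed contrast (not from the thread): wildcard bits on the MASK
LOOSE_MASK = ("172.16.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255")

if __name__ == "__main__":
    for name, entry in [("STRICT", STRICT), ("SLOPPY", SLOPPY),
                        ("NARROW", NARROW), ("HALABI", HALABI)]:
        print(name, permitted_routes(entry))
    print("LOOSE_MASK permits", len(permitted_routes(LOOSE_MASK)), "routes")
    # The sloppy entry pattern-matches 172.16.1.0 with a /22 mask, but that
    # combination has host bits set, so it never appears as a real route.
    print(acl_permits(SLOPPY, "172.16.1.0", "255.255.252.0"))
```

With the mask pinned by a 0.0.0.0 wildcard, the extra wildcard bits on the network side only cover addresses that cannot be valid networks for that mask, so the filter still passes a single route; loosening the mask wildcard is what widens it.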