From: Daniel Cisco Group Study (danielcgs@imc.net.au)
Date: Sun Jun 22 2003 - 22:16:29 GMT-3
Brian,
Thanks for the feedback; however, I didn't actually mention the word "subnet", I actually did mean "wildcard" masks... I should be more specific...
100% agree with you RE the fact that we can't filter based on the Subnet mask with Standard ACLs...
Thanks for the input,
Daniel
-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Monday, 23 June 2003 12:49
To: Daniel Cisco Group Study; ccielab@groupstudy.com
Subject: RE: Simple ACL question
Those examples do not include the subnet mask.
access-list 1 permit 172.16.30.0 0.0.0.255
This means routes that are 172.16.30.[0-255] with any subnet mask.
access-list 1 permit 192.168.2.64 0.0.0.63
This means routes that are 192.168.2.[64-127] with any subnet mask.
Standard ACLs will not work for filtering based on the subnet mask with
any protocol. Extended ACLs can be used for filtering based on the
subnet mask for BGP. If you need a route filter to include the subnet
mask for other protocols (RIP, EIGRP, etc.), use a prefix-list.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Daniel Cisco Group Study
Sent: Sunday, June 22, 2003 5:38 PM
To: ccielab@groupstudy.com
Subject: Simple ACL question
Simple question:
I need to create an ACL to filter / redistribute / (whatever) the two
routes:
172.16.30.0 / 24
192.168.2.64 / 26
I've always used the "lazy", or what I call the efficient method:
access-list 1 permit 172.16.30.0
access-list 1 permit 192.168.2.64
It has always worked for me no problem.
However, every "authority" always specifies the masks:
access-list 1 permit 172.16.30.0 0.0.0.255
access-list 1 permit 192.168.2.64 0.0.0.63
In my mind, these masks are simply killing electrons, and taking up my
time.... I know how to use them, but why bother?
The big questions:
(1) Am I wrong in saying that these masks are unnecessary?
(2) In the lab, do we play it safe, and specify the "useless" masks?
(3) Has anyone (knowingly) got away with the first method in the lab?
(without breaking NDA)
I don't mind having to specify the masks, but I'd love to know WHY I
should (apart from losing marks if I don't)........
Daniel
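The following is an added illustration, not part of the original thread and not IOS code: a small Python model of how a standard ACL used as a route filter compares routes (network address against address/wildcard, prefix length ignored) versus how an ip prefix-list compares them (prefix plus length window). It encodes Daniel's two ACL variants and a prefix-list with the same two networks, and runs them over a constructed set of sample routes. The matching functions and the sample routes are my own constructions; the one IOS behaviour they rely on is that a standard ACL entry with no wildcard uses 0.0.0.0, i.e. an exact match of that one address.

```python
import ipaddress

# Constructed sample routes as (network address, prefix length): Daniel's two
# routes plus neighbouring prefixes that show what each filter style lets through.
SAMPLE_ROUTES = [
    ("172.16.30.0", 24),
    ("172.16.30.0", 25),     # same network address, longer mask
    ("172.16.30.128", 25),
    ("172.16.31.0", 24),
    ("192.168.2.64", 26),
    ("192.168.2.64", 27),    # same network address, longer mask
    ("192.168.2.96", 27),
    ("192.168.2.128", 26),
]

# Daniel's "lazy" ACL: no wildcard given, which IOS treats as 0.0.0.0 (exact match).
LAZY_ACL = [
    ("permit", "172.16.30.0", "0.0.0.0"),
    ("permit", "192.168.2.64", "0.0.0.0"),
]

# The same ACL written with explicit wildcard masks, as in the thread.
MASKED_ACL = [
    ("permit", "172.16.30.0", "0.0.0.255"),
    ("permit", "192.168.2.64", "0.0.0.63"),
]

# A prefix-list for the same two networks: (action, prefix, ge, le); None means
# "no ge/le given", i.e. the route's length must equal the entry's length.
PREFIX_LIST = [
    ("permit", "172.16.30.0/24", None, None),
    ("permit", "192.168.2.64/26", None, None),
]


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def standard_acl_match(acl, route) -> bool:
    """Model of a standard ACL as a route filter (simplified, my assumption of the
    semantics): only the route's network address is compared, bit by bit, where a
    wildcard bit of 1 means 'don't care'. The prefix length is never looked at."""
    net, _plen = route
    for action, address, wildcard in acl:
        care = 0xFFFFFFFF ^ _addr(wildcard)           # bits that must match
        if (_addr(net) & care) == (_addr(address) & care):
            return action == "permit"
    return False                                      # implicit deny at the end


def prefix_list_match(plist, route) -> bool:
    """Model of an ip prefix-list: the entry's prefix must contain the route, and the
    route's prefix length must fall inside the entry's [ge, le] window, which defaults
    to exactly the entry's own length."""
    net, plen = route
    candidate = ipaddress.ip_network(f"{net}/{plen}")
    for action, prefix, ge, le in plist:
        entry = ipaddress.ip_network(prefix)
        low = ge if ge is not None else entry.prefixlen
        high = le if le is not None else low
        if candidate.subnet_of(entry) and low <= plen <= high:
            return action == "permit"
    return False


def permitted(match_fn, rules, routes=SAMPLE_ROUTES):
    """Return the subset of routes the given filter lets through."""
    return [r for r in routes if match_fn(rules, r)]


if __name__ == "__main__":
    for name, fn, rules in (("lazy ACL", standard_acl_match, LAZY_ACL),
                            ("masked ACL", standard_acl_match, MASKED_ACL),
                            ("prefix-list", prefix_list_match, PREFIX_LIST)):
        print(f"{name:12s}", [f"{n}/{p}" for n, p in permitted(fn, rules)])
```

Run as-is, the model shows the three behaviours side by side: the lazy ACL passes only routes whose network address is exactly 172.16.30.0 or 192.168.2.64, which does include the two intended routes but also 172.16.30.0/25 and 192.168.2.64/27; the masked ACL additionally passes 172.16.30.128/25 and 192.168.2.96/27, since both forms ignore the mask entirely; and only the prefix-list restricts the match to 172.16.30.0/24 and 192.168.2.64/26.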
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:06 GMT-3