From: Jonathan V Hays (jhays@jtan.com)
Date: Mon Nov 03 2003 - 10:05:33 GMT-3
Alec,
You are probably thinking about the normal "source-prefix source-mask
destination-prefix destination-mask" form of the extended ACL.
However, I think that Brian was not referring to this but to the special
"prefix and prefix-length pair matching" function that can be
implemented (only in BGP) using an extended ACL.
There's a good example here:
http://www.cisco.com/warp/public/459/22.html#acclists
--------
QUOTE:
To permit only supernet 10.10.0.0/19, we use an extended access list,
such as access-list 101 permit ip 10.10.0.0 0.0.0.0 255.255.224.0
0.0.0.0. The format of the extended access-list command is as follows:
access-list <access-list-number> {deny|permit}
protocol source source-wildcard mask mask-wildcard
In our example, the source is 10.10.0.0 and the source-wildcard of
0.0.0.0 is configured for an exact match of source. A mask of
255.255.224.0, and a mask-wildcard of 0.0.0.0 is configured for an exact
match of source mask. If either of them (source or mask) does not have an
exact match, the access-list denies it.
This allows the extended access-list command to permit an exact match of
source network number 10.10.0.0 with mask 255.255.224.0 (i.e.,
10.10.0.0/19).
END QUOTE:
----------
HTH,
Jonathan
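The two matching styles discussed in this thread, the BGP-only "prefix and prefix-length pair" reading of an extended ACL and a prefix-list with ge/le, modelled in Python as an added illustration; this is not code from the thread or from the Cisco document, the route list is constructed sample data, and the function names are mine.

```python
import ipaddress

def _wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(value)) & care) == \
           (int(ipaddress.IPv4Address(pattern)) & care)

def acl_pair_permits(route, prefix, prefix_wc, mask, mask_wc):
    """The BGP-only 'prefix and prefix-length pair' reading of an extended ACL:
    the source field is compared with the route's network and the destination
    field with its subnet mask (each under its own wildcard)."""
    net = ipaddress.IPv4Network(route)
    return (_wildcard_match(str(net.network_address), prefix, prefix_wc)
            and _wildcard_match(str(net.netmask), mask, mask_wc))

def prefix_list_permits(route, entry, ge=None, le=None):
    """'ip prefix-list ... permit <entry> [ge X] [le Y]': the route must fall
    inside <entry> and its length must lie in the ge/le window (exact length
    of <entry> when neither is given, up to /32 when only ge is given)."""
    net = ipaddress.IPv4Network(route)
    ent = ipaddress.IPv4Network(entry)
    lo = ge if ge is not None else ent.prefixlen
    hi = le if le is not None else (32 if ge is not None else ent.prefixlen)
    return net.network_address in ent and lo <= net.prefixlen <= hi

# Constructed RIP-learned routes (hypothetical sample data, not from the thread).
RIP_ROUTES = ["10.10.0.0/19", "10.10.1.0/27", "10.10.2.32/27",
              "192.168.5.64/26", "172.16.0.0/16"]

def filter_routes(routes=RIP_ROUTES):
    """Apply the filters quoted in the thread and return what each permits."""
    return {
        # ip prefix-list TEST seq 5 permit 0.0.0.0/0 ge 27 le 27
        "prefix_list_TEST": [r for r in routes
                             if prefix_list_permits(r, "0.0.0.0/0", ge=27, le=27)],
        # access-list 101 permit ip any host 255.255.255.224, read as a
        # prefix/mask pair (the reading IOS applies only under BGP)
        "acl_101_bgp_reading": [r for r in routes
                                if acl_pair_permits(r, "0.0.0.0", "255.255.255.255",
                                                    "255.255.255.224", "0.0.0.0")],
        # access-list 101 permit ip 10.10.0.0 0.0.0.0 255.255.224.0 0.0.0.0
        "acl_exact_10_10_0_0_19": [r for r in routes
                                   if acl_pair_permits(r, "10.10.0.0", "0.0.0.0",
                                                       "255.255.224.0", "0.0.0.0")],
    }

if __name__ == "__main__":
    for name, permitted in filter_routes().items():
        print(f"{name}: {permitted}")
```

Under the BGP reading, access-list 101 and prefix-list TEST permit the same /27 routes; a RIP distribute-list does not apply that reading, which is why only the prefix-list form worked for Alec.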
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
a9605355
Sent: Monday, November 03, 2003 4:55 AM
To: Brian McGahan; ccielab@groupstudy.com; Alec
Subject: RE: RIP filtering /27 prefix
Hi Brian,
I've read some Cisco documents on using extended ACLs to filter routes based
on subnet mask information. I've also successfully used extended ACLs to
filter routes, so as far as I know, its functionality should be similar to a
prefix-list.
Would you please explain more about this method and why it is different
from a prefix-list? Thanks.
regards,
alec
>===== Original Message From "Brian McGahan" <bmcgahan@internetworkexpert.com> =====
>Alec,
>
> The extended access-list syntax cannot be used in this manner.
>The prefix and prefix-length pair matching with an extended ACL can only
>be applied to BGP. For other applications of this matching, simply use
>a prefix-list.
>
>HTH,
>
>Brian McGahan, CCIE #8593
>bmcgahan@internetworkexpert.com
>
>Internetwork Expert, Inc.
>http://www.InternetworkExpert.com
>Toll Free: 877-224-8987
>Direct: 708-362-1418 (Outside the US and Canada)
>
>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Alec
>> Sent: Sunday, November 02, 2003 3:03 AM
>> To: ccielab@groupstudy.com
>> Subject: RIP filtering /27 prefix
>>
>> If I am asked to ONLY ALLOW all RIP-learned routes with /27 prefix, what's
>> the difference between the two? I expect both of them should achieve the
>> same result but unfortunately only the 2nd one works:
>>
>> router rip
>> distribute-list 101 in Ethernet0/0/0.909
>>
>> router rip
>> distribute-list prefix TEST in Ethernet0/0/0.909
>>
>> access-list 101 permit ip any host 255.255.255.224
>> ip prefix-list TEST seq 5 permit 0.0.0.0/0 ge 27 le 27
>>
>> regards,
>> alec
>>
>>
>> _______________________________________________________________________
>> Please help support GroupStudy by purchasing your study materials from:
>> http://shop.groupstudy.com
>>
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:07 GMT-3