Re: classfull routes with an access list

From: Marvin Greenlee (marvingreenlee@yahoo.com)
Date: Thu Jan 08 2004 - 22:45:10 GMT-3

• Next message: Marvin Greenlee: "Re: classfull routes with an access list"
• Previous message: Kaiser Anwar: "classfull routes with an access list"
• Maybe in reply to: Kaiser Anwar: "classfull routes with an access list"
• Next in thread: Marvin Greenlee: "Re: classfull routes with an access list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

"...Filtering Using distribute-list with an Extended
Access List
Using a standard access list to filter supernets can
be trickier. Assume Router 200 announces these
networks: 10.10.1.0/24 through 10.10.31.0/24, and its
aggregate, 10.10.0.0/19. Router 100 wishes to receive
only the aggregate network, 10.10.0.0/19, and to
filter out all specific networks.

A standard access list, such as access-list 1 permit
10.10.0.0 0.0.31.255, will not work because it permits
more networks than desired. The standard access list
looks at the source IP address only and cannot check
the length of the network mask. The access-list 1
command above will permit 10.10.1.0/24, 10.10.2.0/24,
and other specific networks.

To permit only supernet 10.10.0.0/19, we use an
extended access list, such as access-list 101 permit
ip 10.10.0.0 0.0.0.0 255.255.224.0 0.0.0.0. The format
of the extended access-list command is as follows:

access-list <access-list-number> {deny|permit}
protocol source source-wildcard mask mask-wildcard
In our example, the source is 10.10.0.0 and the
source-wildcard of 0.0.0.0 is configured for an exact
match of source. A mask of 255.255.224.0, and a
mask-wildcard of 0.0.0.0 is configured for an exact
match of source mask. If any one of them(source or
mask) does not have a exact match. Access-list denies
it.

This allows the extended access-list command to permit
an exact match of source network number 10.10.0.0 with
mask 255.255.224.0 (i.e., 10.10.0.0/19).

access-list 101 permit ip 10.10.0.0 0.0.0.0
255.255.224.0 0.0.0.0"
....

Reference - Cisco - BGP - How to block one or more
networks from a BGP peer-
http://www.cisco.com/en/US/tech/tk365/tk80/technologies_tech_note09186a00801310cb.shtml

Sincerely
Marvin Greenlee, CCIE #12237
Network Learning, Inc

--- Kaiser Anwar <kaiseranwar@sbcglobal.net> wrote:
> Hi,
> I was wondering that would it be possible to permit
> or block classfull routes
> with access-list.I know it is done with prefix list.
>
> Thanks
>
>
> Sincerely,
> Kaiser Anwar
> (847) 409-7261
> CCNA, CCNP
> CCSA, MCSE
>
>

• Next message: Marvin Greenlee: "Re: classfull routes with an access list"
• Previous message: Kaiser Anwar: "classfull routes with an access list"
• Maybe in reply to: Kaiser Anwar: "classfull routes with an access list"
• Next in thread: Marvin Greenlee: "Re: classfull routes with an access list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3