Route filtering

From: Nigel.Johnson@barclayscapital.com
Date: Thu Apr 01 2004 - 02:59:25 GMT-3


Assume the following scenario:

Router1 is sending Router2 the following networks (routing protocol not
important):

192.168.1.0 /24
172.16.16.0 /24

I now want to only allow the 192.168.1.0 /24 route into Router2. So, I can
do this with a distribute list as follows:

access-list 1 permit 192.168.1.0 0.0.0.255
distribute-list 1 in serial 0

This works fine. However, this distribute list would also allow any subnets
of 192.168.1.0 /24, e.g. 192.168.1.32 /27

If I just wanted to allow 192.168.1.0/24 then I would change my access list
to:

access-list 1 permit host 192.168.1.0

So 'What's your point?' I hear you ask. Well, in the R&S lab, if the question
wants us to filter a route should we use:

(1) My first access list
(2) My second access list, or
(3) Either are ok

Obviously if the question is very specific and states that ONLY the major
network 192.168.1.0/24 is to be allowed and no subnets then we would opt for
the second.

The reason I bring this up is because I'm working through the IPEXPERT
workbook and have always used my second style of access list when filtering,
whereas the solutions use the first, more 'loose' access list.

Thanks
Nigel
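
Added example (not part of the original post): a Python model of how a standard access list in a distribute-list is compared against a route, run over the two access lists above. It assumes the standard-ACL behaviour of testing only the route's network address and never its mask; the /25 test route and the exact-match prefix-list comparison are constructed additions for contrast.

```python
import ipaddress

def acl_permits(acl_addr, wildcard, route):
    """Standard ACL entry as used by a distribute-list: only the route's
    network address is compared; the prefix length is never examined."""
    net = int(ipaddress.ip_network(route).network_address)
    base = int(ipaddress.ip_address(acl_addr))
    # Wildcard bits set to 1 are "don't care"; invert to get the bits to compare.
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (net & care) == (base & care)

def prefix_list_permits(entry, route):
    """Exact-match prefix-list entry (no ge/le): address AND length must match."""
    return ipaddress.ip_network(route) == ipaddress.ip_network(entry)

# Constructed sample updates: the two routes from the post, the /27 subnet
# it mentions, and one extra /25 that shares the network address 192.168.1.0.
ROUTES = [
    "192.168.1.0/24",
    "172.16.16.0/24",
    "192.168.1.32/27",
    "192.168.1.0/25",
]

def evaluate(routes=ROUTES):
    """Return the verdict of each filter style for each route.
    A route matching no permit entry hits the implicit deny (False)."""
    verdicts = {}
    for route in routes:
        verdicts[route] = {
            # access-list 1 permit 192.168.1.0 0.0.0.255
            "acl_wildcard": acl_permits("192.168.1.0", "0.0.0.255", route),
            # access-list 1 permit host 192.168.1.0  (wildcard 0.0.0.0)
            "acl_host": acl_permits("192.168.1.0", "0.0.0.0", route),
            # exact-match prefix-list entry for 192.168.1.0/24, for comparison
            "prefix_list": prefix_list_permits("192.168.1.0/24", route),
        }
    return verdicts

if __name__ == "__main__":
    for route, v in evaluate().items():
        print(f"{route:18} wildcard={v['acl_wildcard']!s:5} "
              f"host={v['acl_host']!s:5} prefix-list={v['prefix_list']}")
```

In this model the host entry drops 192.168.1.32/27 but still admits 192.168.1.0/25, because both carry the network address 192.168.1.0; only the prefix-list style comparison ties the match to the /24 length.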



