RE: Route filtering [bcc][faked-from]

From: William Lijewski (wlijewski@cox.net)
Date: Thu Apr 01 2004 - 03:37:21 GMT-3


Well, if you want to be very specific, neither of those is exact. A
standard access-list cannot check the subnet mask information. Even your
192.168.1.0 0.0.0.0 would allow in more than the /24. A standard
access-list can only check the bits; as long as the bits are 192.168.1.0, ANY
subnet could get through:

192.168.1.0/24
192.168.1.0/25
192.168.1.0/26
192.168.1.0/27
192.168.1.0/28
192.168.1.0/29
etc...

The only real way to permit 'exactly' what is requested is to use a
Prefix-list.

Your Prefix-list would look like this:

ip prefix-list TEST permit 192.168.1.0/24

This will check the first 24 bits to make sure that they match and then
check to make sure that the network has a 24-bit subnet mask. Both the bits
and the subnet mask must match for the route to be permitted. You could
then apply it to your distribute-list:

distribute-list prefix TEST in Serial1/0

I believe that in the lab, as with real world situations, you should be as
precise as possible when it comes to filtering and summarization.

Bill Lijewski
CCIE #8642
Network Learning Inc
5 Day R&S CCIE Bootcamp Instructor
bill@eccie.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Nigel.Johnson@barclayscapital.com
Sent: Thursday, April 01, 2004 4:28 AM
To: ccielab@groupstudy.com
Subject: Route filtering [bcc][faked-from]
Importance: Low

Assume the following scenario:

Router1 is sending Router2 the following networks (routing protocol not
important):

192.168.1.0 /24
172.16.16.0 /24

I now want to only allow the 192.168.1.0 /24 route into Router2. So, I can
do this with a distribute list as follows:

access-list 1 permit 192.168.1.0 0.0.0.255
distribute-list 1 in serial 0

This works fine. However, this distribute list would also allow any subnets
of 192.168.1.0 /24, e.g. 192.168.1.32 /27

If I just wanted to allow 192.168.1.0/24 then I would change my access list
to:

access-list 1 permit host 192.168.1.0

So 'What's your point?' I hear you ask. Well, in the R&S lab, if the question
wants us to filter a route should we use:

(1) My first access list
(2) My second access list, or
(3) Either are ok

Obviously if the question is very specific and states that ONLY the major
network 192.168.1.0/24 is to be allowed and no subnets then we would opt for
the second.

The reason I bring this up is because I'm working through the IPEXPERT
workbook and have always used my second style of access list when filtering,
whereas the solutions use the first, more 'loose' access list.

Thanks
Nigel
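The three filters from this thread (Nigel's wildcard ACL, his `host` ACL, and Bill's prefix-list) modelled in Python as an added example that is not from either poster. It applies each one to a constructed set of advertised routes to show what each actually lets through, and the prefix-list helper also accepts `ge`/`le` so the general case beyond the exact-match line in the thread can be tried; the route list and function names are illustrative assumptions.

```python
import ipaddress

# Constructed sample of routes as Router1 might advertise them to Router2.
CANDIDATE_ROUTES = [
    "192.168.1.0/24",    # the one route Nigel wants to admit
    "192.168.1.0/25",    # same network bits as the /24, longer mask
    "192.168.1.32/27",   # a subnet inside 192.168.1.0/24
    "192.168.1.128/26",  # another subnet inside 192.168.1.0/24
    "172.16.16.0/24",    # the route that should be filtered out
]


def std_acl_permits(network_str, wildcard_str, route):
    """Standard access-list as used by a distribute-list: only the route's
    network address is compared, bit by bit, against the ACL entry. A
    wildcard bit of 1 means 'don't care'. The prefix length is never tested."""
    net = int(ipaddress.IPv4Address(network_str))
    wild = int(ipaddress.IPv4Address(wildcard_str))
    care = ~wild & 0xFFFFFFFF
    addr = int(ipaddress.IPv4Network(route).network_address)
    return (addr & care) == (net & care)


def prefix_list_permits(prefix_str, route, ge=None, le=None):
    """ip prefix-list semantics: the route's leading bits must match the
    configured prefix AND its mask length must equal the configured length
    (or lie in the ge/le range when those keywords are given)."""
    pfx = ipaddress.IPv4Network(prefix_str)
    rt = ipaddress.IPv4Network(route)
    mask = int(pfx.netmask)
    bits_match = (int(rt.network_address) & mask) == (int(pfx.network_address) & mask)
    lo = ge if ge is not None else pfx.prefixlen
    hi = le if le is not None else (32 if ge is not None else pfx.prefixlen)
    return bits_match and lo <= rt.prefixlen <= hi


def filter_routes(filter_name):
    """Apply one of the three filters discussed in the thread to the sample routes."""
    if filter_name == "acl-wildcard":    # access-list 1 permit 192.168.1.0 0.0.0.255
        keep = lambda r: std_acl_permits("192.168.1.0", "0.0.0.255", r)
    elif filter_name == "acl-host":      # access-list 1 permit host 192.168.1.0
        keep = lambda r: std_acl_permits("192.168.1.0", "0.0.0.0", r)
    elif filter_name == "prefix-list":   # ip prefix-list TEST permit 192.168.1.0/24
        keep = lambda r: prefix_list_permits("192.168.1.0/24", r)
    else:
        raise ValueError(f"unknown filter {filter_name!r}")
    return [r for r in CANDIDATE_ROUTES if keep(r)]


if __name__ == "__main__":
    for name in ("acl-wildcard", "acl-host", "prefix-list"):
        print(f"{name:12s} -> {filter_routes(name)}")
```

Only the prefix-list leaves exactly `192.168.1.0/24`; the `host` ACL still admits `192.168.1.0/25`, and the wildcard ACL admits every subnet of the block.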




This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:40 GMT-3