From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun Nov 14 2004 - 12:04:47 GMT-3
Alsontra,
When using ACLs this way to filter routes as shown below, I assume the
host keyword could also be used instead of 0.0.0.0, correct?
Taking some of Brian's examples from below.

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
EQUALS
access-list 100 permit ip host 10.0.0.0 host 255.255.0.0
Matches 10.0.0.0/16 - Only

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
EQUALS
access-list 100 permit ip host 10.0.0.0 host 255.255.255.0
Matches 10.0.0.0/24 - Only

Also, if you have an ACL like this:
access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
I think that there's no way to use a prefix-list to do the same thing because
with this ACL, the 3rd octet can be anything and ip prefix-lists can't have a
discontinuous mask. Is that correct?
TIA, Tim
----- Original Message -----
From: "none" <alsontra@hotmail.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Bob Smith'"
<ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
Sent: Saturday, November 13, 2004 1:29 PM
Subject: RE: Prefix-list
> I cannot remember when, but someone once said that using access-lists in
> this way pre-dates prefix-list. Meaning this was how you matched both a
> prefix(s) and its mask before some ultra savvy Cisco engineer invented or
> introduced the IOS to prefix-list.
>
> As to how IOS knows when you're matching a mask as opposed to a
> destination??? I think it just depends on usage. Perhaps one of the list
> elders can shed some light on the topic.... :-)
>
> Brian? Brian? Scott? Howard?? Paul?
>
> Alsontra
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Saturday, November 13, 2004 10:29 AM
> To: none; 'Bob Smith'; ccielab@groupstudy.com
> Subject: Re: Prefix-list
>
> Hi Alsontra,
>
> I've known about this for a while, but I never understood one thing. Maybe
> you can clear this up.
>
> Consider the first example,
>
> access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
>
> How does IOS know that the "255.255.0.0 0.0.0.0" portion should be
> interpreted as
>
> <subnet mask> <wildcard mask of subnet mask>
>
> instead of as
>
> <destination prefix> <prefix mask>
>
> Granted, there aren't subnet destinations that begin with 255 since that's
> reserved for broadcast, but remember that number could be any number instead
> of 255.
>
> Any insight would be greatly appreciated.
>
> TIA, Tim
>
> ----- Original Message -----
> From: "none" <alsontra@hotmail.com>
> To: "'Bob Smith'" <ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
> Sent: Saturday, November 13, 2004 10:53 AM
> Subject: RE: Prefix-list
>
>
> > Try using an extended access-list - I've also attached a previous post from
> > Brian Dennis. If you can't figure it out I'll explain, but working this out
> > for yourself will do you good. Trust me.
> >
> > <snip>
> > Here is the syntax:
> > access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
> >
> > Here are some examples:
> > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > Matches 10.0.0.0/16 - Only
> >
> > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> > Matches 10.0.0.0/24 - Only
> >
> > access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> > Matches 10.1.1.0/24 - Only
> >
> > access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> > Matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
> > /24 subnet mask.
> >
> > access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> > Matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
> > with a /24 subnet mask.
> >
> > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> > Matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
> > network with a /28 subnet mask.
> >
> > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> > Matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > octet of the network with a /24 to /32 subnet mask.
> >
> > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> > Matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > octet of the network with a /25 to /32 subnet mask
> >
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@internetworkexpert.com Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> > </snip>
> >
> > HTH
> > Alsontra
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Bob Smith
> > Sent: Saturday, November 13, 2004 3:11 AM
> > To: ccielab@groupstudy.com
> > Subject: Prefix-list
> >
> > Say if I have 5 routes:
> >
> > 192.168.1.0/24
> > 192.168.2.0/24
> > 192.168.3.0/24
> > 192.168.4.0/24
> > 192.168.5.0/24
> >
> > With a prefix-list, is there any way to permit say only subnet 3 and 4 with
> > one line?
> > Or with an access-list?
> >
> > If so, can you put the solution in steps and break it out in binary, I have
> > spent so many hours and reading so many posts, but they seem to be
> > contradicting themselves...just don't know how it can be done....please help
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:43 GMT-3
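
The matching rule given in the quoted syntax (network and wildcard compared with the route's prefix, subnet mask and wildcard compared with the route's mask), modelled in Python as an added example; it is not code from any poster in the thread or from Cisco. The function names are hypothetical. It is run over the five 192.168.x.0/24 routes from the original question, with the third octet shown in binary, and over the 0.0.255.0 wildcard entry.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def acl_permits(route, net, net_wc, mask, mask_wc):
    """Apply one 'permit ip <net> <net_wc> <mask> <mask_wc>' entry to a route.

    The first pair is compared with the route's network address and the
    second pair with its subnet mask; wildcard bits set to 1 are ignored.
    """
    r = ipaddress.IPv4Network(route)
    care_net = ~to_int(net_wc) & 0xFFFFFFFF
    care_mask = ~to_int(mask_wc) & 0xFFFFFFFF
    net_ok = (int(r.network_address) & care_net) == (to_int(net) & care_net)
    mask_ok = (int(r.netmask) & care_mask) == (to_int(mask) & care_mask)
    return net_ok and mask_ok

def covering_entry(routes):
    """Tightest single (network, wildcard) pair that matches every route given."""
    addrs = [int(ipaddress.IPv4Network(r).network_address) for r in routes]
    wc = 0
    for a in addrs:
        wc |= a ^ addrs[0]      # every bit that differs must become don't-care
    net = addrs[0] & ~wc & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(wc))

def permitted(routes, entry):
    """Routes from the list that the single ACL entry permits."""
    return [r for r in routes if acl_permits(r, *entry)]

# The five routes from the original question in the thread.
ROUTES = [f"192.168.{n}.0/24" for n in range(1, 6)]

if __name__ == "__main__":
    for n in (3, 4):            # binary view of the third octet
        print(f"192.168.{n}.0  third octet = {n:08b}")
    net, wc = covering_entry(["192.168.3.0/24", "192.168.4.0/24"])
    print("tightest single entry:", net, wc)
    print("it permits:", permitted(ROUTES, (net, wc, "255.255.255.0", "0.0.0.0")))
    # Entry from the thread with a don't-care third octet, /24 only.
    entry = ("10.0.0.0", "0.0.255.0", "255.255.255.0", "0.0.0.0")
    for r in ("10.0.7.0/24", "10.0.7.0/25", "10.1.7.0/24"):
        print(r, acl_permits(r, *entry))
```

Because 3 (00000011) and 4 (00000100) differ in their three low bits, the tightest single entry that matches both is 192.168.0.0 0.0.7.0, which also permits subnets 1, 2 and 5 from the list.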