Re: Prefix-list

From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun Nov 14 2004 - 14:02:55 GMT-3


Thanks for the confirmation.

Maybe this doesn't happen to you, but I think many of us, myself included,
get to a certain high level of skill and sometimes overlook the basics -
stuff like ACLs. So, I'm trying to fight that "take it for granted" attitude
that I know ACLs "well enough".

What good is it in the lab if you can do the most difficult scenarios but
still screw up with ACLs?

Thanks again.
----- Original Message -----
From: "none" <alsontra@hotmail.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Bob Smith'"
<ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
Sent: Sunday, November 14, 2004 11:44 AM
Subject: RE: Prefix-list

> I agree, with ISIS route leaking I see the host keyword used quite often in
> CCO examples. -Also in the IE workbook, I think. As I understand it, either
> way works as long as you are matching on the correct bits.
>
> As to your last example, I see no way to duplicate that access-list with a
> prefix list.
>
>
> Al
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Sunday, November 14, 2004 9:05 AM
> To: none; 'Bob Smith'; ccielab@groupstudy.com
> Subject: Re: Prefix-list
>
> Alsontra,
>
> When using acl's this way to filter routes as shown below, I assume the
> host keyword could also be used instead of 0.0.0.0, correct?
>
> Taking some of Brian's examples from below.
> access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 EQUALS
>
> access-list 100 permit ip host 10.0.0.0 host 255.255.0.0
>
> Matches 10.0.0.0/16 - Only
>
> access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0 EQUALS
>
> access-list 100 permit ip host 10.0.0.0 host 255.255.255.0
>
> Matches 10.0.0.0/24 - Only
>
> Also, if you have an acl like this:
>
>
>
> access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
>
>
>
> I think that there's no way to use a prefix-list to do the same thing because
> with this acl, the 3rd octet can be anything and ip prefix-lists can't have a
> discontinuous mask. Is that correct?
>
>
>
>
>
> TIA, Tim
>
>
>
> ----- Original Message -----
> From: "none" <alsontra@hotmail.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Bob Smith'"
> <ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
> Sent: Saturday, November 13, 2004 1:29 PM
> Subject: RE: Prefix-list
>
>
> > I cannot remember when, but someone once said that using access-lists in
> > this way pre-dates prefix-list. Meaning this was how you matched both a
> > prefix(s) and its mask before some ultra savvy Cisco engineer invented or
> > introduced the IOS to prefix-list.
> >
> > As to how IOS knows when you're matching a mask as opposed to a
> > destination??? I think it just depends on usage. Perhaps one of the list
> > elders can shed some light on the topic.... :-)
> >
> > Brian? Brian? Scott? Howard?? Paul?
> >
> > Alsontra
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Saturday, November 13, 2004 10:29 AM
> > To: none; 'Bob Smith'; ccielab@groupstudy.com
> > Subject: Re: Prefix-list
> >
> > Hi Alsontra,
> >
> > I've known about this for a while, but I never understood one thing. Maybe
> > you can clear this up.
> >
> > Consider the first example,
> >
> > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> >
> > How does IOS know that the "255.255.0.0 0.0.0.0" portion should be
> > interpreted as
> >
> > <subnet mask> <wildcard mask of subnet mask>
> >
> > instead of as
> >
> > <destination prefix> <prefix mask>
> >
> > Granted, there aren't subnet destinations that begin with 255 since that's
> > reserved for broadcast, but remember that number could be any number instead
> > of 255.
> >
> > Any insight would be greatly appreciated.
> >
> > TIA, Tim
> >
> > ----- Original Message -----
> > From: "none" <alsontra@hotmail.com>
> > To: "'Bob Smith'" <ccnet101@nmccentral.com>; <ccielab@groupstudy.com>
> > Sent: Saturday, November 13, 2004 10:53 AM
> > Subject: RE: Prefix-list
> >
> >
> > > Try using an extended access-list - I've also attached a previous post from
> > > Brian Dennis. If you can't figure it out I'll explain, but working this out
> > > for yourself will do you good. Trust me.
> > >
> > > <snip>
> > > Here is the syntax:
> > > access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet
> > > mask> <wildcard mask of subnet mask>
> > >
> > > Here are some examples:
> > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > > Matches 10.0.0.0/16 - Only
> > >
> > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> > > Matches 10.0.0.0/24 - Only
> > >
> > > access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> > > Matches 10.1.1.0/24 - Only
> > >
> > > access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> > > Matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
> > > /24 subnet mask.
> > >
> > > access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> > > Matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network with
> > > a /24 subnet mask.
> > >
> > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> > > Matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the network
> > > with a /28 subnet mask.
> > >
> > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> > > Matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet
> > > of the network with a /24 to /32 subnet mask.
> > >
> > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> > > Matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet
> > > of the network with a /25 to /32 subnet mask.
> > >
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > > bdennis@internetworkexpert.com Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 775-745-6404 (Outside the US and Canada)
> > > </snip>
> > >
> > > HTH
> > > Alsontra
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Bob Smith
> > > Sent: Saturday, November 13, 2004 3:11 AM
> > > To: ccielab@groupstudy.com
> > > Subject: Prefix-list
> > >
> > > say if i have 5 routes:
> > >
> > > 192.168.1.0/24
> > > 192.168.2.0/24
> > > 192.168.3.0/24
> > > 192.168.4.0/24
> > > 192.168.5.0/24
> > >
> > > With a prefix-list, is there any way to permit say only subnet 3 and 4 with
> > > one line?
> > > Or with an access-list?
> > >
> > > If so, can you put the solution in steps and break it out in binary. I have
> > > spent so many hours and read so many posts, but they seem to be
> > > contradicting themselves... just don't know how it can be done... please
> > > help
> > >
> > >
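An added example, not part of any post in this thread: a small Python model of how an extended ACL in the form Brian Dennis quotes is evaluated when it is applied to route filtering (the "usage" Alsontra refers to). In that usage the ACL's source half is compared against the route's network address and the destination half against the route's subnet mask, each through its own wildcard mask. The parser also expands the `host` shorthand to a 0.0.0.0 wildcard, which is what Tim asks about. The route list and the ACL lines under `__main__` are constructed for the demonstration; the ACL entries themselves are the ones from the thread.

```python
"""Model of IOS extended-ACL evaluation when the ACL filters routes.

Added example, not from the thread: the "source" pair is matched against the
route's network, the "destination" pair against the route's subnet mask.  A 1
bit in a wildcard mask means "don't care"; only the 0 bits are compared.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _len_to_mask(prefixlen):
    """/24 -> 0xFFFFFF00, /0 -> 0, /32 -> 0xFFFFFFFF."""
    return (ALL_ONES << (32 - prefixlen)) & ALL_ONES


def parse_acl_entry(line):
    """Parse 'access-list <n> permit|deny ip <net> <wc> <mask> <wc>'.

    Returns (action, net, net_wc, mask, mask_wc) as integers.  'host A' expands
    to 'A 0.0.0.0' and 'any' to '0.0.0.0 255.255.255.255', as IOS does.
    """
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("only 'access-list <n> permit|deny ip ...' is modelled")
    action = tokens[2]
    fields = []
    i = 4
    while i < len(tokens):
        if tokens[i] == "host":
            fields.append((_addr(tokens[i + 1]), 0))
            i += 2
        elif tokens[i] == "any":
            fields.append((0, ALL_ONES))
            i += 1
        else:
            fields.append((_addr(tokens[i]), _addr(tokens[i + 1])))
            i += 2
    if len(fields) != 2:
        raise ValueError("expected a source pair and a destination pair")
    (net, net_wc), (mask, mask_wc) = fields
    return action, net, net_wc, mask, mask_wc


def _wildcard_match(value, pattern, wildcard):
    care = wildcard ^ ALL_ONES          # bits that must match exactly
    return (value & care) == (pattern & care)


def entry_matches_route(entry, route):
    """True if the parsed entry matches the route given as 'a.b.c.d/len'."""
    _, net, net_wc, mask, mask_wc = entry
    r = ipaddress.ip_network(route, strict=False)
    return (_wildcard_match(int(r.network_address), net, net_wc)
            and _wildcard_match(_len_to_mask(r.prefixlen), mask, mask_wc))


def acl_permits(acl_lines, route):
    """First-match evaluation with the implicit deny at the end of the list."""
    for line in acl_lines:
        entry = parse_acl_entry(line)
        if entry_matches_route(entry, route):
            return entry[0] == "permit"
    return False


def same_matches(line_a, line_b, routes):
    """True if two ACL lines match exactly the same routes from `routes`."""
    a, b = parse_acl_entry(line_a), parse_acl_entry(line_b)
    return all(entry_matches_route(a, r) == entry_matches_route(b, r)
               for r in routes)


# Constructed sample routes chosen to exercise the thread's examples.
SAMPLE_ROUTES = ["10.0.0.0/16", "10.0.0.0/24", "10.0.7.0/24", "10.9.7.0/24",
                 "10.1.1.0/24", "10.1.1.16/28", "10.2.3.64/26",
                 "10.2.3.4/32", "10.5.5.128/25", "172.16.0.0/16"]

if __name__ == "__main__":
    verbose = "access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0"
    short = "access-list 100 permit ip host 10.0.0.0 host 255.255.0.0"
    print("host form equivalent:", same_matches(verbose, short, SAMPLE_ROUTES))
    for line in [verbose,
                 "access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0",
                 "access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255"]:
        print(line, "->", [r for r in SAMPLE_ROUTES if acl_permits([line], r)])
```

Running it shows the `host` and `0.0.0.0`-wildcard forms matching the same routes, the `0.0.255.0` entry accepting only the 10.0.X.0/24 routes, and the `255.255.255.0 0.0.0.255` entry accepting every 10.x.x.x route whose mask is /24 or longer while rejecting 10.0.0.0/16.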



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:45 GMT-3