From: JP (jenseike@start.no)
Date: Sun Apr 17 2005 - 09:47:50 GMT-3
Hi again,
Just to follow up on the last post, here is how to work with special extended
access-lists.
Okay, let's tackle the 'special' extended access-lists.
These 'special' extended access-lists came about because a normal access-list
cannot specify the subnet mask of a network it is checking. A normal
access-list can ONLY check bits.
So if we had a requirement where we wanted to permit ONLY the 172.82.30.0/24
network, with a normal access list we would do something like this:
access-list 1 permit 172.82.30.0 0.0.0.255
Does this meet the requirements? No! This access-list will check the first
octet to make sure it is 172. It will check the second octet to make sure
that it is 82, and it will check the third octet to make sure it is 30. It
won't care what is in the fourth octet.
Will this permit our 172.82.30.0/24 network? YES. Will it ONLY permit this
network? NO!
172.82.30.1/30
172.82.30.33/28
172.82.30.129/25
and many, many more networks will also be permitted. Why? Because the normal
access-list ONLY checks bits. For the above examples the first 3 octets
match, and we don't care about the 4th, so all of these networks get in.
There is no way to check to make sure that it is 24 bits.
So they came up with these 'special' extended access-lists. Normally these
would be source and destination, but BGP understands these to be source and
mask. I don't think that any other routing protocol understands these
"special" access-lists, and it may confuse them.
So if we wanted to permit our previous example of 172.82.30.0/24 we would
use the following:
access-list 100 permit ip 172.82.30.0 0.0.0.255 host 255.255.255.0
This will check the first three octets to make sure they match. It won't
care about the fourth octet. Then we will make sure that the network is 24
bits. Remember that it is bits checked, then mask.
So for your example we have the two networks:
10.10.10.0/24 and 10.10.11.0/24
The first thing we need to do is figure out what address will summarize them
as precisely as we can. The first two octets are the same, so we will look
at the third octet.
     128 64 32 16  8  4  2  1
10 -   0  0  0  0  1  0  1  0
11 -   0  0  0  0  1  0  1  1
So we have 7 common bits in the third octet, which means our summary address
will be 10.10.10.0/23 or 10.10.10.0 255.255.254.0
Our 'special' extended access-list to deny this particular summary would be:
access-list 100 deny ip 10.10.10.0 0.0.1.255 host 255.255.254.0
access-list 100 permit ip any any
I know that you wanted to permit this summary, but this is just an example.
Jens P
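The wildcard-mask logic in the post above, carried through in code. This is an added example from the editor, not code from either poster: it models Cisco wildcard matching, shows why the standard ACL also matches the more specific subnets listed above while the 'special' network-plus-mask form (as BGP distribute-lists interpret it, per the post) does not, computes the /23 summary the way the binary table does, and generates the resulting access-list line. It also goes a step beyond the post to the odd/even third-octet question in the quoted message; the (base, wildcard) pairs for that are the editor's own, derived from the wildcard semantics, and the sample prefixes are constructed for illustration.

```python
# Added worked example (editor's code, not from the original post): Cisco
# wildcard-mask matching, the "special" extended ACL for BGP distribute-lists
# described in the post, the summary calculation, and odd/even octet masks.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    Only the bit positions where the wildcard is 0 are compared."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def standard_acl_permits(prefix: str, base: str, wildcard: str) -> bool:
    """A standard ACL sees only the network address, never the mask length,
    so 172.82.30.32/28 looks the same to it as 172.82.30.0/24."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return wildcard_match(str(net.network_address), base, wildcard)


def special_acl_permits(prefix: str, base: str, wildcard: str,
                        mask_base: str, mask_wildcard: str) -> bool:
    """The 'special' extended ACL: the source pair is checked against the
    network address, the destination pair against the subnet mask."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return (wildcard_match(str(net.network_address), base, wildcard)
            and wildcard_match(str(net.netmask), mask_base, mask_wildcard))


def summarize(prefixes) -> str:
    """Tightest single prefix covering every input: start from the shortest
    input prefix length and shorten until all inputs fall inside it."""
    nets = [ipaddress.IPv4Network(p, strict=False) for p in prefixes]
    plen = min(n.prefixlen for n in nets)
    first = int(nets[0].network_address)
    while plen > 0:
        cand = ipaddress.IPv4Network((first, plen), strict=False)
        if all(n.subnet_of(cand) for n in nets):
            return str(cand)
        plen -= 1
    return "0.0.0.0/0"


def special_acl_line(number: int, action: str, prefix: str) -> str:
    """Render 'access-list N action ip <net> <wildcard> host <mask>'."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return (f"access-list {number} {action} ip {net.network_address} "
            f"{net.hostmask} host {net.netmask}")


def third_octet_parity_rule(parity: str):
    """Editor's (base, wildcard) pair for a standard ACL that matches only
    odd or only even third octets: fix bit 0 of the third octet, leave every
    other bit as don't-care (wildcard 255.255.254.255)."""
    if parity not in ("odd", "even"):
        raise ValueError("parity must be 'odd' or 'even'")
    base = "0.0.1.0" if parity == "odd" else "0.0.0.0"
    return base, "255.255.254.255"


if __name__ == "__main__":
    # Constructed sample prefixes from the post.
    for p in ["172.82.30.0/24", "172.82.30.1/30", "172.82.30.33/28", "172.82.30.129/25"]:
        std = standard_acl_permits(p, "172.82.30.0", "0.0.0.255")
        spc = special_acl_permits(p, "172.82.30.0", "0.0.0.255", "255.255.255.0", "0.0.0.0")
        print(f"{p:20} standard={std!s:5} special={spc}")
    summary = summarize(["10.10.10.0/24", "10.10.11.0/24"])
    print(summary)
    print(special_acl_line(100, "deny", summary))
    base, wc = third_octet_parity_rule("odd")
    print(f"access-list 5 permit {base} {wc}")
```

Running it shows all four sample prefixes passing the standard ACL but only 172.82.30.0/24 passing the special form, and prints the 10.10.10.0/23 summary and its deny line exactly as in the post.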
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Lee Donald
Sent: 17. april 2005 12:13
To: ccielab@groupstudy.com
Subject: Access-list question - Allowing even and odd numbers in 3rd octet -
Can anyone put some more logic to this for me, I'm having a bad brain day.
I need to allow all odd numbers in the 3rd octet in via an access-list which
I know is
Access-list 5 permit 0.0.0.0 0.0.252.0
Then I tried to let just the evens in but got confused, and couldn't get my
dough brain around it.
Can anybody remind me of this and the way it works?
Thanks in advance.
Regards
Lee.
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:59 GMT-3