From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu May 12 2005 - 15:51:01 GMT-3
Hey Brian,
I did like that question and if it's a question like this that might be
applicable in the lab, I like it even more.
I have all your earlier posts, which even include examples of using
ACLs for filtering, but in these examples the first pair of IP addresses
represented the network address, not the IP address of the source, while the
second pair represented the netmask, not the route being filtered.
If you have that post, could you re-send it or tell me when you posted it.
I keep all your posts but don't have this one.
BTW, any chance you can tell me how to verify fragment filtering is working
properly in the lab where I won't have access to a traffic generator or
sniffer?
That would be very much appreciated.
Thanks, Tim
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Thursday, May 12, 2005 2:37 PM
To: ccie2be; Group Study
Subject: RE: new ACL usage ???
Tim,
You like that question? Brian McGahan thought I was being mean
when I wrote it ;-)
I've answered this before in regards to using extended ACLs for
filtering with IGP protocols. Search the archives. But yes it does
work for other IGPs and is not documented. It has a lot of real world
uses.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Thursday, May 12, 2005 11:24 AM
To: Group Study
Subject: new ACL usage ???
Hi guys,
Here's the scenario:
rtr-1                 rtr-2          (rtr-3 to be added in the future)
|---------------------|--------------|
192.10.1.x/24                        .253
Requirement: RTR-1 should only accept route 222.22.2.0 from this new router
at IP address 192.10.1.253/24 and not from rtr-2.
The Solution is below.
What stands out about this is the first ACL entry. I've never seen an ACL
used this way. Is this documented anywhere on the Doc-CD?
Will this type of filtering work for other IGP's?
TIA, Tim
rtr-2
int e0
ip addr 192.10.1.2 255.255.255.0
rtr-1
int e0
ip addr 192.10.1.1 255.255.255.0
router rip
distribute-list 100 in Ethernet0/0
!
access-list 100 permit ip host 192.10.1.253 host 222.22.2.0
access-list 100 deny ip any host 222.22.2.0
access-list 100 permit ip any any
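To make the filtering semantics discussed in this thread concrete, here is an added Python simulation (not part of the original posts or of any Cisco tool). It assumes what Tim's description of the solution states: when an extended ACL is applied through distribute-list in, the "source" field is matched against the address of the neighbour that sent the update and the "destination" field against the route prefix being advertised, first match wins, with an implicit deny at the end. It parses the three access-list 100 lines from the post and runs constructed sample updates through them; the neighbour and prefix values in SAMPLE_UPDATES are made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Pattern = Tuple[str, str]          # (address, IOS wildcard mask)
HOST_WILDCARD = "0.0.0.0"          # "host X" == X 0.0.0.0
ANY: Pattern = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class AclEntry:
    """One extended ACL line: action plus source and destination patterns.

    In the distribute-list context assumed here, src is matched against the
    advertising neighbour's address and dst against the route prefix."""
    action: str   # "permit" or "deny"
    src: Pattern
    dst: Pattern


def _take_pattern(tokens: List[str]) -> Tuple[Pattern, List[str]]:
    """Consume one address pattern in IOS syntax: any | host A | A W."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], HOST_WILDCARD), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <n> permit|deny ip <src> <dst>' (hypothetical helper)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    action = tokens[2]
    src, rest = _take_pattern(tokens[4:])
    dst, _ = _take_pattern(rest)
    return AclEntry(action, src, dst)


def wildcard_match(addr: str, pattern: Pattern) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wildcard = pattern
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def evaluate(acl: List[AclEntry], neighbor: str, prefix: str) -> str:
    """Return the action of the first matching line; implicit deny otherwise."""
    for entry in acl:
        if wildcard_match(neighbor, entry.src) and wildcard_match(prefix, entry.dst):
            return entry.action
    return "deny"


def filter_updates(acl: List[AclEntry], updates):
    """Keep only the (neighbor, prefix) pairs the ACL permits."""
    return [(n, p) for n, p in updates if evaluate(acl, n, p) == "permit"]


# The three lines exactly as posted in the thread.
ACL_100 = [parse_acl_line(line) for line in (
    "access-list 100 permit ip host 192.10.1.253 host 222.22.2.0",
    "access-list 100 deny ip any host 222.22.2.0",
    "access-list 100 permit ip any any",
)]

# Constructed sample updates as they might arrive on rtr-1's Ethernet interface.
SAMPLE_UPDATES = [
    ("192.10.1.253", "222.22.2.0"),   # from the new router: line 1 permits
    ("192.10.1.2",   "222.22.2.0"),   # same route from rtr-2: line 2 denies
    ("192.10.1.2",   "10.0.0.0"),     # anything else from rtr-2: line 3 permits
]

if __name__ == "__main__":
    for neighbor, prefix in SAMPLE_UPDATES:
        print(f"{prefix:<12} from {neighbor:<14} -> {evaluate(ACL_100, neighbor, prefix)}")
```

The point the simulation makes visible is that a standard ACL only ever sees the prefix, so it could not tell the two copies of 222.22.2.0 apart; the extended ACL's extra "source" field is what lets rtr-1 keep the route from .253 while dropping the identical route from rtr-2. Because Brian notes this behaviour is not documented, the assumed semantics should be confirmed on the actual IOS release, for instance by checking which next hop show ip route reports for 222.22.2.0 after the distribute-list is applied.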
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3