From: Dillon Yang (dillony@gmail.com)
Date: Tue Jul 12 2005 - 13:53:19 GMT-3
George, Brian, Tim:
From the post, I got the usage of extended ACLs for restricting routes. And
based on CDDOC, we can see this:
<quote>
The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. Wildcard bits are similar to the bitmasks that are used with normal access lists.
Prefix or mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and
prefix or mask bits corresponding to wildcard bits set to 0 are used in comparison.
The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
</quote>
But I still cannot understand the meaning of "255.255.0.0 0.0.255.255". For an advertised route, the source pair part "192.108.0.0 0.0.0.0" has already contained the route information, so who wants to check the destination pair part "255.255.0.0 0.0.255.255": the routing protocol, or the ACL?
How does it know the pair part is a MASK and not a DESTINATION?
TIA
dillon
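As an added illustration (not part of the thread or of the Doc-CD text), here is a small Python model of the wildcard comparison described in the quote, applied both ways the two address pairs are read on this page: as (update source, network) for Tim's distribute-list ACL 100, and as (prefix, mask) for the quoted ACL 101. The helper names and the tuple layout are my own.

```python
import ipaddress

def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard compare: bits set to 1 in the wildcard are ignored,
    bits set to 0 must match the pattern exactly."""
    v = int(ipaddress.IPv4Address(value))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF          # bits that take part in the comparison
    return (v & keep) == (p & keep)

def evaluate_acl(acl, first: str, second: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, p1, w1, p2, w2 in acl:
        if wildcard_match(first, p1, w1) and wildcard_match(second, p2, w2):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword
def host(ip: str):                      # the "host X" keyword
    return (ip, "0.0.0.0")

# Tim's access-list 100 as (action, addr1, wc1, addr2, wc2) tuples (constructed).
ACL_100 = [
    ("permit", *host("192.10.1.253"), *host("222.22.2.0")),
    ("deny",   *ANY,                  *host("222.22.2.0")),
    ("permit", *ANY,                  *ANY),
]

# The Doc-CD access-list 101 from the quoted text (constructed the same way).
ACL_101 = [
    ("permit", "192.108.0.0", "0.0.0.0",     "255.255.0.0", "0.0.0.0"),
    ("deny",   "192.108.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255"),
]

def filter_update(acl, update_source: str, network: str) -> str:
    """distribute-list reading: first pair = source address of the update,
    second pair = network carried in the update."""
    return evaluate_acl(acl, update_source, network)

def match_prefix_mask(acl, route: str) -> str:
    """Doc-CD reading: first pair = route prefix, second pair = its mask."""
    net = ipaddress.IPv4Network(route)
    return evaluate_acl(acl, str(net.network_address), str(net.netmask))

if __name__ == "__main__":
    print(filter_update(ACL_100, "192.10.1.253", "222.22.2.0"))  # permit
    print(filter_update(ACL_100, "192.10.1.2", "222.22.2.0"))    # deny
    print(match_prefix_mask(ACL_101, "192.108.0.0/16"))          # permit
    print(match_prefix_mask(ACL_101, "192.108.1.0/24"))          # deny
```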
----- Original Message -----
From: "George Cassels" <glcassels3@nc.rr.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Group Study'" <ccielab@groupstudy.com>
Sent: Sunday, June 05, 2005 10:19 PM
Subject: RE: new ACL usage ???
> All is it safe to assume this must have been a routing protocol like RIP
> or EIGRP that uses the interface IP as the source? So would it be safe
> to assume (not that it is ever safe to assume :>) ) that if it was OSPF
> we would have to use the router ID for the source? Also would we have
> to use the DR as the source since it would be the one sending out the
> update to the all ospf routers multicast address?
>
> Plan to lab this up and test it with all protocols. If no one replies
> will post results.
>
> Sorry for the late post on this one...just catching up.
>
> George
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Thursday, May 12, 2005 1:24 PM
> To: Group Study
> Subject: new ACL usage ???
>
> Hi guys,
>
> Here's the scenario:
>
> rtr-1 rtr-2 (rtr-3 to be added in the future)
> |---------------------|--------------|
> 192.10.1.x/24 .253
>
> Requirement: RTR-1 should only accept route 222.22.2.0 from this new router
> at ip addr 192.10.1.253/24 and not from rtr-2.
>
> The Solution is below.
>
> What stands out about this is the first acl entry. I've never seen an acl
> used this way. Is this documented anywhere on the Doc-CD?
>
> Will this type of filtering work for other IGP's?
>
> TIA, Tim
>
> rtr-2
> int e0
> ip addr 192.10.1.2 255.255.255.0
>
>
> rtr-1
> int e0
> ip addr 192.10.1.1 255.255.255.0
>
> router rip
> distribute-list 100 in Ethernet0/0
> !
> access-list 100 permit ip host 192.10.1.253 host 222.22.2.0
> access-list 100 deny ip any host 222.22.2.0
> access-list 100 permit ip any any
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3