From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sun Jul 17 2005 - 15:46:51 GMT-3
Yes, the wildcard mask can be used to permit or deny more than one
network.
Example:
This would permit any 10.X.X.X/X network from 1.1.1.1 (i.e. 10.5.0.0/16,
10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)
access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255
This would permit any 10.1.X.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24,
10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc)
access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255
This would permit any 10.1.1.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24,
10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc)
access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255
You can also use the wildcard mask on the host:
This would permit any 10.X.X.X/X network from 1.1.1.X (i.e. 10.5.0.0/16,
10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)
access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: Spyros Kranis [mailto:skranis@algosystems.gr]
Sent: Sunday, July 17, 2005 11:04 AM
To: Brian Dennis; 'Schulz, Dave'; 'Edwards, Andrew M ';
nobody@groupstudy.com; 'Dillon Yang '; 'Group Study '
Subject: RE: Extended ACL & EXACT match
Thanks a lot Brian
I labbed it up and it worked.
I labbed the following....
R6-----R9
ROUTER 9
interface Loopback3
ip address 9.9.7.1 255.255.255.248
ipv6 address 2001:9:9:9::3/128
ipv6 rip w enable
!
interface Loopback999
ip address 9.9.7.9 255.255.255.248
router eigrp 1
network 0.0.0.0
no auto-summary
ROUTER 6
!
router eigrp 1
network 0.0.0.0
distribute-list 100 in
no auto-summary
!
access-list 100 permit ip host 69.69.69.9 9.9.7.0 0.0.0.15
R6#sh ip ro ei
9.0.0.0/29 is subnetted, 2 subnets
D 9.9.7.0 [90/46354176] via 69.69.69.9, 00:05:58, Dialer1
D 9.9.7.8 [90/46354176] via 69.69.69.9, 00:05:58, Dialer1
R6#
So I understand that in the destination portion of the access-list (where
the network is specified), the wildcard mask specifies the subnet or
subnets that are permitted through my connection.
Thanks again for your help!
Skra
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Sunday, July 17, 2005 7:38 PM
To: Spyros Kranis; Schulz, Dave; Edwards, Andrew M ;
nobody@groupstudy.com;
Dillon Yang ; Group Study
Subject: RE: Extended ACL & EXACT match
Skra,
It works with IGP protocols but you cannot match on the subnet
mask portion of the route. Extended ACLs are used with IGP protocols
to match the network portion of the route and the IP address of the
router that sent you the update. This usage for extended ACLs is not
likely to show up on the exam but we do cover it in our new Volume II
workbook. Here is an example of its usage:
Notice that R1 is receiving the 172.16.0.0/16 network from R2 (10.0.0.2)
and R3 (10.0.0.3). We will use ACL 100 and a distribute-list inbound so
that R1 only uses the 172.16.0.0/16 route that is being advertised by
R2.
Rack2R1#sho ip rout rip
R 172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
[120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
[120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
Rack2R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
Rack2R1(config)#access-list 100 per ip any any
Rack2R1(config)#router rip
Rack2R1(config-router)#distribute-list 100 in e0/0
Rack2R1(config-router)#^Z
Rack2R1#
Rack2R1#clear ip rout *
Rack2R1#sho ip rout rip
R 172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
[120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
Rack2R1#
A good real world usage for this is to control who the router
will accept a default route from.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Spyros Kranis
Sent: Sunday, July 17, 2005 8:26 AM
To: 'Schulz, Dave'; 'Edwards, Andrew M '; nobody@groupstudy.com; 'Dillon
Yang '; 'Group Study '
Subject: RE: Extended ACL & EXACT match
Hi group,
I labbed it up regarding filtering prefixes with an extended acl.
This only works with the BGP protocol, not with RIP or EIGRP.
Am I correct?
TIA
Skra
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Schulz, Dave
Sent: Saturday, July 16, 2005 3:31 AM
To: Edwards, Andrew M ; nobody@groupstudy.com; Dillon Yang ; Group Study
Subject: RE: Extended ACL & EXACT match
Gotcha. Thanks for clearing that up, Andy.
Dave
-----Original Message-----
From: Edwards, Andrew M
To: Schulz, Dave; nobody@groupstudy.com; Dillon Yang ; Group Study
Sent: 7/15/2005 8:21 PM
Subject: RE: Extended ACL & EXACT match
Dave,
Your syntax will produce an error, since "len < ge <= le" must hold.
IOW, the bit match length must be less than the 'ge' value. Further,
the 'le' value must be greater than or equal to the 'ge'.
So, to permit only the /24 route use:
ip prefix-list test permit 1.1.1.0/24
If you want to specify bitmask lengths to match on, use the ge and le
options. As an example, match on all subnet masks for the 1.1.1.0/24
subnet:
ip prefix-list test permit 1.1.1.0/24 le 32 (e.g. match the 24 high-order
bits with a mask from /32 down to /24)
HTH,
andy
-----Original Message-----
From: Schulz, Dave [mailto:DSchulz@dpsciences.com]
Sent: Friday, July 15, 2005 4:46 AM
To: Edwards, Andrew M; nobody@groupstudy.com; Dillon Yang ; Group Study
Subject: RE: Extended ACL & EXACT match
Andrew -
If I use the prefix list that you gave here (ip prefix-list test
192.168.1.0/24 le 32), it will match any mask. However, if I want to
match exactly the 24-bit mask, shouldn't I use
ip prefix-list test 192.168.1.0/24 le 24 ge 24
Just wondering.
Dave
-----Original Message-----
From: nobody@groupstudy.com
To: Dillon Yang; Group Study
Sent: 7/14/2005 11:46 PM
Subject: RE: Extended ACL & EXACT match
Dillon,
This is the old way of using an extended ACL to match on a route's
netmask. The new way is with prefix-lists.
You can tell because the destination address has a wildcard mask of
0.0.0.0 and, as you noted, a strange match destination address.
Another way of looking at this is:
access-list 100 permit ip <match address> <match bits as wildcard mask> <match netmask> <netmask wildcard bits>
So:
access-list 100 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.0
Says match route prefix 192.168.1.X with a /24 netmask.
Or
ip prefix-list test 192.168.1.0/24
Another way is:
access-list 100 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.255
Says match route prefix 192.168.1.X with any netmask less than /32 down
to a /24 bitmask.
Or
ip prefix-list test 192.168.1.0/24 le 32
Give it a whirl now that you know and see what happens.
HTH,
Andy
-----Original Message-----
From: Dillon Yang [mailto:dillony@gmail.com <mailto:dillony@gmail.com> ]
Sent: Thursday, July 14, 2005 8:12 PM
To: Group Study
Subject: Extended ACL & EXACT match
Hi group,
Based on CDDOC, we can see this:
<quote>
extended access-list command
The following examples show how wildcard bits are used to indicate the
bits of the prefix or mask that are relevant. Wildcard bits are similar
to the bitmasks that are used with normal access lists.
Prefix or mask bits corresponding to wildcard bits set to 1 are ignored
during comparisons and prefix or mask bits corresponding to wildcard
bits set to 0 are used in comparison.
The following example permits 192.108.0.0 255.255.0.0 but denies any
more specific routes of 192.108.0.0 (including 192.108.0.0
255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0
0.0.255.255
</quote>
But I still cannot understand the meaning of "255.255.0.0 0.0.255.255".
For an advertised route, the source pair "192.108.0.0 0.0.0.0" already
contains the route information, so who wants to check the destination
pair "255.255.0.0 0.0.255.255": the routing protocol, or the ACL?
How does it know the pair is a MASK and not a DESTINATION?
[practice]
I labbed it with the following result. It shows that the ACL "permit ip
11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255" DOES NOT match the address
EXACTLY, for it allows the more specific route "*> 11.6.9.0/24
0.0.0.0"!!!
router bgp 600
no synchronization
bgp log-neighbor-changes
network 11.6.6.0 mask 255.255.255.0
network 11.6.7.0 mask 255.255.255.0
network 11.6.8.0 mask 255.255.255.0
network 11.6.9.0 mask 255.255.255.0
aggregate-address 11.6.0.0 255.255.240.0
neighbor 135.3.24.2 remote-as 200
neighbor 135.3.24.2 ebgp-multihop 10
neighbor 135.3.24.2 distribute-list out600 out
no auto-summary
R6#sib
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.6.0.0/20 0.0.0.0 32768 i
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i
[11.6.8.0/21]
R6#clear ip bgp 135.3.24.2 soft
R6#s access-l
Extended IP access list out600
permit ip 11.6.8.0 0.0.7.255 255.255.248.0 0.0.7.255 (2 matches)
R6#sib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i
[11.6.0.0/20]
R6#
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#no ip access-list extended out600
R6(config)#
R6(config)#ip access-list extended out600
R6(config-ext-nacl)#permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255
R6(config-ext-nacl)#end
R6#
*Mar 1 05:14:07: %SYS-5-CONFIG_I: Configured from console by console
R6#clear ip bgp 135.3.24.2 soft
R6#sib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.6.0.0/20 0.0.0.0 32768 i
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i
*> 11.6.8.0/24 0.0.0.0 0 32768 i
*> 11.6.9.0/24 0.0.0.0 0 32768 i
R6#s access-l
Extended IP access list out600
permit ip 11.6.0.0 0.0.15.255 255.255.240.0 0.0.15.255 (5 matches)
[11.6.6.0/22]
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#no ip access-list extended out600
R6(config)#ip access-list extended out600
R6(config-ext-nacl)#permit ip 11.6.6.0 0.0.3.255 255.255.252.0 0.0.3.255^Z
R6#conf t
*Mar 1 05:26:42: %SYS-5-CONFIG_I: Configured from console by console
R6#clear ip bgp 135.3.24.2 soft
R6#s access-l
Extended IP access list out600
permit ip 11.6.4.0 0.0.3.255 255.255.252.0 0.0.3.255 (2 matches)
R6#sib nei 135.3.24.2 ad
BGP table version is 6, local router ID is 211.211.211.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 11.6.6.0/24 0.0.0.0 0 32768 i
*> 11.6.7.0/24 0.0.0.0 0 32768 i
Any advice?
TIA
dillon
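As an added example (my own code, not from anyone in this thread and not IOS itself), the Python model below applies the two matching rules the thread describes: Brian's IGP distribute-list usage (source pair = router that sent the update, destination pair = network) and Andy's "old way" prefix-plus-mask form, together with the prefix-list ge/le check Andy spelled out. It reproduces Dillon's lab result, since the mask pair 255.255.248.0 0.0.7.255 admits every length from /21 to /32, so 11.6.9.0/24 is permitted. All function names and the sample ACL tuples are my own constructions.

```python
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# One ACL entry: (action, addr, addr_wildcard, addr2, addr2_wildcard).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with 255.255.255.255.
Entry = Tuple[str, str, str, str, str]

def wc_match(value: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 0 are compared; bits set to 1 are ignored."""
    v, b, w = (int(IPv4Address(x)) for x in (value, base, wildcard))
    return (v & ~w) == (b & ~w)

def acl_action(acl: List[Entry], first: str, second: str) -> str:
    """First matching entry wins; IOS appends an implicit deny."""
    for action, base1, wc1, base2, wc2 in acl:
        if wc_match(first, base1, wc1) and wc_match(second, base2, wc2):
            return action
    return "deny"

def mask_of(prefixlen: int) -> str:
    return str(IPv4Address((0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF))

def route_action(acl: List[Entry], prefix: str, prefixlen: int) -> str:
    """Prefix/mask form (BGP distribute-list): the source pair is checked
    against the route's prefix and the destination pair against its mask."""
    return acl_action(acl, prefix, mask_of(prefixlen))

def admitted_lengths(mask: str, mask_wildcard: str) -> List[int]:
    """Which prefix lengths a destination (mask) pair lets through."""
    return [n for n in range(33) if wc_match(mask_of(n), mask, mask_wildcard)]

def prefix_list_match(route: str, plen: int, entry: str, entry_len: int,
                      ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """ip prefix-list: the high-order entry_len bits must match and plen must
    lie in [ge, le]; with neither option only the exact length matches."""
    lo = entry_len if ge is None else ge
    hi = lo if le is None else le
    host_bits = str(IPv4Address(0xFFFFFFFF >> entry_len))  # wildcard form
    return wc_match(route, entry, host_bits) and lo <= plen <= hi

# Constructed from the ACL in Dillon's lab (hypothetical constant name).
DILLON_ACL: List[Entry] = [("permit", "11.6.8.0", "0.0.7.255", "255.255.248.0", "0.0.7.255")]

if __name__ == "__main__":
    # The mask pair admits /21 through /32, which is why 11.6.9.0/24 gets through.
    print(admitted_lengths("255.255.248.0", "0.0.7.255"))
    print(route_action(DILLON_ACL, "11.6.9.0", 24))
```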
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3