Re: access-list

From: Josef A (josefnet@gmail.com)
Date: Sat Nov 26 2005 - 13:54:43 GMT-3


Your ACL will permit more networks than asked for. It will permit additional
subnets of 100.100.1.0 and 100.100.2.0.

Try labbing it up. It's more accurate to use a prefix-list or an extended
ACL to match both the network and its mask. If there are no subnets of
100.100.1.0 and 100.100.2.0 among the routes being filtered your ACL might
seem to work correctly, but if you introduce those subnets, they will surely
pass thru.

HTH
Josef

On 11/26/05, Ashok M A <ashok_ccie@yahoo.co.in> wrote:
>
> I am not sure why this doesn't work?
>
> Access-list 100 permit 100.100.1.0 0.0.0.255
> Access-list 100 permit 100.100.2.0 0.0.0.255
>
>
>
> Thanks & Regards,
>
> Ashok M A
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Pierre-Alex
> Sent: Saturday, November 26, 2005 1:25 AM
> To: Desmond Ong; FORUM
> Subject: Re: access-list
>
> If you cannot use prefix-list you can use an extended access-list:
>
> access-list 100 permit 100.100.1.0 0.3.255 255.255.255.0 0.0.0.0
> access-list 100 permit 100.100.2.0 0.3.255 255.255.255.0 0.0.0.0
>
> Please note that trying to summarize both .1 and .2 networks ends
> up creating more entries because you automatically get the 0 and
> .3 networks:
>
> access-list 100 deny 100.100.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> access-list 100 deny 100.100.3.0 0.0.0.0 255.255.255.0 0.0.0.0
> access-list 100 permit 100.100.0.0 0.3.255 255.255.255.0 0.0.0.0
>
> NB: in an extended ACL, the first part of the ACL matches the
> networks (100.100.0.0 0.3.255), the second part matches the
> mask.
>
> Cheers
>
> Pierre
>
> ----- Original Message -----
> From: "Desmond Ong" <desmond.gk@netstarnetworks.com>
> To: "FORUM" <ccielab@groupstudy.com>
> Sent: Thursday, November 03, 2005 2:10 PM
> Subject: access-list
>
>
> > Hi there,
> >
> > if i were asked to permit only 100.100.1.0/24 and 100.100.2.0/24 into the
> > network,
> >
> > my access list will be 100.100.1.0 0.0.3.255 or will it be
> > 100.100.1.0 0.0.3.0 ??? is there any difference?
> >
> > Tks!
> >
> > Desmond
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3
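
An added example, not part of the original thread: a small Python model of the matching discussed above, comparing address-only entries with entries that also match the mask. It assumes the route-filtering interpretation Pierre describes (first address/wildcard pair compared to the network, second pair to the mask); the route list, the exact-match entries and all function names are constructed for illustration.

```python
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wild_match(value, base, wildcard):
    """IOS wildcard logic: bits set in the wildcard are 'don't care'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(value) & care) == (_u32(base) & care)

def standard_permits(acl, route):
    """Address-only entries: the route's mask is never inspected."""
    net = ipaddress.ip_network(route)
    return any(wild_match(str(net.network_address), a, w) for a, w in acl)

def extended_permits(acl, route):
    """Entries of (net, net_wildcard, mask, mask_wildcard): both must match."""
    net = ipaddress.ip_network(route)
    return any(wild_match(str(net.network_address), a, aw)
               and wild_match(str(net.netmask), m, mw)
               for a, aw, m, mw in acl)

# Address-only entries quoted in the thread.
ADDRESS_ONLY = [("100.100.1.0", "0.0.0.255"), ("100.100.2.0", "0.0.0.255")]
# The two wildcards from the original question.
WILD_3_255 = [("100.100.1.0", "0.0.3.255")]
WILD_3_0 = [("100.100.1.0", "0.0.3.0")]
# Constructed exact-match entries (assumption): network and /24 mask, no wildcard bits.
EXACT = [("100.100.1.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
         ("100.100.2.0", "0.0.0.0", "255.255.255.0", "0.0.0.0")]

# Constructed routes offered to the filter.
ROUTES = ["100.100.0.0/24", "100.100.1.0/24", "100.100.1.128/25",
          "100.100.2.0/24", "100.100.2.64/26", "100.100.3.0/24"]

def permitted(check, acl):
    """Return the constructed routes that the given ACL lets through."""
    return [r for r in ROUTES if check(acl, r)]

if __name__ == "__main__":
    for name, check, acl in [("address-only", standard_permits, ADDRESS_ONLY),
                             ("wildcard 0.0.3.255", standard_permits, WILD_3_255),
                             ("wildcard 0.0.3.0", standard_permits, WILD_3_0),
                             ("network + mask", extended_permits, EXACT)]:
        print(f"{name:20} -> {permitted(check, acl)}")
```

The /25 and /26 routes pass the address-only entries but are rejected once the mask is matched as well, and the two wildcards from the original question differ in exactly that way while both still admit the .0 and .3 networks.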