From: Ashok Ananda -X (aananda - HCL at Cisco) (aananda@cisco.com)
Date: Sun Nov 27 2005 - 11:18:57 GMT-3
Thanks Josef.
Just wondering is this syntax correct?
"access-list 100 deny 100.100.0.0 0.0.0.0 255.255.255.0 0.0.0.0"
I think we have to specify the protocol here.
Also, my understanding of matching subnet and mask portion works only w.r.t.
BGP.
Thanks & Regards,
Ashok M A
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Josef A
Sent: Saturday, November 26, 2005 10:25 PM
To: Ashok M A
Cc: ccielab@groupstudy.com
Subject: Re: access-list
Your ACL will permit more networks than asked for. It will permit
additional subnets of 100.100.1.0 and 100.100.2.0.
Try labbing it up. It's more accurate to use a prefix-list or an
extended ACL to match both the network and its mask. If there are no
subnets of 100.100.1.0 and 100.100.2.0 among the routes being filtered
your ACL might seem to work correctly, but if you introduce those
subnets, they will surely pass thru.
HTH
Josef
On 11/26/05, Ashok M A <ashok_ccie@yahoo.co.in> wrote:
>
> I am not sure why this doesn't work?
>
> Access-list 100 permit 100.100.1.0 0.0.0.255
> Access-list 100 permit 100.100.2.0 0.0.0.255
>
>
>
> Thanks & Regards,
>
> Ashok M A
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Pierre-Alex
> Sent: Saturday, November 26, 2005 1:25 AM
> To: Desmond Ong; FORUM
> Subject: Re: access-list
>
> If you cannot use prefix-list you can use an extended access-list:
>
> access-list 100 permit 100.100.1.0 0.3.255 255.255.255.0 0.0.0.0
> access-list 100 permit 100.100.2.0 0.3.255 255.255.255.0 0.0.0.0
>
> Please note that trying to summarize both .1 and .2 networks ends up
> creating more entries because you automatically get the .0 and
> .3 networks:
>
> access-list 100 deny 100.100.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> access-list 100 deny 100.100.3.0 0.0.0.0 255.255.255.0 0.0.0.0
> access-list 100 permit 100.100.0.0 0.3.255 255.255.255.0 0.0.0.0
>
> NB: in an extended acl, the first part of the acl matches the
> networks (100.100.0.0 0.3.255), the second part matches the
> mask.
>
> Cheers
>
> Pierre
>
> ----- Original Message -----
> From: "Desmond Ong" <desmond.gk@netstarnetworks.com>
> To: "FORUM" <ccielab@groupstudy.com>
> Sent: Thursday, November 03, 2005 2:10 PM
> Subject: access-list
>
>
> > Hi there,
> >
> > if I were asked to permit only 100.100.1.0/24 and 100.100.2.0/24 into the
> > network,
> >
> > my access list will be 100.100.1.0 0.0.3.255 or will it be
> > 100.100.1.0 0.0.3.0 ??? is there any difference?
> >
> > Tks!
> >
> > Desmond
> >
> > ____________________________________________________________________
> > ___ Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3
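The matching behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python model of wildcard matching on the network only versus on network plus mask, run over constructed sample routes. The function names and routes are assumptions, and the wildcard in the last extended entry is taken as 0.0.3.0 (the thread shows it as "0.3.255").

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(str(addr)))

def wildcard_match(value, base, wildcard):
    # Wildcard mask: 1 bits are "don't care", only 0 bits are compared.
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(value) & care) == (to_int(base) & care)

def standard_permits(entries, routes):
    # Network-only match: the route's mask is never looked at.
    return [r for r in routes
            if any(wildcard_match(ipaddress.ip_network(r).network_address, b, w)
                   for b, w in entries)]

def extended_permits(entries, routes):
    # First address/wildcard pair tests the network, second pair tests the mask.
    # The first matching entry decides; no match means implicit deny.
    out = []
    for r in routes:
        net = ipaddress.ip_network(r)
        for action, nb, nw, mb, mw in entries:
            if (wildcard_match(net.network_address, nb, nw)
                    and wildcard_match(net.netmask, mb, mw)):
                if action == "permit":
                    out.append(r)
                break
    return out

# Constructed sample routes: the two wanted /24s, their neighbours, two subnets.
ROUTES = ["100.100.0.0/24", "100.100.1.0/24", "100.100.2.0/24", "100.100.3.0/24",
          "100.100.1.0/25", "100.100.1.128/25", "100.100.4.0/24"]
DESMOND_A = [("100.100.1.0", "0.0.3.255")]
DESMOND_B = [("100.100.1.0", "0.0.3.0")]
ASHOK = [("100.100.1.0", "0.0.0.255"), ("100.100.2.0", "0.0.0.255")]
PIERRE = [  # last wildcard assumed to be 0.0.3.0
    ("deny", "100.100.0.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
    ("deny", "100.100.3.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
    ("permit", "100.100.0.0", "0.0.3.0", "255.255.255.0", "0.0.0.0"),
]

if __name__ == "__main__":
    print("0.0.3.255 :", standard_permits(DESMOND_A, ROUTES))
    print("0.0.3.0   :", standard_permits(DESMOND_B, ROUTES))
    print("two lines :", standard_permits(ASHOK, ROUTES))
    print("extended  :", extended_permits(PIERRE, ROUTES))
```

Only the network-plus-mask form leaves exactly 100.100.1.0/24 and 100.100.2.0/24; each network-only form also lets through a neighbouring /24 or a longer subnet.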