Re: access-list

From: Josef A (josefnet@gmail.com)
Date: Sun Nov 27 2005 - 12:02:04 GMT-3


Ashok, I agree! Matching subnet and mask using an extended ACL is used only
with BGP. When used with RIP and EIGRP, the extended ACL will be matching
the source of the route and the route itself. That's why I prefer
prefix-lists in situations like this.

For the ACL below, you also need to specify the protocol. The router will
not accept an extended ACL without the protocol.

Josef

On 11/27/05, Ashok Ananda -X (aananda - HCL at Cisco) <aananda@cisco.com>
wrote:
>
> Thanks Josef.
>
> Just wondering is this syntax correct?
>
> "access-list 100 deny 100.100.0.0 0.0.0.0 255.255.255.0 0.0.0.0" I
> think we have to specify the protocol here.
>
> Also my understanding is that matching the subnet and mask portion works only
> w.r.t. BGP.
>
>
>
> Thanks & Regards,
>
> Ashok M A
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Josef A
> Sent: Saturday, November 26, 2005 10:25 PM
> To: Ashok M A
> Cc: ccielab@groupstudy.com
> Subject: Re: access-list
>
> Your ACL will permit more networks than asked for. It will permit
> additional subnets of 100.100.1.0 and 100.100.2.0.
>
> Try labbing it up. It's more accurate to use a prefix-list or an
> extended ACL to match both the network and its mask. If there are no
> subnets of 100.100.1.0 and 100.100.2.0 among the routes being filtered
> your ACL might seem to work correctly, but if you introduce those
> subnets, they will surely pass thru.
>
> HTH
> Josef
>
>
> On 11/26/05, Ashok M A <ashok_ccie@yahoo.co.in> wrote:
> >
> > I am not sure why this doesn't work?
> >
> > Access-list 100 permit 100.100.1.0 0.0.0.255
> > Access-list 100 permit 100.100.2.0 0.0.0.255
> >
> >
> >
> > Thanks & Regards,
> >
> > Ashok M A
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Pierre-Alex
> > Sent: Saturday, November 26, 2005 1:25 AM
> > To: Desmond Ong; FORUM
> > Subject: Re: access-list
> >
> > If you cannot use prefix-list you can use an extended access-list:
> >
> > access-list 100 permit 100.100.1.0 0.3.255 255.255.255.0 0.0.0.0
> > access-list 100 permit 100.100.2.0 0.3.255 255.255.255.0 0.0.0.0
> >
> > Please note that trying to summarize both .1 and .2 networks ends up
> > creating more entries because you automatically get the .0 and
> > .3 networks:
> >
> > access-list 100 deny 100.100.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> > access-list 100 deny 100.100.3.0 0.0.0.0 255.255.255.0 0.0.0.0
> > access-list 100 permit 100.100.0.0 0.3.255 255.255.255.0 0.0.0.0
> >
> > NB: in an extended ACL, the first part of the ACL matches the network
> > (100.100.0.0 0.3.255), the second part matches the mask.
> >
> > Cheers
> >
> > Pierre
> >
> > ----- Original Message -----
> > From: "Desmond Ong" <desmond.gk@netstarnetworks.com>
> > To: "FORUM" <ccielab@groupstudy.com>
> > Sent: Thursday, November 03, 2005 2:10 PM
> > Subject: access-list
> >
> >
> > > Hi there,
> > >
> > > if I were asked to permit only 100.100.1.0/24 and 100.100.2.0/24
> > > into the network,
> > >
> > > my access list will be 100.100.1.0 0.0.3.255 or will it be
> > > 100.100.1.0 0.0.3.0 ??? is there any difference?
> > >
> > > Tks!
> > >
> > > Desmond
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
>
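As an added example (not code from anyone in the thread), here is a small Python model of the wildcard matching the thread argues about: Desmond's standard ACL, Pierre's summarised extended ACL (with the wildcard written as four octets and the `ip` protocol keyword that Josef says the router requires), and Josef's point that BGP reads the two halves as network and mask while RIP/EIGRP read them as update source and network. The sample routes and the neighbor address 10.1.1.2 are constructed for the demonstration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def standard_acl_permits(prefix, acl):
    """Standard ACL as route filter: only the network address is tested, the
    prefix length is ignored. acl = [(action, base, wildcard), ...]."""
    net = ipaddress.ip_network(prefix)
    for action, base, wc in acl:
        if wildcard_match(str(net.network_address), base, wc):
            return action == "permit"
    return False  # implicit deny at the end of every ACL
def extended_acl_permits(prefix, acl, protocol, neighbor="0.0.0.0"):
    """Extended ACL as route filter, read as the thread describes. bgp: source
    field = network, destination field = subnet mask. rip/eigrp: source field =
    neighbor that sent the update, destination field = network."""
    net = ipaddress.ip_network(prefix)
    for action, sb, sw, db, dw in acl:
        if protocol == "bgp":
            hit = (wildcard_match(str(net.network_address), sb, sw)
                   and wildcard_match(str(net.netmask), db, dw))
        else:
            hit = (wildcard_match(neighbor, sb, sw)
                   and wildcard_match(str(net.network_address), db, dw))
        if hit:
            return action == "permit"
    return False

# Constructed sample routes (not from the thread); only the two /24s are wanted.
ROUTES = ["100.100.0.0/24", "100.100.1.0/24", "100.100.2.0/24",
          "100.100.3.0/24", "100.100.1.0/25", "100.100.4.0/24"]
# Desmond's candidate: access-list 100 permit 100.100.1.0 0.0.3.255
STANDARD = [("permit", "100.100.1.0", "0.0.3.255")]
# Pierre's summarised form, wildcard as four octets, 'ip' keyword added as Josef notes:
#   access-list 100 deny   ip 100.100.0.0 0.0.0.0   255.255.255.0 0.0.0.0
#   access-list 100 deny   ip 100.100.3.0 0.0.0.0   255.255.255.0 0.0.0.0
#   access-list 100 permit ip 100.100.0.0 0.0.3.255 255.255.255.0 0.0.0.0
EXTENDED = [("deny", "100.100.0.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
            ("deny", "100.100.3.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
            ("permit", "100.100.0.0", "0.0.3.255", "255.255.255.0", "0.0.0.0")]
def permitted(acl_fn, *args):
    return sorted(r for r in ROUTES if acl_fn(r, *args))

if __name__ == "__main__":
    print("standard    :", permitted(standard_acl_permits, STANDARD))
    print("extended/bgp:", permitted(extended_acl_permits, EXTENDED, "bgp"))
    print("extended/rip:", permitted(extended_acl_permits, EXTENDED, "rip", "10.1.1.2"))
```

The standard ACL lets the .0 and .3 networks and the /25 through, the extended ACL under BGP passes exactly the two wanted /24s, and the same extended ACL under RIP passes nothing because its first half is compared with the neighbor address rather than the route.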



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3