Re: ACL sequence question - [7:119463]

From: Shamin (ccie.xpert@gmail.com)
Date: Sat Mar 31 2007 - 09:08:44 ART


Hi,

Will it not be good to do a prefix-list with a distribute-list to deny the
default route?
For example, the prefix list would look like:

ip prefix-list DEFAULT deny 0.0.0.0/32

Is this a good solution, and btw is my prefix-list going to match the
default route?
Inputs appreciated.

Regards
Shamin

On 3/30/07, Chris Tevlin <nobody@groupstudy.com> wrote:
>
> As far as why the entries are listed out of order, I can't say. It may
> have to do with the IOS version. However, there is no significance to the
> order since all are host statements.
>
> Note that in the case where the permit statements are shown in a different
> order than entered, you have incremented the last octet. By default, these
> are host entries and their order won't matter in execution. When the
> wildcard mask is omitted, all bits are checked and the resultant wildcard
> mask is 0.0.0.0 - host.
>
> In the case where the permit statements are correctly ordered, you have
> incremented the third octet and provided a wildcard mask of 0.0.0.255.
>
> I haven't tried to use 0.0.0.0 in an access list for the purpose of
> limiting redistribution as you've indicated. I question whether it might
> not work, even if the order were correctly displayed. The effect of the
> gateway of last resort being 0.0.0.0 0.0.0.0 is that in the process of
> ANDing with a destination IP address, all host bits are set to off, and the
> network will always match when ANDed with 0.0.0.0. In an ACL, the wildcard
> mask will determine the significant bits for comparison, but an entry of
> 0.0.0.0 with all bits significant (wildcard mask of 0.0.0.0) would mean a
> host, and not a network. Hummm. I wonder if you try the access list with
> network entries for all routes you wish to permit (provide the wildcard
> masks), and then deny 0.0.0.0 0.0.0.0, whether it won't show up correctly
> and actually work?
>
> Chris
>
>
> ""Broad, Adam"" wrote in message
> news:200703291503.l2TF3Kek010710@groupstudy.com...
> > Here's an example from my router. Note the order I entered the ACL
> > entries:
> >
> > abztstrtr1(config)#access-list 20 permit 10.0.0.1
> > abztstrtr1(config)#access-list 20 permit 10.0.0.2
> > abztstrtr1(config)#access-list 20 permit 10.0.0.3
> > abztstrtr1(config)#access-list 20 permit 10.0.0.4
> > abztstrtr1(config)#access-list 20 permit 10.0.0.5
> > abztstrtr1(config)#access-list 20 permit 10.0.0.6
> > abztstrtr1(config)#^Z
> > abztstrtr1#sh access-lists 20
> > Standard IP access list 20
> > 20 permit 10.0.0.2
> > 30 permit 10.0.0.3
> > 10 permit 10.0.0.1
> > 60 permit 10.0.0.6
> > 40 permit 10.0.0.4
> > 50 permit 10.0.0.5
> > abztstrtr1#sh run | i access-list 20
> > access-list 20 permit 10.0.0.2
> > access-list 20 permit 10.0.0.3
> > access-list 20 permit 10.0.0.1
> > access-list 20 permit 10.0.0.6
> > access-list 20 permit 10.0.0.4
> > access-list 20 permit 10.0.0.5
> >
> > I am using a cisco 2821 with a recent IOS-
> > abztstrtr1#sh ver
> > Cisco IOS Software, 2800 Software (C2800NM-IPVOICEK9-M), Version
> > 12.4(12), RELEASE SOFTWARE (fc1)
> >
> > It also happened on a different router -
> > cisco 3725, Version 12.2(11)T6.
> >
> > Here are some results with the mask added, as you can see they are
> > ordered as you would expect.
> >
> > Enter configuration commands, one per line. End with CNTL/Z.
> > abztstrtr1(config)#access-list 60 permit 10.0.1.0 0.0.0.255
> > abztstrtr1(config)#access-list 60 permit 10.0.2.0 0.0.0.255
> > abztstrtr1(config)#access-list 60 permit 10.0.3.0 0.0.0.255
> > abztstrtr1(config)#access-list 60 permit 10.0.4.0 0.0.0.255
> > abztstrtr1(config)#access-list 60 permit 10.0.5.0 0.0.0.255
> > abztstrtr1(config)#access-list 60 permit 10.0.6.0 0.0.0.255
> > abztstrtr1(config)#^Z
> > abztstrtr1#sh access-lists 60
> > Standard IP access list 60
> > 10 permit 10.0.1.0, wildcard bits 0.0.0.255
> > 20 permit 10.0.2.0, wildcard bits 0.0.0.255
> > 30 permit 10.0.3.0, wildcard bits 0.0.0.255
> > 40 permit 10.0.4.0, wildcard bits 0.0.0.255
> > 50 permit 10.0.5.0, wildcard bits 0.0.0.255
> > 60 permit 10.0.6.0, wildcard bits 0.0.0.255
> > abztstrtr1#sh run | i access-list 60
> > access-list 60 permit 10.0.1.0 0.0.0.255
> > access-list 60 permit 10.0.2.0 0.0.0.255
> > access-list 60 permit 10.0.3.0 0.0.0.255
> > access-list 60 permit 10.0.4.0 0.0.0.255
> > access-list 60 permit 10.0.5.0 0.0.0.255
> > access-list 60 permit 10.0.6.0 0.0.0.255
> > abztstrtr1#
> >
> > Standard access lists that have an entry without a mask on them,
> > i.e. access-list 20 permit 10.0.0.1,
> > will be put into a hash table and treated separately to other entries.
> > If you put in an access list entry with a mask,
> > i.e. access-list 20 permit 10.0.0.2 0.0.0.255,
> > then that entry will be put after ALL the access list entries that do
> > not have a mask.
> > The hash table determines the order in the ACL.
> > Hopefully you can replicate this; I can't explain why it worked
> > differently on your first try.
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Chris Schock
> > Sent: 29 March 2007 14:44
> > To: cisco@groupstudy.com
> > Subject: Re: ACL sequence question - [7:119463]
> >
> >
> > Not sure, when I paste in the same two lines I get the expected result:
> >
> > sw1#conf t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > sw1(config)#access-list 19 permit 10.10.10.10
> > sw1(config)#access-list 19 deny 0.0.0.0
> > sw1(config)#^Z
> > sw1#sh access-l
> > 4w0d: %SYS-5-CONFIG_I: Configured from console by consoleist 19
> > Standard IP access list 19
> > 10 permit 10.10.10.10
> > 20 deny 0.0.0.0
> >
> >
> >
> > Chris Schock
> > CDHS Telecommunications Network Group
> > chris.schock@state.co.us
> >
> >
> >
> >>>> "Broad, Adam" 3/29/2007 3:59:00 AM >>>
> >
> > If I have a standard access list with one entry in it -
> >
> > for example -
> > access-list 19 permit 10.10.10.10
> >
> > I then add in the line
> > access-list 19 deny 0.0.0.0
> >
> > why does the access list look like this-
> > access-list 19 deny 0.0.0.0
> > access-list 19 permit 10.10.10.10
> >
> > and not -
> > access-list 19 permit 10.10.10.10
> > access-list 19 deny 0.0.0.0
> >
> > As access lists should be in the order you add the lines into the
> > router?
> > All other lines added after this go in at the end. Does anyone know why
> > the "deny 0.0.0.0" is special and always seems to go at the top of the
> > list? I have tried it with longer access lists and with different IOS
> > versions and platforms and I get the same result.
> >
> > (In this case we are using the access list as a distribute list to deny
> > the default route getting propagated.)
> > It's not a problem, just a query.
> >
> > Thanks, Adam.
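As an added illustration of the two matching questions raised in this thread (this is not code from any of the posters), the following Python model shows how a standard ACL compares its wildcard mask against a route's network address, models the host-entries-first ordering Adam describes, and applies ip prefix-list length matching to a default route. The list names, the ordering function and the sample lists are my own constructions; prefix-list ge/le handling goes slightly beyond the thread's single entry.

```python
import ipaddress

def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_entry_matches(addr, wildcard, network):
    """Standard ACL comparison: bits set in the wildcard are ignored ('don't care');
    every other bit of the entry address must equal the route's network address."""
    care = ~_as_int(wildcard)
    return _as_int(addr) & care == _as_int(network) & care

def order_standard_acl(entries):
    """Model (assumed from Adam's description) of the display order: entries entered
    without a mask (host entries, implicit wildcard 0.0.0.0) stay ahead of masked ones."""
    hosts = [e for e in entries if e[2] is None]
    masked = [e for e in entries if e[2] is not None]
    return hosts + masked

def evaluate_acl(entries, network):
    """Return 'permit' or 'deny' for a route's network address; entries are
    (action, address, wildcard-or-None). Unmatched routes hit the implicit deny."""
    for action, addr, wildcard in order_standard_acl(entries):
        if acl_entry_matches(addr, wildcard or "0.0.0.0", network):
            return action
    return "deny"

def prefix_entry_matches(prefix, route, ge=None, le=None):
    """ip prefix-list semantics: the route's first L bits must equal the entry's,
    and its length must be exactly L unless ge/le widen the allowed range."""
    net = ipaddress.ip_network(prefix)
    r = ipaddress.ip_network(route)
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= r.prefixlen <= high and r.network_address in net

def evaluate_prefix_list(entries, route):
    """entries are (action, prefix, ge, le); implicit deny at the end."""
    for action, prefix, ge, le in entries:
        if prefix_entry_matches(prefix, route, ge, le):
            return action
    return "deny"

# Constructed sample lists: ACL 19 is the list from Adam's post; the two prefix
# lists compare Shamin's 'deny 0.0.0.0/32' with a 'deny 0.0.0.0/0' entry.
ACL_19 = [("permit", "10.10.10.10", None), ("deny", "0.0.0.0", None)]
PL_HOST_ENTRY = [("deny", "0.0.0.0/32", None, None), ("permit", "0.0.0.0/0", None, 32)]
PL_DEFAULT = [("deny", "0.0.0.0/0", None, None), ("permit", "0.0.0.0/0", None, 32)]
```

Evaluating the default route 0.0.0.0/0 against both prefix lists shows why the /32 entry's length test matters: only the 0.0.0.0/0 entry catches it, while the host entry in ACL 19 matches 0.0.0.0 regardless of where the hash ordering displays it.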



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:53 ART