Re: rip standard acl/extended acl/prefix list/expanded acl

From: Tarun Pahuja (pahujat@gmail.com)
Date: Mon May 28 2007 - 12:43:00 ART


> Raj,
> Please pay close attention to the word IGP in the previous thread. Extended
> ACLs work like a charm when used with BGP for filtering routes with different
> prefixes. Also, if you are using RIP v1 in your example, remember RIP version 1
> does not send subnet information in its updates.
>
> Thanks,
> Tarun Pahuja
> CCIE#7707(R&S,Security,SP,Voice,Storage)
>
>
>
> On 5/26/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> >
> > In regards to your question about using extended ACLs when filtering with
> > IGPs, below is part of an email I sent previously on this subject (now part
> > of my personal wiki ;-).
> >
> > Extended ACLs work with IGP protocols but you cannot match on the subnet
> > mask portion of the route. Extended ACLs can be used with IGP protocols
> > to match the network portion of the route and the IP address of the
> > router (source) that sent the route. Here is an example of its usage:
> >
> > Notice that R1 is receiving the 172.16.0.0/16 network from R2 (10.0.0.2)
> > and R3 (10.0.0.3). We will use ACL 100 and a distribute-list inbound so
> > that R1 only uses the 172.16.0.0/16 route that is being advertised by R2.
> >
> > Rack2R1#show ip route rip
> > R 172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> > [120/1] via 10.0.0.2 , 00:00:06, Ethernet0/0
> > R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> > [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> > Rack2R1#conf t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
> > Rack2R1(config)#access-list 100 per ip any any
> > Rack2R1(config)#router rip
> > Rack2R1(config-router)#distribute-list 100 in e0/0
> >
> > Rack2R1(config-router)#^Z
> > Rack2R1#
> > Rack2R1#clear ip route *
> > Rack2R1#show ip route rip
> > R 172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> > R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> > [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
> > Rack2R1#
> >
> > More examples:
> >
> > This would permit any 10.X.X.X/X network from 1.1.1.1 (i.e. 10.5.0.0/16,
> > 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)
> >
> > access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255
> >
> >
> > This would permit any 10.1.X.X /X network from 1.1.1.1 (i.e. 10.1.1.0/24,
> > 10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc)
> >
> > access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255
> >
> >
> > This would permit any 10.1.1.X /X network from 1.1.1.1 (i.e. 10.1.1.0/24,
> > 10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc)
> >
> > access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255
> >
> >
> > You can also use the wild card mask on the host:
> >
> > This would permit any 10.X.X.X/X network from 1.1.1.X (i.e. 10.5.0.0/16,
> > 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)
> >
> > access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
> >
> > HTH,
> >
> > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > On 5/26/07 11:17 AM, "Raj Bansal" <ccie_study06@yahoo.com> wrote:
> >
> > > Folks:
> > >
> > > Does RIP have issues dealing with extended ACLs or expanded ACLs?
> > >
> > > If I want to control a route, it seems that extended ACLs and expanded ACLs
> > > don't work. It seems to work with standard ACLs and prefix lists. The reason I
> > > was trying to use an extended ACL is to control the summary route being sent
> > > out with a /16.
> > >
> > > int serial0/0
> > > ip summary-address rip 172.16.0.0 255.255.0.0
> > >
> > > router rip
> > > distribute-list 10 out serial0/0 <---- works
> > > distribute-list 101 out serial0/0 <---- doesn't work
> > > distribute-list prefix rip out serial0/0 <--- works
> > > distribute-list 2201 out serial0/0 <--- doesn't work
> > >
> > > I can discount the expanded ACLs. Seems they're used mostly in BGP scenarios.
> > > But what's up with extended ACLs?
> > >
> > > One might argue why not just use the standard ACL. But what if I have a
> > > route that is redistributed into RIP and it's a /32 (OSPF point-to-multipoint
> > > with a /31)? Now I match on the network and it gets leaked out to the RIP
> > > peer (neighbor).
> > >
> > > access-list 10 permit 172.16.0.0 0.0.0.0
> > > access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > > ip prefix-list rip permit 172.16.0.0/16
> > >
> > > Thanks.
> > >
> > > Raj
> > >
> > >
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
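The matching rule Brian spells out above, modelled in Python as an added illustration (not code from the thread or from IOS): the ACL's source field is checked against the advertising router, the destination field against the network address, and the prefix length is ignored. BRIAN_ACL and RAJ_ACL are the two access-lists quoted in the messages above; the parser handles only the host/any/wildcard forms that appear in the thread.

```python
"""Model of how an IOS extended ACL is evaluated by an IGP distribute-list,
following the rule Brian states above: the source field is compared with the
router that advertised the route, the destination field with the route's
network address, and the prefix length is never consulted. Added illustration,
not code from the thread or from Cisco IOS; wildcard semantics are IOS's."""
import ipaddress

def _wc_match(addr, base, wildcard):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>', each side being
    'host A', 'any' or 'A WILDCARD'. Returns (action, src, src_wc, dst, dst_wc)."""
    toks = line.split()
    action, toks, fields = toks[2], toks[4:], []
    while toks:
        if toks[0] == 'host':
            fields.append((toks[1], '0.0.0.0')); toks = toks[2:]
        elif toks[0] == 'any':
            fields.append(('0.0.0.0', '255.255.255.255')); toks = toks[1:]
        else:
            fields.append((toks[0], toks[1])); toks = toks[2:]
    return (action,) + fields[0] + fields[1]

def igp_permits(acl, route, advertiser):
    """True if `route` (e.g. '172.16.0.0/16') learned from `advertiser` passes
    the distribute-list. Only the network address is compared, so a /16 and a
    /24 to the same network are indistinguishable. Implicit deny at the end."""
    net = str(ipaddress.IPv4Network(route, strict=False).network_address)
    for action, src, src_wc, dst, dst_wc in map(parse_ace, acl):
        if _wc_match(advertiser, src, src_wc) and _wc_match(net, dst, dst_wc):
            return action == 'permit'
    return False

# Brian's ACL 100 from the thread: R1 keeps 172.16.0.0 only via 10.0.0.2.
BRIAN_ACL = ['access-list 100 deny ip host 10.0.0.3 host 172.16.0.0',
             'access-list 100 permit ip any any']
# Raj's ACL 101: the subnet mask sits in the destination field. Under the IGP
# rule that field is the network address, so 255.255.0.0 matches no route.
RAJ_ACL = ['access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0']

if __name__ == '__main__':
    print(igp_permits(BRIAN_ACL, '172.16.0.0/16', '10.0.0.3'))  # False
    print(igp_permits(BRIAN_ACL, '172.16.0.0/16', '10.0.0.2'))  # True
    print(igp_permits(RAJ_ACL, '172.16.0.0/16', '10.0.0.2'))    # False
```

Feeding `permit ip host 1.1.1.1 10.1.0.0 0.0.255.255` to igp_permits shows the mask-blindness directly: 10.1.5.4/30 and 10.1.0.0/16 from 1.1.1.1 are both permitted, while 10.5.0.0/16 or the same routes from 2.2.2.2 are dropped.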



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:22 ART