From: Raj Bansal (ccie_study06@yahoo.com)
Date: Wed May 30 2007 - 11:56:49 ART
So why does bit masking work in an extended ACL when receiving routes?
For example, if the task says to receive only the routes 172.16.5.0 and 172.16.13.0 with a single ACL, this works:
access-list 101 permit ip 172.16.5.0 0.0.8.0 255.255.255.0 0.0.0.0
The 172.16.5.0 is not the source.
-Raj
Tarun Pahuja <pahujat@gmail.com> wrote:
> Raj,
> Please pay close attention to the word IGP in the previous
> thread. Extended ACLs work like a charm when used with BGP for filtering
> routes with different prefixes. Also, if you are using RIP v1 in your example,
> remember RIP version 1 does not send subnet information in its updates.
>
> Thanks,
> Tarun Pahuja
> CCIE#7707(R&S,Security,SP,Voice,Storage)
>
>
>
> On 5/26/07, Brian Dennis wrote:
> >
> > In regards to your question about using extended ACLs when filtering
> > with IGPs, below is part of an email I sent previously on this subject (now
> > part of my personal wiki ;-).
> >
> > Extended ACLs work with IGP protocols, but you cannot match on the
> > subnet mask portion of the route. Extended ACLs can be used with IGP protocols
> > to match the network portion of the route and the IP address of the
> > router (source) that sent the route. Here is an example of its usage:
> >
> > Notice that R1 is receiving the 172.16.0.0/16 network from R2 (10.0.0.2)
> > and R3 (10.0.0.3). We will use ACL 100 and a distribute-list inbound so
> > that R1 only uses the 172.16.0.0/16 route that is being advertised by
> > R2.
> >
> > Rack2R1#show ip route rip
> > R    172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> >                    [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> > R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> >                    [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> > Rack2R1#conf t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
> > Rack2R1(config)#access-list 100 per ip any any
> > Rack2R1(config)#router rip
> > Rack2R1(config-router)#distribute-list 100 in e0/0
> >
> > Rack2R1(config-router)#^Z
> > Rack2R1#
> > Rack2R1#clear ip route *
> > Rack2R1#show ip route rip
> > R    172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> > R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> >                    [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
> > Rack2R1#
> >
> > More examples:
> >
> > This would permit any 10.X.X.X/X network from 1.1.1.1 (i.e. 10.5.0.0/16,
> > 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)
> >
> > access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255
> >
> >
> > This would permit any 10.1.X.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24,
> > 10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc)
> >
> > access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255
> >
> >
> > This would permit any 10.1.1.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24,
> > 10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc)
> >
> > access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255
> >
> >
> > You can also use the wildcard mask on the host:
> >
> > This would permit any 10.X.X.X/X network from 1.1.1.X (i.e. 10.5.0.0/16,
> > 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)
> >
> > access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
> >
> > HTH,
> >
> > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > On 5/26/07 11:17 AM, "Raj Bansal" wrote:
> >
> > > Folks:
> > >
> > > Does RIP have issues dealing with extended ACLs or expanded ACLs?
> > >
> > > If I want to control a route, it seems that extended ACLs and
> > > expanded ACLs don't work. It seems to work with standard ACLs and prefix lists.
> > > The reason I was trying to use an extended ACL is to control the summary route
> > > being sent out with a /16.
> > >
> > > int serial0/0
> > > ip summary-address rip 172.16.0.0 255.255.0.0
> > >
> > > int serial0/0
> > > ip summary address rip 172.16.0.0 255.255.0.0
> > >
> > > router rip
> > > distribute-list 10 out serial0/0 <---- works
> > > distribute-list 101 out serial0/0 <---- doesn't work
> > > distribute-list prefix rip out serial0/0 <---- works
> > > distribute-list 2201 out serial0/0 <---- doesn't work
> > >
> > > I can discount the expanded ACLs. It seems they are used mostly in BGP
> > > scenarios. But what's up with extended ACLs?
> > >
> > > One might argue why not just use the standard ACL. But what if I
> > > have a route that is redistributed into RIP and it's a /32 (OSPF point-to-multipoint
> > > with a /31)? Now I match on the network and it gets leaked out to the RIP
> > > peer (neighbor).
> > >
> > > access-list 10 permit 172.16.0.0 0.0.0.0
> > > access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > > ip prefix-list rip permit 172.16.0.0/16
> > >
> > > Thanks.
> > >
> > > Raj
> > >
> > >
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
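Added example, not part of the thread above or of anyone's posted config: a small Python model of how an IOS distribute-list applies a standard ACL, an extended ACL under Brian Dennis's IGP rule (source = the router that sent the route, destination = the network address, subnet mask never tested), and an extended ACL under the BGP rule (source = network, destination = subnet mask). The IGP rule is taken from Brian's post; the BGP rule is assumed here from the 255.255.255.0 field in Raj's bit-mask ACL rather than stated in the thread. The three ACLs are the ones posted in the thread, typed in as constructed input, so the model shows why ACL 101 permits nothing on RIP (the neighbour address 10.0.0.2 is tested against 172.16.0.0), why the same line matches only 172.16.0.0/16 on BGP, why wildcard 0.0.8.0 matches both 172.16.5.0 and 172.16.13.0 but not 172.16.9.0, and how standard ACL 10 also lets a 172.16.0.0/32 route through.

```python
import ipaddress

# Added example (not from the thread): a model of how an IOS extended ACL is
# evaluated by a distribute-list, so the ACLs posted above can be compared.
# Brian's IGP rule (source = advertising router, destination = network address,
# mask never checked) is from his post; the BGP rule (source = network,
# destination = subnet mask) is an assumption drawn from Raj's bit-mask ACL.


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def _parse_spec(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', 'A W', or a bare 'A'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens):
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


def parse_acl(lines):
    """Return a list of (permit, src_spec, dst_spec); dst_spec is None for standard ACLs."""
    aces = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        permit = "permit".startswith(t[2])      # IOS accepts abbreviations such as 'per'
        if t[3] == "ip":                         # extended ACL: two address specs
            src, i = _parse_spec(t, 4)
            dst, _ = _parse_spec(t, i)
            aces.append((permit, src, dst))
        else:                                    # standard ACL: one address spec
            src, _ = _parse_spec(t, 3)
            aces.append((permit, src, None))
    return aces


def evaluate(aces, src, dst=None):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for permit, s, d in aces:
        if wildcard_match(src, *s) and (d is None or wildcard_match(dst, *d)):
            return permit
    return False


def igp_filter(aces, neighbor, prefix):
    """Distribute-list on an IGP (Brian's rule): source = neighbour, destination = network."""
    network = ipaddress.ip_network(prefix, strict=False).network_address
    return evaluate(aces, neighbor, str(network))


def bgp_filter(aces, prefix):
    """Distribute-list on BGP (assumed rule): source = network, destination = subnet mask."""
    net = ipaddress.ip_network(prefix, strict=False)
    return evaluate(aces, str(net.network_address), str(net.netmask))


def standard_filter(aces, prefix):
    """Standard ACL: only the network address is tested, whatever the mask."""
    network = ipaddress.ip_network(prefix, strict=False).network_address
    return evaluate(aces, str(network))


# The ACLs from the thread, typed in here as constructed input.
BRIAN_ACL_100 = parse_acl([
    "access-list 100 deny ip host 10.0.0.3 host 172.16.0.0",
    "access-list 100 per ip any any",
])
RAJ_ACL_10 = parse_acl(["access-list 10 permit 172.16.0.0 0.0.0.0"])
RAJ_ACL_101 = parse_acl(["access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0"])
RAJ_BITMASK_ACL = parse_acl(["access-list 101 permit ip 172.16.5.0 0.0.8.0 255.255.255.0 0.0.0.0"])

if __name__ == "__main__":
    print("Brian 100, RIP in, 172.16.0.0/16 from 10.0.0.3:", igp_filter(BRIAN_ACL_100, "10.0.0.3", "172.16.0.0/16"))
    print("Brian 100, RIP in, 172.16.0.0/16 from 10.0.0.2:", igp_filter(BRIAN_ACL_100, "10.0.0.2", "172.16.0.0/16"))
    print("Raj 101 on RIP, 172.16.0.0/16 from 10.0.0.2:", igp_filter(RAJ_ACL_101, "10.0.0.2", "172.16.0.0/16"))
    print("Raj 101 on BGP, 172.16.0.0/16:", bgp_filter(RAJ_ACL_101, "172.16.0.0/16"))
    for p in ("172.16.5.0/24", "172.16.13.0/24", "172.16.9.0/24", "172.16.5.0/25"):
        print("bit-mask ACL on BGP,", p, ":", bgp_filter(RAJ_BITMASK_ACL, p))
    print("ACL 10, 172.16.0.0/32:", standard_filter(RAJ_ACL_10, "172.16.0.0/32"))
```

The wildcard test is the same in every mode; what changes between IGP and BGP is only which two values of the route are fed into the source and destination fields, which is the whole reason a line that works on one protocol silently permits nothing on the other.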
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:22 ART