From: Bit Gossip (bit.gossip@chello.nl)
Date: Thu Aug 16 2007 - 02:18:42 ART
Hi Brian,
Does this usage of an extended ACL to match the sending router and network number
work for all IGPs?
What about EIGRP and OSPF?
Thanks,
Bit.
----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "Raj Bansal" <ccie_study06@yahoo.com>; <ccielab@groupstudy.com>
Sent: Saturday, May 26, 2007 8:40 PM
Subject: Re: rip standard acl/extended acl/prefix list/expanded acl
> In regards to your question about using extended ACLs when filtering with
> IGPs, below is part of an email I sent previously on this subject (now part
> of my personal wiki ;-).
>
> Extended ACLs work with IGP protocols, but you cannot match on the subnet
> mask portion of the route. Extended ACLs can be used with IGP protocols
> to match the network portion of the route and the IP address of the
> router (source) that sent the route. Here is an example of its usage:
>
> Notice that R1 is receiving the 172.16.0.0/16 network from R2 (10.0.0.2)
> and R3 (10.0.0.3). We will use ACL 100 and a distribute-list inbound so
> that R1 only uses the 172.16.0.0/16 route that is being advertised by
> R2.
>
> Rack2R1#show ip route rip
> R    172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
>                    [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
>                     [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> Rack2R1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
> Rack2R1(config)#access-list 100 per ip any any
> Rack2R1(config)#router rip
> Rack2R1(config-router)#distribute-list 100 in e0/0
>
> Rack2R1(config-router)#^Z
> Rack2R1#
> Rack2R1#clear ip route *
> Rack2R1#show ip route rip
> R    172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
>                     [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
> Rack2R1#
>
> More examples:
>
> This would permit any 10.X.X.X/X network from 1.1.1.1 (i.e. 10.5.0.0/16,
> 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)
>
> access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255
>
>
> This would permit any 10.1.X.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24,
> 10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc)
>
> access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255
>
>
> This would permit any 10.1.1.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24,
> 10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc)
>
> access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255
>
>
> You can also use the wild card mask on the host:
>
> This would permit any 10.X.X.X/X network from 1.1.1.X (i.e. 10.5.0.0/16,
> 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)
>
> access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
>
> HTH,
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> On 5/26/07 11:17 AM, "Raj Bansal" <ccie_study06@yahoo.com> wrote:
>
>> Folks:
>>
>> Does RIP have issues dealing with extended ACLs or expanded ACLs?
>>
>> If I want to control a route, it seems that extended ACLs and expanded ACLs
>> don't work. It seems to work with standard ACLs and prefix lists. The reason
>> I was trying to use an extended ACL is to control the summary route being
>> sent out with a /16.
>>
>> interface Serial0/0
>>  ip summary-address rip 172.16.0.0 255.255.0.0
>>
>> router rip
>>  distribute-list 10 out Serial0/0          <---- works
>>  distribute-list 101 out Serial0/0         <---- doesn't work
>>  distribute-list prefix rip out Serial0/0  <---- works
>>  distribute-list 2201 out Serial0/0        <---- doesn't work
>>
>> I can discount the expanded ACLs. It seems they are used mostly in BGP
>> scenarios. But what's up with extended ACLs?
>>
>> One might argue why not just use the standard ACL. But what if I have a
>> route that is redistributed into RIP and it's a /32 (OSPF point-to-multipoint
>> with a /31)? Now I match on the network and it gets leaked out to the RIP
>> peer (neighbor).
>>
>> access-list 10 permit 172.16.0.0 0.0.0.0
>> access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0
>> ip prefix-list rip permit 172.16.0.0/16
>>
>> Thanks.
>>
>> Raj
>>
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:11 ART