From: Hobbs (deadheadblues@gmail.com)
Date: Fri Aug 15 2008 - 13:13:48 ART
I see. So what I am doing probably isn't possible with an extended ACL? I want
to permit a range of routes /24 through /26 on the 192.168.0.0/16 network.
If I only wanted /24 then I could do it?
thanks,
On Fri, Aug 15, 2008 at 9:45 AM, Derek Pocoroba <dpocoroba@gmail.com> wrote:
> If you use an extended ACL for a filter, you can NOT match on the subnet
> portion of the route. You will match the network and the source that sent
> the route.
>
> EX:
> R1#show ip route rip
> R 172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> R1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> R1(config)#access-list 101 deny ip host 10.0.0.3 host 172.16.0.0
> R1(config)#access-list 101 per ip any any
> R1(config)#router rip
> R1(config-router)#distribute-list 101 in e0/0
> R1(config-router)#do clear ip route *
> R1(config-router)#do show ip route rip
> R 172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
>
> Wildcards are also permitted on both the host and network
>
> EX:
>
> access-list 101 per ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
>
> Allow 192.168.X.X/X from any neighbor on 10.0.0.X
> (192.168.22/23, 192.168.1.0/24, 192.168.100/25, etc. from 10.0.0.22,
> 10.0.0.254, etc.)
>
> HTH
>
>
> On Thu, Aug 14, 2008 at 6:38 PM, David Prall <dcp@dcptech.com> wrote:
>
>> If this is for an access-list in a route-map for redistribution you can
>> use an extended ACL. The first portion is the network and the second
>> portion is the subnet mask.
>>
>> If my quick memory is right:
>> access-list 100 permit ip 192.168.0.0 0.0.255.64 255.255.0.0 0.0.255.64
>>
>> David
>>
>> --
>> http://dcp.dcptech.com
>>
>>
>> > -----Original Message-----
>> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
>> > Behalf Of Hobbs
>> > Sent: Thursday, August 14, 2008 9:28 PM
>> > To: Igor Manassypov
>> > Cc: ccielab@groupstudy.com
>> > Subject: Re: rule for prefix-access list conversion
>> >
>> > Hi Igor,
>> >
>> > Well I don't think you can do it, but I could be wrong. Some easy
>> > prefix-length only matches can be converted but not complex ge or le
>> > matches. Here is my attempt and maybe someone can point out if I am
>> > path...
>> >
>> > Suppose you had the requirement:
>> >
>> > Only allow 192.168.0.0 routes with subnet less than /26
>> >
>> > Our prefix-list would be easy:
>> > ip prefix-list ALLOW permit 192.168.0.0/16 le 26
>> >
>> > Our ACL would be harder to find, but we know our first 16 bits:
>> > 192.168.
>> >
>> > So our acl looks like this for now:
>> >
>> > access-list 1 permit 192.168.x.x 0.0.x.x
>> >
>> > We don't care what the third bit is either so we could now go:
>> >
>> > access-list 1 permit 192.168.0.x 0.0.255.x
>> >
>> > That leaves the last bits of the network and mask. We can break out
>> > the networks of the 4th octet in binary:
>> >
>> > xxxx xxxx
>> >
>> > /24 = 0000 0000
>> >
>> > /25 = 0000 0000
>> > 1000 0000
>> >
>> > /26 = 0000 0000
>> > 0100 0000
>> > 1000 0000
>> > 1100 0000
>> >
>> > /27 = 0000 0000
>> > 0010 0000
>> > 0100 0000
>> > 0110 0000
>> > 1000 0000
>> > 1010 0000
>> > 1100 0000
>> > 1110 0000
>> >
>> > We can already see where this is headed. Our first two bits are
>> > "don't care" and our last 6 must be 0 in order to be considered less
>> > than /26.
>> >
>> > so we could have this:
>> >
>> > access-list 1 permit 192.168.0.0 0.0.255.128
>> >
>> > However this would present a problem for networks such as
>> > 192.168.11.0/28 because the network has all 0's and for all the router
>> > knows could be a /24, /25 or /26 with all 0's.
>> >
>> > So we need to deny all of these:
>> >
>> > 192.168.0.0/27,/28,/29,/30
>> > 192.168.1.0/27,/28,/29,/30
>> > 192.168.2.0/27,/28,/29,/30
>> >
>> > Don't know a way of doing it without too many entries... and if we
>> > were to deny these first we would deny their /24,/25,/26 counterparts...
>> >
>> > maybe that's why prefix-lists were invented...
>> >
>> >
>> >
>> >
>> >
>> > On Thu, Aug 14, 2008 at 8:38 AM, Igor Manassypov
>> > <imanassypov@rogers.com> wrote:
>> >
>> > > Hello,
>> > >
>> > > What is the rule for converting between 'prefix-list' and
>> > > 'access-list'?
>> > >
>> > > Thanks!
>> > >
>> > >
>> > > Igor M., M.Eng, P.Eng
>> > > Network Architect
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > >
>> > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>>
>>
>
>
> --
> Derek Pocoroba
> CCIE #18559
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART
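Added worked example (editor's code, not from anyone in the thread): a small Python model of Cisco wildcard matching that evaluates the three approaches discussed above against a set of constructed routes, so you can see on which routes each one disagrees with `ip prefix-list ALLOW permit 192.168.0.0/16 le 26`. It assumes the route-map semantics David describes (the extended ACL's source field matches the network, the destination field matches the subnet mask), and that a standard ACL sees only the network address. The function names, the `LE26_EXTENDED` entry and the sample routes are this example's own; Hobbs' standard ACL and David's from-memory extended ACL are copied verbatim from the thread so they can be tested.

```python
"""Evaluate Cisco-style wildcard ACL entries against routes to compare three
ways of expressing '192.168.0.0/16 le 26'.  Added example; the extended-ACL
semantics assumed are those of an ACL referenced by a route-map during
redistribution: source field = network, destination field = subnet mask.
Function names, LE26_EXTENDED and the sample routes are constructed here."""
import ipaddress


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(value) & care) == (_as_int(base) & care)


def parse_standard(line):
    # e.g. "access-list 1 permit 192.168.0.0 0.0.255.128"; wildcard is optional
    p = line.split()
    return {"action": p[2], "net": p[3], "net_wc": p[4] if len(p) > 4 else "0.0.0.0"}


def parse_extended(line):
    # e.g. "access-list 100 permit ip <net> <net_wc> <mask> <mask_wc>"
    p = line.split()
    if p[3] != "ip":
        raise ValueError("only 'ip' entries are modelled here")
    return {"action": p[2], "net": p[4], "net_wc": p[5], "mask": p[6], "mask_wc": p[7]}


def standard_acl_permits(acl_lines, route):
    """A standard ACL only sees the network address, never the prefix length."""
    net = ipaddress.ip_network(route)
    for e in map(parse_standard, acl_lines):
        if wildcard_match(str(net.network_address), e["net"], e["net_wc"]):
            return e["action"] == "permit"
    return False  # implicit deny at the end of every ACL


def route_map_acl_permits(acl_lines, route):
    """Extended ACL in a route-map: source = network, destination = mask."""
    net = ipaddress.ip_network(route)
    for e in map(parse_extended, acl_lines):
        if (wildcard_match(str(net.network_address), e["net"], e["net_wc"])
                and wildcard_match(str(net.netmask), e["mask"], e["mask_wc"])):
            return e["action"] == "permit"
    return False


def prefix_list_permits(route, base="192.168.0.0/16", le=26):
    """Model of 'ip prefix-list ALLOW permit 192.168.0.0/16 le 26'."""
    net = ipaddress.ip_network(route)
    return net.subnet_of(ipaddress.ip_network(base)) and net.prefixlen <= le


# Hobbs' standard-ACL attempt, as posted.
STANDARD_ACL = ["access-list 1 permit 192.168.0.0 0.0.255.128"]
# David's from-memory extended entry, as posted.
THREAD_EXTENDED = ["access-list 100 permit ip 192.168.0.0 0.0.255.64 255.255.0.0 0.0.255.64"]
# Constructed here: the network wildcard frees the two bits a /25 or /26 can
# set in the 4th octet; the mask wildcard admits 255.255.255.0/.128/.192
# (it would also admit .64, but no route ever carries that non-contiguous mask).
LE26_EXTENDED = ["access-list 100 permit ip 192.168.0.0 0.0.255.192 255.255.255.0 0.0.0.192"]

# Constructed sample routes, including the /28 case Hobbs raised.
SAMPLE_ROUTES = ["192.168.11.0/24", "192.168.11.128/25", "192.168.11.192/26",
                 "192.168.11.64/26", "192.168.11.0/28", "10.1.0.0/24"]


def compare(routes=SAMPLE_ROUTES):
    """{route: (prefix-list, standard ACL, thread extended ACL, le26 extended ACL)}"""
    return {r: (prefix_list_permits(r),
                standard_acl_permits(STANDARD_ACL, r),
                route_map_acl_permits(THREAD_EXTENDED, r),
                route_map_acl_permits(LE26_EXTENDED, r)) for r in routes}


def acl_matches_prefix_list(acl_lines, routes=SAMPLE_ROUTES):
    """True when the extended ACL agrees with the prefix-list on every route."""
    return all(route_map_acl_permits(acl_lines, r) == prefix_list_permits(r)
               for r in routes)


if __name__ == "__main__":
    print(f"{'route':20} prefix-list  std-ACL     thread-ext  le26-ext")
    for r, flags in compare().items():
        print(f"{r:20} " + "  ".join(f"{str(f):10}" for f in flags))
```

Running it shows the two failure modes the thread is circling: the standard ACL permits 192.168.11.0/28 (it cannot see the mask) yet rejects 192.168.11.192/26 (only one subnet bit was freed), while the as-posted extended entry rejects every /25 and /26. The constructed entry agrees with the prefix-list on all sample routes because the mask field, not the network field, is what carries the "le 26" condition.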