RE: rule for prefix-access list conversion

From: David Prall (dcp@dcptech.com)
Date: Fri Aug 15 2008 - 14:13:02 ART


With Derek's distribute-list config you could change the acl to

access-list 101 permit ip any 192.168.0.0 0.0.255.64

This would only allow the routes 192.168.0.0 /16 to /26. I'm sure with some
preceding denies we could get it so that we only allowed /24 to /26.

David

--
http://dcp.dcptech.com
  

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Hobbs
> Sent: Friday, August 15, 2008 12:14 PM
> To: Derek Pocoroba
> Cc: David Prall; Igor Manassypov; ccielab@groupstudy.com
> Subject: Re: rule for prefix-access list conversion
>
> I see. So what I am doing probably isn't possible with extended ACL? I want
> to permit a range of routes /24 through /26. on the 192.168.0.0/16 network.
>
> If I only wanted /24 then I could do it?
>
> thanks,
>
> On Fri, Aug 15, 2008 at 9:45 AM, Derek Pocoroba <dpocoroba@gmail.com> wrote:
>
> > If you use an extended ACL for a filter. You can NOT match on the subnet
> > portion of the route. You will match the network and the source that sent
> > the route.
> >
> > EX:
> > R1#show ip route rip
> > R 172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> > [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> > R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> > [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> > R1#conf t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > R1(config)#access-list 101 deny ip host 10.0.0.3 host 172.16.0.0
> > R1(config)#access-list 101 per ip any any
> > R1(config)#router rip
> > R1(config-router)#distribute-list 101 in e0/0
> > R1(config-router)#do clear ip route *
> > R1(config-router)#do show ip route rip
> > R 172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> > R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> > [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
> >
> > Wildcards are also permitted on both the host and network
> >
> > EX:
> >
> > access-list 101 per ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
> >
> > Allow 192.168.X.X/X from any neighbor on 10.0.0.X
> > ( 192.168.22/23, 192.168.1.0/24, 192.168.100/25, etc from 10.0.0.22,
> > 10.0.0.254, etc)
> >
> > HTH
> >
> > On Thu, Aug 14, 2008 at 6:38 PM, David Prall <dcp@dcptech.com> wrote:
> >
> >> If this is for an access-list in a route-map for redistribution you can
> >> use an extended ACL. The first portion is the network and the second
> >> portion is the subnet mask.
> >>
> >> If my quick memory is right:
> >> access-list 100 permit ip 192.168.0.0 0.0.255.64 255.255.0.0 0.0.255.64
> >>
> >> David
> >>
> >> --
> >> http://dcp.dcptech.com
> >>
> >> > -----Original Message-----
> >> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Hobbs
> >> > Sent: Thursday, August 14, 2008 9:28 PM
> >> > To: Igor Manassypov
> >> > Cc: ccielab@groupstudy.com
> >> > Subject: Re: rule for prefix-access list conversion
> >> >
> >> > Hi Igor,
> >> >
> >> > Well I don't think you can do it, but I could be wrong. Some easy
> >> > prefix-length only matches can be converted but not complex ge or le
> >> > matches. Here is my attempt and maybe someone can point out
> >> > if I am path...
> >> >
> >> > Suppose you had the requirement:
> >> >
> >> > Only allow 192.168.0.0 routes with subnet less than /26
> >> >
> >> > Our prefix-list would be easy:
> >> > ip prefix-list ALLOW permit 192.168.0.0/16 le 26
> >> >
> >> > Our ACL would be harder to find. but we know our first 16
> >> > bits: 192.168.
> >> >
> >> > So our acl looks like this for now:
> >> >
> >> > access-list 1 permit 192.168.x.x 0.0.x.x
> >> >
> >> > We don't care what the third bit is either so we could now go:
> >> >
> >> > access-list 1 permit 192.168.0.x 0.0.255.x
> >> >
> >> > That leaves the last bits of the network and mask. We can
> >> > break out the networks of the 4th octet in binary:
> >> >
> >> > xxxx xxxx
> >> >
> >> > /24 = 0000 0000
> >> >
> >> > /25 = 0000 0000
> >> >       1000 0000
> >> >
> >> > /26 = 0000 0000
> >> >       0100 0000
> >> >       1000 0000
> >> >       1100 0000
> >> >
> >> > /27 = 0000 0000
> >> >       0010 0000
> >> >       0100 0000
> >> >       0110 0000
> >> >       1000 0000
> >> >       1010 0000
> >> >       1100 0000
> >> >       1110 0000
> >> >
> >> > We can already see where this is headed. Our first two bits
> >> > are "don't care"
> >> > and our last 6 must be 0 in order to be considered less than /26.
> >> >
> >> > so we could have this:
> >> >
> >> > access-list 1 permit 192.168.0.0 0.0.255.128
> >> >
> >> > However this would present a problem for networks such as
> >> > 192.168.11.0/28 because the network has all 0's and for all the router
> >> > knows could be a /24, /25 or /26 with all 0's.
> >> >
> >> > So we need to deny all of these:
> >> >
> >> > 192.168.0.0/27,/28,/29,/30
> >> > 192.168.1.0/27,/28,/29,/30
> >> > 192.168.2.0/27,/28,/29,/30
> >> >
> >> > Don't know a way of doing it without too many entries...and
> >> > if we were to deny these first we would deny their /24,/25,/26 counterparts...
> >> >
> >> > maybe that's why prefix-lists were invented...
> >> >
> >> > On Thu, Aug 14, 2008 at 8:38 AM, Igor Manassypov
> >> > <imanassypov@rogers.com> wrote:
> >> >
> >> > > Hello,
> >> > >
> >> > > What is the rule for converting between 'prefix-list' and
> >> > > 'access-list'?
> >> > >
> >> > > Thanks!
> >> > >
> >> > > Igor M., M.Eng, P.Eng
> >> > > Network Architect
> >
> > --
> > Derek Pocoroba
> > CCIE #18559
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
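An added example (mine, not code from anyone in the thread) that models in Python the route-map style matching David describes, where the first address/wildcard pair of an extended ACL entry is tested against the route's network and the second pair against its subnet mask, and compares it with a prefix-list for the /24-through-/26 requirement Hobbs states. The mask-aware ACL entry and the sample routes are my own constructions, and the script is a model of the matching rule, not Cisco's implementation.

```python
from ipaddress import IPv4Address, IPv4Network

def to_int(dotted):
    return int(IPv4Address(dotted))

def wildcard_match(value, pattern, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return ((to_int(value) ^ to_int(pattern)) & ~to_int(wildcard) & 0xFFFFFFFF) == 0

def ext_acl_permits(route, acl):
    """Route-map style: entry 'source' is tested against the route's network,
    entry 'destination' against its mask. First match wins; implicit deny."""
    n = IPv4Network(route)
    net, mask = str(n.network_address), str(n.netmask)
    for action, pat_net, wc_net, pat_mask, wc_mask in acl:
        if wildcard_match(net, pat_net, wc_net) and wildcard_match(mask, pat_mask, wc_mask):
            return action == "permit"
    return False

def prefix_list_permits(route, entry, ge=None, le=None):
    """ip prefix-list semantics: route inside 'entry' and length within
    [ge, le]; with neither keyword only the exact length matches."""
    n, b = IPv4Network(route), IPv4Network(entry)
    if not n.subnet_of(b):
        return False
    lo = ge if ge is not None else b.prefixlen
    hi = le if le is not None else (32 if ge is not None else b.prefixlen)
    return lo <= n.prefixlen <= hi

# Hobbs' "access-list 1 permit 192.168.0.0 0.0.255.128": a standard ACL sees
# only the network, modelled here by accepting any mask.
NET_ONLY_ACL = [("permit", "192.168.0.0", "0.0.255.128", "0.0.0.0", "255.255.255.255")]
# Constructed for this example: also match the mask, so only the /24, /25 and
# /26 masks (255.255.255.0, .128, .192) pass; .64 is not a valid mask anyway.
MASK_AWARE_ACL = [("permit", "192.168.0.0", "0.0.255.255", "255.255.255.0", "0.0.0.192")]

ROUTES = ["192.168.1.0/24", "192.168.1.128/25", "192.168.1.64/26",
          "192.168.11.0/28", "192.168.0.0/16"]  # constructed sample routes

def compare(routes=ROUTES):
    """Per route: (net-only ACL, mask-aware ACL, prefix-list 192.168.0.0/16 ge 24 le 26)."""
    return {r: (ext_acl_permits(r, NET_ONLY_ACL),
                ext_acl_permits(r, MASK_AWARE_ACL),
                prefix_list_permits(r, "192.168.0.0/16", ge=24, le=26))
            for r in routes}

if __name__ == "__main__":
    for r, (a, b, p) in compare().items():
        print(f"{r:17} net-only={a!s:5} mask-aware={b!s:5} prefix-list={p}")
```

Running it shows the net-only ACL letting 192.168.11.0/28 through (the case Hobbs raises) while the mask-aware entry and the prefix-list agree on every sample route.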

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART