From: Fahad Khan (fahad.khan@gmail.com)
Date: Fri Aug 15 2008 - 14:18:15 ART
Hi,
You guys had better go through these links:
http://blog.internetworkexpert.com/category/ccie-routing-switching/interior-gateway-routing/page/2/
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#bgpfilter
Go through case study 3 fully.
HTH,
On 8/15/08, David Prall <dcp@dcptech.com> wrote:
> With Derek's distribute-list config you could change the acl to
>
> access-list 101 permit ip any 192.168.0.0 0.0.255.64
>
> This would only allow the routes 192.168.0.0 /16 to /26. I'm sure with
> some preceding denies we could get it so that we only allowed /24 to /26.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Hobbs
> > Sent: Friday, August 15, 2008 12:14 PM
> > To: Derek Pocoroba
> > Cc: David Prall; Igor Manassypov; ccielab@groupstudy.com
> > Subject: Re: rule for prefix-access list conversion
> >
> > I see. So what I am doing probably isn't possible with an extended ACL?
> > I want to permit a range of routes /24 through /26 on the
> > 192.168.0.0/16 network.
> >
> > If I only wanted /24 then I could do it?
> >
> > thanks,
> >
> > On Fri, Aug 15, 2008 at 9:45 AM, Derek Pocoroba <dpocoroba@gmail.com> wrote:
> >
> > > If you use an extended ACL for a filter, you can NOT match on the
> > > subnet portion of the route. You will match the network and the
> > > source that sent the route.
> > >
> > > EX:
> > > R1#show ip route rip
> > > R 172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> > > [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> > > R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
> > > [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
> > > R1#conf t
> > > Enter configuration commands, one per line. End with CNTL/Z.
> > > R1(config)#access-list 101 deny ip host 10.0.0.3 host 172.16.0.0
> > > R1(config)#access-list 101 per ip any any
> > > R1(config)#router rip
> > > R1(config-router)#distribute-list 101 in e0/0
> > > R1(config-router)#do clear ip route *
> > > R1(config-router)#do show ip route rip
> > > R 172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> > > R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
> > > [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
> > >
> > > Wildcards are also permitted on both the host and network
> > >
> > > EX:
> > >
> > > access-list 101 per ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
> > >
> > > Allow 192.168.X.X/X from any neighbor on 10.0.0.X
> > > (192.168.22/23, 192.168.1.0/24, 192.168.100/25, etc. from 10.0.0.22,
> > > 10.0.0.254, etc.)
> > >
> > > HTH
> > >
> > >
> > > On Thu, Aug 14, 2008 at 6:38 PM, David Prall <dcp@dcptech.com> wrote:
> > >
> > >> If this is for an access-list in a route-map for redistribution you
> > >> can use an extended ACL. The first portion is the network and the
> > >> second portion is the subnet mask.
> > >>
> > >> If my quick memory is right:
> > >> access-list 100 permit ip 192.168.0.0 0.0.255.64 255.255.0.0 0.0.255.64
> > >>
> > >> David
> > >>
> > >> --
> > >> http://dcp.dcptech.com
> > >>
> > >>
> > >> > -----Original Message-----
> > >> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > >> > Behalf Of Hobbs
> > >> > Sent: Thursday, August 14, 2008 9:28 PM
> > >> > To: Igor Manassypov
> > >> > Cc: ccielab@groupstudy.com
> > >> > Subject: Re: rule for prefix-access list conversion
> > >> >
> > >> > Hi Igor,
> > >> >
> > >> > Well I don't think you can do it, but I could be wrong. Some easy
> > >> > prefix-length-only matches can be converted, but not complex ge or
> > >> > le matches. Here is my attempt and maybe someone can point out
> > >> > if I am path...
> > >> >
> > >> > Suppose you had the requirement:
> > >> >
> > >> > Only allow 192.168.0.0 routes with subnet less than /26
> > >> >
> > >> > Our prefix-list would be easy:
> > >> > ip prefix-list ALLOW permit 192.168.0.0/16 le 26
> > >> >
> > >> > Our ACL would be harder to find, but we know our first 16
> > >> > bits: 192.168.
> > >> >
> > >> > So our acl looks like this for now:
> > >> >
> > >> > access-list 1 permit 192.168.x.x 0.0.x.x
> > >> >
> > >> > We don't care what the third bit is either, so we could now go:
> > >> >
> > >> > access-list 1 permit 192.168.0.x 0.0.255.x
> > >> >
> > >> > That leaves the last bits of the network and mask. We can
> > >> > break out the networks of the 4th octet in binary:
> > >> >
> > >> > xxxx xxxx
> > >> >
> > >> > /24 = 0000 0000
> > >> >
> > >> > /25 = 0000 0000
> > >> > 1000 0000
> > >> >
> > >> > /26 = 0000 0000
> > >> > 0100 0000
> > >> > 1000 0000
> > >> > 1100 0000
> > >> >
> > >> > /27 = 0000 0000
> > >> > 0010 0000
> > >> > 0100 0000
> > >> > 0110 0000
> > >> > 1000 0000
> > >> > 1010 0000
> > >> > 1100 0000
> > >> > 1110 0000
> > >> >
> > >> > We can already see where this is headed. Our first two bits
> > >> > are "don't care" and our last 6 must be 0 in order to be
> > >> > considered less than /26.
> > >> >
> > >> > so we could have this:
> > >> >
> > >> > access-list 1 permit 192.168.0.0 0.0.255.128
> > >> >
> > >> > However this would present a problem for networks such as
> > >> > 192.168.11.0/28 because the network has all 0's and for all the
> > >> > router knows could be a /24, /25 or /26 with all 0's.
> > >> >
> > >> > So we need to deny all of these:
> > >> >
> > >> > 192.168.0.0/27,/28,/29,/30
> > >> > 192.168.1.0/27,/28,/29,/30
> > >> > 192.168.2.0/27,/28,/29,/30
> > >> >
> > >> > Don't know a way of doing it without too many entries... and
> > >> > if we were to deny these first we would deny their /24, /25, /26
> > >> > counterparts...
> > >> >
> > >> > maybe that's why prefix-lists were invented...
> > >> >
> > >> >
> > >> > On Thu, Aug 14, 2008 at 8:38 AM, Igor Manassypov <imanassypov@rogers.com> wrote:
> > >> >
> > >> > > Hello,
> > >> > >
> > >> > > What is the rule for converting between 'prefix-list' and
> > >> > > 'access-list'?
> > >> > >
> > >> > > Thanks!
> > >> > >
> > >> > >
> > >> > > Igor M., M.Eng, P.Eng
> > >> > > Network Architect
> > >> > >
> > >> > >
> > >> > > Blogs and organic groups at http://www.ccie.net
> > >> > >
> > >> > >
> > >> > _______________________________________________________________________
> > >> > > Subscription information may be found at:
> > >> > > http://www.groupstudy.com/list/CCIELab.html
> > >> >
> > >>
> > >
> > >
> > > --
> > > Derek Pocoroba
> > > CCIE #18559
> >
>
--
FAHAD KHAN
BE Computer Systems NED,
CCNA, CCDA, CCNP, FOUNDFE, CLSE, QOS, JNCIA, JNCIS, MCP, CCIE (Written)
Systems Support Engineer, Premier Systems (Pvt) Limited,
Karachi, Pakistan
92-321-2370510.
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART
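To make the two ACL semantics in this thread concrete, here is an added Python model of my own (not code from any of the posters, from Cisco or from the linked articles). It scores candidate routes against a standard ACL in a distribute-list (network bits only), against an extended ACL used in a redistribution route-map (source fields test the network, destination fields test the mask, the behaviour David describes) and against the prefix-list Hobbs wrote, and lists where each ACL disagrees with the prefix-list; the candidate routes and the two route-map ACL lines are constructed for the example.

```python
import ipaddress

def wildcard_match(value: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    v, b, w = (int(ipaddress.IPv4Address(x)) for x in (value, base, wildcard))
    return (v & ~w) == (b & ~w)

def prefix_list_match(route: str, entry: str, ge=None, le=None) -> bool:
    """ip prefix-list ENTRY [ge N] [le M]: route under ENTRY, length in range."""
    r, e = ipaddress.ip_network(route, strict=False), ipaddress.ip_network(entry)
    lo = ge if ge is not None else e.prefixlen
    hi = le if le is not None else (32 if ge is not None else e.prefixlen)
    return r.subnet_of(e) and lo <= r.prefixlen <= hi

def standard_acl_permits(route: str, base: str, wildcard: str) -> bool:
    """Standard ACL in a distribute-list: only the network bits are tested."""
    r = ipaddress.ip_network(route, strict=False)
    return wildcard_match(str(r.network_address), base, wildcard)

def route_map_acl_permits(route: str, acl: list) -> bool:
    """Extended ACL under 'match ip address' in a redistribution route-map:
    source fields test the network, destination fields test the subnet mask."""
    r = ipaddress.ip_network(route, strict=False)
    for line in acl:  # first matching line wins, implicit deny at the end
        action, _, src, src_wc, dst, dst_wc = line.split()  # "permit ip S WS D WD"
        if (wildcard_match(str(r.network_address), src, src_wc)
                and wildcard_match(str(r.netmask), dst, dst_wc)):
            return action == "permit"
    return False

# Constructed candidates: /16../30 on 192.168.11.0, two more blocks, two outsiders.
CANDIDATES = ([f"192.168.11.0/{n}" for n in range(16, 31)]
              + ["192.168.11.64/26", "192.168.11.128/25", "10.0.0.0/24", "172.16.0.0/16"])

def disagreements(acl_permits, entry: str, ge=None, le=None) -> list:
    return [r for r in CANDIDATES if acl_permits(r) != prefix_list_match(r, entry, ge, le)]

# Hobbs's le 26 vs his standard ACL: /27../30 with all-zero host bits slip
# through, and wildcard 0.0.255.128 also rejects a legitimate 192.168.11.64/26.
STD_GAP = disagreements(lambda r: standard_acl_permits(r, "192.168.0.0", "0.0.255.128"),
                        "192.168.0.0/16", le=26)
# Route-map form: real masks /16../26 are 255.255.x.0, .255.128 or .255.192.
RM_LE26 = ["permit ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.192"]
RM_GAP = disagreements(lambda r: route_map_acl_permits(r, RM_LE26), "192.168.0.0/16", le=26)
# /24 through /26 only (ge 24 le 26): fixed third mask octet, 0/128/192 fourth.
RM_24_26 = ["permit ip 192.168.0.0 0.0.255.255 255.255.255.0 0.0.0.192"]
RM_24_26_GAP = disagreements(lambda r: route_map_acl_permits(r, RM_24_26), "192.168.0.0/16", ge=24, le=26)
```

The standard-ACL gap is exactly the /27 through /30 problem Hobbs describes, while both route-map lines reproduce their prefix-list exactly because the mask field is tested on its own.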