Re: Extended IP access list

From: marc abel <marcabel_at_gmail.com>
Date: Mon, 11 Jul 2011 22:38:52 -0500

Distribute lists are for denying routes, not traffic. If you want to
deny traffic, apply the access list to an interface. If you are indeed
trying to block routes then your format is a little off.

When using an extended access-list in an IGP distribute list, the
"source" matches the source of the route and the "destination" matches
the prefix. So your access list

10 deny ip host 2.2.2.2 host 3.3.3.0

Denies the route 3.3.3.0 sourced from 2.2.2.2

In your scenario below you could deny the route 2.2.2.2 sourced from
R1 by applying a distribute list on R2 like

access-list 101 deny ip host 10.1.1.1 host 2.2.2.2

Now this isn't actually going to stop traffic. Not having a route may
stop traffic, but if you were learning the route another way then it
would still pass.

-Marc

On Mon, Jul 11, 2011 at 9:55 PM, <jhnrose401_at_gmail.com> wrote:
> Dear
>
> I am working on the extended access list
>
> TASK: when R1 tries to ping 3.3.3.3 using source 2.2.2.2, it
> will not be reachable. I am not able to do this, please help.
>
> I want to do this using the host keyword.
>
> R1 :
> sh run | sec router
> router rip
> version 2
> network 0.0.0.0
> no auto-summary
> Serial1/0 10.1.1.1 YES manual up up
>
> Loopback1 2.2.2.2 YES manual up up
>
>
> R2
>
> Serial1/0 10.1.1.2 YES SLARP up up
>
> Loopback2 3.3.3.3 YES manual up up
>
> Loopback3 4.4.4.4 YES manual up up
>
>
> router rip
> version 2
> network 0.0.0.0
> distribute-list 101 in
> no auto-summary
>
> Router#sh access-lists
> Extended IP access list 101
> 10 deny ip host 2.2.2.2 host 3.3.3.0
> 20 permit ip any any (1 match)
> Router#ping 3.3.3.3 source 2.2.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
> Packet sent with a source address of 2.2.2.2
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 60/83/136 ms
>
>
> the
>
>
> Blogs and organic groups at http://www.ccie.net

Received on Mon Jul 11 2011 - 22:38:52 ART
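
The two uses of an extended ACL that the reply distinguishes, side by side for R2, as an added example that is not part of the original thread. ACL number 102, placing the packet filter inbound on Serial1/0, and the trailing "permit ip any any" on ACL 101 are assumptions made for illustration; the addresses and ACL 101's deny entry are the ones used in the messages above.

```ios
! ---- Route filtering (distribute list), on R2 ----
! In a distribute list the extended ACL fields are reinterpreted:
!   "source"      = address of the router the update came from (R1, 10.1.1.1)
!   "destination" = the advertised prefix (2.2.2.2)
! This removes the learned route only. It does not inspect packets.
access-list 101 deny   ip host 10.1.1.1 host 2.2.2.2
access-list 101 permit ip any any
!
router rip
 version 2
 network 0.0.0.0
 distribute-list 101 in
 no auto-summary
!
! ---- Packet filtering (interface ACL), on R2 ----
! Applied to an interface, the same syntax has its usual meaning:
!   "source"      = packet source address      (R1 Loopback1, 2.2.2.2)
!   "destination" = packet destination address (R2 Loopback2, 3.3.3.3)
! ACL 102 is an assumed number, not taken from the thread.
access-list 102 deny   ip host 2.2.2.2 host 3.3.3.3
access-list 102 permit ip any any
!
interface Serial1/0
 ip access-group 102 in
```

With ACL 102 applied, the match counter on its deny entry in "sh access-lists" is the place to confirm that the ping sourced from 2.2.2.2 is being dropped as traffic rather than merely losing a route.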
