Re: prefix and acl

From: john matijevic <john.matijevic_at_gmail.com>
Date: Sun, 24 Jun 2012 19:47:21 -0400

Hasse,

So then I am confused as to the original question:
"Can I do this with an acl or extended cal"

I am trying to clarify what you are asking so that I can properly
answer the question.
A topology would help along with configs and the specifics of the question.

I see now that you have R1 and R2 and R2 is receiving prefixes from R1.

So then I am assuming that you tested with different access-lists.
Specifically from the Blueprint:
section 2.7.01 Filtering using ACL's and
section 2.7.02 Filtering using Prefix-lists.
I would also practice named ACLs.

So it's safe to assume then that you were able to accomplish this via standard
ACL, extended ACL and prefix-list.

How about using a named acl?

Standard ACLs
Standard ACLs are the oldest type of ACL. They date back to as early
as Cisco IOS Software Release 8.3. Standard ACLs control traffic by
the comparison of the source address of the IP packets to the
addresses configured in the ACL.

Extended ACLs
Extended ACLs were introduced in Cisco IOS Software Release 8.3.
Extended ACLs control traffic by the comparison of the source and
destination addresses of the IP packets to the addresses configured in
the ACL.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

For Prefix list understanding I found the following from research:

http://packetlife.net/blog/2010/feb/1/understanding-ip-prefix-lists/

Another blog post I found on prefix-lists, from INE:

http://blog.ine.com/2007/12/26/how-do-prefix-lists-work/

Please let me know if you have any more issues regarding the topics of
ACLs and prefix-lists.

Regards,
John
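A worked example, added here and not part of any message in this thread: a small Python model of the two filter types under discussion, run over the RIP routes Hasse posted. `prefix_list_matches` implements the IOS `ge`/`le` semantics, `standard_acl_matches` the wildcard comparison a standard ACL performs against the network address only, and `extended_acl_matches_bgp` the network-plus-mask interpretation Daniel and Sarad describe for BGP distribute-lists. The function names and the `RIP_ROUTES` list (transcribed from the `show ip route rip` output above) are my own constructions, not IOS code; it shows why the standard ACL `192.0.0.0 31.255.255.0` also lets 193.1.1.0/25 and 194.1.1.0/26 through while `192.0.0.0/3 ge 24 le 24` does not.

```python
import ipaddress

# Routes R2 learns from R1 via RIP, transcribed from the thread's
# "show ip route rip" output (network/prefix-length only). Constructed input.
RIP_ROUTES = [
    "1.0.0.0/8", "2.0.0.0/8", "3.0.0.0/8", "223.1.1.0/24", "4.4.0.0/16",
    "191.1.0.0/16", "5.5.5.0/24", "200.1.1.0/24", "6.6.6.0/26",
    "128.1.0.0/16", "125.0.0.0/8", "131.1.0.0/16", "193.1.1.0/25",
    "132.1.1.0/24", "192.1.1.0/24", "133.1.1.0/25", "195.1.1.0/24",
    "194.1.1.0/26",
]


def prefix_list_matches(route, prefix, ge=None, le=None):
    """IOS 'ip prefix-list ... permit PREFIX/LEN [ge X] [le Y]': the route
    must fall inside PREFIX/LEN and its own length must lie within [X, Y].
    With only 'ge X' the upper bound is 32; with only 'le Y' the lower bound
    is LEN; with neither, the length must equal LEN exactly."""
    r = ipaddress.ip_network(route)
    p = ipaddress.ip_network(prefix)
    lo = ge if ge is not None else p.prefixlen
    hi = le if le is not None else (32 if ge is not None else p.prefixlen)
    return r.subnet_of(p) and lo <= r.prefixlen <= hi


def standard_acl_matches(route, address, wildcard):
    """Standard ACL 'access-list N permit ADDRESS WILDCARD' used as a
    distribute-list: only the route's network address is compared (wildcard
    1-bits are don't-care). The prefix length is never consulted, so a /25
    and a /24 with the same network bits are indistinguishable."""
    net = int(ipaddress.ip_network(route).network_address)
    addr = int(ipaddress.ip_address(address))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (net & care) == (addr & care)


def extended_acl_matches_bgp(route, address, wildcard, mask_addr, mask_wild):
    """Extended ACL as a BGP distribute-list, the interpretation Daniel and
    Sarad describe: the 'source' part matches the network, the 'destination'
    part matches the subnet mask. IGPs read the two parts differently
    (route source and network), so this does NOT model RIP's behaviour."""
    if not standard_acl_matches(route, address, wildcard):
        return False
    mask = int(ipaddress.ip_network(route).netmask)
    want = int(ipaddress.ip_address(mask_addr))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(mask_wild))
    return (mask & care) == (want & care)


def filter_routes(routes, predicate):
    """Return the routes the filter permits, in received order."""
    return [r for r in routes if predicate(r)]


if __name__ == "__main__":
    cases = {
        "access-list 1 permit 192.0.0.0 31.255.255.0 (standard)":
            lambda r: standard_acl_matches(r, "192.0.0.0", "31.255.255.0"),
        "ip prefix-list 1 permit 192.0.0.0/3 ge 24 le 24":
            lambda r: prefix_list_matches(r, "192.0.0.0/3", ge=24, le=24),
        "ip prefix-list permit 0.0.0.0/1 ge 8 le 16":
            lambda r: prefix_list_matches(r, "0.0.0.0/1", ge=8, le=16),
        "access-list 100 permit 192.0.0.0 31.255.255.255 host 255.255.255.0 (BGP)":
            lambda r: extended_acl_matches_bgp(
                r, "192.0.0.0", "31.255.255.255", "255.255.255.0", "0.0.0.0"),
    }
    for label, pred in cases.items():
        print(label)
        for route in filter_routes(RIP_ROUTES, pred):
            print("   ", route)
```

The standard-ACL case reproduces the six routes Hasse saw with `access-list 1`, and the prefix-list case the four /24s he saw with `ip prefix-list 1`; only the latter two filters can express "exactly /24".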

On 6/24/12, Hasse <eriksson.hans_at_gmail.com> wrote:
> Thanks all,
>
> John, I am just playing with prefix-lists and access-lists. I was inspired
> by some WB I am doing.
> I did find this exercise in Narbik's free workbook (Soup to Nuts); it's
> available via Micronics Training.
> I was weak on prefix-lists before but not now :)
>
> Then I did extend these exercises and was thinking, how far can an ACL
> or extended ACL take me?
> Can I solve this with a one-liner ACL, standard or extended? Pushing the
> limits. I was playing around.
>
> Daniel and Sarad thanks.
>
> Topology
>
> R1---------------R2
>
> Router 2 receives the following from R1 via RIP. I have filtered those routes
> with different prefix-lists:
>
> Ex: only permit A networks that are not subnetted.
> ip prefix-list 1 permit 0.0.0.0/1 ge 8 le 8
>
> Ex: only permit B networks that are not subnetted.
> ip prefix-list 1 permit 128.0.0.0/2 ge 16 le 16
>
> Ex: only permit C networks that are not subnetted.
> ip prefix-list 1 permit 192.0.0.0/3 ge 24 le 24
>
> Ex: only permit A networks that are or are not subnetted.
> ip prefix-list 1 permit 0.0.0.0/1 ge 8 le 16
>
> etc..
>
> All routes received from R1 via RIP:
>
> R2# show ip rou rip
> R 1.0.0.0/8 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 2.0.0.0/8 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 3.0.0.0/8 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 223.1.1.0/24 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> 4.0.0.0/16 is subnetted, 1 subnets
> R 4.4.0.0 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 191.1.0.0/16 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> 5.0.0.0/24 is subnetted, 1 subnets
> R 5.5.5.0 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 200.1.1.0/24 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> 6.0.0.0/26 is subnetted, 1 subnets
> R 6.6.6.0 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 128.1.0.0/16 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 125.0.0.0/8 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 131.1.0.0/16 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> 193.1.1.0/25 is subnetted, 1 subnets
> R 193.1.1.0 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> 132.1.0.0/24 is subnetted, 1 subnets
> R 132.1.1.0 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 192.1.1.0/24 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> 133.1.0.0/25 is subnetted, 1 subnets
> R 133.1.1.0 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> R 195.1.1.0/24 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
> 194.1.1.0/26 is subnetted, 1 subnets
> R 194.1.1.0 [120/1] via 10.1.12.1, 00:00:10, FastEthernet0/0
>
> //Thanks.
>
>
> 2012/6/24 john matijevic <john.matijevic_at_gmail.com>:
>> Good Afternoon,
>>
>> "Can I do this with an acl or extended cal, I have a Brain Freeze
>> Thanks."
>>
>> What is this?
>>
>> Very vague, can you please be more specific and describe exactly the
>> issue or problem that you are trying to solve?
>>
>> Please post network diagram and configurations.
>>
>>
>> Regards,
>> John
>>
>>
>> On 6/24/12, Sarad <tosara_at_gmail.com> wrote:
>>> Hi Hasse,
>>>
>>> We can use an extended access-list in BGP to replace a prefix-list, but
>>> in IGP it appears differently, as an extended access-list represents the
>>> route source and subnet (not subnet and subnet mask).
>>>
>>> Have a look at this
>>> http://blog.internetworkexpert.com/2008/01/04/using-extended-access-lists-in-a-distribute-list/
>>>
>>> Cheers
>>> Sara
>>>
>>>
>>>
>>> On Sun, Jun 24, 2012 at 11:12 PM, <daniel.dib_at_reaper.nu> wrote:
>>>
>>>> Hi Hasse,
>>>>
>>>> You are trying to match every class C address with a /24 mask, right? This
>>>> is not possible with a standard ACL. If you used an extended ACL you could
>>>> match the mask like this.
>>>>
>>>> access-list 100 permit 192.0.0.0 31.255.255.255 host 255.255.255.0
>>>>
>>>> However I think this is only supported in BGP.
>>>>
>>>> /Daniel
>>>>
>>>>
>>>> On Sun, 24 Jun 2012 14:02:01 +0200, Hasse wrote:
>>>>
>>>>> Can I do this with an ACL or extended ACL? I have a brain freeze.
>>>>> Thanks.
>>>>>
>>>>> R2#show run | sec rip
>>>>> router rip
>>>>> version 2
>>>>> network 10.0.0.0
>>>>> distribute-list prefix 1 in FastEthernet0/0
>>>>> no auto-summary
>>>>>
>>>>> R2#show run | sec prefix-list
>>>>> ip prefix-list 1 seq 5 permit 192.0.0.0/3 ge 24 le 24
>>>>>
>>>>> R2#show ip route rip
>>>>> R 223.1.1.0/24 [120/1] via 10.1.12.1, 00:00:19, FastEthernet0/0
>>>>> R 200.1.1.0/24 [120/1] via 10.1.12.1, 00:00:19, FastEthernet0/0
>>>>> R 192.1.1.0/24 [120/1] via 10.1.12.1, 00:00:19, FastEthernet0/0
>>>>> R 195.1.1.0/24 [120/1] via 10.1.12.1, 00:00:19, FastEthernet0/0
>>>>>
>>>>> if I am using a standard ACL
>>>>>
>>>>>
>>>>> Standard ACL
>>>>> R2#show run | sec rip
>>>>> router rip
>>>>> version 2
>>>>> network 10.0.0.0
>>>>> distribute-list 1 in FastEthernet0/0
>>>>> no auto-summary
>>>>>
>>>>> R2#show run | sec access-list
>>>>> access-list 1 permit 192.0.0.0 31.255.255.0
>>>>>
>>>>> R2#show ip ro rip
>>>>> R 223.1.1.0/24 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
>>>>> R 200.1.1.0/24 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
>>>>> 193.1.1.0/25 is subnetted, 1 subnets
>>>>> R 193.1.1.0 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
>>>>> R 192.1.1.0/24 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
>>>>> R 195.1.1.0/24 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
>>>>> 194.1.1.0/26 is subnetted, 1 subnets
>>>>> R 194.1.1.0 [120/1] via 10.1.12.1, 00:00:07, FastEthernet0/0
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>

Received on Sun Jun 24 2012 - 19:47:21 ART

This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART