From: David Prall (dcp@dcptech.com)
Date: Fri Aug 15 2008 - 14:07:17 ART
Igor,
My 10.0.0.0 0.255.0.0 255.255.0.0 0.0.0.0 will only allow networks
10.[0-255].0.0 255.255.0.0
Your 10.0.0.0 0.255.255.255 255.255.0.0 0.0.0.0 will do the same, but if the
subnet mask was different you would allow more.
David
--
http://dcp.dcptech.com

> -----Original Message-----
> From: Igor Manassypov [mailto:imanassypov@rogers.com]
> Sent: Friday, August 15, 2008 11:25 AM
> To: David Prall; 'Igor Manassypov'; 'Fahad Khan'
> Cc: 'Hobbs'; ccielab@groupstudy.com
> Subject: RE: rule for prefix-access list conversion
>
> I think I got that now,
> in your case by
>
> permit ip 10.0.0.0 0.255.0.0 255.255.0.0 0.0.0.0
>
> I think you actually meant permit 10.0.0.0 0.255.255.255 255.255.0.0 0.0.0.0
>
> or, equivalently,
>
> permit ip host 10.0.0.0 host 255.255.0.0
>
> -cool!
>
> David Prall <dcp@dcptech.com> wrote:
>
> The destination is not a destination in this case, it is the subnet mask of
> the routes. In my case here I am redistributing static routes, but I am only
> redistributing the default route 0.0.0.0 0.0.0.0, I also have a bogon route
> of 0.0.0.0 255.0.0.0 which does not get redistributed.
>
> As an example, I am using the 10/8 network internally. I am using OSPF as my
> IGP. I have broken my network up into 3 distinct zones which are using eBGP
> for interzone routing. I only want to send 10/16 routes to my BGP neighbors.
>
> Off the top of my head:
> ip access-list extended OSPF2BGP
> permit ip 10.0.0.0 0.255.0.0 255.255.0.0 0.0.0.0
> route-map OSPF2BGP permit 10
> match ip address OSPF2BGP
> router bgp 65000
> redistribute ospf 1 route-map OSPF2BGP
>
> David
>
> --
> http://dcp.dcptech.com
>
> > -----Original Message-----
> > From: Igor Manassypov [mailto:imanassypov@rogers.com]
> > Sent: Friday, August 15, 2008 9:52 AM
> > To: David Prall; 'Fahad Khan'
> > Cc: 'Hobbs'; 'Igor Manassypov'; ccielab@groupstudy.com
> > Subject: RE: rule for prefix-access list conversion
> >
> > Let's say I do match on the host portion of the prefix with my
> > extended list - what would be the destination?
> >
> > David Prall wrote:
> >
> > Nope, can be used in just about every protocol I've tried. First time I saw
> > this was in the OSPF configuration guide.
> >
> > router eigrp 1
> > redistribute static route-map default-only
> > ip access-list extended default-only
> > permit ip host 0.0.0.0 host 0.0.0.0
> > route-map default-only permit 10
> > match ip address default-only
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> > > -----Original Message-----
> > > From: Fahad Khan [mailto:fahad.khan@gmail.com]
> > > Sent: Friday, August 15, 2008 3:38 AM
> > > To: David Prall
> > > Cc: Hobbs; Igor Manassypov; ccielab@groupstudy.com
> > > Subject: Re: rule for prefix-access list conversion
> > >
> > > Please confirm that this kind of ACL can only be used in BGP?
> > >
> > > Thanks,
> > >
> > > On 8/15/08, David Prall wrote:
> > >
> > > If this is for an access-list in a route-map for redistribution you can use
> > > an extended ACL. The first portion is the network and the second portion is
> > > the subnet mask.
> > >
> > > If my quick memory is right:
> > > access-list 100 permit ip 192.168.0.0 0.0.255.64 255.255.0.0 0.0.255.64
> > >
> > > David
> > >
> > > --
> > > http://dcp.dcptech.com
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > Behalf Of Hobbs
> > > > Sent: Thursday, August 14, 2008 9:28 PM
> > > > To: Igor Manassypov
> > > > Cc: ccielab@groupstudy.com
> > > > Subject: Re: rule for prefix-access list conversion
> > > >
> > > > Hi Igor,
> > > >
> > > > Well I don't think you can do it, but I could be wrong. Some easy
> > > > prefix-length only matches can be converted but not complex ge or le
> > > > matches. Here is my attempt and maybe someone can point out
> > > > if I am path...
> > > >
> > > > Suppose you had the requirement:
> > > >
> > > > Only allow 192.168.0.0 routes with subnet less than /26
> > > >
> > > > Our prefix-list would be easy:
> > > > ip prefix-list ALLOW permit 192.168.0.0/16 le 26
> > > >
> > > > Our ACL would be harder to find, but we know our first 16
> > > > bits: 192.168.
> > > >
> > > > So our acl looks like this for now:
> > > >
> > > > access-list 1 permit 192.168.x.x 0.0.x.x
> > > >
> > > > We don't care what the third bit is either so we could now go:
> > > >
> > > > access-list 1 permit 192.168.0.x 0.0.255.x
> > > >
> > > > That leaves the last bits of the network and mask. We can break out the
> > > > networks of the 4th octet in binary:
> > > >
> > > > xxxx xxxx
> > > >
> > > > /24 = 0000 0000
> > > >
> > > > /25 = 0000 0000
> > > >       1000 0000
> > > >
> > > > /26 = 0000 0000
> > > >       0100 0000
> > > >       1000 0000
> > > >       1100 0000
> > > >
> > > > /27 = 0000 0000
> > > >       0010 0000
> > > >       0100 0000
> > > >       0110 0000
> > > >       1000 0000
> > > >       1010 0000
> > > >       1100 0000
> > > >       1110 0000
> > > >
> > > > We can already see where this is headed. Our first two bits are "don't care"
> > > > and our last 6 must be 0 in order to be considered less than /26.
> > > >
> > > > so we could have this:
> > > >
> > > > access-list 1 permit 192.168.0.0 0.0.255.128
> > > >
> > > > However this would present a problem for networks such as
> > > > 192.168.11.0/28 because the network has all 0's and for all the router
> > > > knows could be a /24, /25 or /26 with all 0's.
> > > >
> > > > So we need to deny all of these:
> > > >
> > > > 192.168.0.0/27,/28,/29,/30
> > > > 192.168.1.0/27,/28,/29,/30
> > > > 192.168.2.0/27,/28,/29,/30
> > > >
> > > > Don't know a way of doing it without too many entries...and if we were to
> > > > deny these first we would deny their /24,/25,/26 counterparts...
> > > >
> > > > maybe that's why prefix-lists were invented...
> > > >
> > > > On Thu, Aug 14, 2008 at 8:38 AM, Igor Manassypov wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > What is the rule for converting between 'prefix-list' and 'access-list'?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > Igor M., M.Eng, P.Eng
> > > > > Network Architect
> > > > >
> > > > > Blogs and organic groups at http://www.ccie.net
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > FAHAD KHAN
> > > BE Computer Systems NED,
> > > CCNA,CCDA,CCNP,FOUNDFE,CLSE,QOS,JNCIA,JNCIS,MCP,CCIE (Written)
> > > Systems Support Engineer, Premier Systems (Pvt) limited,
> > > Karachi, Pakistan
> > > 92-321-2370510.
> >
> > Igor M., M.Eng, P.Eng
> > Network Architect
>
> Igor M., M.Eng, P.Eng
> Network Architect
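The whole thread turns on one behaviour: when an extended ACL is referenced by `match ip address` in a redistribution route-map, its "source" half is compared with the route's network and its "destination" half with the route's subnet mask, each through a wildcard. The Python below is an added example (not IOS, and not code any of the posters wrote) that models that comparison so the thread's entries can be checked side by side: David's `default-only` and `OSPF2BGP` lists, Igor's `0.255.255.255` variant, and Hobbs's `192.168.0.0/16 le 26` prefix-list. The first-match/implicit-deny evaluation, the `route()` helper, the two "loosened mask" lists, the two-line extended ACL standing in for Hobbs's prefix-list and the `SAMPLE_ROUTES` set are all my own constructions, chosen to illustrate the thread's claims rather than taken from it.

```python
"""Model of route-map `match ip address` during redistribution, following the
behaviour this thread describes: an extended ACL's "source" is matched against
the route's network and its "destination" against the route's subnet mask.
Added example code; the constants marked 'constructed' are not from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


def route(text: str) -> IPv4Network:
    """Parse '192.168.11.0/28' (host bits allowed, they are masked off)."""
    return ipaddress.ip_network(text, strict=False)


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(value) & care) == (_as_int(base) & care)


@dataclass
class AclEntry:
    """One line of `ip access-list extended`: permit|deny ip <net> <wc> <mask> <wc>."""
    action: str
    net: str       # "source" field: compared with the route's network address
    net_wc: str
    mask: str      # "destination" field: compared with the route's subnet mask
    mask_wc: str

    def matches(self, r: IPv4Network) -> bool:
        return (wildcard_match(str(r.network_address), self.net, self.net_wc)
                and wildcard_match(str(r.netmask), self.mask, self.mask_wc))


@dataclass
class PrefixEntry:
    """One line of `ip prefix-list`: permit|deny <prefix> [ge N] [le M]."""
    action: str
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, r: IPv4Network) -> bool:
        p = ipaddress.ip_network(self.prefix)
        if not p.supernet_of(r):          # the first <prefixlen> bits must agree
            return False
        lo = self.ge if self.ge is not None else p.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else p.prefixlen)
        return lo <= r.prefixlen <= hi


def permits(entries, r: IPv4Network) -> bool:
    """First matching entry wins; both list types end in an implicit deny."""
    for e in entries:
        if e.matches(r):
            return e.action == "permit"
    return False


def disagreements(a, b, routes: List[str]) -> List[Tuple[str, bool, bool]]:
    """Routes on which two filters disagree; empty means equivalent on that sample."""
    out = []
    for text in routes:
        r = route(text)
        va, vb = permits(a, r), permits(b, r)
        if va != vb:
            out.append((str(r), va, vb))
    return out


# Entries quoted in the thread.
DEFAULT_ONLY = [AclEntry("permit", "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0")]
DAVID_OSPF2BGP = [AclEntry("permit", "10.0.0.0", "0.255.0.0", "255.255.0.0", "0.0.0.0")]
IGOR_VARIANT = [AclEntry("permit", "10.0.0.0", "0.255.255.255", "255.255.0.0", "0.0.0.0")]
HOBBS_PREFIX_LIST = [PrefixEntry("permit", "192.168.0.0/16", le=26)]

# Constructed: the same two 10/8 entries with the mask wildcard loosened to
# 0.0.255.0 (/16../24), to show why the 0.255.255.255 form admits more routes
# once the subnet mask is allowed to vary.
DAVID_LOOSE_MASK = [AclEntry("permit", "10.0.0.0", "0.255.0.0", "255.255.0.0", "0.0.255.0")]
IGOR_LOOSE_MASK = [AclEntry("permit", "10.0.0.0", "0.255.255.255", "255.255.0.0", "0.0.255.0")]

# Constructed: Hobbs's "le 26" expressed against the mask instead of the network.
# Subnet masks are contiguous, so a wildcard on the mask only ever meets valid
# mask values: line 1 covers /16../24, line 2 covers /24../26, /27+ hits the deny.
HOBBS_AS_EXTENDED_ACL = [
    AclEntry("permit", "192.168.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.0"),
    AclEntry("permit", "192.168.0.0", "0.0.255.255", "255.255.255.0", "0.0.0.192"),
]

# Constructed sample routing table.
SAMPLE_ROUTES = (["0.0.0.0/0", "0.0.0.0/8", "10.0.0.0/8", "10.5.0.0/16", "10.5.1.0/24",
                  "172.16.0.0/12", "192.169.0.0/16"]
                 + [f"192.168.11.0/{n}" for n in range(16, 31)])

if __name__ == "__main__":
    for name, acl in [("default-only", DEFAULT_ONLY), ("OSPF2BGP", DAVID_OSPF2BGP)]:
        print(name, [t for t in SAMPLE_ROUTES if permits(acl, route(t))])
    print("prefix-list vs 2-line ACL:", disagreements(HOBBS_PREFIX_LIST, HOBBS_AS_EXTENDED_ACL, SAMPLE_ROUTES))
    print("0.255.0.0 vs 0.255.255.255, mask free:", disagreements(DAVID_LOOSE_MASK, IGOR_LOOSE_MASK, SAMPLE_ROUTES))
```

Running it shows the three points made in the thread: `default-only` passes 0.0.0.0/0 but not the 0.0.0.0/8 bogon; the `0.255.0.0` and `0.255.255.255` forms agree while the mask wildcard is `0.0.0.0` and diverge on 10.5.1.0/24 as soon as it is not; and a prefix-length range that a standard ACL cannot express becomes two lines once the mask itself is matched.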
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART