---------- Forwarded message ----------
From: Donny mateo Tandase
To: Lee Donald, "'mathew'", ccielab@groupstudy.com
Date: Wed, 21 Sep 2005 20:42:38 -0700 (PDT)
Subject: RE: Prefix-list function using Extended ACL. How to do that?

Depends on the goal really.

The standard access-list will work functionally (permit 10.0.0.0 0.0.0.0 or, never tried this but it should be ok, permit host 10.0.0.0).

The extended access-list will also work and would be "grammatically" more accurate:

  ip access-list extended bla
   permit 10.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

The first pair (source IP for a normal ACL) determines the subnet ID and its wildcard, while the second pair (destination IP for a normal ACL) determines the subnet mask ID and its wildcard.

Cheers,
Donny

Lee Donald wrote:

  Mat,

  You don't need an extended access-list for that.

    Access-list 1 permit 10.0.0.0 0.255.255.255

  Regards
  Lee.

----

Subject: Using offset list to offset even or odd routes

To filter out even routes I would perform the below command:

  router rip
   offset-list 10 out 16 Serial0/0

  access-list 10 permit 0.0.0.0 255.255.254.255

To filter out the odd routes I attempted the below command. The problem is it is not just filtering out the odd routes; it seems to be filtering out some odd and some even routes. Can someone tell me how I would filter out odd routes in the third octet?

  router rip
   offset-list 10 out 16 Serial0/0

  access-list 10 permit 0.0.0.0 255.255.253.255

---------- Forwarded message ----------
From: "Cisco Nuts"
To: mikenoc@mindspring.com, ccielab@groupstudy.com
Date: Sun, 13 Nov 2005 00:21:28 +0000
Subject: RE: Using offset list to offset even or odd routes

Mike,

It should be 0.0.1.0 255.255.254.255

Write this down in 1's and 0's for the 3rd octet and you will see how this works for odd routes.

For even - always a 0
For odd - always a 1

---

---------- Forwarded message ----------
From: "Brian Dennis"
To: "nenad pudar"
Date: Fri, 25 Nov 2005 17:18:34 -0500
Subject: RE: Reflexive ACL - IE LAB2 Q10.8-10

The problem is that you are testing it from the router with the reflexive ACL applied. Since by default, traffic sourced by the router is not affected by an outbound ACL, the traffic does not get reflected. Test this configuration from a router behind R6.

If you want to be able to ping and telnet from R6, you can statically permit the returning traffic in the inbound ACL or policy route the traffic out a loopback. By policy routing the traffic out a loopback it will be "reflected" when it exits the router on your serial interface.

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

________________________________
From: nenad pudar [mailto:nenad.pudar@gmail.com]
Sent: Friday, November 25, 2005 12:09 PM
To: Brian Dennis
Cc: Cham; ccielab@groupstudy.com
Subject: Re: Reflexive ACL - IE LAB2 Q10.8-10

It is not clear to me what the lab requirements are; below I created one example in which only the traceroute is allowed. In addition we should not break existing applications (bgp & ospf).

  interface Serial0/0
   description to to r1 0/1
   ip address 172.16.66.5 255.255.255.252
   ip access-group INBOUND in
   ip access-group OUTBOUND out
   ip nat outside
   encapsulation ppp
   ip ospf hello-interval 20
   ip ospf retransmit-interval 10
   ppp authentication chap PPP
   ppp chap hostname r6
  end

  RTF-R6#sh ip access-lists OUTBOUND
  Extended IP access list OUTBOUND
      permit tcp any any reflect TCP&UDP-TRAFFIC
      permit udp any any reflect TCP&UDP-TRAFFIC
  RTF-R6#sh ip access-lists INBOUND
  Extended IP access list INBOUND
      permit tcp any any eq bgp (62 matches)
      permit ospf any any (29 matches)
      permit icmp any any port-unreachable (4 matches)
      permit icmp any any time-exceeded
      evaluate TCP&UDP-TRAFFIC

  RTF-R6#telnet 172.16.66.6
  Trying 172.16.66.6 ...
  % Connection timed out; remote host not responding

  RTF-R6#ping 172.16.66.6
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 172.16.66.6, timeout is 2 seconds:
  .....
  Success rate is 0 percent (0/5)

  RTF-R6#tr 172.16.66.6
  Type escape sequence to abort.
  Tracing the route to 172.16.66.6
    1 172.16.66.6 16 msec * 16 msec

----

---------- Forwarded message ----------
From: hulbertj@comcast.net
To: "Vincent Mashburn", "Bryant, Paul M", "rosy bird"
Date: Fri, 02 Dec 2005 15:11:27 +0000
Subject: RE: Basic Dilemma....Access-list or Prefix-List

IOS does assign a sequence number to standard and extended access-lists. This allows us to remove or add another line anywhere in the ACL.

  Rack1R1#sho access-lists
  Rack1R1#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Rack1R1(config)#access-list 1 permit 1.1.1.0 0.0.0.255
  Rack1R1(config)#access-list 1 deny 2.2.2.0 0.0.0.255
  Rack1R1(config)#access-list 1 permit 3.3.3.0 0.0.0.255
  Rack1R1(config)#access-list 1 deny 4.4.4.0 0.0.0.255
  Rack1R1(config)#do sho access-lists 1
  Standard IP access list 1
      10 permit 1.1.1.0, wildcard bits 0.0.0.255
      20 deny 2.2.2.0, wildcard bits 0.0.0.255
      30 permit 3.3.3.0, wildcard bits 0.0.0.255
      40 deny 4.4.4.0, wildcard bits 0.0.0.255
  Rack1R1(config)#
  Rack1R1(config)#ip access-list standard 1
  Rack1R1(config-std-nacl)#no 30
  Rack1R1(config-std-nacl)#15 permit 15.15.15.0 0.0.0.255
  Rack1R1(config-std-nacl)#do sho access-list 1
  Standard IP access list 1
      10 permit 1.1.1.0, wildcard bits 0.0.0.255
      15 permit 15.15.15.0, wildcard bits 0.0.0.255
      20 deny 2.2.2.0, wildcard bits 0.0.0.255
      40 deny 4.4.4.0, wildcard bits 0.0.0.255
  Rack1R1(config-std-nacl)#

-----

Silvio,

Prefix-lists are used to match on prefix and prefix-length pairs. Normal prefix-list syntax is as follows:

  ip prefix-list LIST permit w.x.y.z/len

Where w.x.y.z is your exact prefix, and where len is your exact prefix-length.

"ip prefix-list LIST permit 1.2.3.0/24" would be an exact match for the prefix 1.2.3.0 with a subnet mask of 255.255.255.0. This does not match 1.2.0.0/24, nor does it match 1.2.3.4/32, nor anything in between.

When you add the keywords "GE" and "LE" to the prefix-list, the "len" value changes its meaning. When using GE and LE, the len value specifies how many bits of the prefix you are checking, starting with the most significant bit.

  ip prefix-list LIST permit 1.2.3.0/24 le 32

This means: check the first 24 bits of the prefix 1.2.3.0; the subnet mask must be less than or equal to 32. This equates to the access-list syntax:

  access-list 1 permit host 1.2.3.0

  ip prefix-list LIST permit 0.0.0.0/0 le 32

This means: check the first 0 bits of the prefix 0.0.0.0; the subnet mask must be less than or equal to 32. This equates to anything.

  ip prefix-list LIST permit 0.0.0.0/0

This means: the exact prefix 0.0.0.0, with the exact prefix-length 0. This is matching a default route.

  ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29

This means: check the first 8 bits of the prefix 10.0.0.0; the subnet mask must be greater than or equal to 21, and less than or equal to 29.

  ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8

This matches all class A addresses with classful masks. It means: check the first bit of the prefix, it must be a 0; the subnet mask must be greater than or equal to 8, and less than or equal to 8 (it is exactly 8).

When using the GE and LE values, you must satisfy the condition:

  Len < GE <= LE

Therefore:

  ip prefix-list LIST permit 1.2.3.0/24 ge 8

is not a valid list.

What you can not do with the prefix-list is match on arbitrary bits like you can in an access-list. Prefix-lists cannot be used to check if a number is even or odd, nor check if a number is divisible by 15, etc... Bit checking in a prefix-list is sequential, starting with the most significant (leftmost) bit.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@xxxxxxxxxxxxxxxxxxxxxx

----

IMHO, while mathematically the XOR works perfectly fine, it's generally a way to make things appear much more complicated than they really are (or at least have to be).

0 in mask means the bit must stay the same.
1 in mask means you don't care about the value (e.g. there are some things you're trying to match where it's a 1 and some where it's a 0).

Looking at your columns there, the only entries where you have variance are in the 3rd column (32-bit position) and the 6th column (4-bit position). So if you stick 1's in your mask (for "don't care") then you'll have a mask of 36.

An additional check you can do is to look at the number of "1" values in your mask and take 2^x (where x = # of 1's). That will tell you how many matches your mask will make. So in this case, the 1 in the 32-bit and the 1 in the 4-bit positions make two "1" bits in the mask. 2^2 = 4. There are 4 things you're trying to match anyway, so it's all cool.

Remember, no more, no less. If you find a fancy mask that lets in the stuff you're looking for plus 16,000 of its closest friends, why not save yourself the headache and do "permit ip any any"? :)

---
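The two matching models the thread keeps returning to, wildcard masks (the offset-list odd/even question and the XOR mask discussion) and prefix-list len/ge/le rules (Brian McGahan's reply), as an added Python example that is not from any of the posters. The four addresses fed to derive_wildcard and the routes used in the demo are constructed; the 32-bit/4-bit variance is borrowed from the last message, whose actual address columns are not on the page.

```python
import ipaddress


def _i(addr):
    return int(ipaddress.IPv4Address(addr))


def _s(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the corresponding bit of base."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(addr) & care) == (_i(base) & care)


def derive_wildcard(addrs):
    """The XOR method from the thread: OR together every bit that differs between
    the first address and each other address; those bits become 1s ('don't care').
    Returns (base, wildcard, match_count) where match_count = 2 ** (number of 1 bits),
    the 'no more, no less' sanity check from the last message."""
    ints = [_i(a) for a in addrs]
    varying = 0
    for x in ints[1:]:
        varying |= ints[0] ^ x
    base = ints[0] & ~varying & 0xFFFFFFFF
    return _s(base), _s(varying), 2 ** bin(varying).count("1")


def prefix_list_match(route, prefix, length, ge=None, le=None):
    """IOS prefix-list semantics: the first `length` bits of the route must equal
    the entry's prefix, and the route's mask length must fall in the ge/le range
    (exactly `length` with neither keyword, up to 32 when only ge is given).
    Enforces the page's rule len < ge <= le when ge is present."""
    lo = ge if ge is not None else length
    hi = le if le is not None else (32 if ge is not None else length)
    if ge is not None and not (length < ge <= hi):
        raise ValueError("prefix-list requires len < ge <= le")
    net = ipaddress.IPv4Network(route)
    check = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF  # leading `length` bits
    if (int(net.network_address) & check) != (_i(prefix) & check):
        return False
    return lo <= net.prefixlen <= hi


if __name__ == "__main__":
    # constructed routes: 0.0.1.0 255.255.254.255 keys on bit 0 of the 3rd octet (odd)
    for r in ("10.1.3.0", "10.1.4.0"):
        print(r, wildcard_match(r, "0.0.1.0", "255.255.254.255"))
    print(prefix_list_match("10.0.0.0/8", "0.0.0.0", 1, ge=8, le=8))  # CLASS_A entry
```

Running the poster's original 0.0.0.0 255.255.253.255 through wildcard_match shows why it leaked a mix of routes: it keys on bit 1 of the third octet, so 1 and 4 pass while 2 and 3 are blocked.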