Thursday, February 14, 2008

Using Extended ACLs with IGPs


Extended ACLs work with IGP protocols, but you cannot match on the subnet mask portion of the route. When used with an IGP, an extended ACL matches the network portion of the route (the destination field of the entry) and the IP address of the router that sent the route (the source field of the entry). Here is an example of its usage:

Notice that R1 is receiving the 172.16.0.0/16 network from both R2 (10.0.0.2) and R3 (10.0.0.3). We will use ACL 100 with an inbound distribute-list so that R1 only accepts the 172.16.0.0/16 route advertised by R2.

Rack2R1#show ip route rip
R 172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
[120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
[120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
Rack2R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
Rack2R1(config)#access-list 100 per ip any any
Rack2R1(config)#router rip
Rack2R1(config-router)#distribute-list 100 in e0/0
Rack2R1(config-router)#^Z
Rack2R1#
Rack2R1#clear ip route *
Rack2R1#show ip route rip
R 172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
[120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
Rack2R1#

More examples:

This would permit any 10.X.X.X/X network from 1.1.1.1 (e.g. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc.):

access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255

This would permit any 10.1.X.X/X network from 1.1.1.1 (e.g. 10.1.1.0/24, 10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc.):

access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255

This would permit any 10.1.1.X/X network from 1.1.1.1 (e.g. 10.1.1.0/24, 10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc.):

access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255

You can also use a wildcard mask on the source (the advertising router):

This would permit any 10.X.X.X/X network from any router in 1.1.1.X (e.g. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc.):

access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
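To make the matching rules from the R1 session and the wildcard examples above concrete, here is an added Python model (not from the original post) of how an inbound distribute-list evaluates routes against an extended ACL: the source field is compared with the advertising router, the destination field with the network portion of the prefix only, using Cisco wildcard semantics, first match wins, and an unmatched route hits the implicit deny. The route list and ACL lines are constructed from the session above.

```python
import ipaddress
from typing import List, Tuple

# Constructed routing updates modelled on the page's RIP example:
# (advertising neighbour, prefix as received by R1).
ROUTES = [
    ("10.0.0.3", "172.16.0.0/16"),
    ("10.0.0.2", "172.16.0.0/16"),
    ("10.0.0.2", "192.168.0.0/24"),
    ("10.0.0.3", "192.168.0.0/24"),
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr_spec(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one 'any' | 'host A' | 'A WILDCARD' address specification."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_entry(line: str) -> Tuple[str, str, str, str, str]:
    """'access-list 100 deny ip host 10.0.0.3 host 172.16.0.0' -> (action, src, swc, dst, dwc)."""
    tokens = line.split()
    action = "permit" if tokens[2].startswith("per") else "deny"  # IOS accepts 'per'
    src, swc, i = _addr_spec(tokens, 4)   # tokens[3] is the protocol keyword 'ip'
    dst, dwc, _ = _addr_spec(tokens, i)
    return action, src, swc, dst, dwc

def apply_distribute_list(acl: List[str], routes) -> List[Tuple[str, str]]:
    """Routes an inbound distribute-list using this ACL accepts (implicit deny at the end)."""
    entries = [parse_entry(line) for line in acl]
    accepted = []
    for neighbor, prefix in routes:
        network = prefix.split("/")[0]    # only the network portion is matched, never the mask
        for action, src, swc, dst, dwc in entries:
            if wildcard_match(neighbor, src, swc) and wildcard_match(network, dst, dwc):
                if action == "permit":
                    accepted.append((neighbor, prefix))
                break                     # first matching entry wins
    return accepted
```

Because the mask is never consulted, the `deny ... host 172.16.0.0` entry also drops a 172.16.0.0/24 from R3, which is the limitation the first paragraph describes.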
