Jan 08

Extended ACLs work with IGP protocols, but you cannot match on the subnet mask portion of the route.  When used with IGP protocols, an extended ACL matches the network portion of the route (the destination field) and the IP address of the router that sent the route (the source field).  Here is an example of its usage:

Notice that R1 is receiving the 172.16.0.0/16 network from R2 (10.0.0.2) and R3 (10.0.0.3).  We will use ACL 100 and a distribute-list inbound so that R1 only uses the 172.16.0.0/16 route that is being advertised by R2.

Rack2R1#show ip route rip
R    172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
                   [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
                    [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
Rack2R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
Rack2R1(config)#access-list 100 per ip any any
Rack2R1(config)#router rip
Rack2R1(config-router)#distribute-list 100 in e0/0

Rack2R1(config-router)#^Z
Rack2R1#
Rack2R1#clear ip route *
Rack2R1#show ip route rip
R    172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
                    [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
Rack2R1#

More examples:

This would permit any 10.X.X.X/X network from 1.1.1.1 (e.g. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc.):

access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255

This would permit any 10.1.X.X/X network from 1.1.1.1 (e.g. 10.1.1.0/24, 10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc.):

access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255

This would permit any 10.1.1.X/X network from 1.1.1.1 (e.g. 10.1.1.0/24, 10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc.):

access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255

You can also use the wildcard mask on the host (the advertising router):

This would permit any 10.X.X.X/X network from 1.1.1.X (e.g. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc.):

access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
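To make the matching rule concrete, here is an added Python model (not IOS code and not from the original post) of how an extended ACL is evaluated as an IGP distribute-list: the source field is checked against the advertising router, the destination field against the route's network bits, and the prefix length is never consulted. It reuses ACL 100 from the session above plus one constructed ACL to show that /24 and /30 routes for the same network are treated identically.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(tokens, i):
    """Consume one address spec (host A | any | A WILDCARD); return (base, wildcard, next index)."""
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip <src> <dst>' (IOS keyword abbreviations accepted)."""
    t = line.split()
    action = "permit" if "permit".startswith(t[2]) else "deny"
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, _ = _parse_addr(t, i)
    return action, src, src_wc, dst, dst_wc

def evaluate_acl(acl_lines, route_prefix: str, advertising_router: str) -> str:
    """First-match evaluation of an extended ACL applied as an IGP distribute-list.
    Source field = neighbor that sent the route, destination field = the route's network
    address. The prefix length is never consulted (the limitation the post describes).
    Every ACL ends with an implicit deny."""
    network = str(ipaddress.IPv4Network(route_prefix, strict=False).network_address)
    for action, src, src_wc, dst, dst_wc in map(parse_ace, acl_lines):
        if wildcard_match(advertising_router, src, src_wc) and wildcard_match(network, dst, dst_wc):
            return action
    return "deny"

# ACL 100 exactly as entered on R1 in the session above
ACL_100 = [
    "access-list 100 deny ip host 10.0.0.3 host 172.16.0.0",
    "access-list 100 per ip any any",
]
# Constructed ACL for the mask-insensitivity demonstration (assumed, not from the post)
ACL_NET = ["access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255"]

if __name__ == "__main__":
    print(evaluate_acl(ACL_100, "172.16.0.0/16", "10.0.0.3"))  # deny: filtered when sent by R3
    print(evaluate_acl(ACL_100, "172.16.0.0/16", "10.0.0.2"))  # permit: still learned from R2
    print(evaluate_acl(ACL_NET, "10.1.1.0/24", "1.1.1.1"))     # permit
    print(evaluate_acl(ACL_NET, "10.1.1.0/30", "1.1.1.1"))     # permit: same network bits, mask ignored
    print(evaluate_acl(ACL_NET, "10.1.2.0/24", "1.1.1.1"))     # deny (implicit)
```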

About Brian Dennis, CCIE #2210:

Brian Dennis has been in the networking industry for more than 22 years, with a focus on Cisco networking for the past 16 years. Brian achieved his first CCIE in Routing & Switching in 1996, and is currently the only ten year CCIE that holds five CCIE certifications. Prior to working with INE, Brian taught and developed CCIE preparation courses for various well known training organizations. Brian not only brings his years of teaching experience to the classroom, but also years of real world enterprise and service provider experience.


2 Responses to “Using Extended ACLs with IGPs”

 
  1. daghighi says:

    Again thank you for these interesting examples.

    Is this explained somewhere in the Cisco DocCD?

    Thanks,
    Navid

  2. suresh Mishr says:

    Hi Brian

    Well, this example shows how to use an access-list when receiving routes from another router. How about when redistributing from one IGP to another IGP?

    I was reading a Cisco document and it said that we can use the destination to specify the mask and the source to specify the IP address.
