blog
    Using Extended ACLs with ...
    09 January 08

    Using Extended ACLs with IGPs

    Posted byINE
    facebooktwitterlinkedin
    news-featured

    Extended ACLs work with IGP protocols but you can not match on the subnet mask portion of the route.  Extended ACLs are used with IGP protocols to match the network portion of the route and the IP address of the router that sent the route.  Here is an example of its usage:

    Notice that R1 is receiving the 172.16.0.0/16 network from R2 (10.0.0.2) and R3 (10.0.0.3).  We will use ACL 100 and a distribute-list inbound so that R1 only uses the 172.16.0.0/16 route that is being advertised by R2.

    Rack2R1#show ip route rip
    R    172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
    [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
    R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
    [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
    Rack2R1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
    Rack2R1(config)#access-list 100 per ip any any
    Rack2R1(config)#router rip
    Rack2R1(config-router)#distribute-list 100 in e0/0

    Rack2R1(config-router)#^Z
    Rack2R1#
    Rack2R1#clear ip route *
    Rack2R1#show ip route rip
    R    172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
    R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
    [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
    Rack2R1#

    More examples:

    This would permit any 10.X.X.X/X network from 1.1.1.1 (i.e. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)

    access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255

    This would permit any 10.1.X.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24, 10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc)

    access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255

    This would permit any 10.1.1.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24, 10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc)

    access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255

    You can also use the wild card mask on the host:

    This would permit any 10.X.X.X/X network from 1.1.1.X (i.e. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)

    access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255

    Hey! Don’t miss anything - subscribe to our newsletter!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo