Jan
08

Extended ACLs work with IGP protocols but you can not match on the subnet mask portion of the route.  Extended ACLs are used with IGP protocols to match the network portion of the route and the IP address of the router that sent the route.  Here is an example of its usage:

Notice that R1 is receiving the 172.16.0.0/16 network from R2 (10.0.0.2) and R3 (10.0.0.3).  We will use ACL 100 and a distribute-list inbound so that R1 only uses the 172.16.0.0/16 route that is being advertised by R2.

Rack2R1#show ip route rip
R    172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
[120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
[120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
Rack2R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
Rack2R1(config)#access-list 100 per ip any any
Rack2R1(config)#router rip
Rack2R1(config-router)#distribute-list 100 in e0/0

Rack2R1(config-router)#^Z
Rack2R1#
Rack2R1#clear ip route *
Rack2R1#show ip route rip
R    172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
[120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
Rack2R1#

More examples:

This would permit any 10.X.X.X/X network from 1.1.1.1 (i.e. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)

access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255

This would permit any 10.1.X.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24, 10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc)

access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255

This would permit any 10.1.1.X/X network from 1.1.1.1 (i.e. 10.1.1.0/24, 10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc)

access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255

You can also use the wild card mask on the host:

This would permit any 10.X.X.X/X network from 1.1.1.X (i.e. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc)

access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255

Brian Dennis, CCIE #2210
About Brian Dennis, CCIE #2210

Subscribe to INE Blog Updates