ACL problem

Unanswered Question
Apr 28th, 2010
I'm trying to define ACLs for use in policy-based routing.

The problem is I need to specify 2 ACLs:

one that puts traffic from 10.5.0.1 to 10.5.0.6 with destination 172.17.0.0/24 through hop 10.4.0.1,

and another that puts 10.5.0.7 to 10.5.0.12 with destination 172.17.0.0/24 through hop 10.4.0.2.

How do I do this with ACLs? I did:

access-list 101 permit ip 10.5.0.1 0.0.0.7 172.17.0.0 0.0.0.255
access-list 102 permit ip 10.5.0.7 0.0.0.7 172.17.0.0 0.0.0.255

Both result in the ACL:

access-list 102 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255

Any idea how to do this?

Following are the route-maps:

route-map customers permit 1
 match ip address 101
 set ip next-hop 10.4.0.1

route-map customers permit 2
 match ip address 102
 set ip next-hop 10.4.0.2

Thanks in advance!

Ganesh Hariharan Wed, 04/28/2010 - 03:24
Hi,

You want two separate networks to flow with separate next hops? If yes, try with these ACLs and share the results:

access-list 101 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255
access-list 101 permit ip 10.5.0.7 255.255.255.255 172.17.0.0 0.0.0.255
access-list 102 permit ip 10.5.0.8 0.0.0.7 172.17.0.0 0.0.0.255

Also check out the link below on PBR for more information:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

Hope to Help!!

Ganesh.H

Remember to rate the helpful post

StanDamen Wed, 04/28/2010 - 03:54
Hi Ganesh!

It gave me this result:

access-list 101 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255
access-list 101 permit ip any 172.17.0.0 0.0.0.255
access-list 102 permit ip 10.5.0.8 0.0.0.7 172.17.0.0 0.0.0.255

Which is not precisely what I wanted, but at least 10.5.0.8 0.0.0.7 is now shown.

It should start at 10.5.0.7 though.

The second line pretty much negates the other lines, so that needs changing. However, if I remove it (no access-list 101 permit ip any 172.17.0.0 0.0.0.255) it removes the entire access list.

Is there any other way?

Ganesh Hariharan Wed, 04/28/2010 - 03:58
Hi,

If you see my previous post, in the first line hosts 1 to 6 will come, and the second line was for a single host, that is 10.5.0.7, and ACL 102 is for network 10.0.5.8/29.

Ganesh.H

StanDamen Wed, 04/28/2010 - 04:01
Yes, but this:

access-list 101 permit ip 10.5.0.7 255.255.255.255 172.17.0.0 0.0.0.255

gives this in show run:

access-list 101 permit ip any 172.17.0.0 0.0.0.255

Which means access list 102 will never apply to anything, will it? Since "any" covers everything.

Thanks!

Ganesh Hariharan Wed, 04/28/2010 - 04:14
Hi,

It's really strange. Can you try the options below:

1) Try configuring a named extended ACL and type the first network, then a second line with permit ip host 10.5.0.7 172.17.0.0 0.0.0.255

or

2) Try configuring 3 ACLs: one for hosts 1 to 6, one for host 7 and lastly one for 8 to 14

HTH

Ganesh.H
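The wildcard-mask arithmetic behind what the thread observed, as an added Python example that is not from the thread or from Cisco: IOS zeroes every address bit that sits under a set wildcard bit (so 10.5.0.1 0.0.0.7 and 10.5.0.7 0.0.0.7 both become 10.5.0.0 0.0.0.7, and a 255.255.255.255 wildcard displays as any), and a contiguous host range such as 10.5.0.7-10.5.0.12 needs several aligned entries rather than one. The script generalises the "3 ACLs" suggestion above to any range; the function names are my own.

```python
# Added example, not from the thread: the wildcard-mask arithmetic behind the
# behaviour the posters saw, plus exact wildcard coverage of a host range.
from ipaddress import IPv4Address, summarize_address_range

MASK32 = 0xFFFFFFFF


def canonical_ace(addr: str, wildcard: str) -> tuple[str, str]:
    """Store the source the way IOS does: every address bit under a '1' in the
    wildcard is a don't-care, so IOS zeroes it. This is why '10.5.0.1 0.0.0.7'
    and '10.5.0.7 0.0.0.7' are both stored as 10.5.0.0 0.0.0.7."""
    a, w = int(IPv4Address(addr)), int(IPv4Address(wildcard))
    return str(IPv4Address(a & ~w & MASK32)), wildcard


def ace_matches(addr: str, wildcard: str, ip: str) -> bool:
    """A packet matches when all non-wildcarded bits agree."""
    a, w, i = (int(IPv4Address(x)) for x in (addr, wildcard, ip))
    return (a & ~w & MASK32) == (i & ~w & MASK32)


def render_src(addr: str, wildcard: str) -> str:
    """Render the source as 'show run' prints it: wildcard 255.255.255.255
    ignores every bit and shows as 'any' (what the 10.5.0.7 line became);
    wildcard 0.0.0.0 fixes every bit and shows as 'host X'."""
    addr, wildcard = canonical_ace(addr, wildcard)
    if wildcard == "255.255.255.255":
        return "any"
    if wildcard == "0.0.0.0":
        return f"host {addr}"
    return f"{addr} {wildcard}"


def range_to_aces(first: str, last: str) -> list[tuple[str, str]]:
    """Split an inclusive host range into aligned power-of-two blocks, one
    (address, wildcard) entry each, so the entries cover exactly the range:
    '10.5.0.8 0.0.0.7' alone would also match .13-.15."""
    blocks = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in blocks]


def render_acl(number: int, first: str, last: str, dst: str, dst_wc: str) -> list[str]:
    """Emit access-list lines for one source host range and one destination."""
    return [f"access-list {number} permit ip {render_src(a, w)} {dst} {dst_wc}"
            for a, w in range_to_aces(first, last)]


if __name__ == "__main__":
    print(*render_acl(101, "10.5.0.1", "10.5.0.6", "172.17.0.0", "0.0.0.255"), sep="\n")
    print(*render_acl(102, "10.5.0.7", "10.5.0.12", "172.17.0.0", "0.0.0.255"), sep="\n")
```

Running it prints four entries for ACL 101 and three for ACL 102, each covering only the requested hosts, which is the split a named extended ACL with host entries would also need.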
