ACL problem

I'm trying to define ACLs for use in policy-based routing.

The problem is I need to specify two ACLs:

one that puts traffic from 10.5.0.1 to 10.5.0.6 with destination 172.17.0.0/24 through next hop 10.4.0.1,

and another that puts 10.5.0.7 to 10.5.0.12 with destination 172.17.0.0/24 through next hop 10.4.0.2.

How do I do this with ACLs? I did:

access-list 101 permit ip 10.5.0.1 0.0.0.7 172.17.0.0 0.0.0.255

access-list 102 permit ip 10.5.0.7 0.0.0.7 172.17.0.0 0.0.0.255

Both result in this ACL:

access-list 102 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255

Any idea how to do this?

The following are the route-maps:

route-map customers permit 1

match ip address 101

set ip next-hop 10.4.0.1

route-map customers permit 2

match ip address 102

set ip next-hop 10.4.0.2

Thanks in advance!

5 REPLIES

Re: ACL problem

Hi,

You want two separate networks to go to separate next hops? If yes, try these ACLs and share the results:


access-list 101 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255

access-list 101 permit ip 10.5.0.7 255.255.255.255 172.17.0.0 0.0.0.255

access-list 102 permit ip 10.5.0.8 0.0.0.7 172.17.0.0 0.0.0.255

Check out the link below on PBR for more information:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

Hope this helps!

Ganesh.H

Remember to rate the helpful post


Re: ACL problem

Hi Ganesh!

It gave me this result:

access-list 101 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255
access-list 101 permit ip any 172.17.0.0 0.0.0.255
access-list 102 permit ip 10.5.0.8 0.0.0.7 172.17.0.0 0.0.0.255

Which is not precisely what I wanted, but at least 10.5.0.8 0.0.0.7 is now shown.

It should start at 10.5.0.7, though.

The second line pretty much negates the other lines, so that needs changing. However, if I remove it (no access-list 101 permit ip any 172.17.0.0 0.0.0.255), it removes the entire access list.

Is there any other way?

Re: ACL problem

Hi,

If you look at my previous post: the first line is for hosts 1 to 6, the second line was for the single host 10.5.0.7, and ACL 102 is for the network 10.5.0.8/29.

Ganesh.H


Re: ACL problem

Yes, but this:

access-list 101 permit ip 10.5.0.7 255.255.255.255 172.17.0.0 0.0.0.255

gives this in show run:

access-list 101 permit ip any 172.17.0.0 0.0.0.255

Which means access list 102 will never apply to anything, will it? Since "any" covers everything.

Thanks!

Re: ACL problem

Hi,

It's really strange. Can you try the options below:

1) Try configuring a named extended ACL, and type the first network, then a second line with permit ip host 10.5.0.7 172.17.0.0 0.0.0.255

or

2) Try configuring 3 ACLs: one for hosts 1 to 6, one for host 7, and lastly one for hosts 8 to 14.

HTH

Ganesh.H
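As an added worked example (not part of the thread, and not Cisco's code), the following Python reproduces what IOS does when it stores an extended ACL entry, and then computes the wildcard entries that cover the two requested host ranges exactly. IOS keeps only the address bits that the wildcard does not mark as "don't care" (wildcard bit = 1), which is why 10.5.0.1 0.0.0.7 is stored as 10.5.0.0 0.0.0.7, and why 10.5.0.7 255.255.255.255 (a subnet mask typed where a wildcard belongs) is stored as any. In a PBR route-map that any entry would steer every flow toward 172.17.0.0/24 through the first next hop, so the check after entering the lines is `show access-lists`: if the router displays something wider than you typed, the match was widened. A range that does not start and end on a power-of-two boundary, such as .1 to .6 or .7 to .12, needs several entries; the greedy split below is a general algorithm for any inclusive range, and its function names and the use of the standard `ipaddress` module are this example's own assumptions.

```python
"""Added example: IOS-style ACL entry normalization and exact range-to-wildcard
splitting for numbered extended ACLs used with policy-based routing."""
import ipaddress
from typing import List, Tuple


def ios_normalize(address: str, wildcard: str) -> Tuple[str, str]:
    """Return the (address, wildcard) pair IOS actually stores for an ACE.

    Every address bit whose wildcard bit is 1 is cleared, so the stored
    address is the lowest address in the matched block. This is what turns
    10.5.0.1 0.0.0.7 into 10.5.0.0 0.0.0.7 (hosts .0 through .7).
    """
    addr = int(ipaddress.IPv4Address(address))
    wild = int(ipaddress.IPv4Address(wildcard))
    addr &= ~wild & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(wild))


def render(address: str, wildcard: str) -> str:
    """Render one address field the way 'show run' prints it."""
    addr, wild = ios_normalize(address, wildcard)
    if wild == "255.255.255.255":
        return "any"            # all bits don't-care: matches everything
    if wild == "0.0.0.0":
        return f"host {addr}"   # no bits don't-care: a single host
    return f"{addr} {wild}"


def range_to_wildcards(first: str, last: str) -> List[Tuple[str, str]]:
    """Split an inclusive host range into the fewest (address, wildcard)
    pairs that match exactly that range and nothing outside it.

    Greedy: from the current address take the largest power-of-two block
    that is aligned to its own size and does not run past 'last'.
    """
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    out: List[Tuple[str, str]] = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        out.append((str(ipaddress.IPv4Address(cur)),
                    str(ipaddress.IPv4Address(size - 1))))
        cur += size
    return out


def acl_lines(number: int, first: str, last: str,
              dst: str = "172.17.0.0 0.0.0.255") -> List[str]:
    """Emit numbered extended-ACL lines that cover exactly first..last."""
    return [f"access-list {number} permit ip {render(a, w)} {dst}"
            for a, w in range_to_wildcards(first, last)]


if __name__ == "__main__":
    # The two entries from the thread, as IOS would store them.
    for a, w in (("10.5.0.1", "0.0.0.7"), ("10.5.0.7", "255.255.255.255")):
        print(f"{a} {w:<15} -> {render(a, w)}")
    # Exact ACLs for the two ranges the route-map needs (hypothetical numbers
    # 101 and 102 kept from the thread).
    for line in acl_lines(101, "10.5.0.1", "10.5.0.6"):
        print(line)
    for line in acl_lines(102, "10.5.0.7", "10.5.0.12"):
        print(line)
```

Paste the emitted lines into the router, then run `show access-lists 101` and `show access-lists 102`: they should come back unchanged, with no entry widened and no overlap between the two lists, so each route-map sequence matches only its own hosts.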
