Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1044
Views
0
Helpful
6
Replies

extended access list

user55600
Level 1
Level 1

‎11-16-2010 04:00 PM - edited ‎03-04-2019 10:29 AM

Hello

Could someone help me with an extended access list that I try to figure out.

I want my router to only accept various /16 prefixes and deny everything that is greater than /16.

Right now i get these networks: 192.12.0.0/16       192.13.0.0/16     192.12.2.0/24

/Dan

Labels:
0 Helpful
6 Replies 6

user55600
Level 1
Level 1

‎11-16-2010 04:02 PM

with "greater than /16" i mean /17 /18... and so on.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame

‎11-16-2010 04:04 PM

Dan

I am not clear from this post what you are trying to do with an extended access list. The extended access list can be used for multiple purposes including using the extended access list to filter data packets on an interface or using the extended access list to filter routing updates.

If you are trying to filter routing updates then the feature that you want to use is prefix list and not extended access list. If you are trying to filter data packets on an interface then extended access list is what you need to use.

So perhaps you can clarify what you are trying to accomplish?

HTH

Rick

HTH

Rick
0 Helpful

user55600
Level 1
Level 1
In response to Richard Burts

‎11-16-2010 04:13 PM

thanks for your reply, I am trying to block routing updates.

On this page: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml

They are using this for an example when they are trying to only allow 160.0.0.0/8.

access-list 101 permit ip 160.0.0.0 0.255.255.255 255.0.0.0 0.0.0.0

I want an access-list as above that will allow 192.12.0.0/16 and 192.13.0.0/16 
but block 192.12.2.0/24 and 192.13.2.0/24

0 Helpful

gatlin007
Level 4
Level 4
In response to user55600

‎11-16-2010 04:53 PM

I believe you'd be better served with a prefix list.  Consider the following.

If you want any 192.x.x.x network with a subnet between 8 and 16 bits try this:

ip prefix-list tango permit 192.0.0.0/8 le 16

The command reference for 'ip prefix-list' can be found here:

http://www.cisco.com/en/US/docs/ios/iproute_bgp/command/reference/irg_bgp2.html#wp1094224



Chris

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to gatlin007

‎11-17-2010 02:11 AM

Dan

The link that you gave is about filtering routes in BGP. In filtering BGP route updates it does work to use an extended access list. It is not clear what your environment is and whether you are running BGP and whether it is BGP updates that you want to filter.

Even if you do want to filter BGP updates it would be easier to do this with a prefix list. The extended access list was the older method of filtering BGP route updates. Prefix lists are more recent and more powerful. So I suggest that you take a good look at the example given by Chris and at the link that he provides. This would be the better way.

HTH

Rick

HTH

Rick
0 Helpful

user55600
Level 1
Level 1
In response to Richard Burts

‎11-17-2010 08:22 AM

Hello

Thanks for all help. Thanks for the tip about prefix lists that was exactly what i needed.

But i also wonder if it is possible to do the same(block BGP updates) with community filtering, so i can block some updates from some communities?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card