11-16-2010 04:00 PM - edited 03-04-2019 10:29 AM
Hello
Could someone help me with an extended access list that I am trying to figure out?
I want my router to only accept various /16 prefixes and deny everything that is greater than /16.
Right now I get these networks: 192.12.0.0/16 192.13.0.0/16 192.12.2.0/24
/Dan
11-16-2010 04:02 PM
With "greater than /16" I mean /17, /18... and so on.
11-16-2010 04:04 PM
Dan
I am not clear from this post what you are trying to do with an extended access list. The extended access list can be used for multiple purposes including using the extended access list to filter data packets on an interface or using the extended access list to filter routing updates.
If you are trying to filter routing updates then the feature that you want to use is prefix list and not extended access list. If you are trying to filter data packets on an interface then extended access list is what you need to use.
So perhaps you can clarify what you are trying to accomplish?
HTH
Rick
11-16-2010 04:13 PM
Thanks for your reply. I am trying to block routing updates.
On this page: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml
They are using this for an example when they are trying to only allow 160.0.0.0/8.
access-list 101 permit ip 160.0.0.0 0.255.255.255 255.0.0.0 0.0.0.0
I want an access-list as above that will allow 192.12.0.0/16 and 192.13.0.0/16
but block 192.12.2.0/24 and 192.13.2.0/24
11-16-2010 04:53 PM
I believe you'd be better served with a prefix list. Consider the following.
If you want any 192.x.x.x network with a subnet between 8 and 16 bits try this:
ip prefix-list tango permit 192.0.0.0/8 le 16
The command reference for 'ip prefix-list' can be found here:
http://www.cisco.com/en/US/docs/ios/iproute_bgp/command/reference/irg_bgp2.html#wp1094224
Chris
11-17-2010 02:11 AM
Dan
The link that you gave is about filtering routes in BGP. In filtering BGP route updates it does work to use an extended access list. It is not clear what your environment is and whether you are running BGP and whether it is BGP updates that you want to filter.
Even if you do want to filter BGP updates it would be easier to do this with a prefix list. The extended access list was the older method of filtering BGP route updates. Prefix lists are more recent and more powerful. So I suggest that you take a good look at the example given by Chris and at the link that he provides. This would be the better way.
HTH
Rick
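Added example (not part of any post in this thread): a small Python model of how the prefix-list entry from Chris's post and the extended access list form quoted from the Cisco note evaluate the three routes Dan receives. The function names and the `ACL_192_16` entry are constructed for illustration; the `ge`/`le` handling assumes standard IOS prefix-list semantics.

```python
import ipaddress

def prefix_list_permits(entries, route):
    """First matching entry wins; no match means the implicit deny applies."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        # No ge/le: exact length only. ge alone: ge..32. le alone: len..le.
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def acl_route_permits(entries, route):
    """Extended ACL used as a BGP route filter: the source address/wildcard pair
    is compared with the network, the destination pair with the netmask."""
    net = ipaddress.ip_network(route)
    addr, mask = int(net.network_address), int(net.netmask)
    for action, src, src_wc, dst, dst_wc in entries:
        s, sw, d, dw = (int(ipaddress.ip_address(x)) for x in (src, src_wc, dst, dst_wc))
        # A wildcard bit of 1 means "don't care"; every other bit must be equal.
        if ((addr ^ s) & ~sw) == 0 and ((mask ^ d) & ~dw) == 0:
            return action == "permit"
    return False

# ip prefix-list tango permit 192.0.0.0/8 le 16   (from the thread)
TANGO = [("permit", "192.0.0.0/8", None, 16)]
# access-list 101 permit ip 160.0.0.0 0.255.255.255 255.0.0.0 0.0.0.0   (from the thread)
ACL_101 = [("permit", "160.0.0.0", "0.255.255.255", "255.0.0.0", "0.0.0.0")]
# Constructed for this example: the same ACL form adapted to 192.x.x.x with a /16 mask.
ACL_192_16 = [("permit", "192.0.0.0", "0.255.255.255", "255.255.0.0", "0.0.0.0")]

ROUTES = ["192.12.0.0/16", "192.13.0.0/16", "192.12.2.0/24"]  # routes Dan receives

def evaluate():
    """Map each route to (prefix-list result, extended-ACL result)."""
    return {r: (prefix_list_permits(TANGO, r), acl_route_permits(ACL_192_16, r))
            for r in ROUTES}

if __name__ == "__main__":
    for route, (pl, acl) in evaluate().items():
        print(f"{route:<16} prefix-list={'permit' if pl else 'deny'} "
              f"acl={'permit' if acl else 'deny'}")
```

Both filters accept the two /16 routes and reject 192.12.2.0/24 through the implicit deny; the prefix-list entry additionally accepts shorter prefixes such as 192.0.0.0/8, while the ACL form matches the /16 mask only.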
11-17-2010 08:22 AM
Hello
Thanks for all the help. Thanks for the tip about prefix lists; that was exactly what I needed.
But I also wonder if it is possible to do the same (block BGP updates) with community filtering, so I can block some updates from some communities?