As I sent the message I saw the fluke
this is the acl you want
access-list 116 permit ip 0.0.0.0 255.255.255.128 10.1.1.0 0.0.0.255
Router#
00:45:32: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
00:45:32: IP-EIGRP: 150.55.241.0/24 - denied by distribute list
00:45:32: IP-EIGRP: 2.1.1.0/30 - denied by distribute list
00:45:32: IP-EIGRP: 10.1.1.0/25 - do advertise out Serial0
00:45:32: IP-EIGRP: Int 10.1.1.0/25 metric 128256 - 256 128000
00:45:32: IP-EIGRP: 10.1.1.128/25 - do advertise out Serial0
00:45:32: IP-EIGRP: Int 10.1.1.128/25 metric 128256 - 256 128000
00:45:34: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
00:45:34: IP-EIGRP: 150.55.241.0/24 - denied by distribute list
00:45:34: IP-EIGRP: 2.1.1.0/30 - denied by distribute list
00:45:34: IP-EIGRP: 10.1.1.0/25 - do advertise out Serial0
00:45:34: IP-EIGRP: Int 10.1.1.0/25 metric 128256 - 256 128000
00:45:34: IP-EIGRP: 10.1.1.128/25 - do advertise out Serial0
checked mask and network....
cheers
Hans Driessens
From: Driessens.Hans
Sent: Tuesday 3 October 2000 16:48
To: 'Brian'
CC: '[EMAIL PROTECTED]'
Subject: RE: EXTENDED ACL for distribute-list
hi brian
oops, you're right about the mask. Did you try the normal acl?? I got it
working with the extended acl
try this:
interface Loopback0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
!
interface Loopback1
ip address 10.1.2.1 255.255.255.0
no ip directed-broadcast
!
interface Ethernet0
ip address 150.55.241.199 255.255.255.0
no ip directed-broadcast
!
interface Serial0
ip address 2.1.1.1 255.255.255.252
no ip directed-broadcast
no ip mroute-cache
no fair-queue
clockrate 64000
!
router eigrp 90
network 2.0.0.0
network 10.0.0.0
network 137.20.0.0
network 150.55.0.0
distribute-list 110 out
no auto-summary
!
!
access-list 110 permit ip any 10.1.1.0 0.0.0.255
debug says:
00:10:09: IP-EIGRP: 10.1.1.0/24 - do advertise out Serial0
00:10:09: IP-EIGRP: Int 10.1.1.0/24 metric 128256 - 256 128000
00:10:09: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
00:10:09: IP-EIGRP: 150.55.241.0/24 - denied by distribute list
00:10:09: IP-EIGRP: 2.1.1.0/30 - denied by distribute list
so that's working fine, the same as with a normal acl
if the config was something like
interface Loopback0
ip address 10.1.1.1 255.255.255.128
no ip directed-broadcast
!
interface Loopback1
ip address 10.1.2.1 255.255.255.0
no ip directed-broadcast
!
interface Loopback3
ip address 10.1.1.129 255.255.255.128
no ip directed-broadcast
with the extended acl, both routes are advertised (so not as described in
the open forum doc)
see debug output
with extended acl:
00:21:17: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
00:21:17: IP-EIGRP: 150.55.241.0/24 - denied by distribute list
00:21:17: IP-EIGRP: 2.1.1.0/30 - denied by distribute list
00:21:17: IP-EIGRP: 10.1.1.0/25 - do advertise out Serial0 <--------
00:21:17: IP-EIGRP: Int 10.1.1.0/25 metric 128256 - 256 128000
00:21:17: IP-EIGRP: 10.1.1.128/25 - do advertise out Serial0 <--------
with normal acl:
00:24:54: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
00:24:54: IP-EIGRP: 150.55.241.0/24 - denied by distribute list
00:24:54: IP-EIGRP: 2.1.1.0/30 - denied by distribute list
00:24:54: IP-EIGRP: 10.1.1.0/25 - do advertise out Serial0 <--------
00:24:54: IP-EIGRP: Int 10.1.1.0/25 metric 128256 - 256 128000
00:24:54: IP-EIGRP: 10.1.1.128/25 - do advertise out Serial0
00:24:54: IP-EIGRP: Int 10.1.1.128/25 metric 128256 - 256 128000 <--------
Same output with both acl's
with another acl
access-list 115 permit ip 255.255.0.0 0.0.0.0 10.1.1.0 0.0.0.255
gives the right output
00:37:11: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
00:37:11: IP-EIGRP: 150.55.241.0/24 - denied by distribute list
00:37:11: IP-EIGRP: 2.1.1.0/30 - denied by distribute list
00:37:11: IP-EIGRP: 10.1.1.0/25 - denied by distribute list <------- only /24 allowed
00:37:11: IP-EIGRP: 10.1.1.128/25 - denied by distribute list
00:37:13: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
00:37:13: IP-EIGRP: 150.55.241.0/24 - denied by distribute list
00:37:13: IP-EIGRP: 2.1.1.0/30 - denied by distribute list
00:37:13: IP-EIGRP: 10.1.1.0/25 - denied by distribute list
00:37:13: IP-EIGRP: 10.1.1.128/25 - denied by distribute list
access-list 115 permit ip 255.255.128.0 0.0.0.0 10.1.1.0 0.0.0.255
gives the same result
as well as
access-list 116 permit ip 255.255.255.128 0.0.0.127 10.1.1.0 0.0.0.255
so it seems that it just does not work with an extended acl to check the
mask
Hans
-----Original Message-----
From: Brian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 3 October 2000 15:33
To: Driessens.Hans
CC: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: EXTENDED ACL for distribute-list
access-lists use wildcard masks not netmasks........
On Tue, 3 Oct 2000, Driessens.Hans wrote:
> Hi ClueLess
>
> you want to use a standard access-list instead of an extended if you are
> doing it like this. You are filtering on source address instead of
> destination address and that is no good. Also, your access-list 10 has no
> mask and uses the default. If 10.1.1.0 is the only network allowed use the
> mask /24...
>
> interface Loopback0
> ip address 10.1.1.1 255.255.255.0
> !
> interface Loopback1
> ip address 10.1.2.1 255.255.255.0
> !
> router eigrp 90
> network 10.0.0.0
> network 137.20.0.0
> distribute-list 10 out
> no auto-summary
> !
> ip classless
> !
> access-list 10 permit 10.1.1.0 255.255.255.0
>
> Hans
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Sunday 1 October 2000 4:34
> To: [EMAIL PROTECTED]
> Subject: EXTENDED ACL for distribute-list
>
>
> Hi all,
>
> Could someone shed some light on how to use EXTENDED ACL for
> distribute-list?
>
> I'm trying to allow only the 10.1.1.0/24 route to be distributed by eigrp
> 90. Below is the config and debug ip eigrp output. I thought ACL 110 is
> a bit "relaxed" but should have allowed the 10.1.1.0/24 route to be
> distributed out. But it got DENIED. ACL 10 worked.
>
> Initially, I had "access-list 110 permit ip 10.1.1.0 0.0.0.0
> 255.255.255.0 0.0.0.0" which I thought would be the most specific.
> But this didn't work either.
>
> I found the URL below from Open Forum:
> http://www-1.cisco.com/cgi-bin/Support/OpenForum/dispnewqa.pl/6352
> If anyone has a good link on this topic, please kindly send it
> in!
>
> Any comment welcome!
> ClueLess.
>
>
> r7#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) 2500 Software (C2500-DS-L), Version 11.3(11a), RELEASE
> SOFTWARE (fc1)
> Copyright (c) 1986-1999 by cisco Systems, Inc.
> Compiled Mon 20-Sep-99 07:43 by jjgreen
> Image text-base: 0x03040474, data-base: 0x00001000
>
> Partial config:
> !
> interface Loopback0
> ip address 10.1.1.1 255.255.255.0
> !
> interface Loopback1
> ip address 10.1.2.1 255.255.255.0
> !
> router eigrp 90
> network 10.0.0.0
> network 137.20.0.0
> distribute-list 110 out
> no auto-summary
> !
> ip classless
> !
> access-list 10 permit 10.1.1.0
> access-list 110 permit ip 10.1.1.0 0.0.0.255 any
>
> With distribute-list 110 out:
> 1d21h: IP-EIGRP: 137.20.50.0/24 - denied by distribute list
> 1d21h: IP-EIGRP: 10.1.1.0/24 - denied by distribute list
> 1d21h: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
>
> With distribute-list 10 out:
> 1d21h: IP-EIGRP: 137.20.50.0/24 - denied by distribute list
> 1d21h: IP-EIGRP: 10.1.1.0/24 - do advertise out Ethernet0
> 1d21h: IP-EIGRP: Int 10.1.1.0/24 metric 128256 - 256 128000
> 1d21h: IP-EIGRP: 10.1.2.0/24 - denied by distribute list
>
> **NOTE: New CCNA/CCDA List has been formed. For more information go to
> http://www.groupstudy.com/list/Associates.html
> _________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
-----------------------------------------------
Brian Feeny, CCNP, CCDA [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
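
The wildcard-mask arithmetic behind the ACLs in this thread, as an added example that is not part of any poster's message. It evaluates the quoted ACL fields bit by bit: which route network addresses from the debug output a field matches, and which 32-bit values each extended-ACL source field accepts. Assumptions: the candidate source values are constructed for illustration, since the thread does not establish which value IOS compares with the source field of an extended ACL in a distribute-list.

```python
import ipaddress

def _int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(value, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(value) & care) == (_int(base) & care)

# Network addresses of the routes seen in the thread's debug output.
ROUTES = ["10.1.1.0", "10.1.1.128", "10.1.2.0", "150.55.241.0", "2.1.1.0"]

# Source fields (base, wildcard) of the extended ACLs quoted in the thread.
SOURCE_FIELDS = {
    "110: any": ("0.0.0.0", "255.255.255.255"),
    "110: 10.1.1.0 0.0.0.255": ("10.1.1.0", "0.0.0.255"),
    "115: 255.255.0.0 0.0.0.0": ("255.255.0.0", "0.0.0.0"),
    "115: 255.255.128.0 0.0.0.0": ("255.255.128.0", "0.0.0.0"),
    "116: 255.255.255.128 0.0.0.127": ("255.255.255.128", "0.0.0.127"),
    "116: 0.0.0.0 255.255.255.128": ("0.0.0.0", "255.255.255.128"),
}

# Constructed candidates (assumption): all-zeros plus the /24 and /25 netmasks.
CANDIDATES = ["0.0.0.0", "255.255.255.0", "255.255.255.128"]

def routes_matching(base, wildcard):
    """Route network addresses that a (base, wildcard) pair matches."""
    return [r for r in ROUTES if wildcard_match(r, base, wildcard)]

def source_accepts():
    """For each quoted source field, the candidate values it accepts."""
    return {name: [c for c in CANDIDATES if wildcard_match(c, base, wc)]
            for name, (base, wc) in SOURCE_FIELDS.items()}

if __name__ == "__main__":
    # Field "10.1.1.0 0.0.0.255": covers the /24 and both /25 network addresses.
    print("10.1.1.0 0.0.0.255     ->", routes_matching("10.1.1.0", "0.0.0.255"))
    # A netmask typed where a wildcard is expected checks only the last octet.
    print("10.1.1.0 255.255.255.0 ->", routes_matching("10.1.1.0", "255.255.255.0"))
    for name, hits in source_accepts().items():
        print(f"source {name:32} accepts {hits}")
```

The source field `0.0.0.0 255.255.255.128` only checks that the low seven bits are zero, so it accepts all three candidates and cannot tell a /24 mask from a /25 mask.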