Weird uses of access-lists

Hello

A while ago I showed you how we can use an access-list to act like a prefix list. For example, the line below matches all 172.16.0.0/16 routes whose prefix length is between 17 and 32 (the source field matches the network, the destination field matches the subnet mask), the same as ip prefix-list 172.16.0.0/16 ge 17 le 32.

access-list 100 permit ip 172.16.0.0 0.0.255.255 255.255.128.0 0.0.127.255

and here’s how to filter a route coming from a particular gateway:

access-list 100 deny ip host 155.1.0.3 host 155.1.7.0 !!! filter route 155.1.7.0 coming from gateway 155.1.0.3 !!!
access-list 100 deny ip host 155.1.0.3 host 155.1.9.0
access-list 100 deny ip host 155.1.0.1 host 155.1.146.0
access-list 100 deny ip host 155.1.0.1 host 150.1.1.1

!!!Now we use this in a distribute list!!!

distribute-list 100 in Tunnel0


Distribute lists with gateway option

Hello

Just a short update today: a relatively little-known option for filtering updates coming from a specific router using a prefix list.

Two prefix lists are needed: the first one denies the gateway from which we don't want any updates and permits all the other gateways; the second one defines the routes.

ip prefix-list IDONTLIKER4 seq 5 deny 155.1.0.4/32
ip prefix-list IDONTLIKER4 seq 10 permit 0.0.0.0/0 le 32

ip prefix-list ROUTES seq 5 permit 0.0.0.0/0 le 32

router rip

distribute-list prefix ROUTES gateway IDONTLIKER4 in

!!!we have applied the config but haven’t cleared the routing table yet so we still see a route to 150.1.4.4 coming from 155.1.0.4!!!

R5#show ip route

150.1.0.0/32 is subnetted, 10 subnets
R 150.1.1.1 [120/1] via 155.1.0.1, 00:00:24, Tunnel0
R 150.1.2.2 [120/1] via 155.1.0.2, 00:00:02, Tunnel0
R 150.1.3.3 [120/1] via 155.1.0.3, 00:00:09, Tunnel0
R 150.1.4.4 [120/1] via 155.1.45.4, 00:00:12, Ethernet0/0.45
[120/1] via 155.1.0.4, 00:00:21, Tunnel0
C 150.1.5.5 is directly connected, Loopback0
R 150.1.6.6 [120/2] via 155.1.0.1, 00:00:24, Tunnel0
R 150.1.7.7 [120/2] via 155.1.0.3, 00:00:09, Tunnel0
R 150.1.8.8 [120/1] via 155.1.58.8, 00:00:24, Ethernet0/0.58

!!!now we clear the routing table and the route to 150.1.4.4 through 155.1.0.4 is gone!!!
R5#clear ip route *
R5#show ip route

150.1.0.0/32 is subnetted, 10 subnets
R 150.1.1.1 [120/1] via 155.1.0.1, 00:00:07, Tunnel0
R 150.1.2.2 [120/1] via 155.1.0.2, 00:00:07, Tunnel0
R 150.1.3.3 [120/1] via 155.1.0.3, 00:00:07, Tunnel0
R 150.1.4.4 [120/1] via 155.1.45.4, 00:00:03, Ethernet0/0.45
C 150.1.5.5 is directly connected, Loopback0
R 150.1.6.6 [120/2] via 155.1.0.1, 00:00:07, Tunnel0
R 150.1.7.7 [120/2] via 155.1.0.3, 00:00:07, Tunnel0
R 150.1.8.8 [120/1] via 155.1.58.8, 00:00:07, Ethernet0/0.58
R 150.1.9.9 [120/3] via 155.1.0.3, 00:00:07, Tunnel0
R 150.1.10.10 [120/2] via 155.1.58.8, 00:00:07, Ethernet0/0.58

The trick here is not to forget the word PREFIX after distribute-list. IOS will accept the syntax without it, thinking we refer to an access-list named ROUTES (which doesn't exist). This will have unpredictable and IOS-version-dependent results.
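To make the wildcard arithmetic behind both posts checkable offline, here is an added Python example. It is my own code, not IOS and not from the original posts: it evaluates an extended access-list the two ways these posts read it (source = network and destination = mask, as in the 172.16 example; source = gateway and destination = network, as in the gateway trick) and a prefix-list with ge/le, including the prefix ROUTES gateway IDONTLIKER4 combination. The filter entries and the (gateway, route) updates are constructed sample data mirroring the posts; the permit ip any any at the end of the gateway ACL is my addition so the example has something to permit.

```python
"""Added example (not IOS code, not from the posts): a small evaluator for
the route-filter styles discussed above, so the wildcard arithmetic behind
'access-list 100 permit ip 172.16.0.0 0.0.255.255 255.255.128.0 0.0.127.255'
and the prefix-list 'gateway' option can be checked offline.
All entries and RIP updates below are constructed sample data."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_network_mask(entries, prefix):
    """Extended ACL read the way the first post uses it: the source field
    matches the route's network, the destination field its subnet mask.
    entries: (action, net, net_wc, mask, mask_wc). Implicit deny at the end."""
    route = ipaddress.ip_network(prefix)
    for action, net, net_wc, mask, mask_wc in entries:
        if wildcard_match(str(route.network_address), net, net_wc) and \
           wildcard_match(str(route.netmask), mask, mask_wc):
            return action == "permit"
    return False


def acl_gateway_network(entries, gateway, prefix):
    """Extended ACL read the way the gateway trick uses it: source field =
    advertising router, destination field = route network."""
    route = ipaddress.ip_network(prefix)
    for action, gw, gw_wc, net, net_wc in entries:
        if wildcard_match(gateway, gw, gw_wc) and \
           wildcard_match(str(route.network_address), net, net_wc):
            return action == "permit"
    return False


def prefix_list_permits(entries, prefix):
    """entries: (action, 'net/len', ge, le); ge/le None means absent.
    Without ge/le the length must match exactly, as in IOS."""
    route = ipaddress.ip_network(prefix)
    for action, entry, ge, le in entries:
        base = ipaddress.ip_network(entry)
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if route.subnet_of(base) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False


def distribute_list_gateway(routes_pl, gateway_pl, gateway, prefix):
    """'distribute-list prefix ROUTES gateway IDONTLIKER4 in': the update is
    accepted only if the gateway passes the gateway list as a /32 AND the
    route passes the routes list."""
    return prefix_list_permits(gateway_pl, gateway + "/32") and \
        prefix_list_permits(routes_pl, prefix)


# Constructed sample filters mirroring the posts.
ACL_GE17_LE32 = [("permit", "172.16.0.0", "0.0.255.255", "255.255.128.0", "0.0.127.255")]
PL_GE17_LE32 = [("permit", "172.16.0.0/16", 17, 32)]
ACL_BY_GATEWAY = [
    ("deny", "155.1.0.3", "0.0.0.0", "155.1.7.0", "0.0.0.0"),
    ("deny", "155.1.0.1", "0.0.0.0", "155.1.146.0", "0.0.0.0"),
    # 'permit ip any any': added here so the example has something to permit
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
IDONTLIKER4 = [("deny", "155.1.0.4/32", None, None), ("permit", "0.0.0.0/0", None, 32)]
ROUTES = [("permit", "0.0.0.0/0", None, 32)]


def acl_equals_prefix_list(samples):
    """True when the ACL and the prefix-list agree on every sample prefix."""
    return all(acl_network_mask(ACL_GE17_LE32, p) == prefix_list_permits(PL_GE17_LE32, p)
               for p in samples)


if __name__ == "__main__":
    for p in ["172.16.0.0/16", "172.16.0.0/17", "172.16.1.0/24", "172.16.5.5/32"]:
        print(p, "acl:", acl_network_mask(ACL_GE17_LE32, p),
              "prefix-list:", prefix_list_permits(PL_GE17_LE32, p))
    for gw in ["155.1.0.4", "155.1.45.4"]:
        print("150.1.4.4/32 from", gw, "->",
              distribute_list_gateway(ROUTES, IDONTLIKER4, gw, "150.1.4.4/32"))
```

Run it to see that the ACL denies 172.16.0.0/16 itself (mask 255.255.0.0 does not match 255.255.128.0 under wildcard 0.0.127.255) while permitting /17 through /32, exactly like ge 17 le 32, and that 150.1.4.4/32 is accepted from 155.1.45.4 but dropped from 155.1.0.4.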

Access lists after 11p.m.

Today I was configuring a summary route between two routers and I had a strange problem:

On R5 I wanted to configure a summary route for the addresses 150.1.1.1, 150.1.2.2, 150.1.3.3 etc. and send this route over to R8.

int eth0/0.58

ip summary-address rip 150.1.1.0 255.255.255.248

That should do it right?

So I did, and to my astonishment R8 got the summary PLUS all the /32 routes.

After 15 minutes of troubleshooting and cursing at GNS3 I realized what was happening. It was well after 11 p.m. and I couldn't see that instead of creating a summary route 150.1.0.0 255.255.248.0, I had created one for 255.255.255.248.

When you're tired, double-check all the numbers. Tiredness is very much like being drunk. Being tired can cause serious network outages.
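The double-check the post wishes it had done is easy to automate. Here is an added Python example (my own code, not from the post): it computes the smallest summary covering a set of /32 loopbacks and checks a typed address/mask pair against them, reporting which routes a wrong mask would leave uncovered (and therefore still advertised individually, which is what R8 saw). The loopback list is constructed from the post's 150.1.x.x addressing; the helper names are mine.

```python
"""Added example (not from the post): compute the summary that really covers
a set of host routes and check a typed summary mask against it.
LOOPBACKS is constructed sample data following the post's 150.1.x.x scheme."""
import ipaddress

LOOPBACKS = ["150.1.1.1", "150.1.2.2", "150.1.3.3", "150.1.4.4",
             "150.1.5.5", "150.1.6.6", "150.1.7.7"]


def summarize(hosts):
    """Smallest single prefix that contains every host: shorten the prefix
    length until all addresses share the same leading bits."""
    addrs = [int(ipaddress.IPv4Address(h)) for h in hosts]
    length = 32
    while length > 0 and len({a >> (32 - length) for a in addrs}) > 1:
        length -= 1
    first = ipaddress.IPv4Address(addrs[0])
    return ipaddress.ip_network(f"{first}/{length}", strict=False)


def check_summary(address, mask, hosts):
    """Emulate 'ip summary-address rip <address> <mask>' against the host
    routes behind it. Returns (ok, summary as 'net/len', uncovered hosts);
    uncovered routes are not suppressed by the summary."""
    summary = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    leaked = [h for h in hosts if ipaddress.IPv4Address(h) not in summary]
    return (not leaked, str(summary), leaked)


if __name__ == "__main__":
    want = summarize(LOOPBACKS)
    print("correct summary:", want, "mask", want.netmask)
    for typed in [("150.1.1.0", "255.255.255.248"), ("150.1.0.0", "255.255.248.0")]:
        ok, summary, leaked = check_summary(*typed, LOOPBACKS)
        print(typed, "->", summary, "OK" if ok else f"leaks {leaked}")
```

With the mask from the post, 255.255.255.248, the summary collapses to 150.1.1.0/29 and every loopback except 150.1.1.1 is still advertised on its own; 255.255.248.0 gives 150.1.0.0/21, which covers all of them.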