That makes things a little more complicated. Forget about the src/dst thing 'cause it will keep confusing you!
There's the network match, and a mask to match the network portion. Then there's the mask part, and a mask to match the mask portion!

So let's say you wanted to match /20 through /24 out of 192.168.0.0/16.

The network part is any network from 192.168.0.0 through 192.168.255.255.

The mask part is anything from 255.255.240.0 through 255.255.255.0.

access-list 101 permit ip 192.168.0.0 0.0.255.255 255.255.240.0 0.0.15.0

Or less brain power:

ip prefix-list MuchBetter permit 192.168.0.0/16 ge 20 le 24

:)

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
JNCIE-M #153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
[EMAIL PROTECTED]
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com

-----Original Message-----
From: Suresh Mishra [mailto:[EMAIL PROTECTED]
Sent: Monday, May 12, 2008 10:30 AM
To: Scott Morris; [email protected]
Subject: Access-list

Hello all,

I have confusion about using access-list to match packet and routes. I know for packets we have both source and destination that we can specify in the extended access-list. But for routes we have only one value, that is the route and its subnet mask. In that case how can we use the extended access-list to match the routes?

Thanks
Suresh
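The two filters from the reply above, modelled in Python as an added example that is not part of the thread: it applies the extended ACL's two address/wildcard pairs to a route's network and mask, applies the prefix-list's ge/le test, and compares the verdicts. The function names and the sample routes are constructed for illustration.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(value, base, wildcard):
    """IOS wildcard compare: bits set in the wildcard are ignored."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(value) & care) == (_int(base) & care)

def acl_permits_route(route, net, net_wc, mask, mask_wc):
    """Extended ACL as a route filter: the first pair is compared with the
    route's network address, the second pair with its subnet mask."""
    r = ipaddress.IPv4Network(route)
    return (wildcard_match(str(r.network_address), net, net_wc)
            and wildcard_match(str(r.netmask), mask, mask_wc))

def prefix_list_permits(route, prefix, ge, le):
    """ip prefix-list: route lies inside the prefix, length within ge..le."""
    r = ipaddress.IPv4Network(route)
    return r.subnet_of(ipaddress.IPv4Network(prefix)) and ge <= r.prefixlen <= le

# Constructed sample routes (not from the thread).
ROUTES = [
    "192.168.16.0/20",   # shortest permitted length
    "192.168.5.0/24",    # longest permitted length
    "192.168.0.0/16",    # too short: mask 255.255.0.0
    "192.168.0.0/19",    # too short: mask 255.255.224.0
    "192.168.1.128/25",  # too long: last mask octet is not 0
    "10.1.1.0/24",       # right length, wrong network
]

def compare(routes=ROUTES):
    """Return (route, acl_verdict, prefix_list_verdict) for each route."""
    rows = []
    for route in routes:
        acl = acl_permits_route(route, "192.168.0.0", "0.0.255.255",
                                "255.255.240.0", "0.0.15.0")
        pfx = prefix_list_permits(route, "192.168.0.0/16", 20, 24)
        rows.append((route, acl, pfx))
    return rows

if __name__ == "__main__":
    for route, acl, pfx in compare():
        print(f"{route:18} acl={acl!s:5} prefix-list={pfx}")
```

The mask wildcard 0.0.15.0 would also accept non-contiguous masks such as 255.255.241.0; real routes never carry those, which is why the two filters agree in practice.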
