Re: Access List/EIGRP Problem
The rule of the game for access-lists is: first specify the more specific, then go on to the general.

--- Minh Vu [EMAIL PROTECTED] wrote:

I agree with Chuck. If your first line in the ACL is "deny ip host 0.0.0.0 any", it seems to me it will deny all IP regardless of the permit ip you put after it. (Off the top of my head, the router will go from the top down: check the 1st ACL line, if no match then go to the 2nd ACL line, if no match then go to the 3rd ACL line, and so on...) In this case you put the deny any host on your 1st ACL line, so it matches and therefore drops the packet without going to the next ACL line.

  ip access-list extended FrameInbound
   deny ip host 0.0.0.0 any
   permit ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255

----- Original Message -----
From: "Chuck Larrieu" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 22, 2000 1:30 PM
Subject: RE: Access List/EIGRP Problem

This topic brings up some of the subtleties with regard to access lists. Now that I am looking into more complex interactions among protocols and services, I am finding that just about any time I have to engage access-lists I have to begin thinking in far broader terms than I am used to, and certainly in far broader terms than several of the well known introductory and CCNA level books suggest. There is nothing like applying a standard access list to an interface, then a few minutes later seeing your routes disappear!

Some of the more advanced texts suggest constructing access-lists such that the most specific items appear first, and then filter down to the least specific. Others may suggest that one put the most likely to be used things at the top of the list and work down. I'm getting to the point where I have to remember to put routing protocol items at the top of my lists.

I guess what I'm getting to in my rambling way is that access-list construction and placement is probably more of an art than a science. One must always consider what one is doing, and why. One must always consider the law of unintended consequences.

Happy holidays!

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen Skinner
Sent: Friday, December 22, 2000 12:42 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Access List/EIGRP Problem

Your access-list is the wrong way round. You have a deny host any any, i.e. your 0.0.0.0 is treated as an any any, then the permit. If you put them the other way round it should work.

From: "Stull, Cory" [EMAIL PROTECTED]
Reply-To: "Stull, Cory" [EMAIL PROTECTED]
To: "'Edward Gomez'" [EMAIL PROTECTED], "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
Subject: RE: Access List/EIGRP Problem
Date: Tue, 19 Dec 2000 09:05:07 -0600

Edward,

Without seeing your whole config we can't be positive, but you're probably also blocking your EIGRP hellos. You might want to go with distribute-list anyway. Go to cisco.com, look up distribute-list and go to the link on using it with EIGRP.

Good luck
Cory

-----Original Message-----
From: Edward Gomez [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 19, 2000 8:30 AM
To: '[EMAIL PROTECTED]'
Subject: Access List/EIGRP Problem

Hi everybody,

I am having an issue with the following access list. I am trying to put an ACL on my frame router that can limit which network inside my company a partner can access. I basically want any traffic coming from 192.168.50.0 to be able to go to 192.168.5.0. When I apply the access list nothing gets through. If I ping a remote address I get a "TTL expired in transit". I am running EIGRP between the routers. Do I need to have an access list that allows access to the LAN side for EIGRP updates, or is this done via the WAN port? What am I doing wrong here?

  ip access-list extended FrameInbound
   deny ip host 0.0.0.0 any
   permit ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255

I have also tried:

   permit ip 192.168.50.0 0.0.0.255 host 192.168.5.0

and that did not work either.

Thanks in advance!!!

Eddie

--
Edward J. Gomez, MCSE, CNE, CCNA
Information Systems Manager
ProxyMed, Inc
2555 Davie Road, Suite 110
Fort Lauderdale, Florida 33317
(954) 473-1001 x315
http://www.proxymed.com

_________________________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Access List/EIGRP Problem
Like everything else, it depends. For short lists, it doesn't make all that much difference. For complex lists, I agree that most specific first is far easier to understand and troubleshoot.

Performance problems with access lists are more likely to be associated with the fact that an access list is there (i.e., forcing traffic into a slower switching path) than to be caused by the total number of rules. The number of rules was more of a concern in early IOS releases where almost everything was process switched.

The most complex access lists will usually be machine-generated, so they can be tuned for performance. You'll see some extreme cases in carriers; I know of a tier 1 ISP that has to restore its configuration from TFTP, not NVRAM, because NVRAM doesn't hold the 8000-plus access list rules they use.

> the rule of the game for access-list is first specify the more specific then go on to the general
>
> --- Minh Vu [EMAIL PROTECTED] wrote:
> [...]
RE: Access List/EIGRP Problem
Your access-list is the wrong way round. You have a deny host any any, i.e. your 0.0.0.0 is treated as an any any, then the permit. If you put them the other way round it should work.

From: "Stull, Cory" [EMAIL PROTECTED]
Reply-To: "Stull, Cory" [EMAIL PROTECTED]
To: "'Edward Gomez'" [EMAIL PROTECTED], "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
Subject: RE: Access List/EIGRP Problem
Date: Tue, 19 Dec 2000 09:05:07 -0600

[...]
Re: Access List/EIGRP Problem
I agree with Chuck. If your first line in the ACL is "deny ip host 0.0.0.0 any", it seems to me it will deny all IP regardless of the permit ip you put after it. (Off the top of my head, the router will go from the top down: check the 1st ACL line, if no match then go to the 2nd ACL line, if no match then go to the 3rd ACL line, and so on...) In this case you put the deny any host on your 1st ACL line, so it matches and therefore drops the packet without going to the next ACL line.

  ip access-list extended FrameInbound
   deny ip host 0.0.0.0 any
   permit ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255

----- Original Message -----
From: "Chuck Larrieu" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 22, 2000 1:30 PM
Subject: RE: Access List/EIGRP Problem

[...]
Re: Access List/EIGRP Problem
I think you may wish to reverse the order of your access list by permitting traffic first and then denying everything else.

dj

"Edward Gomez" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

[...]
RE: Access List/EIGRP Problem
Edward,

Without seeing your whole config we can't be positive, but you're probably also blocking your EIGRP hellos. You might want to go with distribute-list anyway. Go to cisco.com, look up distribute-list and go to the link on using it with EIGRP.

Good luck
Cory

-----Original Message-----
From: Edward Gomez [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 19, 2000 8:30 AM
To: '[EMAIL PROTECTED]'
Subject: Access List/EIGRP Problem

[...]
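Added example, not from anyone on this thread: a small Python model of IOS extended-ACL evaluation (top down, first match wins, wildcard 1 bits are don't-care, `host X` equals `X 0.0.0.0`, implicit deny at the end) that runs the FrameInbound list from the original question, and a version with the EIGRP entry placed first as Chuck and Cory suggest, against the partner's data traffic and an EIGRP hello. The hello-side addresses are constructed: peer 10.0.0.2, and 224.0.0.10, which is the EIGRP multicast group.

```python
from __future__ import annotations
import ipaddress
from collections import namedtuple

# The list from the original question, verbatim.
ORIGINAL = """
ip access-list extended FrameInbound
 deny ip host 0.0.0.0 any
 permit ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

# Same intent with the routing-protocol entry on top (constructed ACE; 224.0.0.10 is
# the EIGRP multicast group) and an explicit final deny so drops show up in counters.
FIXED = """
ip access-list extended FrameInbound
 permit eigrp any host 224.0.0.10
 permit ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny ip any any
"""

# action, protocol keyword, (address, wildcard) pairs; 1 bits in the wildcard are don't-care
Ace = namedtuple("Ace", "action proto src dst")

def _addr_spec(tokens: list[str]) -> tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":   # 'host X' is shorthand for 'X 0.0.0.0': every bit must match
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text: str) -> list[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):  # skip the 'ip access-list' header
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _addr_spec(rest)  # source is consumed first, then destination
        aces.append(Ace(action, proto, src, _addr_spec(rest)))
    return aces

def _matches(spec: tuple[int, int], addr: str) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(aces: list[Ace], proto: str, src: str, dst: str) -> tuple[str, int | None]:
    """Top-down, first match wins; no match falls through to the implicit deny (line None)."""
    for n, ace in enumerate(aces, 1):
        if ace.proto in ("ip", proto) and _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action, n
    return "deny", None
```

In the model the hello from 10.0.0.2 to 224.0.0.10 is dropped by the implicit deny rather than by line 1, which matches only a source of exactly 0.0.0.0, so swapping the two original lines alone leaves the hello unmatched while the FIXED list permits it on line 1.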