Could someone help me with an extended access list that I am trying to figure out?
I want my router to only accept various /16 prefixes and deny everything that is greater than /16.
Right now I get these networks: 188.8.131.52/16 184.108.40.206/16 220.127.116.11/24
I am not clear from this post what you are trying to do with an extended access list. The extended access list can be used for multiple purposes including using the extended access list to filter data packets on an interface or using the extended access list to filter routing updates.
If you are trying to filter routing updates then the feature that you want to use is prefix list and not extended access list. If you are trying to filter data packets on an interface then extended access list is what you need to use.
So perhaps you can clarify what you are trying to accomplish?
Thanks for your reply. I am trying to block routing updates.
They are using this for an example when they are trying to only allow 18.104.22.168/8.
access-list 101 permit ip 22.214.171.124 0.255.255.255 255.0.0.0 0.0.0.0
I want an access-list as above that will allow 126.96.36.199/16 and 188.8.131.52/16
but block 184.108.40.206/24 and 220.127.116.11/24
I believe you'd be better served with a prefix list. Consider the following.
If you want any 192.x.x.x network with a subnet between 8 and 16 bits try this:
ip prefix-list tango permit 192.0.0.0/8 le 16
The command reference for 'ip prefix-list' can be found here:
The link that you gave is about filtering routes in BGP. In filtering BGP route updates it does work to use an extended access list. It is not clear what your environment is and whether you are running BGP and whether it is BGP updates that you want to filter.
Even if you do want to filter BGP updates it would be easier to do this with a prefix list. The extended access list was the older method of filtering BGP route updates. Prefix lists are more recent and more powerful. So I suggest that you take a good look at the example given by Chris and at the link that he provides. This would be the better way.
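Added example (not written by any poster in this thread, and not Cisco code): a small Python model of how a prefix list's ge/le length matching decides which routes are accepted, run over Chris's "tango" entry and over constructed sample routes. The second list, "only16", and all the route values are assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network   # the bits that must match
    ge: Optional[int] = None        # minimum prefix length
    le: Optional[int] = None        # maximum prefix length

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # 1) the route must fall inside the entry's prefix
        if not route.subnet_of(self.prefix):
            return False
        # 2) the route's mask length must fall in the allowed range:
        #    no ge/le -> exact length; ge only -> ge..32; le only -> len..le
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.prefix.prefixlen
        return lo <= route.prefixlen <= hi

def parse(line: str) -> Entry:
    # ip prefix-list NAME [seq N] ACTION PREFIX [ge N] [le N]
    body = line.split()[3:]
    if body[0] == "seq":
        body = body[2:]
    opts = body[2:]
    kw = {opts[i]: int(opts[i + 1]) for i in range(0, len(opts), 2)}
    return Entry(body[0], ipaddress.ip_network(body[1]), kw.get("ge"), kw.get("le"))

def evaluate(entries, route: str) -> str:
    net = ipaddress.ip_network(route)
    for entry in entries:           # first matching entry wins
        if entry.matches(net):
            return entry.action
    return "deny"                   # implicit deny at the end of every list

# Entry quoted in the thread.
TANGO = [parse("ip prefix-list tango permit 192.0.0.0/8 le 16")]
# Hypothetical list for "accept only /16s from any network" (name is made up).
ONLY16 = [parse("ip prefix-list only16 permit 0.0.0.0/0 ge 16 le 16")]

if __name__ == "__main__":
    # Constructed sample routes, not taken from the thread.
    for r in ("192.168.0.0/16", "192.168.1.0/24", "192.0.0.0/8", "10.1.0.0/16"):
        print(f"{r:18} tango={evaluate(TANGO, r):6} only16={evaluate(ONLY16, r)}")
```

Note that "tango" also admits /8 through /15 routes under 192.0.0.0/8, while "only16" rejects anything whose length is not exactly 16.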
Thanks for all the help. Thanks for the tip about prefix lists; that was exactly what I needed.
But I also wonder if it is possible to do the same (block BGP updates) with community filtering, so I can block some updates from some communities?