01-19-2009 06:11 AM - edited 03-04-2019 12:53 AM
Is this a valid access list if I want to permit multicast traffic from a particular multicast group while denying the rest?
I want to permit traffic from 226.0.0.0 - 238.255.255.255
"access-list 13 permit 226.0.0.0 12.255.255.255"
01-19-2009 06:57 AM
"access-list 13 permit 226.0.0.0 12.255.255.255"
I think it should be
access-list 13 permit 226.0.0.0 15.255.255.255
01-19-2009 07:03 AM
but it would permit past 238.0.0.0 like 239.0.0.0 and so on
01-19-2009 07:09 AM
"but it would permit past 238.0.0.0 like 239.0.0.0 and so on"
It will just go to 239.255.255.255, not further, but you don't have a perfect block to use one access list. I think you can break it into more access lists to be specific.
01-19-2009 07:01 AM
Your ACL is invalid.
This ACL will work
access-list 13 permit 226.0.0.0 15.255.255.255
This will permit 224.0.0.0 - 239.255.255.255
01-19-2009 07:11 AM
But it will permit all the networks of 239.0.0.0 - 239.255.255.255 also.
I was also thinking
access-list 13 permit 226.0.0.0 7.255.255.255
access-list 13 permit 234.0.0.0 3.255.255.255
01-19-2009 07:41 AM
You can do this
access-list 13 permit 226.0.0.0 1.255.255.255
access-list 13 permit 228.0.0.0 3.255.255.255
access-list 13 permit 232.0.0.0 3.255.255.255
access-list 13 permit 236.0.0.0 1.255.255.255
access-list 13 permit 238.0.0.0 0.255.255.255
First is 226.0.0.0 - 227.255.255.255
Second is 228.0.0.0 - 231.255.255.255
Third is 236.0.0.0 - 237.255.255.255
Fourth is 238.0.0.0 - 238.255.255.255
01-19-2009 07:10 AM
Hello Ryel,
You need to think in binary to build the correct wildcard mask and to see if one entry is enough.
226 = 1110 0010
238 = 1110 1110
But you want to permit 237 or 227 also, that are even,
so the last bit can be 1 in some cases,
so you need to collect common digits.
226 = 1110 0010
227 = 1110 0011
one line 226.0.0.0 1.255.255.255
228 = 1110 0100
229 = 1110 0101
230 = 1110 0110
231 = 1110 0111
one line 228.0.0.0 3.255.255.255
232 = 1110 1000
233 = 1110 1001
234 = 1110 1010
235 = 1110 1011
one line 232.0.0.0 3.255.255.255
236 = 1110 1100
237 = 1110 1101
one line 236.0.0.0 1.255.255.255
238 = 1110 1110
one line 238.0.0.0 0.255.255.255
so you see you need multiple lines
Hope to help
Giuseppe
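Added example, not part of any post in this thread: a Python sketch of the binary grouping worked through in the post above. It splits 226.0.0.0 - 238.255.255.255 into aligned blocks with one wildcard entry each, and lists which first octets a given address/wildcard pair matches. The function names are hypothetical, and the match rule assumed is that wildcard bits set to 1 are ignored while all other bits must equal the entry's address.

```python
import ipaddress

def range_to_acl(first, last, acl=13):
    """Cover an inclusive IPv4 range with aligned blocks, one permit line each."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    # hostmask is the inverse of the netmask, i.e. the wildcard for that block
    return [f"access-list {acl} permit {b.network_address} {b.hostmask}"
            for b in blocks]

def wildcard_match(base, wildcard, addr):
    """Assumed rule: wildcard bits set to 1 are ignored, the rest must equal base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def first_octets_matched(base, wildcard):
    """First octets an entry matches (meaningful when the wildcard ends in .255.255.255)."""
    return [o for o in range(256) if wildcard_match(base, wildcard, f"{o}.0.0.0")]

if __name__ == "__main__":
    for line in range_to_acl("226.0.0.0", "238.255.255.255"):
        print(line)
    # The two single-line candidates discussed in the thread
    for wc in ("12.255.255.255", "15.255.255.255"):
        print(wc, first_octets_matched("226.0.0.0", wc))
```
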
01-19-2009 08:31 AM
I believe that there is an important aspect of this that has not yet been addressed. Ryel phrases his requirement as being traffic from a multicast group but the multicast address would be the destination address. Multicast traffic is traffic from a unicast source to a multicast group. A standard access list such as access list 13 can only check the source address. If Ryel wants to restrict traffic to particular multicast groups then the access list needs to be an extended access list so that it can check the destination address.
HTH
Rick
01-19-2009 10:20 AM
Hello Rick,
Thanks for pointing out the most important aspect: I thought it was an ACL to use with an RP, not to filter traffic. You are right, in that case an extended ACL has to be used with destination field = multicast group.
Best Regards
Giuseppe