ACL problem

StanDamen
Level 1

I'm trying to define ACLs for use in policy-based routing.

The problem is I need to specify 2 ACLs:

one that puts traffic from 10.5.0.1 to 10.5.0.6 destination 172.17.0.0/24 through hop 10.4.0.1

and another that puts 10.5.0.7 to 10.5.0.12 destination 172.17.0.0/24 through hop 10.4.0.2

How do I do this with ACLs? I did:

access-list 101 permit ip 10.5.0.1 0.0.0.7 172.17.0.0 0.0.0.255

access-list 102 permit ip 10.5.0.7 0.0.0.7 172.17.0.0 0.0.0.255

Both result in the ACL:

access-list 102 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255

Any idea how to do this?

Following are the route-maps:

route-map customers permit 1

match ip address 101

set ip next-hop 10.4.0.1

route-map customers permit 2

match ip address 102

set ip next-hop 10.4.0.2

Thanks in advance!

5 Replies

Ganesh Hariharan
VIP Alumni

Hi,

You want two separate networks to flow with separate next hops? If yes, try with these ACLs and share the results:


access-list 101 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255

access-list 101 permit ip 10.5.0.7 255.255.255.255 172.17.0.0 0.0.0.255

access-list 102 permit ip 10.5.0.8 0.0.0.7 172.17.0.0 0.0.0.255

Also check out the link below on PBR for more information:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi Ganesh!

It gave me this result:

access-list 101 permit ip 10.5.0.0 0.0.0.7 172.17.0.0 0.0.0.255
access-list 101 permit ip any 172.17.0.0 0.0.0.255
access-list 102 permit ip 10.5.0.8 0.0.0.7 172.17.0.0 0.0.0.255

Which is not precisely what I wanted, but at least 10.5.0.8 0.0.0.7 is now shown.

It should start at 10.5.0.7 though.

The second line pretty much negates the other lines, so that needs changing. However, if I remove it (no access-list 101 permit ip any 172.17.0.0 0.0.0.255) it removes the entire access list.

Is there any other way?

Hi,

If you see my previous post, in the first line hosts 1 to 6 will come, and the second line was for a single host, that is 10.5.0.7, and ACL 102 is for network 10.0.5.8/29.

Ganesh.H

Yes, but this:

access-list 101 permit ip 10.5.0.7 255.255.255.255 172.17.0.0 0.0.0.255

gives this in show run:

access-list 101 permit ip any 172.17.0.0 0.0.0.255

Which means access list 102 will never apply to anything, will it? Since "any" covers everything.

Thanks!

Hi,

It's really strange. Can you try one of the options below:

1) Try configuring a named extended ACL and type the first network, and then a second line with permit ip host 10.5.0.7 172.17.0.0 0.0.0.255

or

2) Try configuring 3 ACLs: one for hosts 1 to 6, one for host 7, and lastly one for hosts 8 to 14

HTH

Ganesh.H
