So finally...the moment has arrived when I am gonna reveal this gotcha of my ACL filtering post. Today I am just gonna post the solution of my previous post...although you can see the solution, I am still giving you some more time to figure out why it's the correct solution. So many CCNPs and CCNAs went through this post and were not able to figure out the correct solution. So for them I'll soon reveal the dilemma of calculating ACL Wildcard Masks...
So Stay tuned and Enjoy the solution...happy studying :)
Best Regards,
Deepak Arora
CCIE#XXXXX...Oops that number is still missing :)
---------------------------
R1#sh run
Building configuration...
Current configuration : 943 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
ip address 10.0.0.1 255.255.255.0
!
interface Serial0/0
ip address 1.1.1.1 255.255.255.252
ip access-group 101 in
no ip unreachables
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 100
network 0.0.0.0
no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
access-list 101 deny ip 192.168.0.0 0.0.6.255 any log-input
access-list 101 permit ip any any log-input
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
R1#
R1#
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/30 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Serial0/0
D 192.168.4.0/24 [90/2297856] via 1.1.1.2, 00:22:38, Serial0/0
D 192.168.5.0/24 [90/2297856] via 1.1.1.2, 00:22:21, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Loopback1
D 192.168.6.0/24 [90/2297856] via 1.1.1.2, 00:22:08, Serial0/0
D 192.168.7.0/24 [90/2297856] via 1.1.1.2, 00:19:10, Serial0/0
D 192.168.0.0/24 [90/2297856] via 1.1.1.2, 00:23:26, Serial0/0
D 192.168.1.0/24 [90/2297856] via 1.1.1.2, 00:23:13, Serial0/0
D 192.168.2.0/24 [90/2297856] via 1.1.1.2, 00:23:00, Serial0/0
D 192.168.3.0/24 [90/2297856] via 1.1.1.2, 00:22:48, Serial0/0
R1#
------------------------------------------------------------------
R2#sh run
Building configuration...
Current configuration : 1216 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
ip address 192.168.3.1 255.255.255.0
!
interface Loopback4
ip address 192.168.4.1 255.255.255.0
!
interface Loopback5
ip address 192.168.5.1 255.255.255.0
!
interface Loopback6
ip address 192.168.6.1 255.255.255.0
!
interface Serial0/0
ip address 1.1.1.2 255.255.255.252
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 100
network 0.0.0.0
no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
R2#
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/30 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Serial0/0
C 192.168.4.0/24 is directly connected, Loopback4
C 192.168.5.0/24 is directly connected, Loopback5
10.0.0.0/24 is subnetted, 1 subnets
D 10.0.0.0 [90/2297856] via 1.1.1.1, 00:26:49, Serial0/0
C 192.168.6.0/24 is directly connected, Loopback6
C 192.168.7.0/24 is directly connected, Loopback7
C 192.168.0.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Loopback1
C 192.168.2.0/24 is directly connected, Loopback2
C 192.168.3.0/24 is directly connected, Loopback3
R2#
R2#ping 10.0.0.1 sou loop0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
.....
Success rate is 0 percent (0/5)
R2#
R2#ping 10.0.0.1 sou loop1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/36/80 ms
R2#
-------------------------------------------------------------------
Hmmm ...I used Loopback 1 on R1 to emulate its Ethernet segment :). Also, on R2 I configured Loopback 8 to make sure the rest of the even subnets can still reach R1.
One more thing...I disabled IP unreachables on S0/0 of R1 so that even if a ping sent by R2 fails, you won't see the Unreachable message which normally appears as U.U.U.... and so on. That feature lets evil minds find out that an ACL is blocking the traffic. But what if they don't see U messages...hmmm ....then they don't know what's blocking the ping on the other side :)
R2(config)#do sh run int lo8
Building configuration...
Current configuration : 65 bytes
!
interface Loopback8
ip address 192.168.8.1 255.255.255.0
end
R2(config)#do ping 10.0.0.1 sou lo8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/64 ms
-------------------------------------------------------------------
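To make the wildcard arithmetic behind the gotcha visible, here is an added example (my own code, not from the original post) that evaluates ACL 101 from R1's config the way IOS does, bit by bit: a 1 bit in the wildcard is "don't care", a 0 bit must match the network address. The names wildcard_match, acl_action and denied_third_octets are my own helpers; the ACL entries are copied from the R1 config above.

```python
# Added example: Cisco-style wildcard mask evaluation for
# "access-list 101 deny ip 192.168.0.0 0.0.6.255 any".
# 0.0.6.255 -> third octet wildcard 00000110: only bits 1 and 2 are
# "don't care", so third octets 0, 2, 4 and 6 match and 8 does not.
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network/wildcard (wildcard 1 = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)


# ACL 101 from R1, in order: (action, network, wildcard).
ACL_101 = [
    ("deny", "192.168.0.0", "0.0.6.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # "any"
]


def acl_action(src: str, acl=ACL_101) -> str:
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def denied_third_octets(network="192.168.0.0", wildcard="0.0.6.255"):
    """Which 192.168.X.0/24 subnets does the deny line actually cover?"""
    return [x for x in range(256)
            if wildcard_match(f"192.168.{x}.1", network, wildcard)]


if __name__ == "__main__":
    # Sources used in the pings above: loop0, loop1 and loop8 on R2.
    for src in ("192.168.0.1", "192.168.1.1", "192.168.8.1"):
        print(src, "->", acl_action(src))
    print("third octets caught by deny:", denied_third_octets())  # [0, 2, 4, 6]
```

Running it shows why loop0 fails and loop1 and loop8 succeed: the deny line is not "all even subnets" but exactly 192.168.0.0, .2.0, .4.0 and .6.0, because a non-contiguous wildcard only releases the bits that are set in it.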