Friday, October 2, 2009

Filtering ALL Even Subnets With Single ACL....Solution

So finally...the moment has arrived when I am gonna reveal this gotcha of my ACL filtering post. Today I am just gonna post the solution to my previous post...although you can see the solution, I am still giving you some more time to figure out why it's the correct solution. So many CCNPs and CCNAs went through this post and were not able to figure out the correct solution. So for them I'll soon reveal the dilemma of calculating ACL Wildcard Masks...

So Stay tuned and Enjoy the solution...happy studying :)

Best Regards,
Deepak Arora
CCIE#XXXXX...Oops that number is still missing :)

---------------------------
R1#sh run
Building configuration...

Current configuration : 943 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.252
 ip access-group 101 in
 no ip unreachables
 serial restart-delay 0
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 100
 network 0.0.0.0
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
access-list 101 deny   ip 192.168.0.0 0.0.6.255 any log-input
access-list 101 permit ip any any log-input
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

R1#
R1#
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/30 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Serial0/0
D    192.168.4.0/24 [90/2297856] via 1.1.1.2, 00:22:38, Serial0/0
D    192.168.5.0/24 [90/2297856] via 1.1.1.2, 00:22:21, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Loopback1
D    192.168.6.0/24 [90/2297856] via 1.1.1.2, 00:22:08, Serial0/0
D    192.168.7.0/24 [90/2297856] via 1.1.1.2, 00:19:10, Serial0/0
D    192.168.0.0/24 [90/2297856] via 1.1.1.2, 00:23:26, Serial0/0
D    192.168.1.0/24 [90/2297856] via 1.1.1.2, 00:23:13, Serial0/0
D    192.168.2.0/24 [90/2297856] via 1.1.1.2, 00:23:00, Serial0/0
D    192.168.3.0/24 [90/2297856] via 1.1.1.2, 00:22:48, Serial0/0
R1#
------------------------------------------------------------------
R2#sh run
Building configuration...

Current configuration : 1216 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!
interface Loopback4
 ip address 192.168.4.1 255.255.255.0
!
interface Loopback5
 ip address 192.168.5.1 255.255.255.0
!
interface Loopback6
 ip address 192.168.6.1 255.255.255.0
!
interface Serial0/0
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 0
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 100
 network 0.0.0.0
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

R2#
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/30 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Serial0/0
C    192.168.4.0/24 is directly connected, Loopback4
C    192.168.5.0/24 is directly connected, Loopback5
     10.0.0.0/24 is subnetted, 1 subnets
D       10.0.0.0 [90/2297856] via 1.1.1.1, 00:26:49, Serial0/0
C    192.168.6.0/24 is directly connected, Loopback6
C    192.168.7.0/24 is directly connected, Loopback7
C    192.168.0.0/24 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Loopback1
C    192.168.2.0/24 is directly connected, Loopback2
C    192.168.3.0/24 is directly connected, Loopback3
R2#
R2#ping 10.0.0.1 sou loop0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
.....
Success rate is 0 percent (0/5)
R2#
R2#ping 10.0.0.1 sou loop1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/36/80 ms
R2#
-------------------------------------------------------------------
Hmmm...I used Loopback 1 on R1 to emulate its Ethernet segment :). Also, on R2 I configured Loopback 8 to make sure the rest of the even subnets can reach R1.

One more thing...I disabled IP Unreachables on S0/0 of R1 so that even if the pings sent by R2 fail, you won't see the Unreachable message which normally appears as U.U.U.... and so on. This feature allows evil minds to find out that an ACL is blocking the traffic. But what if they don't see U messages...hmmm....then they don't know what's blocking the ping on the other side :)

R2(config)#do sh run int lo8
Building configuration...

Current configuration : 65 bytes
!
interface Loopback8
 ip address 192.168.8.1 255.255.255.0
end

R2(config)#do ping 10.0.0.1 sou lo8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/64 ms
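To see why `access-list 101 deny ip 192.168.0.0 0.0.6.255 any` blocks the Loopback 0 ping but lets Loopback 1 and Loopback 8 through, it helps to evaluate the wildcard mask bit by bit rather than reading it as a subnet mask. The following Python is an added example written for this post; it is not the author's code or anything from IOS. It implements Cisco wildcard semantics (a 0 bit in the wildcard must equal the base address, a 1 bit is don't-care) and walks ACL 101 first-match with the implicit deny at the end. The function names are mine, and the `0.0.254.255` wildcard in the last function is my generalization to every even third octet in 192.168.0.0/16, which goes beyond the 0-7 range the post tests. `log-input` and the disabled `ip unreachables` are not modelled.

```python
import ipaddress

# ACL 101 from the post, expressed as (action, base, wildcard). "any" is 0.0.0.0 255.255.255.255.
ACL_101 = [
    ("deny",   "192.168.0.0", "0.0.6.255"),
    ("permit", "0.0.0.0",     "255.255.255.255"),
]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(base: str, wildcard: str, addr: str) -> bool:
    """Cisco wildcard test: only the bits where the wildcard is 0 have to agree with the base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF          # 1 = must match, 0 = don't care
    return (_to_int(addr) & care) == (_to_int(base) & care)


def acl_action(acl, src: str) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_matches(base, wildcard, src):
            return action
    return "deny"


def matched_third_octets(base: str, wildcard: str):
    """List every third-octet value X for which <o1>.<o2>.X.0 matches base/wildcard.

    Enumerating all 256 candidates shows that a wildcard can select a non-contiguous
    set of subnets, which is the gotcha behind 0.0.6.255.
    """
    o1, o2, _, _ = base.split(".")
    return [x for x in range(256) if wildcard_matches(base, wildcard, f"{o1}.{o2}.{x}.0")]


def even_third_octet_wildcard() -> str:
    """Wildcard that matches *all* even third octets under 192.168.0.0 (my generalization):
    254 = 0b11111110 leaves only bit 0 of the third octet as 'must be 0', i.e. even."""
    return "0.0.254.255"


if __name__ == "__main__":
    # Sources used by the pings in the post (constructed from the loopback addresses shown).
    for src in ("192.168.0.1", "192.168.1.1", "192.168.8.1"):
        print(f"{src:<14} -> {acl_action(ACL_101, src)}")
    print("0.0.6.255 matches third octets:", matched_third_octets("192.168.0.0", "0.0.6.255"))
    print("0.0.254.255 matches third octets:",
          matched_third_octets("192.168.0.0", even_third_octet_wildcard()))
```

Reading the wildcard as binary explains the results on the page: 6 is `00000110`, so bits 1 and 2 of the third octet may be anything while bit 0 and bits 3-7 must stay 0, which selects exactly 192.168.0.0, 2.0, 4.0 and 6.0. 192.168.8.0 sets bit 3, so it falls through to the `permit ip any any` entry, which is why the Loopback 8 ping succeeds. Running this kind of enumeration before applying an ACL is a cheap way to confirm that a "clever" mask covers precisely the subnets you intend and nothing else.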
-------------------------------------------------------------------