Friday, September 25, 2009

Filtering ALL Even Subnets With Single ACL


These days I am quite busy with my job schedule which is keeping me away from studies & blog.

Anyway... today let's play around with some ACLs. I know many people who think that they know ACL stuff very well, but actually that's not the case, especially if they are given a task like the one shown in the diagram here. The challenge is the following:

R2 has plenty of networks to advertise to R1 using EIGRP. The administrator of R1 wants only the odd network subnets of R2, such as 192.168.1.0/24, 192.168.3.0/24, etc., to be able to reach the LAN segment of R1, and all even subnets should not be able to do that. For that you are only allowed to use a single ACL entry... and don't use object groups either (if you really know what they are :-) )

So good luck to all of you * R1 Admins :-) * I will post the solution and some more ACL details soon.

Happy Studying...

Regards,
Deepak Arora

3 comments:

Mohan.Jeerankalagi said...

Hi Deepak,

Here is the configuration I set on Router R1. In the thread you've mentioned only one ACL entry; however, I didn't find another option to meet the goal without having a second ACL entry. Please do let me know if you have another solution for this.

R1#show run | s eigrp
router eigrp 100
network 1.1.1.0 0.0.0.3
distribute-list 10 in
auto-summary
R1#show run | s access-l
access-list 10 deny 192.168.0.0 0.0.6.255
access-list 10 permit any
R1#show ip route | in 192.168.
D 192.168.5.0/24 [90/2297856] via 1.1.1.2, 00:02:08, Serial0/0
D 192.168.1.0/24 [90/2297856] via 1.1.1.2, 00:02:08, Serial0/0
D 192.168.3.0/24 [90/2297856] via 1.1.1.2, 00:02:08, Serial0/0
R1#

Deepak Arora said...

Newer versions of IOS allow ACL object groups as well.

http://ccie-in-3-months.blogspot.in/2008/07/object-groups-for-acls-at-last.html

Robin de Vente said...

(Old post, yes I know... ;-))

@Mohan.Jeerankalagi What you are doing above is also denying the even routes to R1. In my opinion the question states that it is not allowed for even routes to reach the LAN segment of R1. So, I think it is not a problem when the even routes exist on R1, but the problem is that they are not allowed on R3. It's a little bit hard to test because R3 is not participating in routing, but if you enable routing on R3 for the test, add int f0/0 to the EIGRP routing process, and change your distribute-list on R1 from in to out, it should be OK.

My config:
R1
router eigrp 100
distribute-list 1 out
network 1.1.1.1 0.0.0.0
network 10.0.0.1 0.0.0.0
!
access-list 1 permit 192.168.1.0 0.0.6.255
!
R1#sh ip route

1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/30 is directly connected, Serial1/0
L 1.1.1.1/32 is directly connected, Serial1/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Ethernet0/0
L 10.0.0.1/32 is directly connected, Ethernet0/0
D 192.168.0.0/24 [90/2297856] via 1.1.1.2, 00:14:39, Serial1/0
D 192.168.1.0/24 [90/2297856] via 1.1.1.2, 00:14:43, Serial1/0
D 192.168.2.0/24 [90/2297856] via 1.1.1.2, 00:14:39, Serial1/0
D 192.168.3.0/24 [90/2297856] via 1.1.1.2, 00:14:43, Serial1/0
D 192.168.4.0/24 [90/2297856] via 1.1.1.2, 00:14:39, Serial1/0
D 192.168.5.0/24 [90/2297856] via 1.1.1.2, 00:14:43, Serial1/0
D 192.168.6.0/24 [90/2297856] via 1.1.1.2, 00:14:39, Serial1/0


R3
router eigrp 100
network 10.0.0.2 0.0.0.0
!
R3#sh ip route

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Ethernet0/0
L 10.0.0.2/32 is directly connected, Ethernet0/0
D 192.168.1.0/24 [90/2323456] via 10.0.0.1, 00:02:16, Ethernet0/0
D 192.168.3.0/24 [90/2323456] via 10.0.0.1, 00:02:16, Ethernet0/0
D 192.168.5.0/24 [90/2323456] via 10.0.0.1, 00:02:16, Ethernet0/0

@deepak I also read your solution. What do you think of my interpretation of your question and this solution?
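To see exactly which prefixes the wildcard masks in the comments above match, here is an added Python example (not part of the original post or of any commenter's configuration) that applies Cisco wildcard-mask matching to a constructed list of subnets R2 might advertise. It also goes one step beyond the 0.0.6.255 mask used above: that mask only matches third octets 1, 3, 5 and 7, while 0.0.254.255 (an assumed generalisation, not from the page) matches every odd third octet.

```python
import ipaddress


def wildcard_match(address: str, acl_network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit in the wildcard means the
    address bit must equal the ACL network bit; a 1 bit means 'don't care'.
    Contrast with a subnet mask, where 1 bits are the ones that must match."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(acl_network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def matched_subnets(subnets, acl_network: str, wildcard: str):
    """Return the subnets (as 'network/len' strings) that the ACL entry
    'acl_network wildcard' matches. Whether that means permit or deny
    depends on the keyword in front of the entry, as in the two comments."""
    return [s for s in subnets
            if wildcard_match(s.split("/")[0], acl_network, wildcard)]


# Constructed sample: 192.168.0.0/24 through 192.168.9.0/24, standing in
# for the networks R2 advertises via EIGRP (the page only shows .0 to .6).
SAMPLE = [f"192.168.{i}.0/24" for i in range(10)]

if __name__ == "__main__":
    # Robin's entry: permit 192.168.1.0 0.0.6.255 -> third octet 1,3,5,7 only
    print(matched_subnets(SAMPLE, "192.168.1.0", "0.0.6.255"))
    # Mohan's entry: deny 192.168.0.0 0.0.6.255 -> third octet 0,2,4,6 only
    print(matched_subnets(SAMPLE, "192.168.0.0", "0.0.6.255"))
    # Assumed generalisation: 0.0.254.255 only pins the lowest bit of the
    # third octet, so every odd third octet (1..255) is matched.
    print(matched_subnets(SAMPLE, "192.168.1.0", "0.0.254.255"))
```

Note that 192.168.8.0/24 and 192.168.9.0/24 fall through both 0.0.6.255 entries, so with the configurations in the comments they would hit the implicit deny or the explicit permit any depending on which ACL is in use.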