• Using the minimum amount of ACL lines, allow access to R1 from the Loopback0 subnets of R2 through R6 that have an even 3rd octet.
• Deny access from any other “150.X.0.0/16” subnets.
• Any hosts from the “155.X.0.0/16” subnets should still be able to reach R1.
• Apply the access-list inbound on all interfaces of R1.
Configuration
R1:
access-list 1 permit 150.1.0.0 0.0.6.255 access-list 1 permit 155.1.0.0 0.0.255.255
!
interface FastEthernet 0/0 ip access-group 1 in
!
interface Serial 0/1 ip access-group 1 in
!
interface Serial 0/0 ip access-group 1 in
Verification
Note
Standard ACLs only allow you to match source IP addresses based on “base” IP address and wildcard mask. Because of that “aggregate” behavior, standard ACLs are commonly configured at network nodes close to the “protected” object.
One very common task is finding a required “base” IP address and wildcard mask pair based on set of requirements. Let us look at three different examples to illustrate how they could be solved.
Example 1 (the task):
Configure the IP/Wildcard Mask pair to match IP addresses in subnets
155.1.Y.0/24 where Y is an even number and is greater than or equal to 1 and less than or equal to 6.
Note that the 4th octet of the subnets may take any value from 0 to 255, so we just set the corresponding part of the wildcard mask to 255 (all 1’s).
Step 1:
We start by finding the fixed part of the subnets range. Since Y changes from 1 to 6, only the last 3 bits of the 3rd octet may vary. Thus, the topmost 6 bits of Y are fixed at zero. For the fixed part of the base IP address, we set wildcard bits to zeroes (meaning it does not change). Now write down all possible values that Y may take:
2=00000010 4=00000100 6=00000110 Step 2:
Find the part of the “bit-vector” that changes between different values. In this case, this part contains bits 1 and 2 (counting from the right and starting at zero).
Create a mask vector, putting 1’s in the positions where bit values in data vectors may change:
m=00000110=6
Essentially, this is the wildcard mask for the third octet.
Step 3:
Take into account the extra values covered by the mask. Note that the mask always cover 2^N values, where N is the number of 1’s in the mask. In our case, we had three values, but the mask contains two non-zero bits resulting in four possible values. Effectively, our wildcard mask cover one extra bit vector:
0=00000000
Strictly speaking you may need a special ACL entry to deny the corresponding subnet. However, in our topology, there is no router with subnet 155.1.0.0/24, so you may ignore this extra value.
Step 4:
Compute the “base” 3rd octet value, taking the common part of all the bit vectors.
Effectively you may do so by performing a logical bitwise AND over all values:
2 AND 4 AND 6 = 0.
Thus the resulting IP and Wildcard Mask pair is:
155.1.0.0 0.0.6.255
The resulting ACL may look like:
deny 155.1.0.0 0.0.0.255 permit 155.1.0.0.6.255
Note that the first line is NOT necessary in our case.
Example 2:
Configure the IP/Wildcard Mask pair to match IP addresses in subnets
155.1.Y.0/24 where Y is an odd number and is greater than or equal to 1 and less than or equal to 6.
Note that the 4th octet of the subnets may take any value from 0 to 255, so we just set the corresponding part of the wildcard mask to 255 (all 1’s).
Step 1:
We start by finding the fixed part of the subnets range. Since Y changes from 1 to 6, only the last 3 bits of the 3rd octet may vary. Thus, the topmost 6 bits of Y are fixed to zero. For the fixed part of the base IP address, we set wildcard bits to zeroes (meaning it does not change). Now write down all possible values that Y may take:
1=00000001 3=00000011 5=00000101 Step 2:
Find the part of the “bit-vector” that changes between the different values. In this case, this part contains bits 1 and 2 (counting from the right and starting at zero).
The zero bit is fixed to “1”. Create a mask vector, putting 1’s in the positions where bit values in data vectors may change:
m=00000110=6
Essentially, this is the wildcard mask for the third octet.
Step 3:
Take into account the extra values covered by the mask. Note that the mask always cover 2^N values where N is the number of 1’s in the mask. In our case, we had three values, but the mask contains two non-zero bits resulting in four possible values. Effectively, our wildcard mask covers one extra bit vector:
7=00000111
Strictly speaking we need a special ACL entry to deny the corresponding subnet, since it is a part of our topology.
Step 4:
Compute the “base” 3rd octet value using the common part of all the bit vectors.
Effectively, you may do so by performing a logical bitwise AND over all the values:
1 AND 3 AND 5 = 1.
Thus the resulting IP and wildcard mask pair is:
155.1.1.0 0.0.6.255
and the resulting ACL looks like:
deny 155.1.7.0 0.0.0.255 permit 155.1.1.0 0.0.6.255
In cases where octet values are widely separated, the resulting ACL may contain too many “deny” statements and it may be more effective to use just the entries matching specific values. In our case, the resulting ACL needs to also permit the 155.1.0.0/16 subnet as well.
Note that standard ACLs do not allow you to specify the protocol values and effectively permit any IP protocol for matching sources. The general use of standard ACLs is route filtering and prefix matching in routing protocol
configuration. Note that standard ACLs may be named as well as numbered (1-99).
To verify your configuration, first make sure that the IP access list applies to the interfaces:
Rack1R1#sh ip interface serial 0/0 | inc acce Outgoing access list is not set
Inbound access list is 1
IP access violation accounting is disabled
Rack1R1#sh ip interface serial 0/1 | inc acce Outgoing access list is not set
Inbound access list is 1
IP access violation accounting is disabled
Rack1R1#sh ip interface FastEthernet 0/0 | inc acce Outgoing access list is not set
Verify that you can only reach R1 from the Loopbacks of R2, R4 and R6:
Rack1R2#ping 150.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/86/88 ms Rack1R3#ping 155.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.3.3 ...
Success rate is 0 percent (0/5)
Rack1R4#ping 150.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms Rack1R5#ping 150.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5 U.U.U
Success rate is 0 percent (0/5)
Rack1R6#ping 150.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms Rack1SW1#ping 150.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.7.7 UU.UU
Success rate is 0 percent (0/5)
Rack1SW2#ping 150.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.8.8 .U.U.
Success rate is 0 percent (0/5)