acl: challenge part 1 – odd and even access-list matches

ACL – Challenge Part 1

A) Write a standard ACL that matches all prefixes where the second OCTET is ODD.

B) Write a standard ACL that matches all prefixes where the second OCTET is EVEN.

A) Okay, so we need to match everything where the second OCTET is ODD. First conclusion: we don't care about OCTETS 1, 3 and 4.
The ACL consists of an IP address and a wildcard mask. In the wildcard mask we state which bits we don't care about.


IP: ?.?.?.?
WC: 255.?.255.255 (don't care means the bit is "1")

So let's take a look at the second OCTET. We want all ODD numbers. The OCTET consists of 8 bits with the values 128, 64, 32, 16, 8, 4, 2 and 1. The "1" is the important one: no matter which of the other values we add together, e.g. 128+32+8 = 168, the result is always EVEN unless the "1" is added. So we need to CARE about the "1" bit in the second OCTET.

This means the bit order has to look like this (1 means don't care, 0 means care):


(128) 1 1 1 1 1 1 1 0 (1)

This results in the following Wildcard…


IP: ?.?.?.?
WC: 255.254.255.255

Now which IP address should we choose? We want the bit of the second OCTET that stands for the 1 to be cared about (that's what we set with the WC mask)

AND to be set to "1" in the IP address. So we need to change the IP address to 0.1.0.0.


IP: 0.1.0.0
WC: 255.254.255.255


access-list 50 permit 0.1.0.0 255.254.255.255

B) To do the same with EVEN numbers in the 2nd OCTET we just need to modify the existing ACL. The EVEN ACL is the same as the ODD ACL with one small difference. The ODD ACL cares about the last bit AND requires it to be set to "1", because when the "1" is added to the octet's sum the number is always odd. Now we change it so that we still CARE about that bit, but require it to be "0": if the bit for the "1" is always zero, the resulting number is always even.


IP: 0.0.0.0
WC: 255.254.255.255

access-list 51 permit 0.0.0.0 255.254.255.255

Let's test it with a BGP connection. We have a router that is receiving 4 subnets: two with even and two with odd numbers in the second OCTET.


R2#sh ip bgp
BGP table version is 13, local router ID is 172.16.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/24 172.16.0.1 0 0 1 i
*> 10.2.0.0/24 172.16.0.1 0 0 1 i
*> 10.3.0.0/24 172.16.0.1 0 0 1 i
*> 10.4.0.0/24 172.16.0.1 0 0 1 i

Now let's activate ACL 50 first as an inbound distribute-list (distribute-list ... in).


R2(config)#access-list 50 deny 0.1.0.0 255.254.255.255
R2(config)#access-list 50 permit any
!
R2(config)#router bgp 2
R2(config-router)#neighbor 172.16.0.1 distribute-list 50 in
R2(config-router)#do clear ip bgp * soft

We should only see EVEN networks because we DENY the ODD ones:


R2#sh ip bgp
BGP table version is 15, local router ID is 172.16.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.2.0.0/24 172.16.0.1 0 0 1 i
*> 10.4.0.0/24 172.16.0.1 0 0 1 i

Looks good. Same with ACL 51.


R2(config)#access-list 51 deny 0.0.0.0 255.254.255.255
R2(config)#access-list 51 permit any
!
R2(config)#router bgp 2
R2(config-router)#neighbor 172.16.0.1 distribute-list 51 in
R2(config-router)#do clear ip bgp * soft


R2#sh ip bgp
BGP table version is 19, local router ID is 172.16.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/24 172.16.0.1 0 0 1 i
*> 10.3.0.0/24 172.16.0.1 0 0 1 i
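To check the wildcard logic without a lab, here is an added Python model of the standard-ACL match (not part of the original post, and not IOS code). It applies ACL 50 and ACL 51 from above to the four constructed BGP prefixes and also brute-forces all 256 values of the second octet to confirm that 0.1.0.0 255.254.255.255 matches exactly the odd ones. The entry list format and the "permit any" encoding (0.0.0.0 255.255.255.255) are my assumptions.

```python
import ipaddress

def wildcard_match(prefix: str, acl_addr: str, wildcard: str) -> bool:
    """Standard-ACL match: a wildcard bit of 1 means 'don't care',
    a wildcard bit of 0 means the prefix bit must equal the ACL address bit."""
    p = int(ipaddress.IPv4Address(prefix))
    a = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # invert the wildcard: 1 = compare this bit
    return (p & care) == (a & care)

def acl_action(entries, network: str) -> str:
    """First matching entry wins; no match hits the implicit deny at the end."""
    for action, addr, wc in entries:
        if wildcard_match(network, addr, wc):
            return action
    return "deny"

def apply_acl(entries, prefixes):
    """Return the prefixes a distribute-list with this ACL would let through."""
    return [p for p in prefixes if acl_action(entries, p.split("/")[0]) == "permit"]

# ACL 50 / 51 as configured on R2 in the post; "permit any" is 0.0.0.0 255.255.255.255
ACL50 = [("deny", "0.1.0.0", "255.254.255.255"), ("permit", "0.0.0.0", "255.255.255.255")]
ACL51 = [("deny", "0.0.0.0", "255.254.255.255"), ("permit", "0.0.0.0", "255.255.255.255")]

# Constructed copy of the four prefixes R2 receives from 172.16.0.1
BGP_TABLE = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24"]

def odd_second_octet_set(acl_addr="0.1.0.0", wildcard="255.254.255.255"):
    """All second-octet values 0..255 that the ODD wildcard entry matches."""
    return [o for o in range(256) if wildcard_match(f"10.{o}.0.0", acl_addr, wildcard)]

if __name__ == "__main__":
    print("ACL 50 (deny odd):", apply_acl(ACL50, BGP_TABLE))   # ['10.2.0.0/24', '10.4.0.0/24']
    print("ACL 51 (deny even):", apply_acl(ACL51, BGP_TABLE))  # ['10.1.0.0/24', '10.3.0.0/24']
    print("matched odd octets:", odd_second_octet_set()[:5], "...")
```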

Have fun with it and feel free to comment!


About markus.wirth

Living near Limburg in Germany, working as a Network Engineer around Frankfurt am Main.
This entry was posted in ACL.

One Response to acl: challenge part 1 – odd and even access-list matches

  1. sheno says:

    hope 4 u success 4 ever dear bro.
