Monday, March 4, 2013

Lab 217 - ACL Complex Matching

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
On SW1 configure the following Loopback interfaces:
  • Lo1: 182.17.77.7/24
  • Lo2: 182.81.77.7/24
  • Lo3: 190.17.73.7/24
  • Lo4: 190.81.73.7/24
  • Lo5: 190.81.77.7/24
  • Lo6: 182.17.73.7/24
  • Lo7: 182.81.73.7/24
  • Lo8: 190.17.77.7/24
 Advertise the loopback subnets above into EIGRP.

Task 2
Configure ACL packet filtering on R1 so that the source 10.0.5.0/24 (R5's Lo0) cannot have connectivity to the subnets configured in Task 1. Use only two ACL statements to accomplish the task.

Solution

Task 1
On SW1 configure the following Loopback interfaces:
  • Lo1: 182.17.77.7/24
  • Lo2: 182.81.77.7/24
  • Lo3: 190.17.73.7/24
  • Lo4: 190.81.73.7/24
  • Lo5: 190.81.77.7/24
  • Lo6: 182.17.73.7/24
  • Lo7: 182.81.73.7/24
  • Lo8: 190.17.77.7/24
 Advertise the loopback subnets above into EIGRP.

SW1 Config:
!
int Lo1
ip address 182.17.77.7 255.255.255.0
!
int Lo2
ip address 182.81.77.7 255.255.255.0
!
int Lo3
ip address 190.17.73.7 255.255.255.0
!
int Lo4
ip address 190.81.73.7 255.255.255.0
!
int Lo5
ip address 190.81.77.7 255.255.255.0
!
int Lo6
ip address 182.17.73.7 255.255.255.0
!
int Lo7
ip address 182.81.73.7 255.255.255.0
!
int Lo8
ip address 190.17.77.7 255.255.255.0
!

router eigrp 1
 network 10.0.7.7 0.0.0.0
 network 172.16.27.7 0.0.0.0
 network 182.0.0.0 0.255.255.255
 network 190.0.0.0 0.255.255.255
 no auto-summary
!


Task 2
Configure ACL packet filtering on R1 so that the source 10.0.5.0/24 (R5's Lo0) cannot have connectivity to the subnets configured in Task 1. Use only two ACL statements to accomplish the task.

Pic. 2 - Routing Table of R1 (loopbacks advertised).
R1 Config:
!
access-list 100 deny ip 10.0.5.0 0.0.0.255 182.17.73.0 8.64.4.255
access-list 100 permit ip any any

!
interface FastEthernet0/1
 ip address 172.16.215.1 255.255.255.0
 ip access-group 100 in
 speed 100
 full-duplex
!



Explanation:

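Write octets 1-3 of the eight subnets in binary and find the bits that change between them; those bits, together with the entire host octet, are the "don't care" bits of the wildcard mask. Each of the first three octets takes only two values that differ in a single bit: 182/190 differ in the bit worth 8, 17/81 in the bit worth 64, and 73/77 in the bit worth 4. That gives the wildcard 8.64.4.255, and three free bits produce exactly 2^3 = 8 combinations, which are the eight loopback subnets from Task 1.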

Pic. 3 - Wildcard Mask.
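
The bit comparison above can be checked mechanically. The following Python sketch is an added example, not part of the original lab; the function names are hypothetical. It derives the base address and wildcard from the Task 1 subnets, then expands every /24 the entry matches so that any network denied unintentionally shows up before the ACL is applied.

```python
import ipaddress
from itertools import product
MASK32 = 0xFFFFFFFF
# /24 networks of the SW1 loopbacks listed in Task 1.
LAB_NETS = ["182.17.77.0", "182.81.77.0", "190.17.73.0", "190.81.73.0",
            "190.81.77.0", "182.17.73.0", "182.81.73.0", "190.17.77.0"]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))
def dotted(value):
    return str(ipaddress.IPv4Address(value))

def summarize(networks, host_wildcard=0xFF):
    """Return (base, wildcard) for one ACL entry covering all networks."""
    values = [to_int(n) for n in networks]
    all_and, all_or = MASK32, 0
    for v in values:
        all_and, all_or = all_and & v, all_or | v
    # A bit that differs anywhere is 1 in OR and 0 in AND: "don't care".
    wildcard = (all_and ^ all_or) | host_wildcard
    return dotted(all_and & ~wildcard & MASK32), dotted(wildcard)

def acl_match(addr, base, wildcard):
    """IOS-style test: compare only the bits where the wildcard is 0."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(base) & care)

def matched_networks(base, wildcard, host_wildcard=0xFF):
    """Expand every /24 the entry matches, to expose over-matching."""
    net_bits = to_int(wildcard) & ~host_wildcard & MASK32
    free = [b for b in range(32) if (net_bits >> b) & 1]
    fixed = to_int(base) & ~to_int(wildcard) & MASK32
    nets = set()
    for combo in product((0, 1), repeat=len(free)):
        value = fixed
        for bit, on in zip(free, combo):
            value |= on << bit
        nets.add(dotted(value))
    return nets

def extra_matches(networks):
    """Networks the summarized entry matches beyond the intended ones."""
    base, wildcard = summarize(networks)
    return matched_networks(base, wildcard) - set(networks)

if __name__ == "__main__":
    base, wc = summarize(LAB_NETS)
    print(f"access-list 100 deny ip 10.0.5.0 0.0.0.255 {base} {wc}")
    print("over-matched:", sorted(extra_matches(LAB_NETS)) or "none")
```

If one of the eight loopbacks were missing, the same wildcard would still be produced and extra_matches would report the missing subnet as denied anyway, which is the side effect to look for whenever a non-contiguous wildcard is used to compress an ACL.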