Thursday, February 18, 2016

Access-list Fun - CCIE R&S Preparation

I'm a few weeks away from my 1st attempt at the CCIE Route & Switch lab exam. In our study group, we call this period "Beast Mode". We lab daily, nightly, and try to lab all day on the weekends.
Anyway, that's not the point of this post. As I lab through various workbooks, I always find myself stumbling on odd filtering tasks using access-lists. For some odd reason, wildcard masks always cause trouble in my head. 10 out of 10 times I will figure it out correctly, but it takes me a while to get the calculation together. This time, I will write it down here. Again, I love disclaimers, and here it is again:
"This is how my head agrees on doing access-list wildcard mask calculations. I believe everyone has a different way to accomplish the same task. If my method confuses you on step 2, stop and figure out your own way. The answer key is at the bottom of the post; as long as you can get to the correct answer (all the time), that's all that matters."

Assume we are running some routing protocol between R6 and R8.
R8 has a list of Loopback Interfaces.


You are tasked to ensure that R6 only sees the ODD third octets of those network ranges, meaning R6 should only see

There are several ways to do it. Like I stated above, my head hates wildcards, so I always start with the regular subnet mask.

Method 1 - Be as specific as possible
Let's break it down. We don't care about the 1st octet "192" or the 2nd octet "168". The 4th octet "0" is also the same throughout. Using my Windows calculator, I converted the 3rd octets to binary:
  • 210 = 1101  0010
  • 211 = 1101  0011
  • 212 = 1101  0100
  • 213 = 1101  0101
  • 214 = 1101  0110
  • 215 = 1101  0111
  • 216 = 1101  1000
  • 217 = 1101  1001
  • 218 = 1101  1010
  • 219 = 1101  1011
We need to filter out all EVEN numbers, so our final result should look like below in binary:

  • 211 = 1101  0011
  • 213 = 1101  0101
  • 215 = 1101  0111
  • 217 = 1101  1001
  • 219 = 1101  1011
Looking at the binary, the following bits are the same in all five values: the leading "1101" and the trailing "1" never change; only the three bits in between differ.
  • 211 = 1101  0011
  • 213 = 1101  0101
  • 215 = 1101  0111
  • 217 = 1101  1001
  • 219 = 1101  1011
I will convert "1101 0001" (the unchanged bits, with every changing bit written as 0) back to decimal, which is "209". So our network will be 192.168.209.0.
Let's move on to the subnet mask. The rule of the subnet mask is "unchanged bit = 1" and "changed bit = 0", so for the ODD range the 3rd-octet subnet mask is "1111 0001", which is "241" in decimal. The entire subnet mask can be written as:
  • Binary:  1111 1111 . 1111 1111 . 1111 0001 . 0000 0000
  • Decimal: 255.255.241.0
The network we choose will be: 192.168.209.0/255.255.241.0
Now writing the ACL is easy (the wildcard mask is the bitwise inverse of the subnet mask, so 255.255.241.0 becomes 0.0.14.255):
  • access-list 10 permit 192.168.209.0  0.0.14.255
Method 2 - Be as broad as possible.
This method relies on the fact that the set of networks in R8 is limited to the range listed above. In other words, there is no 192.168.220.0/24, or even 100.5.27.0/24; those networks are the only networks that show up in R8's routing table.
The 1st and 2nd octets have no restriction, and neither does the 4th octet. That's why instead of writing "192.168.x.0", we can write "0.0.x.0".
Now the "x" is the interesting part. Look at the list below:
  • 211 = 1101  0011
  • 213 = 1101  0101
  • 215 = 1101  0111
  • 217 = 1101  1001
  • 219 = 1101  1011
That's all we need to worry about for broad matching. We need ODD numbers, and if the last (least significant) bit is "1", we are guaranteed an ODD number, anywhere in the range [1-255]. Again, our actual range in the router is [210-219], so even though our access-list's matching range is super wide, we will still see the same matches as in Method 1. Let's write out the network first: "0.0.1.0"
Applying the same concept as Method 1 to this subnet mask calculation, "unchanged bit = 1", "changed bit = 0", the subnet mask will be:
  • Binary:  0000 0000 . 0000 0000 . 0000 0001 . 0000 0000
  • Decimal: 0.0.1.0
Yes, it looks like the network; no, they do not always match like this. The network we choose will be: 0.0.1.0/0.0.1.0.
If you put it into the ACL with the wildcard mask instead, we will have:
  • access-list 10 permit 0.0.1.0 255.255.254.255
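Here is an added example (my own Python, not part of the original lab material) that generalizes the rule used in both methods: it derives the network and subnet mask for any set of octet values, turns the mask into a Cisco wildcard, and checks which of R8's routes each ACL entry matches. The ten loopback networks are constructed here as 192.168.210.0/24 through 192.168.219.0/24, as described above.

```python
import ipaddress

# Constructed sample: R8's ten loopback networks, 192.168.210.0/24 .. 192.168.219.0/24
R8_ROUTES = [f"192.168.{o}.0/24" for o in range(210, 220)]
ODD_ROUTES = [r for r in R8_ROUTES if int(r.split(".")[2]) % 2 == 1]


def network_and_mask(octets):
    """Method 1 rule, generalized to any set of octet values.
    A bit is kept in the mask (1) only if it has the same value in every octet;
    the network keeps the common 1 bits and writes every changing bit as 0."""
    common_ones = 0xFF
    common_zeros = 0xFF
    for o in octets:
        common_ones &= o                # bits that are 1 in every value
        common_zeros &= (~o) & 0xFF     # bits that are 0 in every value
    return common_ones, common_ones | common_zeros


def wildcard(mask):
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask."""
    inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def acl_permits(entry_ip, entry_wildcard, route):
    """An ACL entry matches when every bit whose wildcard bit is 0 agrees
    between the entry address and the route's network address."""
    care = (~int(ipaddress.IPv4Address(entry_wildcard))) & 0xFFFFFFFF
    addr = int(ipaddress.IPv4Network(route).network_address)
    return (int(ipaddress.IPv4Address(entry_ip)) & care) == (addr & care)


def permitted(entry_ip, entry_wildcard, routes=R8_ROUTES):
    """Return the routes from the list that the ACL entry would permit."""
    return [r for r in routes if acl_permits(entry_ip, entry_wildcard, r)]


if __name__ == "__main__":
    net, mask = network_and_mask(range(211, 220, 2))     # odd octets 211..219
    print(net, mask, wildcard(f"255.255.{mask}.0"))       # Method 1: 209 241 0.0.14.255
    print(permitted("192.168.209.0", "0.0.14.255"))       # Method 1 entry
    print(permitted("0.0.1.0", "255.255.254.255"))        # Method 2 entry
    # The caveat from Method 2: a route outside R8's range, e.g. 192.168.225.0/24,
    # is permitted by the broad entry but not by the specific one.
    print(acl_permits("0.0.1.0", "255.255.254.255", "192.168.225.0/24"))
    print(acl_permits("192.168.209.0", "0.0.14.255", "192.168.225.0/24"))
```

Both entries permit exactly the five odd loopbacks against R8's actual table; the last two checks show why Method 2 only works while the routing table stays within the listed range.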
Conclusion
- This is strictly for CCIE lab preparation. If you have to do this in an actual network, you have too much fun. ;)
- Lots of workbooks, practice labs and mock-lab answer keys love Method 2. I guess since it's broader, it will be safer if later tasks in the lab ask you to add more networks into the permit/deny access-list. For me, the first method works out better in my head.
- That's all I have for tonight. It's sad that I only finished half of what I was planning to do tonight, but... I got to write another blog post.

Good luck with your studies! I hope you don't land on this particular post while searching for a solution for a production environment.
