Saturday, June 19, 2021

Filtering even prefixes in third octet with Access Lists

In this post we will simulate a filtering scenario: you are tasked with denying every subnet whose third octet is an even number.

We will use the following topology:


Three routers are enough to do the trick. They all run OSPF in area 0, and each router uses its Loopback0 address as its OSPF router-id.

All interfaces are enabled for OSPF. R3 advertises ten loopback prefixes:

10.150.1.1/32 through 10.150.10.1/32

You can think of R1 as a branch office and R2 as the router where the network security engineer applies the filter so that the important sites (the even third-octet subnets) are kept out of R2's routing table. Keep in mind what an OSPF distribute-list in actually does: it only stops the matching routes from being installed in the RIB of the router it is applied on. The LSAs are still flooded, so R1 still learns those prefixes from the area-0 link-state database. R1's ping test later in the post still fails, because R1 reaches those prefixes through R2, which no longer has a route for them and answers with ICMP unreachable.

To do this we will create a standard access list. A standard list is enough here, since we only need to match on the network address of each prefix; no extended access list is required.

R2:

R2>enable
R2#configure terminal
R2(config)#access-list 1 deny   10.150.0.0 0.0.254.255 log
R2(config)#access-list 1 permit any log
R2(config)#router ospf 1
R2(config-router)# router-id 2.2.2.2
R2(config-router)# network 0.0.0.0 255.255.255.255 area 0
R2(config-router)# distribute-list 1 in Ethernet0/1
R2(config-router)#end
R2#

After the distribute list is applied, R2 starts logging the denied prefixes:

R2#
*Jun 19 06:11:02.383: %SEC-6-IPACCESSLOGNP: list 1 denied 0 10.150.8.1 -> 0.0.0.0, 1 packet  
*Jun 19 06:11:02.384: %SEC-6-IPACCESSLOGNP: list 1 denied 0 10.150.6.1 -> 0.0.0.0, 1 packet  
*Jun 19 06:11:02.384: %SEC-6-IPACCESSLOGNP: list 1 denied 0 10.150.4.1 -> 0.0.0.0, 1 packet  
*Jun 19 06:11:02.384: %SEC-6-IPACCESSLOGNP: list 1 denied 0 10.150.2.1 -> 0.0.0.0, 1 packet  
*Jun 19 06:11:02.384: %SEC-6-IPACCESSLOGNP: list 1 denied 0 10.150.10.1 -> 0.0.0.0, 1 packet  
R2#


The logs above show the even third-octet prefixes being denied.

On the same router you can clear the counters with:

#clear ip access-list counters

and you will then also see the permitted (odd third-octet) prefixes logged:


OK, now let's test from R1 whether the permitted and the filtered prefixes are reachable:


As you can see, pings to the odd third-octet addresses in 10.150.0.0/16 succeed, while pings to the even third-octet addresses fail and show U.U.U, the unreachable flag: R2 has no route for those prefixes, so it drops the packets and replies with ICMP destination unreachable.

So how does the wildcard 0.0.254.255 achieve that?

A wildcard mask is the inverse of a subnet mask: a 0 bit means "this bit of the address being checked must equal the same bit in the configured address", and a 1 bit means "don't care". A 255 in the last octet sets all eight bits to don't-care, so any value from 0 to 255 matches there.

A 254 in the third octet is 11111110 in binary. Seven bits are don't-care, but the least-significant bit (the 1's bit) is 0, so it must equal the corresponding bit of the configured address 10.150.0.0, whose third octet is 0. An address therefore matches only when the 1's bit of its third octet is clear, which is exactly when the third octet is even.

Walk through it: 10.150.0.x matches (third octet 0, low bit clear). 10.150.1.x does not, because 1 has the low bit set. 10.150.2.x matches (2 is 10 in binary, low bit clear), 10.150.3.x does not (11, low bit set), 10.150.4.x matches, and so on up to 10.150.254.x. Had the entry been written with 10.150.1.0 as the address and the same wildcard, it would have matched only the odd third octets instead.

The access list then applies the action you configured, deny or permit, to every prefix that matches.
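The following Python script is an added illustration of the wildcard logic and is not part of the original post or of any Cisco software. It evaluates addresses against a standard access list the way IOS does (top-down, first match wins, implicit deny at the end), reproduces access-list 1 from this post against the ten loopbacks R3 advertises, and goes one step beyond the post with two hypothetical variants: the same wildcard with 10.150.1.0 as the address (odd third octets) and the wildcard 0.0.252.255 (third octets that are multiples of 4). The ACL names and the variant entries are assumptions made for the example.

```python
"""Cisco-style wildcard-mask matching, added here as an illustration.

A wildcard bit of 0 means "this bit must equal the bit in the configured
address"; a wildcard bit of 1 means "don't care".  0.0.254.255 pins only
the least-significant bit of the third octet, and because that bit is 0
in 10.150.0.0 the entry matches even third octets only.
"""
import ipaddress


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Return True if address matches (base, wildcard) the way an IOS
    standard ACL entry evaluates it."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Bits where the wildcard is 0 must agree; bits where it is 1 are ignored.
    # XOR exposes the differing bits, then the inverted wildcard keeps only
    # the bits that are required to match.
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate_acl(acl, address: str) -> str:
    """Walk a standard ACL (list of (action, base, wildcard)) top-down and
    return the action of the first matching entry, or the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(address, base, wildcard):
            return action
    return "deny"  # every IOS access list ends with an implicit deny


def filtered_prefixes(acl, prefixes):
    """Return the prefixes the ACL denies, i.e. the ones a
    'distribute-list <acl> in' would keep out of the RIB."""
    return [p for p in prefixes if evaluate_acl(acl, p) == "deny"]


PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")

# access-list 1 from the post: deny even third octets in 10.150.0.0/16.
ACL_1 = [
    ("deny", "10.150.0.0", "0.0.254.255"),
    PERMIT_ANY,
]

# Hypothetical variants (not in the original post) of the same trick.
# Same wildcard, but the configured address has the low bit of the third
# octet set, so only odd third octets match.
ACL_ODD = [("deny", "10.150.1.0", "0.0.254.255"), PERMIT_ANY]
# 252 = 11111100: the two low bits must be 0, so only multiples of 4 match.
ACL_MULT4 = [("deny", "10.150.0.0", "0.0.252.255"), PERMIT_ANY]

# The loopbacks R3 advertises in the post (constructed list, 10.150.1.1 .. 10.150.10.1).
R3_LOOPBACKS = [f"10.150.{i}.1" for i in range(1, 11)]

if __name__ == "__main__":
    for name, acl in [("even", ACL_1), ("odd", ACL_ODD), ("multiple-of-4", ACL_MULT4)]:
        print(f"{name:>14}: denied {filtered_prefixes(acl, R3_LOOPBACKS)}")
```

Note that the second octet still has a wildcard of 0, so an address such as 10.151.2.1 is not matched by the deny entry even though its third octet is even; the even/odd trick only applies within the 10.150.0.0/16 block the entry names.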


I hope this was useful!


Samer R. Saleem



