ACL not working
dredlord
Member Posts: 172
in CCNA & CCENT
Hi guys. I'm trying to get my first ACL to work and as yet no luck.
I want to block all ICMP echo traffic coming from EVEN hosts from this destination. (I'll use a standard ACL since the filter is based on source.) For some odd reason even hosts can ping but not odd hosts.
Network address is as follows: 192.168.14.0 (Class C)
My ACL is as follows:
access-list 1 permit 192.168.14.0 0.0.0.254
I assumed that since any odd number contains the number 1, I should allow any host that makes use of that bit since it's definitely odd.
Any help will be appreciated. (Do you know where I can get some nice practice labs on this topic?)
Comments
Pash Member Posts: 1,600
dredlord wrote:
Hi guys. I'm trying to get my first ACL to work and as yet no luck.
I want to block all ICMP echo traffic coming from EVEN hosts from this destination. (I'll use a standard ACL since the filter is based on source.) For some odd reason even hosts can ping but not odd hosts.
Network address is as follows: 192.168.14.0 (Class C)
My ACL is as follows:
access-list 1 permit 192.168.14.0 0.0.0.254
I assumed that since any odd number contains the number 1, I should allow any host that makes use of that bit since it's definitely odd.
Any help will be appreciated. (Do you know where I can get some nice practice labs on this topic?)

Your wildcard is all wrong my friend. Your wildcard is always a direct result of you minusing 255 from your subnet mask octets. You can't have a 255.255.255.1 subnet mask because that doesn't work. You cannot specifically only pick odd and even hosts in a network range, unfortunately. Only ranges of IPs specified from your network address and the wildcard you provide.
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
dredlord Member Posts: 172
I'm sure it's possible since it's in the Academy CCNA 1 and 2 Lab Companion. I remember doing this in class.
Pash Member Posts: 1,600
dredlord wrote:
I'm sure it's possible since it's in the Academy CCNA 1 and 2 Lab Companion. I remember doing this in class.

Yes, it actually might be possible, I think by using keywords though. Let me get back to you.
tech-airman Member Posts: 953
dredlord wrote:
Hi guys. I'm trying to get my first ACL to work and as yet no luck.
I want to block all ICMP echo traffic coming from EVEN hosts from this destination. (I'll use a standard ACL since the filter is based on source.) For some odd reason even hosts can ping but not odd hosts.
Network address is as follows: 192.168.14.0 (Class C)
My ACL is as follows:
access-list 1 permit 192.168.14.0 0.0.0.254
I assumed that since any odd number contains the number 1, I should allow any host that makes use of that bit since it's definitely odd.
Any help will be appreciated. (Do you know where I can get some nice practice labs on this topic?)

dredlord,
For ICMP traffic, do you use a standard or extended access list?
tube Member Posts: 36
access-list 1 permit 192.168.14.0 0.0.0.254
Your above ACL is used to permit the EVEN hosts.
It should be:
access-list 1 deny 192.168.14.0 0.0.0.254
access-list 1 permit any
For a more specific protocol such as ICMP, I would rather use an extended ACL:
access-list 100 permit icmp 192.168.14.0 0.0.0.254 host 192.168.14.1 echo
access-list 100 deny icmp any any
which permits all even hosts to ping the FastEthernet router interface and denies odd hosts.
To permit the odd hosts and deny even hosts, you just change the last octet to 1:
access-list 100 permit icmp 192.168.14.1 0.0.0.254 host 192.168.14.1 echo
access-list 100 deny icmp any any
dtlokee Member Posts: 2,378
As tube said, the key is the LSB in binary: if it is on (1) then the decimal value is odd, if it is off (0) then the decimal value is even (or zero, I know, which is neither even nor odd).
If you look at the powers of 2 (128 64 32 16 8 4 2 1) in an octet, any combination of 128 + 64 + 32 + 16 + 8 + 4 + 2 will always be even; if you change the LSB to 1 then it is odd.
The only easy day was yesterday!
dredlord Member Posts: 172
OMG, got it to work. Since the lab states no connectivity allowed to even hosts, I used a standard ACL configured as follows.
access-list 1 PERMIT 192.168.14.1 0.0.0.254
Please check my logic behind it:
I assumed that the LSB for an odd number shall always be one, so if the LSB is 1 let the packet through, if not discard it.
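To check the wildcard logic tube and dtlokee describe, and the standard ACL dredlord ended up with, here is an added Python simulation of Cisco-style wildcard matching. It is not code from this thread or from Cisco IOS: it models only the parts that matter here (a standard ACL matching on source address, first matching entry wins, implicit deny at the end), and the function names and the sample host addresses are my own choices.

```python
"""Simulate Cisco standard-ACL wildcard matching for the odd/even host
question in this thread.  Added example, not the thread's or Cisco's code.
Model: match on source address only, first matching entry wins, implicit
deny at the end of every ACL."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit means 'must match', a 1 bit means
    'don't care'.  So the address matches when every bit in which it
    differs from the entry address is covered by a 1 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(ace_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES  # bits that must match
    return (a ^ b) & care == 0


def parse_standard_ace(line: str):
    """Parse 'access-list <n> <permit|deny> <addr> [wildcard] | any | host <addr>'
    into (action, address, wildcard).  Hypothetical helper for this example."""
    parts = line.split()
    action = parts[2].lower()
    target = parts[3].lower()
    if target == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if target == "host":
        return action, parts[4], "0.0.0.0"
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # IOS default wildcard
    return action, parts[3], wildcard


def evaluate_acl(acl_lines, src: str) -> str:
    """Walk the entries top-down; first match decides; implicit deny otherwise."""
    for action, ace_addr, wildcard in (parse_standard_ace(l) for l in acl_lines):
        if wildcard_match(src, ace_addr, wildcard):
            return action
    return "deny"  # the implicit 'deny any' every Cisco ACL ends with


def verdicts(acl_lines, hosts):
    """Map each source host to permit/deny under the given ACL."""
    return {h: evaluate_acl(acl_lines, h) for h in hosts}


def lsb_is_set(addr: str) -> bool:
    """dtlokee's point: the last bit of the last octet decides odd (1) or even (0)."""
    return int(ipaddress.IPv4Address(addr)) & 1 == 1


# The three ACLs from the thread.
OP_ACL = ["access-list 1 permit 192.168.14.0 0.0.0.254"]        # the OP's (permits even)
TUBE_ACL = ["access-list 1 deny 192.168.14.0 0.0.0.254",        # tube's correction
            "access-list 1 permit any"]
DREDLORD_ACL = ["access-list 1 PERMIT 192.168.14.1 0.0.0.254"]  # the working one

# Constructed sample sources: a few in-subnet odd/even hosts plus an outside host
# whose last bit is 1 but whose first three octets do not match.
SAMPLE_HOSTS = ["192.168.14.1", "192.168.14.2", "192.168.14.3",
                "192.168.14.254", "192.168.14.255", "10.0.0.1"]

if __name__ == "__main__":
    for name, acl in (("OP", OP_ACL), ("tube", TUBE_ACL), ("dredlord", DREDLORD_ACL)):
        print(name, verdicts(acl, SAMPLE_HOSTS))
```

Walking through the verdicts shows why the first ACL behaved "backwards": with wildcard 0.0.0.254 the only bit that must match in the last octet is the lowest one, so `192.168.14.0` pins it to 0 (even hosts permitted) and `192.168.14.1` pins it to 1 (odd hosts permitted, even hosts hit the implicit deny). The outside host 10.0.0.1 is also worth noting: the first three octets of the wildcard are 0, so the odd/even rule only ever applies inside 192.168.14.0/24, and tube's version, which ends in `permit any`, lets that outside host through while dredlord's single-line version does not.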
geezer Member Posts: 136
dredlord wrote:
Please check my logic behind it:
I assumed that the LSB for an odd number shall always be one, so if the LSB is 1 let the packet through, if not discard it.

I know, a bit of a not-so-recent post.
The host's lowest significant bit (LSB) ending with a 1 or 0 (zero), in conjunction with a '254' mask, will match for odd/even respectively, as there is only a 'match' when there is a zero present in the mask, and the 254 mask ends with a zero, if that makes sense?
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!