ACL query

Answered Question
May 5th, 2007

Hi Friends, Manoj here .. I need your advice to help me understand the two ACLs below that I found in one of my routers:

permit ip host 0.0.0.0 host 255.255.255.255

permit ip host 255.255.255.255 host 0.0.0.0

Looking forward to your answers. Thanks in advance ..

dgahm Sat, 05/05/2007 - 18:02

Manoj,

I can think of no possible use for that ACL. The only time you see a host address of 0.0.0.0 is in a standard access list (source only) used as a distribution list to match the default route in a routing protocol.

An access list does nothing unless it is applied as an access group, distribute list, in a NAT statement, PBR route map, or the other possible uses. My bet would be that you will not find that access list being used, and can delete it. If those two entries are only part of an access list that is in use, those two lines can likely be deleted. A show access-list command will show you if a line has ever been matched.

Please rate helpful posts.

Dave

haroon.shaikh Sat, 05/05/2007 - 21:23

Greetings Manoj,

I think in plain words the first line of ACL means:

ALLOW EVERYTHING

So, I can understand the first ACL which might be used in many situations especially in NAT when you want to NAT everything. And also used in PBR, routing updates as described in the previous post.

The second line of ACL means:

ALLOW ONLY HOST 255.255.255.255 (which is weird)

I haven't seen any ACL like this used in my whole experience. Hope that helps...

By the way, can you tell me if its used anywhere?

* Please rate this post if you find it helpful

royalblues Sun, 05/06/2007 - 07:27

Manoj,

Are you using these access-lists in any BGP configuration particularly the first one?

Narayan

Manoj Wadhwa Sun, 05/06/2007 - 07:52

Hi Haroon,

I am still a bit confused. Let me give you some more details which might help. We have an access-group 120 on our Fast Ethernet interface ( ip access-group 120 in ). And in the access-list configuration, we have the two lines below

access-list 120 permit ip host 0.0.0.0 host 255.255.255.255 log

access-list 120 permit ip host 255.255.255.255 host 0.0.0.0 log

If, as per your description above, permit ip host 0.0.0.0 host 255.255.255.255 means ALLOW EVERYTHING, what would be the need to use it here? Also, "sh access-list 120" shows the following matches.

permit ip host 0.0.0.0 host 255.255.255.255 log (15 matches)

permit ip host 255.255.255.255 host 0.0.0.0 log

So I would guess the second line could be deleted and is a wrong config, as there are no matches on it. Hope this helps... Cheers!!!

royalblues Sun, 05/06/2007 - 08:00

Manoj,

Since the first access-list permits everything, no packet will ever be checked against the second line, and hence it can be removed.

Remember an access-list is referenced in sequence, and once a match occurs it is not referenced any more.

HTH, rate if it does

Narayan

Manoj Wadhwa Sun, 05/06/2007 - 08:30

Narayan,

If permit ip host 0.0.0.0 host 255.255.255.255 means permit everything, how come the ACL lines below it have matches? Please find below the complete output of sh access-list 120.

permit ip any host *.*.*.* (4292 matches)

permit ip any host *.*.*.*

permit ip any host *.*.*.*

permit ip any host *.*.*.*

permit ip any host *.*.*.* (15653 matches)

permit ip any *.*.*.* *.*.*.* (48487 matches)

permit ip host 0.0.0.0 host 255.255.255.255 log (15 matches)

permit ip host 255.255.255.255 host 0.0.0.0 log

permit udp any any eq bootps log (4 matches)

permit ip any host *.*.*.* (3770 matches)

permit ip any host *.*.*.* (200 matches)

permit ip any host *.*.*.* (64 matches)

permit ip host *.*.*.* any (63399 matches)

permit ip host *.*.*.* any (754838 matches)

royalblues Sun, 05/06/2007 - 08:42

Sorry Manoj,

I didn't see the access-list clearly.

The access-list in question will match the DHCP requests...

Whenever a machine requests an IP via DHCP, the source would be 0.0.0.0 and the destination would be 255.255.255.255, i.e. broadcast.

The DHCP discover and DHCP request will always have these parameters in the packet

A better option would be to just have the following

permit udp any any eq 67

permit udp any any eq 68

HTH, rate if it does

Narayan

Manoj Wadhwa Sun, 05/06/2007 - 08:57

hi Narayan,

Your answer makes lots of sense this time. But I am not sure why the source would be 0.0.0.0 for a DHCP request. Anyway, I would like to confirm if the ACL

"permit ip host 255.255.255.255 host 0.0.0.0 log" also has something to do with the DHCP reply, or whether this is a false config. Can you also let me know how I can reset my matches to 0? Thanks a lot ... Manoj

Correct Answer
royalblues Sun, 05/06/2007 - 09:06

Manoj,

The source would be 0.0.0.0 since the machine is actually requesting an IP and does not have any IP at that time.

The Reply would never have the source as a broadcast and destination 0.0.0.0

DHCP replies would have the source IP of the DHCP server and the destination would either be a broadcast or a unicast (if some DHCP relay agent is used)

So I think the 2nd ACL is a false config (do you see any matches?)

To reset the counters you can use the following command

clear access-list counters

HTH, rate if it does

Narayan
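An added example, not code from the thread: a small evaluator that applies Cisco-style first-match semantics, the implicit deny at the end of the list, and wildcard matching (host X is X with wildcard 0.0.0.0; any is 0.0.0.0 255.255.255.255) to three of the entries from access-list 120 above. It runs constructed packets through them: a DHCP DISCOVER and REQUEST from a client that has no address yet (0.0.0.0 to 255.255.255.255), the server's OFFER broadcast back, a unicast renewal, and an ordinary TCP flow. The client and server addresses 10.0.0.5 and 10.0.0.1 are made up.

```python
"""Cisco-style IPv4 ACL evaluator (added example, not code from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "udp" or "tcp"
    src: int
    src_wild: int                # wildcard: 0 bits must match, 1 bits are don't-care
    dst: int
    dst_wild: int
    dst_port: Optional[int] = None   # 'eq N' on the destination, if present
    text: str = ""
    matches: int = 0             # hit counter, like 'show access-list'


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":                    # any  == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":                   # host X == X 0.0.0.0
        return ip_to_int(tokens[i + 1]), 0, i + 2
    return ip_to_int(tokens[i]), ip_to_int(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'access-list 120 permit udp any any eq bootps log'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                   # drop 'access-list <number>'
    action, proto = tokens[0], tokens[1]
    src, src_wild, i = _parse_addr(tokens, 2)
    dst, dst_wild, i = _parse_addr(tokens, i)
    dst_port = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        dst_port = int(p) if p.isdigit() else PORT_NAMES[p]
    return Ace(action, proto, src, src_wild, dst, dst_wild, dst_port, line.strip())


def _addr_matches(addr: int, wild: int, pkt_addr: int) -> bool:
    fixed = ~wild & 0xFFFFFFFF               # only these bits are compared
    return (addr & fixed) == (pkt_addr & fixed)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins and stops evaluation; no match means the implicit 'deny ip any any'."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_matches(ace.src, ace.src_wild, ip_to_int(src)):
            continue
        if not _addr_matches(ace.dst, ace.dst_wild, ip_to_int(dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        ace.matches += 1
        return ace.action, idx
    return "deny", None


def dhcp_demo() -> Tuple[Dict[str, Tuple[str, Optional[int]]], List[int]]:
    """Run constructed packets through the three DHCP-related lines of access-list 120."""
    acl = [parse_ace("access-list 120 permit ip host 0.0.0.0 host 255.255.255.255 log"),
           parse_ace("access-list 120 permit ip host 255.255.255.255 host 0.0.0.0 log"),
           parse_ace("access-list 120 permit udp any any eq bootps log")]
    # Constructed flows: the client 10.0.0.5 and server 10.0.0.1 are made-up addresses.
    results = {
        "discover": evaluate(acl, "0.0.0.0", "255.255.255.255", "udp", 67),  # client has no IP yet
        "request":  evaluate(acl, "0.0.0.0", "255.255.255.255", "udp", 67),
        "offer":    evaluate(acl, "10.0.0.1", "255.255.255.255", "udp", 68),  # server reply, broadcast
        "renew":    evaluate(acl, "10.0.0.5", "10.0.0.1", "udp", 67),         # unicast renewal
        "web":      evaluate(acl, "10.0.0.5", "10.2.2.2", "tcp", 80),         # ordinary traffic
    }
    return results, [ace.matches for ace in acl]


if __name__ == "__main__":
    verdicts, counters = dhcp_demo()
    for name, verdict in verdicts.items():
        print(f"{name:9s} -> {verdict}")
    print("hit counters:", counters)
```

Only the two client broadcasts hit the first line. The second line is never hit, because nothing is ever sent from 255.255.255.255 to 0.0.0.0. The ordinary TCP flow matches neither host line and falls to the implicit deny, which is why host 0.0.0.0 host 255.255.255.255 is not the same as any any. The unicast renewal is caught only by the bootps line, which is what the udp eq 67/68 entries suggested above rely on; the server's broadcast OFFER (destination port 68) matches none of the three lines here.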

Manoj Wadhwa Sun, 05/06/2007 - 09:20

Thank you very much Narayan. I've got my query answered. You've been very helpful with your expert advice. Appreciate it very much. Thanks again. Cheers!!!

-Manoj

bradlesliect Mon, 05/07/2007 - 05:06

Hi,

Let's take this a bit further.

I have 2 VLANs

VLAN 1 = 192.168.10.x (Fast Ethernet0 is on VLAN 1)

VLAN 2 = 192.168.100.x (Fast Ethernet0 is on VLAN 2)

Both Vlans have domain controllers and the 100.x vlan has a Terminal server configured that both need access to. I want to allow access to these resources ONLY.

Basically no other traffic should pass through these 2 vlans except this.

Would the access list look something like this:

access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 111 permit ip 192.168.10.0 0.0.0.255 host 192.168.100.x 255.255.255.255

Which interface(s) would I apply this to?

Thanks

royalblues Mon, 05/07/2007 - 07:35

you can use the following access-list

assuming the terminal server IP is 192.168.100.100

access-list 111 permit ip 192.168.10.0 0.0.0.255 host 192.168.100.100

access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 111 permit ip any any

Interface vlan 1

ip access-group 111 in

HTH, rate if it does

Narayan

bradlesliect Mon, 05/07/2007 - 11:22

These are the networks I am dealing with.

Network A = 172.24.40.0 - This would be VLAN1

Network B = 172.24.32.0 - This would be VLAN2

172.24.40.35 - DC on VLAN1

172.24.40.37 - TS on VLAN1

172.24.34.67 - DC on VLAN2

These are the only IP addresses that both VLANs need access to. I need to structure the access list and routing accordingly.

This is how I would do it:

!

Interface VLAN1

description student vlan

ip address 172.24.40.20 255.255.254.0

!

interface vlan2

description admin vlan

ip address 172.24.32.193 255.255.254.0

!

interface fastethernet 0

description connection to student lab

switchport access vlan 1

!

interface fastethernet 3

description connection to admin

switchport access vlan 2

!

!

access-list 111 permit ip 172.24.32.0 0.0.0.255 172.24.40.35

access-list 111 permit ip 172.24.32.0 0.0.0.255 172.24.40.37

access-list 111 permit ip 172.24.40.0 0.0.0.255 172.24.34.67

access-list 111 deny ip 172.24.32.0 0.0.0.255 172.24.40.37

access-list 111 permit ip any any

!

interface Fastethernet0

ip access-group 111 in

!

Is my config above correct?
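An added example of my own, not code from the thread: a static check for ACL entries that can never be hit because an earlier entry already matches every packet they would. Since IOS evaluates top down and stops at the first match, a deny placed after a permit for the same source and destination is dead configuration, and a permit ip any any at the end means the implicit deny never applies. The list from the post above is encoded with explicit (address, wildcard) pairs, reading its bare destination addresses as single hosts (an assumption, since a numbered extended ACL needs either a wildcard or the host keyword there); Narayan's three-line terminal-server list from the earlier reply is run alongside for comparison.

```python
"""Static shadowing check for a Cisco-style IPv4 ACL (added example, not from the thread)."""
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str                     # source address
    src_wild: str                # source wildcard (0 bits must match, 1 bits are don't-care)
    dst: str
    dst_wild: str
    dport: Optional[int] = None  # 'eq N' on the destination port, if any


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def range_covers(addr_a: str, wild_a: str, addr_b: str, wild_b: str) -> bool:
    """True if every address matched by (addr_b, wild_b) is also matched by (addr_a, wild_a)."""
    a, wa = ip_to_int(addr_a), ip_to_int(wild_a)
    b, wb = ip_to_int(addr_b), ip_to_int(wild_b)
    fixed_a = ~wa & 0xFFFFFFFF            # bits that A insists on
    # B may only be free where A is free, and A's fixed bits must equal B's bits there.
    return (wb & fixed_a) == 0 and ((a ^ b) & fixed_a) == 0


def ace_covers(earlier: Ace, later: Ace) -> bool:
    """True if 'earlier' matches every packet 'later' would match, so 'later' is unreachable."""
    if earlier.proto != "ip" and earlier.proto != later.proto:
        return False
    if earlier.dport is not None and earlier.dport != later.dport:
        return False
    return (range_covers(earlier.src, earlier.src_wild, later.src, later.src_wild)
            and range_covers(earlier.dst, earlier.dst_wild, later.dst, later.dst_wild))


def shadowed_entries(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (unreachable_index, shadowing_index) pairs, in list order (0-based)."""
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            if ace_covers(acl[i], later):
                found.append((j, i))
                break
    return found


def ends_with_permit_any(acl: List[Ace]) -> bool:
    """True if the last entry permits everything, so the implicit deny is never reached."""
    last = acl[-1]
    return (last.action == "permit" and last.proto == "ip" and last.dport is None
            and range_covers(last.src, last.src_wild, "0.0.0.0", "255.255.255.255")
            and range_covers(last.dst, last.dst_wild, "0.0.0.0", "255.255.255.255"))


ANY = ("0.0.0.0", "255.255.255.255")

# The list from the post above; bare destinations read as single hosts (assumption).
LAB_ACL_111 = [
    Ace("permit", "ip", "172.24.32.0", "0.0.0.255", "172.24.40.35", "0.0.0.0"),
    Ace("permit", "ip", "172.24.32.0", "0.0.0.255", "172.24.40.37", "0.0.0.0"),
    Ace("permit", "ip", "172.24.40.0", "0.0.0.255", "172.24.34.67", "0.0.0.0"),
    Ace("deny",   "ip", "172.24.32.0", "0.0.0.255", "172.24.40.37", "0.0.0.0"),
    Ace("permit", "ip", *ANY, *ANY),
]

# Narayan's three-line list from the earlier reply (terminal server 192.168.100.100).
TS_ACL_111 = [
    Ace("permit", "ip", "192.168.10.0", "0.0.0.255", "192.168.100.100", "0.0.0.0"),
    Ace("deny",   "ip", "192.168.10.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    Ace("permit", "ip", *ANY, *ANY),
]

if __name__ == "__main__":
    for name, acl in (("lab", LAB_ACL_111), ("ts", TS_ACL_111)):
        print(name, "shadowed:", shadowed_entries(acl),
              "permit-any tail:", ends_with_permit_any(acl))
```

With the posted ordering, the deny for 172.24.32.0/24 to host 172.24.40.37 comes after a permit for exactly the same pair, so the check reports entry 3 as shadowed by entry 1; the three-line list reports nothing. Both lists end in permit ip any any, so anything not covered by an earlier line is allowed rather than dropped, which is the first thing to check against a goal of passing only the listed traffic.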

mahmoodmkl Mon, 05/07/2007 - 08:22

Hi

the access list would be like this.

access-list 111 permit tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 eq (get the port number used by terminal services)

and in the second list

change the ip address of source and destination.

apply the access list in the inbound direction of your Ethernet interfaces.

Thanks

Mahmood

sdoremus33 Mon, 05/07/2007 - 11:42

ACLs run FIFO, so basically the first ACL found is run against the interface (router) via ingress or egress, which you can specify here. Nevertheless, why are you running these? permit ip host 0.0.0.0 255.255.255.255 allows all subnets and has a wildcard to allow all hosts within these subnets, and as far as ip host 255.255.255.255 0.0.0.0 goes, it also allows all subnets with no restriction on hosts. I am confused here: what are you trying to accomplish? Take care
