ACL query

Manoj Wadhwa, Level 1

Hi Friends, Manoj here. I need your advice to help me understand the two ACLs below that I found in one of my routers:

permit ip host 0.0.0.0 host 255.255.255.255
permit ip host 255.255.255.255 host 0.0.0.0

Looking forward to your answers. Thanks in advance.

dgahm, Level 8

Manoj,

I can think of no possible use for that ACL. The only time you see a host address of 0.0.0.0 is in a standard access list (source only) used as a distribution list to match the default route in a routing protocol.

An access list does nothing unless it is applied as an access group, distribute list, in a nat statement, PBR route map, or the other possible uses. My bet would be that you will not find that access list being used, and can delete it. If those two entries are only part of an access list that is in use, those two lines can likely be deleted. A "show access-list" command will show you if a line has ever been matched.

Please rate helpful posts.

Dave

haroon.shaikh, Level 1

Greetings Manoj,

I think in plain words the first line of ACL means:

ALLOW EVERYTHING

So, I can understand the first ACL which might be used in many situations especially in NAT when you want to NAT everything. And also used in PBR, routing updates as described in the previous post.

The second line of ACL means:

ALLOW ONLY HOST 255.255.255.255

(which is weird). I haven't seen any ACL like this used in my whole experience. Hope that helps...

By the way, can you tell me if it's used anywhere?

* Please rate this post if you find it helpful

Manoj,

Are you using these access-lists in any BGP configuration particularly the first one?

Narayan

Hi Haroon,

I am still a bit confused. Let me give you some more details which might help you. We have an access-group 120 on our Fast Ethernet interface (ip access-group 120 in). And in the access-list configuration, we have the two lines below:

access-list 120 permit ip host 0.0.0.0 host 255.255.255.255 log
access-list 120 permit ip host 255.255.255.255 host 0.0.0.0 log

If, as per your description above, permit ip host 0.0.0.0 host 255.255.255.255 would mean ALLOW EVERYTHING, what would be the need to use it here? Also "sh access-list 120" shows the following matches:

permit ip host 0.0.0.0 host 255.255.255.255 log (15 matches)
permit ip host 255.255.255.255 host 0.0.0.0 log

So I would guess the second line could be deleted and is a wrong config, as there are no matches on it. Hope this helps... Cheers!!!

Manoj,

Since the first access-list line permits everything, no packet will ever be checked against the second line, and hence it can be removed.

Remember that an access-list is evaluated in sequence, and once a match occurs the remaining lines are not referenced any more.

HTH, rate if it does

Narayan

Narayan,

If permit ip host 0.0.0.0 host 255.255.255.255 would mean to permit everything, how come the ACL line below it has matches? Please find below the complete output of sh access-list 120:

permit ip any host *.*.*.* (4292 matches)
permit ip any host *.*.*.*
permit ip any host *.*.*.*
permit ip any host *.*.*.*
permit ip any host *.*.*.* (15653 matches)
permit ip any *.*.*.* *.*.*.* (48487 matches)
permit ip host 0.0.0.0 host 255.255.255.255 log (15 matches)
permit ip host 255.255.255.255 host 0.0.0.0 log
permit udp any any eq bootps log (4 matches)
permit ip any host *.*.*.* (3770 matches)
permit ip any host *.*.*.* (200 matches)
permit ip any host *.*.*.* (64 matches)
permit ip host *.*.*.* any (63399 matches)
permit ip host *.*.*.* any (754838 matches)

Sorry Manoj,

I didn't see the access-list clearly.

The access-list in question will match the DHCP requests...

Whenever a machine requests an IP via DHCP, the source would be 0.0.0.0 and the destination would be 255.255.255.255, i.e. broadcast.

The DHCP discover and DHCP request will always have these parameters in the packet.

A better option would be to just have the following:

permit udp any any eq 67
permit udp any any eq 68

HTH, rate if it does

Narayan

Hi Narayan,

Your answer makes lots of sense this time. But I am not sure why the source would be 0.0.0.0 for a DHCP request. Anyway, I would like to confirm whether the ACL

"permit ip host 255.255.255.255 host 0.0.0.0 log" too has something to do with the DHCP reply, or whether this is a false config. Can you also let me know how I can reset my matches to 0? Thanks a lot... Manoj

Manoj,

The source would be 0.0.0.0 since the machine is actually requesting an IP and does not have any IP at that time.

The reply would never have the source as a broadcast and destination 0.0.0.0.

DHCP replies would have the source IP of the DHCP server, and the destination would either be a broadcast or a unicast (if some DHCP relay agent is used).

So I think the 2nd ACL is a false config (do you see any matches?).

To reset the counters you can use the following command:

clear access-list counters

HTH, rate if it does

Narayan
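The first-match evaluation and the DHCP source address discussed in the replies above, replayed in an added example that is not part of the original thread: a small Python simulator of Cisco extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end, per-line hit counters as in "show access-list"). It runs constructed packets through the two lines in question plus a "permit udp any any eq bootps" line. The 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are made-up documentation addresses, not taken from the thread.

```python
"""
Added example: Cisco extended-ACL matching on constructed packets.
Not code from the thread; the sample addresses are invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry of a numbered extended ACL."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any IP protocol), "udp" or "tcp"
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D wildcard"
    dst: str
    dport: Optional[int] = None  # the 'eq <port>' clause, if any
    hits: int = 0               # the "(N matches)" counter of 'show access-list'


def _parse_spec(spec: str) -> Tuple[int, int]:
    """Turn an ACL address clause into (address, wildcard) integers."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    words = spec.split()
    if words[0] == "host":
        return int(ipaddress.IPv4Address(words[1])), 0
    return int(ipaddress.IPv4Address(words[0])), int(ipaddress.IPv4Address(words[1]))


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = _parse_spec(spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ base) & care == 0


def ace_matches(ace: Ace, pkt: Dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return addr_matches(ace.src, pkt["src"]) and addr_matches(ace.dst, pkt["dst"])


def evaluate(acl: List[Ace], pkt: Dict) -> Tuple[str, Optional[int]]:
    """First match wins and bumps that line's counter; no match means the
    implicit 'deny ip any any' at the end of every ACL."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action, idx
    return "deny", None


def show_access_list(number: int, acl: List[Ace]) -> str:
    """Render the ACL the way 'show access-list' does, with hit counters."""
    lines = [f"Extended IP access list {number}"]
    for ace in acl:
        text = f"    {ace.action} {ace.proto} {ace.src} {ace.dst}"
        if ace.dport is not None:
            text += f" eq {ace.dport}"
        if ace.hits:
            text += f" ({ace.hits} matches)"
        lines.append(text)
    return "\n".join(lines)


def build_acl_120() -> List[Ace]:
    """The two lines from the thread plus the 'eq bootps' line that followed them."""
    return [
        Ace("permit", "ip", "host 0.0.0.0", "host 255.255.255.255"),
        Ace("permit", "ip", "host 255.255.255.255", "host 0.0.0.0"),
        Ace("permit", "udp", "any", "any", dport=67),   # eq bootps
    ]


# Constructed packets (all addresses invented for the example).
SAMPLE_PACKETS = [
    # DHCP DISCOVER/REQUEST from a client that has no address yet
    {"name": "dhcp-discover", "src": "0.0.0.0", "dst": "255.255.255.255", "proto": "udp", "dport": 67},
    # the same request forwarded by a relay agent: unicast to the server, still port 67
    {"name": "dhcp-relayed", "src": "192.0.2.1", "dst": "203.0.113.5", "proto": "udp", "dport": 67},
    # DHCP OFFER sent back to the broadcast address, client port 68
    {"name": "dhcp-offer", "src": "192.0.2.10", "dst": "255.255.255.255", "proto": "udp", "dport": 68},
    # ordinary web traffic
    {"name": "http", "src": "192.0.2.20", "dst": "198.51.100.5", "proto": "tcp", "dport": 80},
]


def run(acl: List[Ace], packets=SAMPLE_PACKETS) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate every sample packet; returns {packet name: (action, matching line index)}."""
    return {p["name"]: evaluate(acl, p) for p in packets}


if __name__ == "__main__":
    acl = build_acl_120()
    for name, verdict in run(acl).items():
        print(f"{name:15s} -> {verdict}")
    print(show_access_list(120, acl))
```

Only the DHCP DISCOVER hits the first line: "host 0.0.0.0 host 255.255.255.255" is a single source/destination pair, so it is not an allow-everything entry, and the HTTP packet falls through to the implicit deny. No IP packet is ever sent with source 255.255.255.255, so the second line's counter stays at zero for as long as the ACL runs, which is the same evidence the thread used to call it a false config. The broadcast OFFER is dropped by this reduced ACL because only port 67 is permitted; that is what the "eq 68" line in the earlier reply covers if replies cross the same interface.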

Thank you very much Narayan. I've got my query answered. You've been very helpful with your expert advice. Appreciate it very much. Thanks again. Cheers!!!

-Manoj

Hi,

Let's take this a bit further.

I have 2 VLANs:

VLAN 1 = 192.168.10.x (Fast Ethernet0 is on VLAN 1)

VLAN 2 = 192.168.100.x (Fast Ethernet0 is on VLAN 2)

Both VLANs have domain controllers, and the 100.x VLAN has a Terminal Server configured that both need access to. I want to allow access to these resources ONLY.

Basically no other traffic should pass through these 2 VLANs except this.

Would the access list look something like this:

access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 host 192.168.100.x

Which interface(s) would I apply this to?

Thanks

You can use the following access-list, assuming the terminal server IP is 192.168.100.100:

access-list 111 permit ip 192.168.10.0 0.0.0.255 host 192.168.100.100
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 permit ip any any

interface Vlan1
ip access-group 111 in

HTH, rate if it does

Narayan

These are the networks I am dealing with.

Network A = 172.24.40.0 - This would be VLAN1

Network B = 172.24.32.0 - This would be VLAN2

172.24.40.35 - DC on VLAN1

172.24.40.37 - TS on VLAN1

172.24.34.67 - DC on VLAN2

These are the only IP addresses that both VLANs need access to. I need to structure the access list and routing accordingly.

This is how I would do it:

!
interface Vlan1
 description student vlan
 ip address 172.24.40.20 255.255.254.0
!
interface Vlan2
 description admin vlan
 ip address 172.24.32.193 255.255.254.0
!
interface FastEthernet0
 description connection to student lab
 switchport access vlan 1
!
interface FastEthernet3
 description connection to admin
 switchport access vlan 2
!
access-list 111 permit ip 172.24.32.0 0.0.0.255 host 172.24.40.35
access-list 111 permit ip 172.24.32.0 0.0.0.255 host 172.24.40.37
access-list 111 permit ip 172.24.40.0 0.0.0.255 host 172.24.34.67
access-list 111 deny ip 172.24.32.0 0.0.0.255 host 172.24.40.37
access-list 111 permit ip any any
!
interface FastEthernet0
 ip access-group 111 in
!

Is my config above correct?
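As an added check on the post above, not part of the original thread: a Python script that derives the ACL wildcard from each SVI's subnet mask, compares it with the 0.0.0.255 wildcard written in the post's access-list 111, and tests whether each named host actually lies in the subnet of the VLAN the post assigns it to. All addresses and masks come from the post; the script assumes nothing else.

```python
"""
Added example: wildcard-mask derivation and coverage check for the
VLAN ACL in the post. Not code from the thread; addresses are the post's.
"""
import ipaddress
from typing import Dict, List, Tuple


def wildcard_for(netmask: str) -> str:
    """The ACL wildcard for a subnet mask is its bitwise inverse (255.255.254.0 -> 0.0.1.255)."""
    inverted = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def in_clause(network: str, wildcard: str, host: str) -> bool:
    """Does the ACL clause 'network wildcard' cover this host? A 1 bit in the wildcard is 'don't care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(network))
    return (int(ipaddress.IPv4Address(host)) ^ net) & care == 0


def svi_network(address: str, netmask: str) -> str:
    """The subnet an SVI actually serves, e.g. 172.24.32.193/255.255.254.0 -> 172.24.32.0/23."""
    return str(ipaddress.IPv4Interface(f"{address}/{netmask}").network)


# From the post: the two SVIs and the three hosts that must stay reachable.
SVIS: Dict[str, Tuple[str, str]] = {
    "Vlan1": ("172.24.40.20", "255.255.254.0"),
    "Vlan2": ("172.24.32.193", "255.255.254.0"),
}
HOSTS: Dict[str, str] = {"172.24.40.35": "Vlan1", "172.24.40.37": "Vlan1", "172.24.34.67": "Vlan2"}
# Source clauses exactly as written in the post's access-list 111, keyed by the VLAN they stand for.
ACL_SOURCES: Dict[str, Tuple[str, str]] = {
    "Vlan2": ("172.24.32.0", "0.0.0.255"),
    "Vlan1": ("172.24.40.0", "0.0.0.255"),
}


def audit() -> Dict[str, object]:
    """Compare what each SVI serves with what the ACL's source clause for it covers."""
    report: Dict[str, object] = {}
    for vlan, (addr, mask) in SVIS.items():
        net = ipaddress.ip_network(svi_network(addr, mask))
        acl_net, acl_wc = ACL_SOURCES[vlan]
        # Hosts that sit on this VLAN but fall outside the ACL clause:
        # with a /23 and a 0.0.0.255 wildcard that is the whole upper half.
        uncovered: List[str] = [str(h) for h in net.hosts() if not in_clause(acl_net, acl_wc, str(h))]
        report[vlan] = {
            "serves": str(net),
            "acl_wildcard_written": acl_wc,
            "acl_wildcard_should_be": wildcard_for(mask),
            "uncovered_hosts": len(uncovered),
            "first_uncovered": uncovered[0] if uncovered else None,
        }
    # Hosts the post places on a VLAN whose address is not inside that VLAN's subnet.
    report["hosts_outside_their_vlan"] = [
        h for h, vlan in HOSTS.items()
        if ipaddress.ip_address(h) not in ipaddress.ip_network(svi_network(*SVIS[vlan]))
    ]
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

With the 255.255.254.0 masks in the post, the matching wildcard is 0.0.1.255; the 0.0.0.255 written in the ACL leaves the 172.24.33.x and 172.24.41.x halves of the two VLANs outside every permit line, so those hosts fall through to the later deny or the permit any any. The script also reports that 172.24.34.67 is outside 172.24.32.0/23, the subnet the Vlan2 SVI serves, so it cannot be a directly connected host on VLAN2 as configured.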

Hi,

The access list would be like this:

access-list 111 permit tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 eq

(get the port number used by terminal services)

and in the second list, change the IP address of source and destination.

Apply the access list in the inbound direction of your Ethernet interfaces.

Thanks

Mahmood
