05-05-2007 01:54 PM - last edited on 01-21-2024 10:32 PM by Translator
Hi Friends, Manoj here. I need your advice to help me understand the two ACLs below that I found in one of my routers:
permit ip host 0.0.0.0 host 255.255.255.255
permit ip host 255.255.255.255 host 0.0.0.0
Looking forward to your answers. Thanks in advance.
05-05-2007 06:02 PM - last edited on 01-21-2024 10:36 PM by Translator
Manoj,
I can think of no possible use for that ACL. The only time you see a host address of 0.0.0.0 is in a standard access list (source only) used as a distribution list to match the default route in a routing protocol.
An access list does nothing unless it is applied as an access group, distribute list, in a nat statement, PBR route map, or the other possible uses. My bet would be that you will not find that access list being used, and can delete it. If those two entries are only part of an access list that is in use, those two lines can likely be deleted. A show access-list command will show you if a line has ever been matched.
Please rate helpful posts.
Dave
05-05-2007 09:23 PM - last edited on 01-21-2024 10:40 PM by Translator
Greetings Manoj,
I think in plain words the first line of ACL means:
ALLOW EVERYTHING
So, I can understand the first ACL which might be used in many situations especially in NAT when you want to NAT everything. And also used in PBR, routing updates as described in the previous post.
The second line of ACL means:
ALLOW ONLY HOST 255.255.255.255
(which is weird). I haven't seen any ACL like this used in my whole experience. Hope that helps...
By the way, can you tell me if it's used anywhere?
* Please rate this post if you find it helpful
05-06-2007 07:27 AM
Manoj,
Are you using these access-lists in any BGP configuration, particularly the first one?
Narayan
05-06-2007 07:52 AM - last edited on 01-21-2024 10:48 PM by Translator
Hi Haroon,
I am still a bit confused. Let me give you some more details which might help you. We have an access-group 120 on our Fast Ethernet interface (ip access-group 120 in). And in the access-list configuration, we have the two lists below:
access-list 120 permit ip host 0.0.0.0 host 255.255.255.255 log
access-list 120 permit ip host 255.255.255.255 host 0.0.0.0 log
If, as per your description above, permit ip host 0.0.0.0 host 255.255.255.255 would mean ALLOW EVERYTHING, what would be the need to use this here? Also, "sh access-list 120" shows the following matches:
permit ip host 0.0.0.0 host 255.255.255.255 log (15 matches)
permit ip host 255.255.255.255 host 0.0.0.0 log
So I would guess the second line could be deleted and is a wrong config, as there are no matches on it. Hope this helps... Cheers!!!
05-06-2007 08:00 AM
Manoj,
Since the first access-list permits everything, no packet will ever be checked against the second line and hence it can be removed.
Remember, an access-list is referenced in sequence, and once a match occurs it is not referenced any more.
HTH, rate if it does
Narayan
05-06-2007 08:30 AM - last edited on 01-21-2024 11:12 PM by Translator
Narayan,
If permit ip host 0.0.0.0 host 255.255.255.255 would mean to permit everything, how come the ACL entries below it have matches? Please find below the complete output of
sh access-list 120
permit ip any host *.*.*.* (4292 matches)
permit ip any host *.*.*.*
permit ip any host *.*.*.*
permit ip any host *.*.*.*
permit ip any host *.*.*.* (15653 matches)
permit ip any *.*.*.* *.*.*.* (48487 matches)
permit ip host 0.0.0.0 host 255.255.255.255 log (15 matches)
permit ip host 255.255.255.255 host 0.0.0.0 log
permit udp any any eq bootps log (4 matches)
permit ip any host *.*.*.* (3770 matches)
permit ip any host *.*.*.* (200 matches)
permit ip any host *.*.*.* (64 matches)
permit ip host *.*.*.* any (63399 matches)
permit ip host *.*.*.* any (754838 matches)
05-06-2007 08:42 AM - last edited on 01-21-2024 11:13 PM by Translator
Sorry Manoj,
I didn't see the access-list clearly.
The access-list in question will match the DHCP requests...
Whenever a machine requests an IP via DHCP, the source would be 0.0.0.0 and the destination would be 255.255.255.255, i.e. broadcast.
The DHCP discover and DHCP request will always have these parameters in the packet.
A better option would be to just have the following:
permit udp any any eq 67
permit udp any any eq 68
HTH, rate if it does
Narayan
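As an added illustration (not from the thread), this Python model applies Cisco wildcard-mask matching and top-down, first-match evaluation to the three DHCP-related lines of access-list 120 above: `host X` means wildcard 0.0.0.0 (exact match), `any` means wildcard 255.255.255.255, and the implicit deny ends the list. The sample packets are constructed; a DHCP DISCOVER (0.0.0.0 to 255.255.255.255) also satisfies the later `eq bootps` line but is counted on the first line it hits, and the `host 255.255.255.255 host 0.0.0.0` line never matches anything, which is the point made in the two posts above about sequential evaluation and about what the first line actually matches.

```python
from ipaddress import IPv4Address
from typing import NamedTuple, Optional
# Cisco wildcard masks: a 1 bit means "don't care". ``host X`` is X with
# wildcard 0.0.0.0 (exact match); ``any`` is wildcard 255.255.255.255.
ANY = (IPv4Address("0.0.0.0"), 0xFFFFFFFF)

def host(addr: str):
    return (IPv4Address(addr), 0)
def addr_matches(packet_addr: str, entry) -> bool:
    addr, wildcard = entry
    care = 0xFFFFFFFF & ~wildcard      # bits the entry actually compares
    return (int(IPv4Address(packet_addr)) & care) == (int(addr) & care)

# ACL entry: proto "ip" matches every IP protocol; dst_port models "eq <port>".
Entry = NamedTuple("Entry", [("action", str), ("proto", str), ("src", tuple),
                             ("dst", tuple), ("dst_port", Optional[int])])
Packet = NamedTuple("Packet", [("proto", str), ("src", str), ("dst", str),
                               ("dst_port", Optional[int])])

def first_match(acl, pkt):
    """Top-down, first match wins; the implicit deny gives (None, 'deny')."""
    for i, e in enumerate(acl):
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        if addr_matches(pkt.src, e.src) and addr_matches(pkt.dst, e.dst):
            return i, e.action
    return None, "deny"

def hit_counters(acl, packets):
    """Per-entry match counts, as ``show access-list`` would report them."""
    counts = [0] * len(acl)
    for p in packets:
        i, _ = first_match(acl, p)
        if i is not None:
            counts[i] += 1
    return counts

# The three DHCP-related lines of access-list 120 from the thread, in order.
ACL_120 = [
    Entry("permit", "ip", host("0.0.0.0"), host("255.255.255.255"), None),
    Entry("permit", "ip", host("255.255.255.255"), host("0.0.0.0"), None),
    Entry("permit", "udp", ANY, ANY, 67),                    # eq bootps
]
# Constructed sample traffic (documentation addresses, not real hosts).
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)   # client has no IP yet
RELAYED = Packet("udp", "192.0.2.1", "198.51.100.10", 67)     # request via a relay agent
WEB = Packet("tcp", "192.0.2.20", "198.51.100.80", 80)        # ordinary unicast
```

`hit_counters(ACL_120, [DISCOVER, DISCOVER, RELAYED, WEB])` returns `[2, 0, 1]`: the relayed request, unicast from the relay agent, is the kind of traffic that reaches the `eq bootps` line, while the middle line stays at zero.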
05-06-2007 08:57 AM
Hi Narayan,
Your answer makes lots of sense this time. But I am not sure why the source would be 0.0.0.0 for a DHCP request. Anyway, I would like to confirm if the ACL
"permit ip host 255.255.255.255 host 0.0.0.0 log" also has something to do with the DHCP reply, or whether this is a false config. Can you also let me know how I can reset my matches to 0? Thanks a lot... Manoj
05-06-2007 09:06 AM - last edited on 01-21-2024 11:14 PM by Translator
Manoj,
The source would be 0.0.0.0 since the machine is actually requesting an IP and does not have any IP at that time.
The reply would never have a broadcast source and a destination of 0.0.0.0.
DHCP replies would have the source IP of the DHCP server, and the destination would be either a broadcast or a unicast (if some DHCP relay agent is used).
So I think the 2nd ACL is a false config (do you see any matches?).
To reset the counters you can use the following command:
clear access-list counters
HTH, rate if it does
Narayan
05-06-2007 09:20 AM
Thank you very much Narayan. I've got my query answered. You've been very helpful with your expert advice. Appreciate it very much. Thanks again. Cheers!!!
-Manoj
05-07-2007 05:06 AM - last edited on 01-21-2024 11:22 PM by Translator
Hi,
Let's take this a bit further.
I have 2 VLANs:
VLAN 1 = 192.168.10.x (Fast Ethernet0 is on VLAN 1)
VLAN 2 = 192.168.100.x (Fast Ethernet0 is on VLAN 2)
Both VLANs have domain controllers, and the 100.x VLAN has a terminal server configured that both need access to. I want to allow access to these resources ONLY.
Basically no other traffic should pass through these 2 vlans except this.
Would the access list look something like this:
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 host 192.168.100.x
Which interface(s) would I apply this to?
Thanks
05-07-2007 07:35 AM - last edited on 01-21-2024 11:16 PM by Translator
You can use the following access-list, assuming the terminal server IP is 192.168.100.100:
access-list 111 permit ip 192.168.10.0 0.0.0.255 host 192.168.100.100
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 permit ip any any
interface vlan 1
ip access-group 111 in
HTH, rate if it does
Narayan
05-07-2007 11:22 AM - last edited on 01-21-2024 11:20 PM by Translator
These are the networks I am dealing with.
Network A = 172.24.40.0 - This would be VLAN1
Network B = 172.24.32.0 - This would be VLAN2
172.24.40.35 - DC on VLAN1
172.24.40.37 - TS on VLAN1
172.24.34.67 - DC on VLAN2
These are the only IP addresses that both VLANs need access to. I need to structure the access list and routing accordingly.
This is how I would do it:
!
interface vlan1
description student vlan
ip address 172.24.40.20 255.255.254.0
!
interface vlan2
description admin vlan
ip address 172.24.32.193 255.255.254.0
!
interface fastethernet 0
description connection to student lab
switchport access vlan 1
!
interface fastethernet 3
description connection to admin
switchport access vlan 2
!
!
access-list 111 permit ip 172.24.32.0 0.0.0.255 host 172.24.40.35
access-list 111 permit ip 172.24.32.0 0.0.0.255 host 172.24.40.37
access-list 111 permit ip 172.24.40.0 0.0.0.255 host 172.24.34.67
access-list 111 deny ip 172.24.32.0 0.0.0.255 host 172.24.40.37
access-list 111 permit ip any any
!
interface fastethernet 0
ip access-group 111 in
!
Is my config above correct?
05-07-2007 08:22 AM - last edited on 01-21-2024 11:18 PM by Translator
Hi,
The access list would be like this:
access-list 111 permit tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 eq
(get the port number used by terminal services)
and in the second list,
change the IP address of source and destination.
Apply the access list in the inbound direction of your Ethernet interfaces.
Thanks
Mahmood