[c-nsp] Cisco 2950T-24 ACLs question.

Michael K. Smith - Adhost mksmith at adhost.com
Tue Oct 10 15:00:35 EDT 2006


Hello Frank:


Two questions:
a) Does the "access-list 100 permit ip 0.0.0.0 0.0.255.255 any" possibly
permit more than just DHCP requests?  With 'ip route' the 0.0.0.0 describes
a global catch-all, and so I'm wondering if I'm blocking anything at all now.

- I think that would match 0.0.0.0 through 255.255.0.0 with the last two
octets having to be 0.0.  So, you might allow a few IPs here and there
if people are using aggregated blocks (216.211.0.0 might actually be in
use, as an example).

b) Is there a way to add blocking of UDP ports 137, 139, 445, etc. without
generating that annoying "%Error:The field sets of all the ACEs in an ACL
should match" error?  I've tried every combination I can think of, without
success.  The rules for implementing ACLs on a Cisco 2950T are very
restrictive.

- It's either-or here.  Your ACL statements have to be of a similar type
and even mask length.  So, if you want an ACL that blocks ports, you
have to remove the ACL that blocks IP subnets or hosts.

Mike
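
As an added example that is not part of Michael's reply or the original thread, the following Python evaluates the ACE quoted in question (a) under Cisco wildcard-mask semantics (a 0 bit in the mask means that bit must equal the base address, a 1 bit means don't care, the inverse of a subnet mask) and reports which of a few constructed sample packets it permits. The ACE string is the one from the post; the sample addresses, the helper names and the minimal ACE parser are assumptions made for this illustration and are not Cisco's own code.

```python
# Added example, not from the original post: evaluate Cisco IOS wildcard
# masks to see exactly which source/destination addresses an extended
# ACE matches.  ACE is the line quoted in the thread; the sample
# addresses below are constructed for illustration.
from __future__ import annotations

import ipaddress

ACE = "access-list 100 permit ip 0.0.0.0 0.0.255.255 any"
ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask.

    A 0 bit in the wildcard means 'this bit must equal the base',
    a 1 bit means 'don't care' (the inverse of a subnet mask).
    """
    care = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(addr) & care) == (_to_int(base) & care)


def wildcard_range(base: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address a base/wildcard pair can match.

    Assumes a contiguous wildcard; a discontiguous mask matches a
    scattered set of addresses rather than one range.
    """
    w = _to_int(wildcard)
    lo = _to_int(base) & ~w & ALL_ONES
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))


def _parse_addr_spec(tokens: list[str], i: int) -> tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_extended_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST' (hypothetical
    minimal parser; port operators are deliberately not handled)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src_base, src_wc, i = _parse_addr_spec(t, 4)
    dst_base, dst_wc, _ = _parse_addr_spec(t, i)
    return {"number": int(t[1]), "action": t[2], "proto": t[3],
            "src": (src_base, src_wc), "dst": (dst_base, dst_wc)}


def ace_matches(ace: dict, src: str, dst: str) -> bool:
    """True if a packet from src to dst is selected by the parsed ACE."""
    return (wildcard_matches(src, *ace["src"])
            and wildcard_matches(dst, *ace["dst"]))


if __name__ == "__main__":
    ace = parse_extended_ace(ACE)
    print("ACE source range:", wildcard_range(*ace["src"]))
    # Constructed sample packets: (description, source, destination)
    samples = [
        ("DHCP DISCOVER from an unconfigured client", "0.0.0.0", "255.255.255.255"),
        ("host in the aggregated block named in the thread", "216.211.0.0", "10.0.0.1"),
        ("address inside the wildcard's don't-care octets", "0.0.17.42", "10.0.0.1"),
    ]
    for desc, s, d in samples:
        verdict = "permit" if ace_matches(ace, s, d) else "no match"
        print(f"{desc}: {s} -> {d}: {verdict}")
```

Running it prints the ACE's source range as 0.0.0.0 through 0.0.255.255, which includes the 0.0.0.0 source a DHCP client uses before it has an address; writing the source as `host 0.0.0.0` (wildcard 0.0.0.0) would narrow the ACE to exactly that one address. The parser stops at address specs on purpose: the port-operator form of an ACE is a different field set, which is what the 2950T error in question (b) is complaining about.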