[c-nsp] Cisco 2950T-24 ACLs question.

Jay Hennigan jay at west.net
Wed Oct 11 02:00:47 EDT 2006


> Two questions:
> a) Does the "access-list 100 permit ip 0.0.0.0 0.0.255.255 any" possibly
> permit more than just DHCP requests?  With 'ip route' the 0.0.0.0
> describes a global catch-all, and so I'm wondering if I'm blocking anything
> at all now.

That access-list will allow all IP traffic with a source address between 
0.0.0.0 and 0.0.255.255 to any destination.  DHCP discover requests are 
UDP with a source of 0.0.0.0 port 68 and a destination 255.255.255.255 
port 67.  You need to account for the return traffic as well as unicasts 
between the DHCP client and server for the offer, ack, lease renewal, 
etc.  What problem are you trying to solve with the ACL?

> - I think that would match 0.0.0.0 through 255.255.0.0 with the last two
> octets having to be 0.0.  So, you might allow a few IP's here and there
> if people are using aggregated blocks (216.211.0.0 might actually be in
> use, as an example).

The first two octets would have to be 0.0, the last could be anything. 
A "1" bit in a wildcard mask means "don't care", so the first two octets 
have to match the address of 0.0, the last two do not.

-- 
Jay Hennigan - CCIE #7880 - Network Administration - jay at west.net
NetLojix Communications, Inc.  -  http://www.netlojix.com/
WestNet:  Connecting you to the planet.  805 884-6323 - WB6RDV
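The wildcard-mask semantics and the DHCP coverage gap described in the reply above, as an added worked example (not part of the original thread and not Cisco code): a small first-match ACL evaluator that parses the poster's ACE and runs a constructed DHCP exchange through it. The ACE syntax subset, the `10.1.1.0/24` addresses and the packet list are assumptions made for the example.

```python
"""Cisco wildcard-mask matching and a minimal first-match ACL evaluator (example code)."""
import ipaddress


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means 'must equal the corresponding bit of base'."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)        # bits that must match
    return (ip_int(addr) & care) == (ip_int(base) & care)


def parse_ace(line: str) -> dict:
    """Parse the subset 'access-list N permit|deny PROTO SRC WC DST WC'.
    'any' is shorthand for '0.0.0.0 255.255.255.255', 'host A' for 'A 0.0.0.0'.
    (Simplified parser written for this example; ports are not parsed.)"""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    pos = 4

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[pos] == "host":
            pos += 2
            return (tok[pos - 1], "0.0.0.0")
        pos += 2
        return (tok[pos - 2], tok[pos - 1])

    src, dst = take_addr(), take_addr()
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst}


def ace_matches(ace: dict, pkt: dict) -> bool:
    # An 'ip' ACE matches every transport protocol and ignores ports.
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    return (wildcard_match(pkt["src"], *ace["src"])
            and wildcard_match(pkt["dst"], *ace["dst"]))


def evaluate(acl: list, pkt: dict) -> str:
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed DHCP exchange: server 10.1.1.1, client ends up as 10.1.1.50.
DHCP_EXCHANGE = [
    ("discover", dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67)),
    ("offer", dict(proto="udp", src="10.1.1.1", sport=67, dst="255.255.255.255", dport=68)),
    ("request", dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67)),
    ("ack", dict(proto="udp", src="10.1.1.1", sport=67, dst="10.1.1.50", dport=68)),
    ("renew", dict(proto="udp", src="10.1.1.50", sport=68, dst="10.1.1.1", dport=67)),
]


def dhcp_exchange_verdicts(acl_lines: list) -> dict:
    """Return {message name: verdict} for the constructed exchange under the given ACL."""
    acl = [parse_ace(line) for line in acl_lines]
    return {name: evaluate(acl, pkt) for name, pkt in DHCP_EXCHANGE}


if __name__ == "__main__":
    ace = "access-list 100 permit ip 0.0.0.0 0.0.255.255 any"
    for addr in ("0.0.0.0", "0.0.5.7", "0.0.255.255", "0.1.0.0", "216.211.0.0"):
        print(f"{addr:>15} matches 0.0.0.0 0.0.255.255: {wildcard_match(addr, '0.0.0.0', '0.0.255.255')}")
    for name, verdict in dhcp_exchange_verdicts([ace]).items():
        print(f"{name:>9}: {verdict}")
```

Running it shows that only the client's packets sourced from 0.0.0.0 (discover and request) are permitted; the offer, ack and the unicast renewal from the leased address fall through to the implicit deny, which is the gap the reply points out, and 216.211.0.0 does not match because the first two octets are checked, not the last two.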

