[c-nsp] Cisco 2950T-24 ACLs question.

Frank Bulk frnkblk at iname.com
Wed Oct 11 21:37:11 EDT 2006


Jay:

The 2950T-24 has a really strict ACL construct requirement that all subnet
masks must be the same, which is why I couldn't use "access-list 100 permit
ip 0.0.0.0 0.0.0.0 any" for my DHCP broadcasts.  Also, it seems that
"access-list 100 permit udp 0.0.0.0 0.0.255.255 eq 67 any 68" is not
allowed.  Perhaps I didn't read the documentation well enough, but it looks
like there is no mixing and matching of L3 ACEs and L2 ACEs.

Because the ACL can only be inbound on the 2950 (in my case, coming in from
the stations), the return traffic is not limited in any way.

The problem I solved with these ACLs is rogue machines spoofing their
source IP address.  That traffic is now dropped at the switch port (again,
there are not even counters on the 2950 telling me how many matches).  Ideally
all these clients would be /32 and route through a router to stop that kind of
behavior, but I'm not really set up for that.  I do use "ip verify unicast
reverse-path" to stop funny stuff at the router.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
Sent: Wednesday, October 11, 2006 1:01 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 2950T-24 ACLs question.

> Two questions:
> a) Does the "access-list 100 permit ip 0.0.0.0 0.0.255.255 any" possibly
> permit more than just DHCP requests?  With 'ip route' the 0.0.0.0
> describes a global catch-all, and so I'm wondering if I'm blocking
> anything at all now.

That access-list will allow all IP traffic with a source address between 
0.0.0.0 and 0.0.255.255 to any destination.  DHCP discover requests are 
UDP with a source of 0.0.0.0 port 68 and a destination 255.255.255.255 
port 67.  You need to account for the return traffic as well as unicasts 
between the DHCP client and server for the offer, ack, lease renewal, 
etc.  What problem are you trying to solve with the ACL?

> - I think that would match 0.0.0.0 through 255.255.0.0 with the last two
> octets having to be 0.0.  So, you might allow a few IP's here and there
> if people are using aggregated blocks (216.211.0.0 might actually be in
> use, as an example).

The first two octets would have to be 0.0, the last could be anything. 
A "1" bit in a wildcard mask means "don't care", so the first two octets 
have to match the address of 0.0, the last two do not.

-- 
Jay Hennigan - CCIE #7880 - Network Administration - jay at west.net
NetLojix Communications, Inc.  -  http://www.netlojix.com/
WestNet:  Connecting you to the planet.  805 884-6323 - WB6RDV
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
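To make the two technical points in this exchange concrete (Jay's reading of the wildcard mask, where a 1 bit means "don't care", and his point that "permit ip 0.0.0.0 0.0.255.255 any" admits all IP traffic from that source range rather than just DHCP discovers), here is an added Python example that is not part of the thread and not Cisco IOS code. It evaluates a small subset of IOS numbered-ACL syntax (permit/deny, ip/udp/tcp, any/host/base+wildcard, optional "eq port") with first-match-wins and the implicit trailing deny. The second ACE in ACL_100 (a per-port host permit for 192.0.2.10), the 198.51.100.5 destination and all sample packets are constructed for the example; whether the 2950 itself accepts a given ACE (Frank reports it rejecting mixed masks) is not modelled here.

```python
"""Offline evaluator for a subset of Cisco IOS numbered IP ACLs (wildcard-mask semantics).

Added example for the cisco-nsp thread above; not IOS code and not the poster's config.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPV4_ALL = 0xFFFFFFFF


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit means "don't care", a 0 bit must match."""
    care = ~ip2int(wildcard) & IPV4_ALL
    return (ip2int(addr) & care) == (ip2int(base) & care)


def wildcard_to_prefixlen(wildcard: str) -> Optional[int]:
    """Prefix length of a contiguous wildcard (0.0.255.255 -> 16); None if non-contiguous."""
    w = ip2int(wildcard)
    if (w + 1) & w:  # w+1 is a power of two only when w is a run of low 1 bits
        return None
    return 32 - w.bit_length()


@dataclass(frozen=True)
class Packet:
    proto: str  # "udp", "tcp", "icmp"; an ACE protocol of "ip" matches any of them
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_addr(tokens: List[str]) -> Tuple[str, str, Optional[int]]:
    """Consume one address spec ('any' | 'host A' | 'A W') plus optional 'eq <port>'."""
    head = tokens.pop(0)
    if head == "any":
        base, wc = "0.0.0.0", "255.255.255.255"
    elif head == "host":
        base, wc = tokens.pop(0), "0.0.0.0"
    else:
        base, wc = head, tokens.pop(0)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return base, wc, port


def parse_ace(line: str) -> Ace:
    """Parse '[access-list N] permit|deny proto src [eq p] dst [eq p]' (subset of IOS syntax)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, src_wc, sport = _parse_addr(rest)
    dst, dst_wc, dport = _parse_addr(rest)
    return Ace(action, proto, src, src_wc, dst, dst_wc, sport, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First match wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample: the ACE from the thread plus a hypothetical per-port host permit.
ACL_100 = [parse_ace(line) for line in (
    "access-list 100 permit ip 0.0.0.0 0.0.255.255 any",
    "access-list 100 permit ip host 192.0.2.10 any",
)]
# A narrower ACE that describes exactly the DHCP DISCOVER Jay describes (src 0.0.0.0:68 -> bcast:67).
ACL_DHCP_ONLY = [parse_ace("access-list 101 permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67")]

# Constructed packets (198.51.100.5 is a documentation address standing in for a server).
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
ODD_SOURCE = Packet("tcp", "0.0.7.7", "198.51.100.5", 40000, 80)    # inside 0.0.0.0/16, not DHCP
SPOOFED = Packet("tcp", "10.9.9.9", "198.51.100.5", 40000, 80)      # spoofed source on the port
AGGREGATE = Packet("tcp", "216.211.0.0", "198.51.100.5", 40000, 80)  # the address from the quoted worry


def demo() -> Dict[str, str]:
    return {
        "discover_acl100": evaluate(ACL_100, DISCOVER),              # permit
        "odd_source_acl100": evaluate(ACL_100, ODD_SOURCE),          # permit: ACE is broader than DHCP
        "spoofed_acl100": evaluate(ACL_100, SPOOFED),                # deny: implicit deny at the end
        "aggregate_acl100": evaluate(ACL_100, AGGREGATE),            # deny: first two octets are not 0.0
        "discover_dhcp_only": evaluate(ACL_DHCP_ONLY, DISCOVER),     # permit
        "odd_source_dhcp_only": evaluate(ACL_DHCP_ONLY, ODD_SOURCE),  # deny: wrong protocol and ports
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    print("0.0.255.255 is /" + str(wildcard_to_prefixlen("0.0.255.255")))
```

The "odd_source_acl100" result is the point of Jay's first answer: any packet whose first two source octets are 0.0 is permitted by the /16-style ACE, not only DHCP. The "aggregate_acl100" result answers the quoted concern about 216.211.0.0: a wildcard of 0.0.255.255 fixes the first two octets, so only sources in 0.0.0.0-0.0.255.255 match, and 216.211.0.0 falls through to the implicit deny, as does the spoofed 10.9.9.9 source. wildcard_to_prefixlen is a quick sanity check that a wildcard is a contiguous block (0.0.255.255 is /16, 0.0.0.0 is /32) rather than a non-contiguous pattern that a reader might mistake for a prefix.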