Correct Netmask for ACL?

rastapong
Level 1

All:

I'm trying to put together an ACL that will allow a section of a subnet (192.168.17.11-20) to only communicate with a DHCP server (192.168.150.252), while allowing access anywhere for the rest (192.168.17.1-10 & 192.168.17.21-255).

Does this look right:

permit ip 192.37.17.0 0.0.0.9 any

permit ip 192.37.17.0 0.0.0.19 host 192.168.150.252

permit ip 192.37.17.0 0.0.0.255 any

I'm not sure about these netmasks...

thanx in advance!

8 Replies

pcomeaux
Cisco Employee

Please tell us more about the device you are trying to create this ACL on - is it a firewall or a router?

These ACLs would not work for either device, but if you let us know the device, we can help you with the syntax.

thanks

peter

Oops - it is a router. Thanks!

Given the range of addresses, here's an acl statement to accomplish what you described:

permit ip host 192.168.17.11 host 192.168.150.252

permit ip 192.168.17.12 0.0.0.3 host 192.168.150.252

permit ip 192.168.17.16 0.0.0.3 host 192.168.150.252

permit ip host 192.168.17.20 host 192.168.150.252

deny ip host 192.168.17.11 any

deny ip 192.168.17.12 0.0.0.3 any

deny ip 192.168.17.16 0.0.0.3 any

deny ip host 192.168.17.20 any

permit ip 192.168.17.0 0.0.0.255 any

I cannot think of a shorter way to compile this since the addresses are not easily summarizable.

Hope this helps,

peter

Wow! I'm glad I asked for assistance. Have you seen any documentation that would help me understand the logic behind this? I've gone through numerous pdfs on access-lists, and about 4 Cisco Press books, but none have good examples of how to set up ranges like you did above. I have to do the same with some other subnets, but the ranges differ, and I would like to be able to do them on the fly.

Thanks for your help again Peter...

I don't think the following statements are necessary:

deny ip host 192.168.17.11 any

deny ip 192.168.17.12 0.0.0.3 any

deny ip 192.168.17.16 0.0.0.3 any

deny ip host 192.168.17.20 any

Here are his requirements:

1) allow (192.168.17.11-20) to only communicate with a DHCP server (192.168.150.252)

2) allow (192.168.17.1-10 & 192.168.17.21-255) to communicate with anywhere

The first 4 statements allow #1 to be partly satisfied (i.e. they let the hosts speak to the DHCP server):

permit ip host 192.168.17.11 host 192.168.150.252

permit ip 192.168.17.12 0.0.0.3 host 192.168.150.252

permit ip 192.168.17.16 0.0.0.3 host 192.168.150.252

permit ip host 192.168.17.20 host 192.168.150.252

The next 4 statements deny them from communicating to anything else as required in #1:

deny ip host 192.168.17.11 any

deny ip 192.168.17.12 0.0.0.3 any

deny ip 192.168.17.16 0.0.0.3 any

deny ip host 192.168.17.20 any

These deny statements are needed because the implicit deny will not apply to them because of the last statement.

The final statement lets the rest of the subnet communicate with anything:

permit ip 192.168.17.0 0.0.0.255 any

If the deny statements you mention are not included, requirement #1 is not completely satisfied, because the last permit statement would allow anything on the 192.168.17.0/24 subnet to communicate with anything else.

Please let me know if you think I may have overlooked one or more of his requirements.

thanks

peter
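Both the range-to-block decomposition in Peter's ACL and the point about the deny lines above can be checked mechanically. The following Python is an added example (not from this thread or from Cisco): it splits an inclusive range into aligned wildcard blocks, the "on the fly" method rastapong asked about, builds the three-part ACL, and evaluates a source/destination pair against it top-down with the implicit deny at the end.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def range_to_wildcard_blocks(first, last):
    """Split an inclusive IPv4 range into aligned power-of-two blocks, each
    expressible as 'network wildcard' in an IOS ACL (greedy, low to high)."""
    cur, end, blocks = _ip(first), _ip(last), []
    while cur <= end:
        size = 1
        # grow the block while it stays aligned to its size and inside the range
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        blocks.append((str(ipaddress.IPv4Address(cur)), str(ipaddress.IPv4Address(size - 1))))
        cur += size
    return blocks

def _src(net, wc):
    return f"host {net}" if wc == "0.0.0.0" else f"{net} {wc}"

def build_acl(first, last, server, subnet, subnet_wc):
    """Peter's pattern: permit range->server, deny range->any, permit subnet->any."""
    blocks = range_to_wildcard_blocks(first, last)
    return ([f"permit ip {_src(n, w)} host {server}" for n, w in blocks]
            + [f"deny ip {_src(n, w)} any" for n, w in blocks]
            + [f"permit ip {subnet} {subnet_wc} any"])

def _take_spec(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') as (addr, wildcard)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _match(addr, spec):
    wc = _ip(spec[1])  # wildcard: set bits are "don't care"
    return (_ip(addr) | wc) == (_ip(spec[0]) | wc)

def acl_action(lines, src, dst):
    """Evaluate top-down; first matching line wins; unmatched traffic hits the implicit deny."""
    for line in lines:
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol ('ip')
        s_spec, rest = _take_spec(rest)
        d_spec, _ = _take_spec(rest)
        if _match(src, s_spec) and _match(dst, d_spec):
            return action
    return "deny"
```

Running build_acl("192.168.17.11", "192.168.17.20", "192.168.150.252", "192.168.17.0", "0.0.0.255") reproduces Peter's nine lines; dropping the deny lines makes acl_action report "permit" for a restricted host talking to an arbitrary destination.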

When the boxes are first powered on, won't they come up as 0.0.0.0, broadcasting to 255.255.255.255 on udp port 68 looking for a lease? Once they have a lease, and have an ip, then your ACL will permit them to renew it.

Good catch - sounds like the 1st statement in the ACL should include a permit for the initial DHCP request to work (assuming 192.168.17.1 is the router):

permit udp any host 192.168.17.1 eq 68

To make this config complete, the same interface that the 192.168.17.1 IP address and access-list are applied to will also need an IP Helper Address defined for the DHCP server, 192.168.150.252.

thanks!

peter