06-21-2004 09:46 AM - edited 02-20-2020 09:24 PM
All:
I'm trying to put together an ACL that will allow a section of a subnet (192.168.17.11-20) to only communicate with a DHCP server (192.168.150.252), while allowing access anywhere for the rest (192.168.17.1-10 & 192.168.17.21-255).
Does this look right:
permit ip 192.37.17.0 0.0.0.9 any
permit ip 192.37.17.0 0.0.0.19 host 192.168.150.252
permit ip 192.37.17.0 0.0.0.255 any
I'm not sure about these netmasks...
thanx in advance!
06-21-2004 06:43 PM
Please tell us more about the device you are trying to create this ACL on - is it a firewall or a router?
These ACLs would not work for either device, but if you let us know the device, we can help you with the syntax.
thanks
peter
06-21-2004 07:50 PM
Oops - it is a router. Thanks!
06-22-2004 05:10 AM
Given the range of addresses, here's an acl statement to accomplish what you described:
permit ip host 192.168.17.11 host 192.168.150.252
permit ip 192.168.17.12 0.0.0.3 host 192.168.150.252
permit ip 192.168.17.16 0.0.0.3 host 192.168.150.252
permit ip host 192.168.17.20 host 192.168.150.252
deny ip host 192.168.17.11 any
deny ip 192.168.17.12 0.0.0.3 any
deny ip 192.168.17.16 0.0.0.3 any
deny ip host 192.168.17.20 any
permit ip 192.168.17.0 0.0.0.255 any
I cannot think of a shorter way to compile this since the addresses are not easily summarizable.
Hope this helps,
peter
06-22-2004 07:08 AM
Wow! I'm glad I asked for assistance. Have you seen any documentation that would help me understand the logic behind this? I've gone through numerous pdfs on access-lists, and about 4 Cisco Press books, but none have good examples of how to set up ranges like you did above. I have to do the same with some other subnets, but the ranges differ, and I would like to be able to do them on the fly.
Thanks for your help again Peter...
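The logic behind the range split above is the wildcard-mask bit rule: a 1 bit in the wildcard means "don't care", so one ACL entry can only cover a block whose size is a power of two and whose base address is aligned to that size; an inclusive range is therefore broken into the fewest such blocks. The Python below is an added example, not code from this thread or from Cisco: it checks an address against a wildcard the way the router does (which shows why masks such as 0.0.0.9 or 0.0.0.19 in the first post do not mean "0-9" or "0-19"), and generates the same entries Peter wrote for any range. Function names and the sample addresses are my own choices; the addresses are the ones from the thread.

```python
import ipaddress


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    Only the bits that are 0 in the wildcard are compared, so 0.0.0.9
    (binary ...1001) matches .0, .1, .8 and .9 rather than .0 through .9.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def range_to_wildcards(first: str, last: str) -> list:
    """Split an inclusive range into the fewest (address, wildcard) pairs.

    Each pair is an aligned power-of-two block; summarize_address_range does
    exactly this decomposition, and a block's hostmask is its wildcard.
    """
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in blocks]


def acl_lines(first: str, last: str, action: str, dest: str) -> list:
    """Render one ACL line per block, using 'host x' for single addresses."""
    lines = []
    for addr, wc in range_to_wildcards(first, last):
        src = f"host {addr}" if wc == "0.0.0.0" else f"{addr} {wc}"
        lines.append(f"{action} ip {src} {dest}")
    return lines


def build_acl(first: str, last: str, server: str, subnet: str) -> list:
    """Restricted range may reach only server; the rest of subnet may go anywhere.

    The deny lines are required: without them the final subnet-wide permit
    would also match the restricted hosts.
    """
    net = ipaddress.IPv4Network(subnet)
    return (acl_lines(first, last, "permit", f"host {server}")
            + acl_lines(first, last, "deny", "any")
            + [f"permit ip {net.network_address} {net.hostmask} any"])


if __name__ == "__main__":
    for line in build_acl("192.168.17.11", "192.168.17.20",
                          "192.168.150.252", "192.168.17.0/24"):
        print(line)
```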
08-05-2004 12:33 PM
I don't think the following statements are necessary:
deny ip host 192.168.17.11 any
deny ip 192.168.17.12 0.0.0.3 any
deny ip 192.168.17.16 0.0.0.3 any
deny ip host 192.168.17.20 any
08-05-2004 06:31 PM
Here are his requirements:
1) allow (192.168.17.11-20) to only communicate with a DHCP server (192.168.150.252)
2) allow (192.168.17.1-10 & 192.168.17.21-255) to communicate with anywhere
The first 4 permit statements allow #1 to be partly satisfied (i.e. they let the hosts speak to the DHCP server):
permit ip host 192.168.17.11 host 192.168.150.252
permit ip 192.168.17.12 0.0.0.3 host 192.168.150.252
permit ip 192.168.17.16 0.0.0.3 host 192.168.150.252
permit ip host 192.168.17.20 host 192.168.150.252
The next 4 statements deny them from communicating to anything else as required in #1:
deny ip host 192.168.17.11 any
deny ip 192.168.17.12 0.0.0.3 any
deny ip 192.168.17.16 0.0.0.3 any
deny ip host 192.168.17.20 any
These deny statements are needed because the implicit deny will not apply to them because of the last statement.
The final statement lets the rest of the subnet communicate with anything:
permit ip 192.168.17.0 0.0.0.255 any
If the deny statements you mention are not included, requirement #1 is not completely satisfied, because the last permit statement would allow anything on the 192.168.17.0/24 subnet to communicate with anything else.
Please let me know if you think I may have overlooked one or more of his requirements.
thanks
peter
08-06-2004 05:21 AM
When the boxes are first powered on, won't they come up as 0.0.0.0, broadcasting to 255.255.255.255 on udp port 68 looking for a lease? Once they have a lease, and have an ip, then your ACL will permit them to renew it.
08-06-2004 09:18 AM
Good catch - sounds like the 1st statement in the ACL should include a permit for the initial DHCP request to work (assuming 192.168.17.1 is the router):
permit udp any host 192.168.17.1 eq 68
To make this config complete, the same interface that the 192.168.17.1 IP address and access-list are applied to will also need an IP helper address defined for the DHCP server, 192.168.150.252.
thanks!
peter