10-10-2019 12:08 AM
Hello Guys
For our solution I had to block 3671 with an ACL rule on my 9300 switch. This worked so far.
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
end
Then I wanted to put an exception for one IP, 192.168.12.239; this didn't work.
access-list 102 permit udp any 192.168.12.239 0.0.0.255 eq 3671
access-list 102 permit udp 192.168.12.239 0.0.0.255 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
or
access-list 102 deny udp any any eq 3671
access-list 102 permit udp any 192.168.12.239 0.0.0.255 eq 3671
access-list 102 permit udp 192.168.12.239 0.0.0.255 any eq 3671
access-list 102 permit ip any any
Can somebody tell me what's wrong, and how I can put an exception for this IP?
thx in advance
10-10-2019 12:11 AM - edited 10-10-2019 05:26 AM
Hi,
Try something like:
access-list 102 permit udp host 192.168.12.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
If the source is 192.168.12.239 for port number 3671
access-list 102 permit udp any host 192.168.12.239 eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
If the Destination is 192.168.12.239 for the port number 3671
10-10-2019 12:47 AM
Hi there,
It is not clear from your ACLs if you are trying to permit 192.168.12.239 connecting with a source port of UDP/3671 or for any host to connect to 192.168.12.239 with a destination port of UDP/3671.
Your ACLs suggest it is both cases.
Either way, the wildcard mask you are using is in fact permitting 192.168.12.0/24, when in fact you need a host mask. This can be achieved with a host wildcard mask of 0.0.0.0 or using the host keyword in the ACE.
Depending on where 192.168.12.239 lies, the ACLs will look like:
!
access-list 102 permit udp any host 192.168.12.239 eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
!
...or...
!
access-list 102 permit udp host 192.168.12.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
!
cheers,
Seb.
10-10-2019 02:47 AM
Thx, first: that works so far.
access-list 102 permit udp host 192.168.12.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
If I understand it right, if I do this... it doesn't matter where it lies. Is that correct?
access-list 102 permit udp any host 192.168.12.239 eq 3671
access-list 102 permit udp host 192.168.12.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
Is it possible to do something like that... when I want to permit every host from every network with the address xxx.xxx.xxx.239, no matter which one?
access-list 102 permit udp any host xxx.xxx.xxx.239 eq 3671
access-list 102 permit udp host xxx.xxx.xxx.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
If that would work, I would have an ACL which fits all our ports, no matter what network there is....
10-10-2019 03:38 AM
Yes, the second would allow you to place the ACL in any direction on an interface in the path of the traffic flow and it would have the desired effect. Obviously an ACL should be positioned as close as possible to the source of the traffic you are trying to block.
As for your question regarding allowing only an IP address with the last octet being 239, then a wildcard mask is required:
!
access-list 102 permit udp any 1.1.1.239 255.255.255.0 eq 3671
access-list 102 permit udp host 1.1.1.239 255.255.255.0 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
!
...although it looks like a valid netmask, this wildcard mask is telling the router ACL to ignore the first three octets and only match on the last (239).
cheers,
Seb.
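As an added illustration of the two points Seb makes above (0.0.0.255 is a /24 wildcard, not a host match, and 255.255.255.0 as a wildcard matches only the last octet), here is a small Python model of Cisco numbered-ACL matching; it is not code from the thread or from Cisco, supports only the ACE syntax used in this thread (a trailing "eq N" is treated as the destination port), and the packet addresses are constructed samples.

```python
# Added example, not code from the thread: a minimal model of Cisco numbered
# ACL matching, to check what the wildcard masks discussed above really match.
# Only the syntax used in the thread is parsed; all packets are constructed samples.
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_ace(line):
    """'access-list N {permit|deny} PROTO SRC DST [eq PORT]'; SRC/DST are
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[i] == "host":
            i += 2
            return (tok[i - 1], "0.0.0.0")
        i += 2
        return (tok[i - 2], tok[i - 1])

    src, dst = addr(), addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def acl_lookup(acl, proto, src, dst, dport):
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


TAIL = ["access-list 102 deny udp any any eq 3671", "access-list 102 permit ip any any"]
ACL_SUBNET = ["access-list 102 permit udp 192.168.12.239 0.0.0.255 any eq 3671"] + TAIL  # OP's attempt: whole /24
ACL_HOST = ["access-list 102 permit udp host 192.168.12.239 any eq 3671"] + TAIL  # host keyword: one address
ACL_LAST_OCTET = ["access-list 102 permit udp 1.1.1.239 255.255.255.0 any eq 3671"] + TAIL  # any x.x.x.239
```

Running `acl_lookup(ACL_SUBNET, "udp", "192.168.12.10", "192.168.50.5", 3671)` returns "permit", which is exactly the unintended hole in the original attempt; the same packet is denied by ACL_HOST, while ACL_LAST_OCTET permits 10.0.0.239 but still denies 192.168.12.10.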
10-12-2019 02:43 AM
Thx Seb
This solution worked completely fine!
10-12-2019 02:50 AM
Just forgot something: there was a slight difference... I had to put out the host command in line 2.
!
access-list 102 permit udp any 1.1.1.239 255.255.255.0 eq 3671
access-list 102 permit udp 1.1.1.239 255.255.255.0 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
!