ACL exception

Dvu77
Level 1

Hello Guys 

For our solution I had to block 3671 with an ACL rule on my 9300 switch. This worked so far.

access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
end

Then I wanted to put an exception for one IP, 192.168.12.239; this didn't work.

access-list 102 permit udp any 192.168.12.239 0.0.0.255 eq 3671
access-list 102 permit udp 192.168.12.239 0.0.0.255 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any

or

access-list 102 deny udp any any eq 3671
access-list 102 permit udp any 192.168.12.239 0.0.0.255 eq 3671
access-list 102 permit udp 192.168.12.239 0.0.0.255 any eq 3671
access-list 102 permit ip any any

Can somebody tell me what's wrong, and how I can put an exception for this IP?

thx in advance


6 Replies

Deepak Kumar
VIP Alumni

Hi,

Try something like:

access-list 102 permit udp host 192.168.12.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any

If the source is 192.168.12.239 for port number 3671

access-list 102 permit udp any host 192.168.12.239 eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any

If the destination is 192.168.12.239 for the port number 3671

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Seb Rupik
VIP Alumni

Hi there,
It is not clear from your ACLs if you are trying to permit 192.168.12.239 connecting with a source port of UDP/3671 or for any host to connect to 192.168.12.239 with a destination port of UDP/3671.
Your ACLs suggest it is both cases.
Either way, the wildcard mask you are using is in fact permitting 192.168.12.0/24, when in fact you need a host mask. This can be achieved with a host wildcard mask of 0.0.0.0 or using the host keyword in the ACE.

Depending on where 192.168.12.239 lies, the ACLs will look like:

!
access-list 102 permit udp any host 192.168.12.239 eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
!

...or...

!
access-list 102 permit udp host 192.168.12.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
!

cheers,
Seb.

Thx, first, that works so far

access-list 102 permit udp host 192.168.12.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any

If I understand it right, if I do this... it doesn't matter where it lies. Is that correct?

access-list 102 permit udp any host 192.168.12.239 eq 3671
access-list 102 permit udp host 192.168.12.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any

Is it possible to do something like that... when I want to permit every host from every network with the address xxx.xxx.xxx.239, no matter which one?

access-list 102 permit udp any host xxx.xxx.xxx.239 eq 3671
access-list 102 permit udp host xxx.xxx.xxx.239 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any

If that would work, I would have an ACL which fits for all our ports, no matter what network there is....

Yes, the second would allow you to place the ACL in any direction on an interface in the path of the traffic flow and it would have the desired effect. Obviously an ACL should be positioned as close as possible to the source of the traffic you are trying to block.

As for your question regarding allowing only an IP address with the last octet being 239, then a wildcard mask is required:

!
access-list 102 permit udp any 1.1.1.239 255.255.255.0 eq 3671
access-list 102 permit udp host 1.1.1.239 255.255.255.0 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
!

...although it looks like a valid netmask, this wildcard mask is telling the router ACL to ignore the first three octets and only match on the last (239).


cheers,

Seb.
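As an added illustration (not code from this thread or from Cisco), here is a small Python model of Cisco wildcard-mask matching and first-match ACL evaluation; it covers both the 0.0.0.255-versus-host point above and the 255.255.255.0 last-octet trick. The packet dicts and the three ACLs are constructed for the example, and only the any / host / "address wildcard" and "eq PORT" forms used in this thread are parsed.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: 0 bit = must match, 1 bit = ignore. 0.0.0.0 is a host mask,
    0.0.0.255 matches a whole /24, 255.255.255.0 matches only on the last octet."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _addr(t):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((base, wildcard), rest)."""
    if t[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), t[1:]
    if t[0] == "host":  # 'host' takes a single address, never a mask
        return (t[1], "0.0.0.0"), t[2:]
    return (t[0], t[1]), t[2:]

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC DST [eq PORT]' (no source-port qualifier)."""
    t = line.split()
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    dport = int(rest[1]) if rest and rest[0] == "eq" else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    """pkt is a dict with proto, src, dst, dport."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    return ace["dport"] is None or pkt["dport"] == ace["dport"]

def evaluate(acl, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed ACLs: the /24 mistake, the host-keyword fix, and the last-octet-only variant.
TAIL = ["access-list 102 deny udp any any eq 3671", "access-list 102 permit ip any any"]
OP_ACL = ["access-list 102 permit udp any 192.168.12.239 0.0.0.255 eq 3671"] + TAIL
HOST_ACL = ["access-list 102 permit udp any host 192.168.12.239 eq 3671"] + TAIL
LAST_OCTET_ACL = ["access-list 102 permit udp any 1.1.1.239 255.255.255.0 eq 3671"] + TAIL

def knx_to(dst):
    """Constructed sample packet: UDP/3671 from a client at 10.0.0.1 to dst."""
    return {"proto": "udp", "src": "10.0.0.1", "dst": dst, "dport": 3671}
```

Running evaluate(OP_ACL, knx_to("192.168.12.5")) returns "permit", which is exactly the unintended hole the 0.0.0.255 mask opens; the host-keyword and 255.255.255.0 variants only admit the intended address or the intended last octet.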

 

Thx Seb

This solution worked completely fine!

Just forgot something: there was a slight difference... I had to take out the host command in line 2


!
access-list 102 permit udp any 1.1.1.239 255.255.255.0 eq 3671
access-list 102 permit udp 1.1.1.239 255.255.255.0 any eq 3671
access-list 102 deny udp any any eq 3671
access-list 102 permit ip any any
!

 
