ACL Fun...

Recently a "seasoned" "Level2" network engineer, who will remain nameless, was tasked with creating a routable vlan. The nodes apart of this vlan should have IP addresses statically set within the 192.168.25.0/24 network. These nodes should only be able to reach public addressing, they should not be able to access private addresses as defined in RFC1918.

Below was an ACL applied inward on the VLAN's SVI. As I find this to be foundational knowledge, I ask those studying for CCENT/CCNA what you think this ACL is blocking?

Extended IP access list 125
    10 deny ip any 0.0.0.0 255.0.0.0
    20 deny ip any 0.0.0.0 255.255.0.0
    30 permit ip any any (6657989 matches)

Find more posts tagged with

Comments

NetworkNewb

Does that end up blocking anything? He obviously screwed up the wildcard mask

hurricane1091

Monkerz wrote: »
Recently a "seasoned" "Level2" network engineer, who will remain nameless, was tasked with creating a routable vlan. The nodes apart of this vlan should have IP addresses statically set within the 192.168.25.0/24 network. These nodes should only be able to reach public addressing, they should not be able to access private addresses as defined in RFC1918.

Below was an ACL applied inward on the VLAN's SVI. As I find this to be foundational knowledge, I ask those studying for CCENT/CCNA what you think this ACL is blocking?
Extended IP access list 125
    10 deny ip any 0.0.0.0 255.0.0.0
    20 deny ip any 0.0.0.0 255.255.0.0
    30 permit ip any any (6657989 matches)

Interesting thought process.

Would the proper way to do it be to do deny ip 192.168.25.0 0.0.0.255 x.x.x.x. x.x.x.x. (private IP range, multiple entries possibly) then do a permit statement with the 192.168.25.0 0.0.0.255 any? On the SVI inbound?

satishtech

What is the correct answer ?

Heero

Monkerz wrote: »

Extended IP access list 125
    10 deny ip any 0.0.0.0 255.0.0.0
    20 deny ip any 0.0.0.0 255.255.0.0
    30 permit ip any any (6657989 matches)

Edit because I think I interpreted this wrong, I need to eat. This is the most retarded ACL I think I have ever seen though.

Okay now that I looked at it again, line 20 blocks access to any IP with the last 3 octets being zero, so x.0.0.0, X being any value.

Then line 20 blocks access to any IP with the last two octets as 0, so x.x.0.0.

Most of the time an address ending in zero is the network address and there would be no reason to send traffic to/from it, but it could be a valid IP in any subnet that is /23 or greater. Or on a /32 loopback. Or on a /31 p2p link.

Monkerz

I read your first reply and thought about replying, but gave it a few minutes and made coffee. Come back and you nail it. Lines of this ACL could be useful in denying summary route advertisements, but not in what was asked of the guy. That being said, need a job? Haha, just kidding....it looks like I have much to teach.

hurricane1091

Monkerz wrote: »

I read your first reply and thought about replying, but gave it a few minutes and made coffee. Come back and you nail it. Lines of this ACL could be useful in denying summary route advertisements, but not in what was asked of the guy. That being said, need a job? Haha, just kidding....it looks like I have much to teach.

I'm confused because shouldn't there be a wildcard mask instead of a netmask? I don't have any real world experience doing this stuff except for labbing on sims doing ACLs on Routers, but I thought routers (and I'm guessing L3 switches???) used wildcard masks. Like, I see it as denying traffing from anywhere to 0.0.0.0, matching 255.0.0.0 which doesn't make sense because that isn't a wildcard mask. That would be saying block traffic from anywhere going to 0.X.X.X, no? I'm interested, please explain.

Monkerz

They are wildcard masks. Look at the mask from the bit level. A 0 is relevant (must match exactly), and a 1 doesn't matter.

The exact same way you can match on any IP address containing a say 5 in the second octet with a 128 in the forth octet by using an example of:

0.5.0.128 255.0.255.0

hurricane1091

Monkerz wrote: »

They are wildcard masks. Look at the mask from the bit level. A 0 is relevant (must match exactly), and a 1 doesn't matter.

Okay. Zeros have to match though. I've never seen a wildcard mask start with 255 but end with 0 I thought? Like, if you wanted to permit 192.168.25.0/24 to go to anywhere, you would do 192.168.25.0 0.0.0.255, which is saying 192.168.25.X

Monkerz

I edited my post above, check it out. If you really want to blow your mind, Google discontiguous wildcard masks. The more advanced you get in your studies, you will find that you can match on anything you want.

hurricane1091

Monkerz wrote: »

I edited my post above, check it out. If you really want to blow your mind, Google discontiguous wildcard masks. The more advanced you get in your studies, you will find that you can match on anything you want.

I will. I read your above post. I've never thought about it like that. It makes sense! I've never come across it in my studies yet, but I'll look up discontiguous wildcard mask. Thanks!