ACLS question
Will.m
Registered Users Posts: 4
in CCNA & CCENT
I was assigned to make an extended access list with these specifications:
A. Create 3-line extended ACLs on PHX-RTR-1 named PHX-LAN-1, PHX-LAN-2, and PHX-LAN-3 to prevent IP source address spoofing on these LANs. Only allow traffic that has a source address from the LAN it comes from. Allow DHCP requests:
1. Allow the IP Range for the LAN.
2. Allow BOOTPS.
3. Deny all other traffic.
The PHX-LAN-1 IP and subnet are 172.25.65.128 255.255.255.192.
If I know how to do one I can do the rest, so I won't bother you guys with PHX-LAN-2 or 3.
My current ACL looks like this:
Extended IP access list PHX-LAN-1
10 permit ip 172.25.65.128 0.0.0.63 any
20 permit udp 172.25.65.128 0.0.0.63 eq bootps any
30 deny ip any any
I don't know what I'm doing wrong. Any help is very appreciated, as ACLs are my weak spot!
Comments
-
rob42 Member Posts: 423
Tell me, if you would, how did you manage to get your CCNA if you don't understand the basics of ACLs?
No longer an active member
-
Will.m Registered Users Posts: 4
Tell me, if you would, how did you manage to get your CCNA if you don't understand the basics of ACLs?
-
Javea1 Registered Users Posts: 2
Just played around with this in a lab. Here was my solution:
Create the ACL:
PHX-RTR-1(config)#ip access-list extended PHX-LAN-1
1. Allow the IP range for the LAN:
PHX-RTR-1(config-ext-nacl)#permit ip 172.25.65.128 0.0.0.63 any
2. Allow BOOTPS:
PHX-RTR-1(config-ext-nacl)#permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
3. Deny all other traffic:
PHX-RTR-1(config-ext-nacl)#deny ip any any
PHX-RTR-1(config-ext-nacl)#do show access-lists
Extended IP access list PHX-LAN-1
10 permit ip 172.25.65.128 0.0.0.63 any (24 matches)
20 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps (6 matches)
30 deny ip any any (12 matches)
The mistake with your config is coming from sequence number 20 ("20 permit udp 172.25.65.128 0.0.0.63 eq bootps any"). When a host sends a DHCP Request, it doesn't yet have an IP address (this is why it's sending a DHCP Request asking for an IP address in the first place). The host sends this DHCP Request out as a broadcast with a source IP: 0.0.0.0 and destination IP: 255.255.255.255.
So, permitting a source IP address of 172.25.65.128 0.0.0.63 won't work, because your hosts have not yet received an IP address to begin with. To allow this DHCP traffic, you'll need to configure a rule to permit hosts with a source IP of 0.0.0.0 to destination IP 255.255.255.255 equal to UDP port 67 (BOOTPS).
Hope that makes sense.
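As an added illustration (not part of any post in this thread), the following constructed Python model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny) runs both lists from the thread against a DHCP Discover, an ordinary PHX-LAN-1 host and a packet with a spoofed source; the destination and spoofed addresses in the sample packets are made up.

```python
import ipaddress

# Constructed model of Cisco IOS extended-ACL evaluation: a wildcard-mask bit
# of 0 must match, a bit of 1 is "don't care", and the first matching ACE wins.
def wildcard_match(addr, base, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl, pkt):
    """Return (sequence, action) of the first ACE that matches pkt."""
    for seq, action, proto, src, src_wc, sport, dst, dst_wc, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], src, src_wc):
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if not wildcard_match(pkt["dst"], dst, dst_wc):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return seq, action
    return None, "deny"  # implicit deny at the end of every IOS ACL

ANY = ("0.0.0.0", "255.255.255.255")      # "any"
LAN = ("172.25.65.128", "0.0.0.63")       # PHX-LAN-1 (/26)
BOOTPS = 67

# Original poster's list: ACE 20 requires a LAN source and puts "eq bootps" on the source port.
ACL_ORIGINAL = [
    (10, "permit", "ip", *LAN, None, *ANY, None),
    (20, "permit", "udp", *LAN, BOOTPS, *ANY, None),
    (30, "deny", "ip", *ANY, None, *ANY, None),
]

# Javea1's list: ACE 20 matches host 0.0.0.0 to host 255.255.255.255, destination port 67.
ACL_FIXED = [
    (10, "permit", "ip", *LAN, None, *ANY, None),
    (20, "permit", "udp", "0.0.0.0", "0.0.0.0", None, "255.255.255.255", "0.0.0.0", BOOTPS),
    (30, "deny", "ip", *ANY, None, *ANY, None),
]

# Constructed sample packets as they would arrive inbound on the PHX-LAN-1 interface.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68,
                 "dst": "255.255.255.255", "dport": BOOTPS}
LAN_HOST = {"proto": "tcp", "src": "172.25.65.130", "dst": "10.0.0.1", "dport": 443}
SPOOFED = {"proto": "tcp", "src": "192.0.2.7", "dst": "10.0.0.1", "dport": 443}
```

Running evaluate() on DHCP_DISCOVER shows the original list falling through to ACE 30 while Javea1's list hits ACE 20, and both lists still permit the LAN host and deny the spoofed source.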