ACLs question

Will.m  Posts: 4  Registered Users
I was assigned to make an extended access list with these specifications:

A. Create 3-line extended ACLs on PHX-RTR-1 named PHX-LAN-1, PHX-LAN-2, and PHX-LAN-3 to prevent IP source address spoofing on these LANs. Only allow traffic that has a source address from the LAN it comes from. Allow DHCP requests:
1. Allow the IP Range for the LAN.
2. Allow BOOTPS.
3. Deny all other traffic.

The PHX-LAN-1 IP and subnet are 172.25.65.128 255.255.255.192.

If I know how to do one I can do the rest, so I won't bother you guys with PHX-LAN-2 or 3.

My current ACL looks like this:

Extended IP access list PHX-LAN-1
10 permit ip 172.25.65.128 0.0.0.63 any
20 permit udp 172.25.65.128 0.0.0.63 eq bootps any
30 deny ip any any

I don't know what I'm doing wrong. Any help is very appreciated, as ACLs are my weak spot!

Comments

  • rob42  Posts: 423  Member
    Tell me, if you would, how did you manage to get your CCNA if you don't understand the basics of ACLs?
  • Will.m  Posts: 4  Registered Users
    rob42 wrote:
    Tell me, if you would, how did you manage to get your CCNA if you don't understand the basics of ACLs?
    Because I did great on the other 99% of the test
  • Javea1  Posts: 2  Registered Users
    Just played around with this in a lab. Here was my solution:
    Create the ACL:
    PHX-RTR-1(config)#ip access-list extended PHX-LAN-1
    
    1. Allow the IP range for the LAN:
    PHX-RTR-1(config-ext-nacl)#permit ip 172.25.65.128 0.0.0.63 any
    
    2. Allow BOOTPS:
    PHX-RTR-1(config-ext-nacl)#permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
    
    3. Deny all other traffic:
    PHX-RTR-1(config-ext-nacl)#deny ip any any
    
    PHX-RTR-1(config-ext-nacl)#do show access-lists
    Extended IP access list PHX-LAN-1
        10 permit ip 172.25.65.128 0.0.0.63 any (24 matches)
        20 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps (6 matches)
        30 deny ip any any (12 matches)
    

    The mistake with your config is coming from sequence number 20 ("20 permit udp 172.25.65.128 0.0.0.63 eq bootps any"). When a host sends a DHCP Request, it doesn't yet have an IP address (this is why it's sending a DHCP Request asking for an IP address in the first place). The host sends this DHCP Request out as a broadcast with a source IP of 0.0.0.0 and a destination IP of 255.255.255.255.

    So, permitting a source IP address of 172.25.65.128 0.0.0.63 won't work, because your hosts have not yet received an IP address to begin with. To allow this DHCP traffic, you'll need to configure a rule that permits hosts with a source IP of 0.0.0.0 to the destination IP 255.255.255.255 on UDP port 67 (BOOTPS).

    Hope that makes sense.
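The following is an added example, not code from the thread: a small Python evaluator for the two ACLs above, using IOS-style first-match semantics, wildcard masks (a 1 bit means "don't care") and the implicit deny at the end. It runs three constructed packets through the original ACL and the corrected one: a normal host on PHX-LAN-1, a DHCP Discover from a client that has no address yet (0.0.0.0 -> 255.255.255.255, UDP 68 -> 67) and a packet with a spoofed off-LAN source. It shows that the original line 20 can never match the DHCP broadcast, and also models where `eq PORT` sits in the extended-ACL syntax: in the original line 20 it follows the source address and therefore matches the source port (a DHCP client sends from bootpc/68, not bootps/67), while in the corrected line it follows the destination and matches destination port 67. The Packet/Rule names and the sample traffic are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of Cisco IOS extended-ACL matching, written for this example.
# Supports: ip|udp|tcp, "any", "host A", "A WILDCARD", optional "eq PORT" after
# the source and/or destination address. Not IOS itself.
PORT_NAMES = {"bootps": 67, "bootpc": 68}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    proto: str
    src_addr: int
    src_wild: int
    sport: Optional[int]
    dst_addr: int
    dst_wild: int
    dport: Optional[int]

def _parse_addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (base, wildcard, next_i)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2

def _parse_port(t, i):
    """Consume an optional 'eq PORT' at t[i]; PORT may be a name or a number."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue  # skip the "Extended IP access list ..." header line
        seq, action, proto = int(t[0]), t[1], t[2]
        src, swild, i = _parse_addr(t, 3)
        sport, i = _parse_port(t, i)      # "eq" here is a SOURCE port match
        dst, dwild, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)      # "eq" here is a DESTINATION port match
        rules.append(Rule(seq, action, proto, src, swild, sport, dst, dwild, dport))
    return rules

def _addr_match(addr: str, base: int, wild: int) -> bool:
    # Wildcard bits set to 1 are ignored in the comparison.
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(rules, pkt: Packet) -> tuple[str, Optional[int]]:
    """First matching rule wins; no match means the implicit 'deny ip any any'."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not _addr_match(pkt.src, r.src_addr, r.src_wild):
            continue
        if not _addr_match(pkt.dst, r.dst_addr, r.dst_wild):
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.seq
    return "deny", None

ORIGINAL_ACL = """
Extended IP access list PHX-LAN-1
10 permit ip 172.25.65.128 0.0.0.63 any
20 permit udp 172.25.65.128 0.0.0.63 eq bootps any
30 deny ip any any
"""

FIXED_ACL = """
Extended IP access list PHX-LAN-1
10 permit ip 172.25.65.128 0.0.0.63 any
20 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
30 deny ip any any
"""

# Constructed sample traffic arriving inbound from PHX-LAN-1 (not captured data).
LAN_HOST = Packet("udp", "172.25.65.150", "8.8.8.8", 53000, 53)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)  # no address yet
SPOOFED = Packet("tcp", "10.0.0.5", "172.25.65.1", 40000, 22)

def compare() -> dict:
    """Return {acl_name: {packet_name: (action, matched_seq)}} for both ACLs."""
    out = {}
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        rules = parse_acl(acl)
        out[name] = {
            "lan_host": evaluate(rules, LAN_HOST),
            "dhcp_discover": evaluate(rules, DHCP_DISCOVER),
            "spoofed": evaluate(rules, SPOOFED),
        }
    return out

if __name__ == "__main__":
    for acl_name, res in compare().items():
        for pkt_name, (action, seq) in res.items():
            print(f"{acl_name:8} {pkt_name:14} -> {action} (seq {seq})")
```

Running it shows the original ACL sending the DHCP Discover to line 30 (deny) while the corrected ACL matches it on line 20, with the LAN host permitted on line 10 and the spoofed source denied on line 30 in both cases. A host just outside the wildcard range, such as 172.25.65.192, falls through to the deny, which is the anti-spoofing behaviour the assignment asks for.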