Catalyst 2950 and ACLs

kpjunglekpjungle Member Posts: 426
Hi,

I was reading up on some ACL stuff, and came across this info from Cisco, regarding ACLs, and I cant quite get my head around it:

"In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as permit ip 10.1.1.1 any. If you configure this combination, the ACL is not configured. All other combinations of system-defined and user-defined masks are allowed in security ACLs. "

I think it has to do with what they refer to as "masks", especially system-defined and user-defined masks. What part of the ACL is what they call a mask? is the system defined the ANY part of it, or am i missing something here?

And i take it, that this information regarding ACLs also cover routers?

This is the full URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#wp1044050
Studying for CCNP (All done)

Comments

  • scheistermeisterscheistermeister Member Posts: 748 ■□□□□□□□□□
    I am pretty sure by mask they mean the matching condition.
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • kpjunglekpjungle Member Posts: 426
    I am pretty sure by mask they mean the matching condition.

    Yeah, just a little unsure, since further down they give this example:

    "This example shows the same mask in an ACL:

    Switch (config)#ip access-list extended acl2

    Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80

    Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
    "

    Confusing that they have the same mask, even though its not the exact same matching condition (two different hosts, going to two different services), no?
    Studying for CCNP (All done)
  • scheistermeisterscheistermeister Member Posts: 748 ■□□□□□□□□□
    Well they are still matching by host and port number. I do admit that Cisco has very odd ways of saying things.
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • kpjunglekpjungle Member Posts: 426
    Well they are still matching by host and port number. I do admit that Cisco has very odd ways of saying things.

    You mean, that, the layout of the statement is the same, A host going to A service? and not necessarily the same host and same port numbers?
    Studying for CCNP (All done)
  • kpjunglekpjungle Member Posts: 426
    Any ideas why a system-defined layer 4 statement cant come before a user-defined layer 3 statement though?
    Studying for CCNP (All done)
  • eleguaelegua Member Posts: 282
    kpjungle wrote:
    I am pretty sure by mask they mean the matching condition.

    Yeah, just a little unsure, since further down they give this example:

    "This example shows the same mask in an ACL:

    Switch (config)#ip access-list extended acl2

    Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80

    Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
    "

    Confusing that they have the same mask, even though its not the exact same matching condition (two different hosts, going to two different services), no?

    When you configure an Access List you can do it in differents ways, in this case:
    permit tcp 10.1.1.1 0.0.0.0 any eq 80
    
    permit tcp 20.1.1.1 0.0.0.0 any eq 23
    

    what does this mean?, this mean match the exact ip address, same ACL but different layout:
    permit tcp host 10.1.1.1 any eq 80
    
    permit tcp host 20.1.1.1 any eq 23
    

    scheistermeister said:
    I am pretty sure by mask they mean the matching condition
    

    He is 100% right.

    Hope this help. icon_wink.gificon_wink.gif
  • kpjunglekpjungle Member Posts: 426
    elegua wrote:
    kpjungle wrote:
    I am pretty sure by mask they mean the matching condition.

    Yeah, just a little unsure, since further down they give this example:

    "This example shows the same mask in an ACL:

    Switch (config)#ip access-list extended acl2

    Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80

    Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
    "

    Confusing that they have the same mask, even though its not the exact same matching condition (two different hosts, going to two different services), no?

    When you configure an Access List you can do it in differents ways, in this case:
    permit tcp 10.1.1.1 0.0.0.0 any eq 80
    
    permit tcp 20.1.1.1 0.0.0.0 any eq 23
    

    what does this mean?, this mean match the exact ip address, same ACL but different layout:
    permit tcp host 10.1.1.1 any eq 80
    
    permit tcp host 20.1.1.1 any eq 23
    

    scheistermeister said:
    I am pretty sure by mask they mean the matching condition
    

    He is 100% right.

    Hope this help. icon_wink.gificon_wink.gif

    Hehe, think im just really daft regarding this, but to me its just 1 ACL, with two statements, one statement saying, permit host 10.1.1.1 to access any hosts on destination port 80, the other permitting host 20.1.1.1 to access any host on destination port 23. The way I understand it until you guys smack it hard enough into my head :), is that the matching condition is the entire statement (source, destination, port). I hate when i dont get something :)

    Thanks for taking the time :)
    Studying for CCNP (All done)
  • tech-airmantech-airman Member Posts: 953
    kpjungle wrote:
    Hi,

    I was reading up on some ACL stuff, and came across this info from Cisco, regarding ACLs, and I cant quite get my head around it:

    "In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as permit ip 10.1.1.1 any. If you configure this combination, the ACL is not configured. All other combinations of system-defined and user-defined masks are allowed in security ACLs. "

    I think it has to do with what they refer to as "masks", especially system-defined and user-defined masks. What part of the ACL is what they call a mask? is the system defined the ANY part of it, or am i missing something here?

    And i take it, that this information regarding ACLs also cover routers?

    This is the full URL:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#wp1044050

    kpjungle,

    The answer to your question is a little higher up in that document. What that section is talking about is that you can't do the following:
    Switch (config-ext-nacl)# deny tcp any any <---- System defined mask
    Switch (config-ext-nacl)# permit tcp any host 10.0.23.1 eq 80 <--- User defined mask
    

    Another thing you can't do is, within the same access list, put a Layer 4 access list statement before a Layer 3 access statement like the following:
    Switch (config-ext-nacl)# deny tcp any any eq 23 <---- Layer 4 access list statement
    Switch (config-ext-nacl)# permit ip any any <--- Layer 3 access list statement
    

    However you can do this:
    Switch (config-ext-nacl)# permit tcp any host 10.0.23.1 eq 80 <--- User defined mask
    Switch (config-ext-nacl)# deny tcp any any <---- System defined mask
    

    As far as your question about the term "mask" they are probably referring to is the "wildcard mask" since you never use a "subnet mask" with access list statements.

    Source:
    1. Catalyst 2950 Desktop Switch Software Configuration Guide, 12.1(9)EA1 - Configuring Network Security with ACLs - http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#wp1050682
  • kpjunglekpjungle Member Posts: 426
    Hi :)

    Okay, now I think i get some of it. The mask which they are talking about is the wildcard mask, the system defined mask is the ANY part.

    Only question(s) remaining is, why cant you do a layer-4 system defined mask and then a layer 3 user-defined mask? I can come up with an example where I want to do this, Fx.:

    deny tcp any any eq 80
    permit ip any any

    With this I mean, i dont want any hosts accessing anything on port 80, all other traffic is OK. Unfortunally I dont have an enhanced IOS to test out on my own 2950, i did however try it on a 3550, and when i made the ACL, it didnt complain (didnt try traffic through it though).

    Howcome this is not "configurable" according to Cisco, and does this only go for 2950 switches, or routers as well (since they mention: "In an IP extended ACL....")?

    Also, I cant find the section mentioned where I cant do the:

      Switch (Config-ext-nacl)# deny tcp any any <---- System defined layer 4
      Switch (Config-ext-nacl)# permit tcp any host 10.0.23.1 eq 80 <---- layer 4, but user defined
    

    This code snippet I can understand (but cant find in the cisco text), since you would never reach the second ACL statement.

    The entire thing just seems really weird to me, especially since I can come up with an example where I would use it.
    Studying for CCNP (All done)
  • FattyAcidFattyAcid Member Posts: 57 ■■□□□□□□□□
    kpjungle wrote:
    Hi :)

    Only question(s) remaining is, why cant you do a layer-4 system defined mask and then a layer 3 user-defined mask? I can come up with an example where I want to do this, Fx.:

    It's almost certainly a resource and/or optimization limitation in the packet classification engine in the FPGA/ASICs used in Catalyst 2950.
  • kpjunglekpjungle Member Posts: 426
    FattyAcid wrote:
    kpjungle wrote:
    Hi :)

    Only question(s) remaining is, why cant you do a layer-4 system defined mask and then a layer 3 user-defined mask? I can come up with an example where I want to do this, Fx.:

    It's almost certainly a resource and/or optimization limitation in the packet classification engine in the FPGA/ASICs used in Catalyst 2950.

    Thanks for the answer. Yeah, guess you really have to take into account where in the Cisco documentation you read stuff. The mentioned "Extended IP ACL's..." and I read it as a general thing concerning routers and all other Cisco ACL capable equipment. Until otherwise, Ill read it as counting only for the 2950 with Enhanced Image :)
    Studying for CCNP (All done)
  • Paul BozPaul Boz Member Posts: 2,620 ■■■■■■■■□□
    A good rule of thumb with switches is that most all of them have different hardware capable of doing different things. Most switch processes (like matching via an ACL) will be up to the hardware. You can't assume that what a router can do and what a switch can do are interchangeable because routers primarily function in software where as switches function in hardware.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
Sign In or Register to comment.