
Catalyst 2950 and ACLs

kpjungle Member Posts: 426
Hi,

I was reading up on some ACL stuff and came across this info from Cisco regarding ACLs, and I can't quite get my head around it:

"In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as permit ip 10.1.1.1 any. If you configure this combination, the ACL is not configured. All other combinations of system-defined and user-defined masks are allowed in security ACLs. "

I think it has to do with what they refer to as "masks", especially system-defined and user-defined masks. What part of the ACL is what they call a mask? Is the system-defined the ANY part of it, or am I missing something here?

And I take it that this information regarding ACLs also covers routers?

This is the full URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#wp1044050
Studying for CCNP (All done)

Comments

  • scheistermeister Member Posts: 748
    I am pretty sure by mask they mean the matching condition.
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • kpjungle Member Posts: 426
    I am pretty sure by mask they mean the matching condition.

    Yeah, just a little unsure, since further down they give this example:

    "This example shows the same mask in an ACL:

    Switch (config)#ip access-list extended acl2

    Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80

    Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
    "

    Confusing that they have the same mask, even though it's not the exact same matching condition (two different hosts, going to two different services), no?
    Studying for CCNP (All done)
  • scheistermeister Member Posts: 748
    Well they are still matching by host and port number. I do admit that Cisco has very odd ways of saying things.
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • kpjungle Member Posts: 426
    Well they are still matching by host and port number. I do admit that Cisco has very odd ways of saying things.

    You mean that the layout of the statement is the same, a host going to a service, and not necessarily the same host and same port numbers?
    Studying for CCNP (All done)
  • kpjungle Member Posts: 426
    Any ideas why a system-defined layer 4 statement can't come before a user-defined layer 3 statement, though?
    Studying for CCNP (All done)
  • elegua Member Posts: 282
    kpjungle wrote:
    I am pretty sure by mask they mean the matching condition.

    Yeah, just a little unsure, since further down they give this example:

    "This example shows the same mask in an ACL:

    Switch (config)#ip access-list extended acl2

    Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80

    Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
    "

    Confusing that they have the same mask, even though it's not the exact same matching condition (two different hosts, going to two different services), no?

    When you configure an Access List you can do it in different ways, in this case:
    permit tcp 10.1.1.1 0.0.0.0 any eq 80
    
    permit tcp 20.1.1.1 0.0.0.0 any eq 23
    

    What does this mean? It means match the exact IP address. Same ACL, but a different layout:
    permit tcp host 10.1.1.1 any eq 80
    
    permit tcp host 20.1.1.1 any eq 23
    

    scheistermeister said:
    I am pretty sure by mask they mean the matching condition
    

    He is 100% right.

    Hope this helps ;)
  • kpjungle Member Posts: 426
    elegua wrote:
    kpjungle wrote:
    I am pretty sure by mask they mean the matching condition.

    Yeah, just a little unsure, since further down they give this example:

    "This example shows the same mask in an ACL:

    Switch (config)#ip access-list extended acl2

    Switch (config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80

    Switch (config-ext-nacl)# permit tcp 20.1.1.1 0.0.0.0 any eq 23
    "

    Confusing that they have the same mask, even though it's not the exact same matching condition (two different hosts, going to two different services), no?

    When you configure an Access List you can do it in different ways, in this case:
    permit tcp 10.1.1.1 0.0.0.0 any eq 80
    
    permit tcp 20.1.1.1 0.0.0.0 any eq 23
    

    What does this mean? It means match the exact IP address. Same ACL, but a different layout:
    permit tcp host 10.1.1.1 any eq 80
    
    permit tcp host 20.1.1.1 any eq 23
    

    scheistermeister said:
    I am pretty sure by mask they mean the matching condition
    

    He is 100% right.

    Hope this helps ;)

    Hehe, I think I'm just really daft regarding this, but to me it's just one ACL with two statements: one statement saying permit host 10.1.1.1 to access any host on destination port 80, the other permitting host 20.1.1.1 to access any host on destination port 23. The way I understand it, until you guys smack it hard enough into my head :), is that the matching condition is the entire statement (source, destination, port). I hate it when I don't get something :)

    Thanks for taking the time :)
    Studying for CCNP (All done)
  • tech-airman Member Posts: 953
    kpjungle wrote:
    Hi,

    I was reading up on some ACL stuff and came across this info from Cisco regarding ACLs, and I can't quite get my head around it:

    "In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such as permit ip 10.1.1.1 any. If you configure this combination, the ACL is not configured. All other combinations of system-defined and user-defined masks are allowed in security ACLs. "

    I think it has to do with what they refer to as "masks", especially system-defined and user-defined masks. What part of the ACL is what they call a mask? Is the system-defined the ANY part of it, or am I missing something here?

    And I take it that this information regarding ACLs also covers routers?

    This is the full URL:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#wp1044050

    kpjungle,

    The answer to your question is a little higher up in that document. What that section is talking about is that you can't do the following:
    Switch (config-ext-nacl)# deny tcp any any <---- System defined mask
    Switch (config-ext-nacl)# permit tcp any host 10.0.23.1 eq 80 <--- User defined mask
    

    Another thing you can't do is, within the same access list, put a Layer 4 access list statement before a Layer 3 access statement like the following:
    Switch (config-ext-nacl)# deny tcp any any eq 23 <---- Layer 4 access list statement
    Switch (config-ext-nacl)# permit ip any any <--- Layer 3 access list statement
    

    However you can do this:
    Switch (config-ext-nacl)# permit tcp any host 10.0.23.1 eq 80 <--- User defined mask
    Switch (config-ext-nacl)# deny tcp any any <---- System defined mask
    

    As for your question about the term "mask": they are probably referring to the "wildcard mask", since you never use a "subnet mask" with access list statements.

    Source:
    1. Catalyst 2950 Desktop Switch Software Configuration Guide, 12.1(9)EA1 - Configuring Network Security with ACLs - http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#wp1050682
  • kpjungle Member Posts: 426
    Hi :)

    Okay, now I think i get some of it. The mask which they are talking about is the wildcard mask, the system defined mask is the ANY part.

    The only question(s) remaining: why can't you do a layer-4 system-defined mask and then a layer-3 user-defined mask? I can come up with an example where I want to do this, e.g.:

    deny tcp any any eq 80
    permit ip any any

    With this I mean: I don't want any hosts accessing anything on port 80; all other traffic is OK. Unfortunately I don't have an enhanced IOS to test on my own 2950; I did however try it on a 3550, and when I made the ACL it didn't complain (didn't try traffic through it, though).

    How come this is not "configurable" according to Cisco, and does this only go for 2950 switches, or routers as well (since they mention "In an IP extended ACL...")?

    Also, I can't find the section mentioned where I can't do the:

      Switch (Config-ext-nacl)# deny tcp any any <---- System defined layer 4
      Switch (Config-ext-nacl)# permit tcp any host 10.0.23.1 eq 80 <---- layer 4, but user defined
    

    This code snippet I can understand (but cant find in the cisco text), since you would never reach the second ACL statement.

    The entire thing just seems really weird to me, especially since I can come up with an example where I would use it.
    Studying for CCNP (All done)
  • FattyAcid Member Posts: 57
    kpjungle wrote:
    Hi :)

    Only question(s) remaining is, why cant you do a layer-4 system defined mask and then a layer 3 user-defined mask? I can come up with an example where I want to do this, Fx.:

    It's almost certainly a resource and/or optimization limitation in the packet classification engine in the FPGA/ASICs used in Catalyst 2950.
  • kpjungle Member Posts: 426
    FattyAcid wrote:
    kpjungle wrote:
    Hi :)

    Only question(s) remaining is, why cant you do a layer-4 system defined mask and then a layer 3 user-defined mask? I can come up with an example where I want to do this, Fx.:

    It's almost certainly a resource and/or optimization limitation in the packet classification engine in the FPGA/ASICs used in Catalyst 2950.

    Thanks for the answer. Yeah, I guess you really have to take into account where in the Cisco documentation you read stuff. They mentioned "Extended IP ACLs..." and I read it as a general thing concerning routers and all other Cisco ACL-capable equipment. Until told otherwise, I'll read it as counting only for the 2950 with the Enhanced Image :)
    Studying for CCNP (All done)
  • Paul Boz Member Posts: 2,620
    A good rule of thumb with switches is that almost all of them have different hardware capable of doing different things. Most switch processes (like matching via an ACL) will be up to the hardware. You can't assume that what a router can do and what a switch can do are interchangeable, because routers primarily function in software whereas switches function in hardware.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/