ACLS question

I was assigned to make an extended access list with these specifications

A. Create 3-line extended ACLs on PHX-RTR-1 named PHX-LAN-1, PHX-LAN-2, and PHX-LAN-3 to prevent IP source address spoofing on these LANs. Only allow traffic that has a source address from the LAN it comes from. Allow DHCP requests:
1. Allow the IP Range for the LAN.
2. Allow BOOTPS.
3. Deny all other traffic.

the PHX-LAN-1 ip and subnet are 172.25.65.128 255.255.255.192

If I know how to do one I can do the rest so I wont bother you guys with PHX-LAN-2 or 3

my current ACL looks like this

Extended IP access list PHX-LAN-1
10 permit ip 172.25.65.128 0.0.0.63 any
20 permit udp 172.25.65.128 0.0.0.63 eq bootps any
30 deny ip any any

I don't know what I'm doing wrong. Any help very appreciated as ACLs are my weak spot!

Find more posts tagged with

Comments

rob42

Tell me, if you would, how did you manage to get your CCNA if you don't understand the basics of ACLs?

Will.m

rob42 wrote: »

Tell me, if you would, how did you manage to get your CCNA if you don't understand the basics of ACLs?

Because I did great on the other 99% of the test

Javea1

Just played around with this in a lab. Here was my solution:

Create the ACL:
PHX-RTR-1(config)#ip access-list extended PHX-LAN-1

1. Allow the IP range for the LAN:
PHX-RTR-1(config-ext-nacl)#permit ip 172.25.65.128 0.0.0.63 any

2. Allow BOOTPS:
PHX-RTR-1(config-ext-nacl)#permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

3. Deny all other traffic:
PHX-RTR-1(config-ext-nacl)#deny ip any any

PHX-RTR-1(config-ext-nacl)#do show access-lists
Extended IP access list PHX-LAN-1
    10 permit ip 172.25.65.128 0.0.0.63 any (24 matches)
    20 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps (6 matches)
    30 deny ip any any (12 matches)

The mistake with your config is coming from sequence number 20 ("20 permit udp 172.25.65.128 0.0.0.63 eq bootps any"). When a host sends a DHCP Request, it doesn't yet have an IP address (this is why it's sending a DHCP Request asking for an IP address in the first place). The host sends this DHCP Request out as a broadcast with a source IP: 0.0.0.0 and destination IP: 255.255.255.255.

So, permitting a source IP address of 172.25.65.128 0.0.0.63 won't work, because your hosts have not yet received an IP address to begin with. To allow this DHCP traffic, you'll need to configure a rule to permit hosts with a source IP of 0.0.0.0 to destination IP 255.255.255.255 equal to UDP port 67 (BOOTPS).

Hope that makes sense.