ACL -which protocol?

Posted by daytime on June 14, 2007, 3:11 am


Hello all, I am slightly confused about which protocol I should use
after the permit/deny statement.
Am I correct in thinking that if I am using FTP/Telnet I would use TCP, and if
using TFTP/SMTP I would use UDP? But could I also just use IP to
encompass all?
TIA


Posted by Gabriele Beltrame on June 14, 2007, 3:59 am



> Hello all-I am slightly confused about which protocol I should use
> after the permit/deny statement.
> Am I correct in thinking if I am using FTP/Telnet/ I would use TCP-if
> using TFTP/SMTP I would use UDP-but could I also just use IP? to
> encompass all?
> TIA
>

Hi,

Only TFTP uses a UDP transport; FTP (both control and data), Telnet and SMTP
are all TCP.

You could also use an "IP" access list to match L3 addresses, but you lose the
granularity that L4 UDP/TCP multiplexing (i.e. ports) offers.
Using either "IP" or another protocol in ACLs depends upon what you want to
restrict/allow.

Note that standard ACLs are "limited" only to IP.

Regards,
Gabriele



Posted by Scott Perry on June 14, 2007, 9:10 am


IP encompasses all of TCP and UDP. When IP is the protocol specified in the
access-list command, there are no port numbers specified.
Examples:

permit ip any host 10.1.1.1

This permits any network traffic to 10.1.1.1 on any TCP or UDP port.

permit ip host 10.1.1.1 any

This permits any network traffic from 10.1.1.1 on any TCP or UDP port.

permit tcp any host 10.1.1.1 eq 53

This permits any network traffic to 10.1.1.1 TCP port 53, but not on any
other destination port on that host.

permit udp any host 10.1.1.1 eq 53

This permits any network traffic to 10.1.1.1 UDP port 53, but not on any
other destination port on that host.

deny tcp any host 10.1.1.1 eq 53
deny udp any host 10.1.1.1 eq 53
permit ip any host 10.1.1.1
deny ip any any*

This permits any network traffic to 10.1.1.1 except on TCP port 53 or UDP
port 53, but it does not permit network traffic to any other hosts.
* As many of us have read, all access-lists end with an implicit deny so
this line does not change the access-list functionality. This last line is
used to visually see in a "show access-list" command how many matches there
have been to this access-list line.

Challenge:
What access-list would allow the following with minimal lines? Inside
network users in 192.168.0.0/24 and 192.168.1.0/24 want to be able to web
browse out to the Internet (access-list is from the private network outbound
to the Internet) for HTTP and HTTPS only. DNS is permitted outbound for
both TCP and UDP to the ISP subnet at 10.20.0.0/16 from your inside DNS
server at 192.168.1.4.

===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________



Posted by daytime on June 14, 2007, 6:12 pm


> IP encompasses all of TCP and UDP. When IP is the protocol specified in the
> access-list command, there are no port numbers specified.
> Examples:
>
> permit ip any host 10.1.1.1
>
> This permits any network traffic to 10.1.1.1 on any TCP or UDP port.
>
> permit ip host 10.1.1.1 any
>
> This permits any network traffic from 10.1.1.1 on any TCP or UDP port.
>
> permit tcp any host 10.1.1.1 eq 53
>
> This permits any network traffic to 10.1.1.1 TCP port 53, but not on any
> other destination port on that host
>
> permit udp any host 10.1.1.1 eq 53
>
> This permits any network traffic to 10.1.1.1 UDP port 53, but not on any
> other destination port on that host
>
> deny tcp any host 10.1.1.1 eq 53
> deny udp any host 10.1.1.1 eq 53
> permit ip any host 10.1.1.1
> deny ip any any*
>
> This permits any network traffic to 10.1.1.1 except on TCP port 53 or UDP
> port 53 but it does not permit network traffic to any other hosts.
> * As many of us have read, all access-lists end with an implicit deny so
> this line does not change the access-list functionality. This last line is
> used to visually see in a "show access-list" command how many matches there
> have been to this access-list line.
>
> Challenge:
> What access-list would allow the following with minimal lines? Inside
> network users in 192.168.0.0/24 and 192.168.1.0/24 want to be able to web
> browse out to the Internet (access-list is from the private network outbound
> to the Internet) for HTTP and HTTPS only. DNS is permitted outbound for
> both TCP and UDP to the ISP subnet at 10.20.0.0/16 from your inside DNS
> server at 192.168.1.4.
>
> ===========
> Scott Perry
> ===========
> Indianapolis, Indiana
> ________________________________________

Ok!
access-list 100 permit ip 192.168.0.0 0.0.3.255 any eq 80 ? (I don't
know what HTTPS is)
int s0
ip access-group 100 out
access-list 101 permit tcp host 192.168.1.4 10.20.0.0 0.0.255.255 eq 53

I don't know what interface to use for that one. Many thanks for the
explanation; I had a go at a practice final and one of the questions was
an applet to write a 3-line ACL permitting telnet.
Please put some more examples up!
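Added example (not from the thread): a small Python evaluator for extended ACL entries of the form `permit|deny <ip|tcp|udp> <src> <dst> [eq <port>]`, where an address is `any`, `host A.B.C.D` or `A.B.C.D <wildcard>`. It walks Scott's four-line example with first-match and implicit-deny semantics, rejects the `ip ... eq 80` form used in the reply above (an `ip` entry carries no port), and includes my own four-line answer to Scott's challenge; the packet addresses in the tests are constructed.

```python
import ipaddress

def _parse_addr(tokens):
    """Pop one address spec; return (base, wildcard) as 32-bit ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse ACL text, one entry per line, into a list of rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _parse_addr(tokens), _parse_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        if proto == "ip" and port is not None:   # "ip" entries carry no port
            raise ValueError("eq <port> is only valid with tcp/udp: " + line)
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    return rules

def _match(addr, spec):
    base, wild = spec                            # wildcard bits set = don't care
    return (addr ^ base) & (~wild & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, index) of the first entry hit; index None = implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for i, r in enumerate(rules):
        if r["proto"] not in ("ip", proto):      # "ip" covers both tcp and udp
            continue
        if _match(s, r["src"]) and _match(d, r["dst"]) and r["port"] in (None, dport):
            return r["action"], i
    return "deny", None

# Scott's four-line example from the post; the last entry duplicates the
# implicit deny so that "show access-list" displays a hit counter for it.
SCOTT_ACL = parse_acl("""deny tcp any host 10.1.1.1 eq 53
deny udp any host 10.1.1.1 eq 53
permit ip any host 10.1.1.1
deny ip any any""")

# One answer to Scott's challenge (mine, not from the thread): wildcard
# 0.0.1.255 covers both /24s, and DNS needs one tcp and one udp entry.
CHALLENGE_ACL = parse_acl("""permit tcp 192.168.0.0 0.0.1.255 any eq 80
permit tcp 192.168.0.0 0.0.1.255 any eq 443
permit tcp host 192.168.1.4 10.20.0.0 0.0.255.255 eq 53
permit udp host 192.168.1.4 10.20.0.0 0.0.255.255 eq 53""")
```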


Posted by Me on June 17, 2007, 10:43 am


TCP is used for connection-oriented protocols (3-way handshake required) and
UDP is used for connectionless ones (no 3-way handshake required).

You can use IP and it will cover all TCP and UDP because IP runs on a lower
layer. Over the Internet, you will use TCP/IP to make sure packets are
delivered. FTP, Telnet, SMTP all use TCP and TFTP (Trivial FTP) uses UDP.

So... to see which protocol is used... you can either do IP or use two lines,
one with TCP and another with UDP... Then on the router do a "show access-list"
to see which ports are getting hit. After a few days, you can remove the
ones with zero hit counts.

I hope this helps.
Matt

> Hello all-I am slightly confused about which protocol I should use
> after the permit/deny statement.
> Am I correct in thinking if I am using FTP/Telnet/ I would use TCP-if
> using TFTP/SMTP I would use UDP-but could I also just use IP? to
> encompass all?
> TIA
>


