ACL help please

Hello - can anyone tell me what difference it makes using "access-list 101 permit tcp" or "access-list 101 permit ip"? TIA. I asked my tutor, who said it makes no difference?

gregg johnstone

"access-list 101 permit tcp" won't permit UDP.

"access-list 101 permit ip" permits both TCP and UDP services.

Aubrey Adams

Wow, your tutor says it makes no difference? Very bad tutor...

Remember the OSI model?

layer 5: BGP
layer 4: TCP, UDP
layer 3: IP, OSPF
layer 2: Ethernet, Frame Relay, etc.
layer 1: physics

If you say "permit ip", you permit any layer 'above and including the IP layer'. So, that would mean you permit any IP protocol (TCP, UDP, ESP, AH, etc.).

If you say "permit tcp", you permit any layer 'above and including the TCP layer'. So, that would mean you permit any TCP protocol (BGP, telnet, HTTP, etc.). But you will not permit UDP, ESP, DOMAIN, TFTP, etc.

In short: IP includes TCP, TCP does not include IP.

FW (NO_spamm)

Look at what protocols each of those applications use. Do they use 'tcp' or 'udp'? With DNS, are you interested in 'queries' (which use UDP) or zone transfers (which use TCP)? Though Windows will also use TCP for queries if it has many to send.

BernieM

OSPF sits on top of IP - protocol number 89.

John Agosta

Another lousy tutor that makes me feel so sorry for his students.

Here is an example, so you can tell the difference:

Global config mode:
  access-list 101 deny tcp any host <ip address> eq 25
  access-list 101 permit ip any any

Interface:
  ip access-group 101 in (or out)

Notice that 25 is a TCP port.

The Dude
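To make the point in FW's and The Dude's replies concrete, here is an added example (not code from the thread, and not a Cisco tool): a small Python simulator of extended-ACL matching. It implements first-match-wins, the implicit "deny any any" at the end, the "ip" keyword as a wildcard for every IP protocol number, and "eq" as a destination-port test. The ACL text follows the syntax quoted above; the addresses, the port 25 server and the sample packets are constructed for the demonstration.

```python
# Added example, not from the thread: a minimal simulator of Cisco extended
# ACL matching, enough to show why "permit ip" and "permit tcp" differ.
# Assumptions: ACL lines use the syntax the thread quotes
# (access-list N permit|deny PROTO SRC DST [eq PORT]); all addresses are made up.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers behind the keywords an extended ACL accepts.
# "ip" is the wildcard: it matches every protocol carried inside IP.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51, "ospf": 89}


@dataclass
class Packet:
    proto: int                   # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, only meaningful for TCP/UDP


def _parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    kw = tokens.pop(0)
    if kw == "any":
        return ("0.0.0.0", "255.255.255.255")
    if kw == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (kw, tokens.pop(0))          # address followed by a wildcard mask


def _addr_match(spec, ip):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(a)) for a in spec)
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple
    dst: tuple
    eq: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        want = PROTO[self.proto]
        if want is not None and pkt.proto != want:
            return False                # "tcp" never matches UDP, ICMP, ESP, ...
        if self.eq is not None and pkt.dport != self.eq:
            return False
        return _addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    assert tokens[0].startswith("access-l")   # "access-list" or an abbreviation
    action, proto = tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    eq = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, eq)


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny any any."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


TCP_ONLY = [parse_ace("access-list 101 permit tcp any any")]
ANY_IP = [parse_ace("access-list 102 permit ip any any")]
# The two-line ACL from the post above, with a made-up mail server address.
NO_SMTP = [parse_ace("access-list 103 deny tcp any host 192.0.2.25 eq 25"),
           parse_ace("access-list 103 permit ip any any")]

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = {
    "http": Packet(PROTO["tcp"], "198.51.100.7", "192.0.2.80", 80),
    "dns_query": Packet(PROTO["udp"], "198.51.100.7", "192.0.2.53", 53),
    "ping": Packet(PROTO["icmp"], "198.51.100.7", "192.0.2.1"),
    "smtp_to_mail": Packet(PROTO["tcp"], "198.51.100.7", "192.0.2.25", 25),
    "smtp_elsewhere": Packet(PROTO["tcp"], "198.51.100.7", "192.0.2.26", 25),
}


def results(acl):
    """Map each sample packet to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("permit tcp", TCP_ONLY), ("permit ip", ANY_IP), ("deny smtp", NO_SMTP)):
        print(label, results(acl))
```

Running it shows "permit tcp any any" dropping the DNS query and the ping (they never reach a permit entry, so the implicit deny applies), "permit ip any any" passing all five, and the two-line ACL blocking only port 25 to the named host while everything else, TCP or not, falls through to the "permit ip any any".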

Thanks guys - I have a little more knowledge now.

gregg johnstone

Yes, I typed too quickly. I know that. I tried to make clear that there is a difference between "permit ip" and "permit tcp".

FW (NO_spamm)

He is badly wrong. The first will only permit TCP; the second will permit UDP and ICMP as well.

Paul Matthews

The TCP/IP model has 4 layers:

  Application
  Host-to-Host
  Internet
  Network Access

The OSI model has 7 layers:

  Application
  Presentation
  Session
  Transport
  Network
  Data Link (which has 2 sublayers: LLC and MAC)
  Physical

The Dude

  TCP/IP                  OSI
  Application        ->   Application    \
                          Presentation    } handled by the application/software
                          Session        /
  Transport          ->   Transport
  Internetwork       ->   Network
  Network Interface  ->   Data Link      \ handled by the NIC (network interface card)
                          Physical       /

Thanks for that - clarification is essential.

Holleran.Kevin

Good information

LinkWaves

Thanks for that guys, but I still don't understand why it matches layers 3-7. Can you dumb it down a little please?

gregg johnstone

There's no reason. TCP/IP predates ISO's OSI model quite a bit. The OSI model was just a twinkle in someone's eye when TCP/IP was up and running.

OSI is DEAD DEAD DEAD DEAD. It's a completely dead model and is only useful for passing idiotic tests that insist on testing dead technology that is of no use.

So just memorize the OSI model and move on. Dump the knowledge after you take the test. The DoD model (TCP/IP) is more than adequate for troubleshooting, thinking logically, etc.

Hansang Bae

So is it just a Cisco question? I am sure I read another test where it said it matched different layers? Fair enough, thanks for the heads up.

gregg johnstone

Everyone uses it. I had it show up on every test I ever took (Novell, MS, CNX, Sniffer, CCNx/IE, etc. etc. ... ad nauseam).

Really quite annoying... to tell you the truth! :)

Hansang Bae

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.