ACL -which protocol?


Hello all, I am slightly confused about which protocol I should use
after the permit/deny statement.
Am I correct in thinking that if I am using FTP/Telnet I would use TCP, and if
using TFTP/SMTP I would use UDP? But could I also just use IP to
encompass all?
TIA


Re: ACL -which protocol?


Hi,

Only TFTP uses a UDP transport; FTP (both control and data), Telnet and SMTP
are all TCP.

You could also use an "IP" access list to match L3 addresses, but you lose the
granularity that L4 UDP/TCP multiplexing (i.e. ports) offers.
Using either "IP" or another protocol in ACLs depends upon what you want to
restrict/allow.

Note that standard ACLs are "limited" only to IP.

Regards,
Gabriele



Re: ACL -which protocol?
IP encompasses all of TCP and UDP.  When IP is the protocol specified in the
access-list command, there are no port numbers specified.
Examples:

permit ip any host 10.1.1.1

This permits any network traffic to 10.1.1.1 on any TCP or UDP port.

permit ip host 10.1.1.1 any

This permits any network traffic from 10.1.1.1 on any TCP or UDP port.

permit tcp any host 10.1.1.1 eq 53

This permits any network traffic to 10.1.1.1 TCP port 53, but not on any
other destination port on that host.

permit udp any host 10.1.1.1 eq 53

This permits any network traffic to 10.1.1.1 UDP port 53, but not on any
other destination port on that host.

deny tcp any host 10.1.1.1 eq 53
deny udp any host 10.1.1.1 eq 53
permit ip any host 10.1.1.1
deny ip any any*

This permits any network traffic to 10.1.1.1 except on TCP port 53 or UDP
port 53, but it does not permit network traffic to any other hosts.
* As many of us have read, all access-lists end with an implicit deny, so
this line does not change the access-list functionality.  This last line is
used to see visually, in a "show access-list" command, how many matches there
have been to this access-list line.

Challenge:
What access-list would allow the following with minimal lines?  Inside
network users in 192.168.0.0/24 and 192.168.1.0/24 want to be able to web
browse out to the Internet (access-list is from the private network outbound
to the Internet) for HTTP and HTTPS only.  DNS is permitted outbound for
both TCP and UDP to the ISP subnet at 10.20.0.0/16 from your inside DNS
server at 192.168.1.4.

     ===========
     Scott Perry
     ===========
Indianapolis, Indiana
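The first-match and implicit-deny behaviour described in the post above, as an added Python example that is not part of this thread: a small evaluator for extended-ACL lines with Cisco wildcard-mask matching and per-line hit counters like those "show access-list" displays. The parser, the Ace class and the EXAMPLE_ACL constant are my own constructions; the sample list is the four-line example from the post.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
@dataclass
class Ace:                    # one extended-ACL line
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    src: str                  # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: int | None = None  # destination "eq N", or None for any port
    hits: int = 0             # what "show access-list" reports as "(N matches)"

def _match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    a, b = spec.split()       # "host X" or "X WILDCARD"
    net = int(ipaddress.ip_address(b if a == "host" else a))
    wild = 0 if a == "host" else int(ipaddress.ip_address(b))
    return ((int(ipaddress.ip_address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0

def _take_addr(tok: list[str], i: int) -> tuple[str, int]:
    if tok[i] == "any":       # "any" is one token, "host X" / "X WILDCARD" are two
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse_acl(text: str) -> list[Ace]:
    """Parse lines such as 'permit tcp any host 10.1.1.1 eq 53', keeping their order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _take_addr(tok, 2)
        dst, i = _take_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(tok[0], tok[1], src, dst, dport))
    return aces

def evaluate(aces: list[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching line wins; a packet matching no line hits the implicit deny."""
    for ace in aces:
        # "ip" covers both tcp and udp; a line without "eq" matches any port
        if ace.proto not in ("ip", proto) or (ace.dport is not None and ace.dport != dport):
            continue
        if _match_addr(ace.src, src) and _match_addr(ace.dst, dst):
            ace.hits += 1
            return ace.action
    return "deny (implicit)"

# Constructed sample input: the combined four-line list from the post above.
EXAMPLE_ACL = parse_acl("deny tcp any host 10.1.1.1 eq 53\ndeny udp any host 10.1.1.1 eq 53\n"
                        "permit ip any host 10.1.1.1\ndeny ip any any")
```

Running evaluate() over a few test packets and then reading each line's hits field reproduces the "which lines are actually getting hit" check described later in the thread.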



Re: ACL -which protocol?

Ok!
access-list 100 permit ip 192.168.0.0 0.0.3.255 any eq 80 ? (I don't
know what HTTPS is)
int s0
ip access-group 100 out
access-list 101 permit tcp host 192.168.1.4 10.20.0.0 0.0.255.255 eq 53

I don't know what interface to use for that one. Many thanks for the
explanation; I had a go at a practice final and one of the questions was
an applet to write a 3-line ACL permitting telnet.
Please put some more examples up!


Re: ACL -which protocol?
TCP is used for connection-oriented protocols (3-way handshake required) and
UDP is used for connectionless ones (no 3-way handshake required).

You can use IP and it will cover all TCP and UDP because IP runs on a lower
layer.  Over the Internet, you will use TCP/IP to make sure packets are
delivered.  FTP, Telnet, SMTP all use TCP and TFTP (Trivial FTP) uses UDP.

So... to see which protocol is used... you can either do IP or use two lines,
one with TCP and another with UDP... Then on the router do a "show access-list"
to see which ports are getting hit.  After a few days, you can remove the
ones with zero hit counts.

I hope this helps.
Matt




Re: ACL -which protocol?

Many, many thanks, you have explained it very well. I always wondered
about why you should use TCP/UDP when IP would suffice; the granularity
is, I assume, of vital importance when making your network as fast as
possible.
I would just like to thank everyone for their comments, much
appreciated.

