Hello all-I am slightly confused about which protocol I should use after the permit/deny statement. Am I correct in thinking if I am using FTP/Telnet/ I would use TCP-if using TFTP/SMTP I would use UDP-but could I also just use IP? to encompass all? TIA
"daytime" ha scritto nel messaggio news: snipped-for-privacy@z28g2000prd.googlegroups.com...
Hi,
Only TFTP use an UDP transport; FTP (both control and data),Telnet and SMTP are all TCP.
You could use also "IP" access list to match L3 Addresses, but you loose the granularity that L4 UDP/TCP multiplexing (i.e. ports) offers. Using either "IP" or another protocol in ACLs depends upon what you want to restrict/allow.
Note that standard ACLs are "limited" only to IP.
Regards, Gabriele
IP encompasses all of TCP and UDP. When IP is the protocol specified in the access-list command, there are no port numbers specified. Examples:
permit ip any host 10.1.1.1
This permits any network traffic to 10.1.1.1 on any TCP or UDP port.
permit ip host 10.1.1.1 any
This permits any network traffic from 10.1.1.1 on any TCP or UDP port.
permit tcp any host 10.1.1.1 eq 53
This permits any network traffic to 10.1.1.1 TCP port 53, but not on any other destination port on that host
permit udp any host 10.1.1.1 eq 53
This permits any network traffic to 10.1.1.1 UDP port 53, but not on any other destination port on that host
deny tcp any host 10.1.1.1 eq 53 deny udp any host 10.1.1.1 eq 53 permit ip any host 10.1.1.1 deny ip any any*
This permits any network traffic to 10.1.1.1 except on TCP port 53 or UDP port 53 but it does not permit network traffic to any other hosts.
Challenge: What access-list would allow the following with minimal lines? Inside network users in 192.168.0.0/24 and 192.168.1.0/24 want to be able to web browse out to the Internet (access-list is from the private network outbound to the Internet) for HTTP and HTTPS only. DNS is permitted outbound for both TCP and UDP to the ISP subnet at 10.20.0.0/16 from your inside DNS server at 192.168.1.4.
=========== Scott Perry =========== Indianapolis, Indiana ________________________________________
Ok! access-list 100 permit ip 192.168.0.0 0.0.3.255 any eq 80 ? (I dont know what HTTPS is) int s0 ip access-group 100 out access-list 101permit tcp host 192.168.1.4 10.20.0.0 0.0.255.255 eq 53
dont know what interface to use for that one-many thanks for the explanation-had a go at a practice final and one of the questions was an applet to write a 3 line ACL permitting telnet. Please put some more example up!
TCP is used for connection oriented protocol (3 way handshake required) and UDP is used for connectionless (no 3 way handshake required).
You can use IP and it will cover all TCP and UDP because IP runs on a lower layer. Over the Internet, you will use TCP/IP to make sure packets are delieverd. FTP, Telnet, SMTP all use TCP and TFTP (Trivial FTP) uses UDP.
So... to see which protocol is used... you can either do IP or use two lines with TCP and another with UDP... Then on the router do a "show access-list" to see which ports are getting hit. After a few days, you can remove the ones with zero hit counts.
I hope this helps. Matt
Many,many thanks-you have explained it very well-I always wondered about why you should use TCP/UDP when IP would suffice-the granularity is I assume of vital importance when making your network as fast as possible. I owuld just to like to thank everyone for their comments-much appreciated .
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.