ACL -which protocol?

Hello all-I am slightly confused about which protocol I should use after the permit/deny statement. Am I correct in thinking if I am using FTP/Telnet/ I would use TCP-if using TFTP/SMTP I would use UDP-but could I also just use IP? to encompass all? TIA

Reply to
Loading thread data ...

"daytime" ha scritto nel messaggio news:


Only TFTP use an UDP transport; FTP (both control and data),Telnet and SMTP are all TCP.

You could use also "IP" access list to match L3 Addresses, but you loose the granularity that L4 UDP/TCP multiplexing (i.e. ports) offers. Using either "IP" or another protocol in ACLs depends upon what you want to restrict/allow.

Note that standard ACLs are "limited" only to IP.

Regards, Gabriele

Reply to
Gabriele Beltrame

IP encompasses all of TCP and UDP. When IP is the protocol specified in the access-list command, there are no port numbers specified. Examples:

permit ip any host

This permits any network traffic to on any TCP or UDP port.

permit ip host any

This permits any network traffic from on any TCP or UDP port.

permit tcp any host eq 53

This permits any network traffic to TCP port 53, but not on any other destination port on that host

permit udp any host eq 53

This permits any network traffic to UDP port 53, but not on any other destination port on that host

deny tcp any host eq 53 deny udp any host eq 53 permit ip any host deny ip any any*

This permits any network traffic to except on TCP port 53 or UDP port 53 but it does not permit network traffic to any other hosts.

  • As many of us have read, all access-lists end with an implicit deny so this line does not change the access-list functionality. This last line is used to visually see in a "show access-list" command how many matches there have been to this access-list line.

Challenge: What access-list would allow the following with minimal lines? Inside network users in and want to be able to web browse out to the Internet (access-list is from the private network outbound to the Internet) for HTTP and HTTPS only. DNS is permitted outbound for both TCP and UDP to the ISP subnet at from your inside DNS server at

=========== Scott Perry =========== Indianapolis, Indiana ________________________________________

Reply to
Scott Perry

Ok! access-list 100 permit ip any eq 80 ? (I dont know what HTTPS is) int s0 ip access-group 100 out access-list 101permit tcp host eq 53

dont know what interface to use for that one-many thanks for the explanation-had a go at a practice final and one of the questions was an applet to write a 3 line ACL permitting telnet. Please put some more example up!

Reply to

TCP is used for connection oriented protocol (3 way handshake required) and UDP is used for connectionless (no 3 way handshake required).

You can use IP and it will cover all TCP and UDP because IP runs on a lower layer. Over the Internet, you will use TCP/IP to make sure packets are delieverd. FTP, Telnet, SMTP all use TCP and TFTP (Trivial FTP) uses UDP.

So... to see which protocol is used... you can either do IP or use two lines with TCP and another with UDP... Then on the router do a "show access-list" to see which ports are getting hit. After a few days, you can remove the ones with zero hit counts.

I hope this helps. Matt

Reply to

Many,many thanks-you have explained it very well-I always wondered about why you should use TCP/UDP when IP would suffice-the granularity is I assume of vital importance when making your network as fast as possible. I owuld just to like to thank everyone for their comments-much appreciated .

Reply to
daytime Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.