difference between using host and tcp/ip in access lists ?

Hi doing some acl lab sims,and what bugs me is in which scenarios ip is used also if ip is used does one specify wildcard mask or using host is enough and whats the difference between tcp protocol instead - since read if using one of these then need to specify eq www/telnet if using other its not needed if correct ?

also is there difference between using ip access-list ,then just using access-list ,since notice that in some practice sims its enough to type access-list (101 etc) but no need to write extended or standard.but when applying acl to interface you need to use ip access-group (nr),since it sort of contradicts what i have learned that usually doing acl one specifies ip acl standard or extended number protocol source destination,yet dont see how its ok to use just access-list but needing to use ip access-group when applying it.

Find more posts tagged with

Comments

GDaines

pinkiaiii wrote: »

Also is there difference between using ip access-list ,then just using access-list ?

I'd love to be the first to answer your full post but it's late, I'm going to bed, so I'll post again tomorrow.

The access-list command is used to create standard or extended access lists, while the ip access-list command is needed for named access lists (which can be standard or extended).

To confuse things, it's possible to create a named access list with the name '10' so if you don't know your commands it's easy to assume it's just an ordinary standard access list. Named access lists are used to get around the numeric limitations.

Use ip access-group to apply an ACL to an interface, or ip access-class to apply an ACL to a vty line. Can't tell you why the commands are named as they are.

GDaines

pinkiaiii wrote: »

Hi, doing some ACL lab sims and what bugs me is, in which scenarios is ip used? Also, is there difference between using ip access-list, then just using access-list, since I notice that in some practice sims it's enough to type access-list (101 etc) but no need to write extended or standard.

Use access-list to make a numbered access list, or ip access-list to make a named access list. Either can be standard or extended access lists. When creating a numbered access list, the number used determines if it's a standard (1-99, 1300-1999) or extended (100-199, 2000-2699) access list. However, as named access lists use names you have to tell it whether it's a standard or extended access list.

access-list 1 (standard)
access-list 120 (extended)
ip access-list <standard or extended> <name>

pinkiaiii wrote: »

When applying an ACL to an interface you need to use ip access-group <number or name> <in or out> since it sort of contradicts what i have learned that usually doing acl one specifies ip acl standard or extended number protocol source destination, yet don't see how it's ok to use just access-list but needing to use ip access-group when applying it.

In short I don't know why it's not always ip access-list for every type of ACL, and ip access-group to apply as it would keep some sort of consistency.

pinkiaiii wrote: »

If ip is used, does one specify wildcard mask or using host is enough?

If you don't include the 'host' switch it is implied that you're specifying a single host, and if you don't include a wildcard mask that's also implied to be 0.0.0.0 (ie the address must match exactly). All three of these commands do exactly the same:

R1(config)# access-list 1 deny host 172.16.30.2
R1(config)# access-list 1 deny 172.16.30.2
R1(config)# access-list 1 deny 172.16.30.2 0.0.0.0

If you want to block more than a single host you simply specify a network number and wildcard mask instead:

R1(config)# access-list 1 permit 172.16.0.0 0.0.255.255

Using any one of the first 3 lines along with the 4th line will permit anyone on the 172.16 network with the exception of client 30.2 while all other networks would be blocked by the implicit deny at the end of any access control list.

pinkiaiii wrote: »

And what's the difference between tcp protocol instead - since read if using one of these then need to specify eq www/telnet if using other its not needed if correct ?

To block specific protocols you have to use extended access lists as a standard access list can block nothing more than a source IP address or network. Examples are the easiest way to show you this:

access-list 101 {deny|permit} protocol source source-wildcard destination destination-wildcard
Determine first if this access list is to block or allow, specify the protocol by name or number that this applies to (specify ip for all protocols), next the source ip (or source network and wildcard mask), then the destination ip (or destination network address and wildcard mask). For both the source and/or destination you can use 0.0.0.0 255.255.255.255 to mean all/any address.

ICMP
access-list 102 {deny|permit} icmp source source-wildcard destination destination-wildcard

TCP
access-list 103 {deny|permit} tcp source source-wildcard [operator I]port[/I] destination destination-wildcard [operator I]port[/I]

UDP
access-list 104 {deny|permit} udp source source-wildcard [operator I]port[/I] destination destination-wildcard [operator I]port[/I]

For TCP and UDP ‘operator’ is likely to be ‘eq’ (equals) followed by a numerical value for the port number relating to the protocol you wish to deny/permit, but you could also use ‘lt’ (less than), ‘gt’ (greater than), ‘neq’ (not equal to), or ‘range’ specifying start and end port numbers, for example range 100 200.

pinkiaiii

thank you now remembered asking same question when started acl's that ip is used to name acls,also appreciate the description.Just one more question whats the difference between using tcp and say permit ip ? since as i understand ip covers both tcp/udp - thus would make more sense to use ip as safe bet,but not sure are there any dangers on using ip protocol then say tcp - if say one is blocking or permitting connection to telnet or ssh/www.

GDaines

pinkiaiii wrote: »

Just one more question whats the difference between using tcp and say permit ip ? since as i understand ip covers both tcp/udp - thus would make more sense to use ip as safe bet, but not sure are there any dangers on using ip protocol then say tcp - if say one is blocking or permitting connection to telnet or ssh/www.

ip blocks everything, tcp (or udp) require a protocol name or port number specifying to block just that protocol. You can use range to block a number of ports but I think in the real world you'll either block one or two specific protocols, or you'll block everything. Not sure if you omit the operator and port number whether every tcp (or udp) protocol would be blocked, something I'd have to lab to test. That said, it does show in brackets in the syntax example suggesting they probably are optional.