Access-list IP/TCP confusion

This ACL is asking to configure a named IP ACL that allows only packets from subnet 193.7.6.0 255.255.255.0, going to hosts in network 128.1.0.0 and using a web server in 128.1.0.0 to enter serial 0 on a router.

This ACL looks like this:

ip access-list extended barney permit tcp 193.7.6.0 0.0.0.255 128.1.0.0 0.0.255.255 eq www
interface serial 0
ip access-group barney in

Ok, my confusion is having "ip" and "tcp" in the first line of the ACL, when I thought it would always be either/or. And when I first read this question, I saw "IP", so I never put the "tcp" in the ACL. When do you know when to put IP in, TCP in, and/or both IP and TCP in together?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Netstudent

Use IP when you are only matching an IP or a range of IP's. Use TCP when you need to match an IP and a port like http,telnet,ssh ect....

You use tcp because these ports or applications use TCP as a transport layer protocol. You can also use UDP if you are matching an application that uses UDP like DNS queries/53.

I have never seen TCP and IP used in the same ACL entry, nor have I tried.

SanKuKaï

From my humble point of view, ip access-list does not exist. It is a mistake.

dtlokee

You are attempting to make a named access-list therefore you need to tell the CLI what type it is hence the "ip" at the beginning. When you use a numbered ACL it knows what L3 protocol it referrs to by the number, 1-99 standard IP access-list, 100-199 extended IP access list. So in reality when you use a number you are telling it the L3 protocol based on the number you supply

ex:

access-list 101 permit tcp any any eq 80

or

ip access-list extended barney
permit tcp any any eq 80

Netstudent

oh my bad I thought you were asking about after the permit statement. Duh!

Tricon7

dtlokee wrote:

You are attempting to make a named access-list therefore you need to tell the CLI what type it is hence the "ip" at the beginning. When you use a numbered ACL it knows what L3 protocol it referrs to by the number, 1-99 standard IP access-list, 100-199 extended IP access list. So in reality when you use a number you are telling it the L3 protocol based on the number you supply

ex:

access-list 101 permit tcp any any eq 80

or

ip access-list extended barney
permit tcp any any eq 80

That's makes quite a bit of sense. I see the reasoning behind it now. Thanks.

Tricon7

I've been trying to find some online practice for ACLs, but the only places I find in searches are "buy this and learn!" sites. Does anyone know where I could get some good practice ACL examples with answers?