
Access-list IP/TCP confusion

Tricon7 Inactive Imported Users Posts: 238
This ACL is asking to configure a named IP ACL that allows only packets from subnet 193.7.6.0 255.255.255.0, going to hosts in network 128.1.0.0 and using a web server in 128.1.0.0 to enter serial 0 on a router.

This ACL looks like this:

ip access-list extended barney
 permit tcp 193.7.6.0 0.0.0.255 128.1.0.0 0.0.255.255 eq www
interface serial 0
 ip access-group barney in


Ok, my confusion is having "ip" and "tcp" in the first line of the ACL, when I thought it would always be either/or. And when I first read this question, I saw "IP", so I never put the "tcp" in the ACL. When do you know when to put IP in, TCP in, and/or both IP and TCP in together?

Comments

  • Netstudent Member Posts: 1,693 ■■■□□□□□□□
    Use IP when you are only matching an IP or a range of IPs. Use TCP when you need to match an IP and a port like http, telnet, ssh, etc.

    You use tcp because these ports or applications use TCP as a transport layer protocol. You can also use UDP if you are matching an application that uses UDP like DNS queries/53.

    I have never seen TCP and IP used in the same ACL entry, nor have I tried.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • SanKuKaï Member Posts: 65 ■■□□□□□□□□
    From my humble point of view, ip access-list does not exist. It is a mistake.
  • dtlokee Member Posts: 2,378 ■■■■□□□□□□
    You are attempting to make a named access-list, therefore you need to tell the CLI what type it is, hence the "ip" at the beginning. When you use a numbered ACL it knows what L3 protocol it refers to by the number: 1-99 standard IP access-list, 100-199 extended IP access list. So in reality, when you use a number you are telling it the L3 protocol based on the number you supply.

    ex:

    access-list 101 permit tcp any any eq 80

    or

    ip access-list extended barney
    permit tcp any any eq 80
    The only easy day was yesterday!
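One way to see why the "tcp" keyword and the "eq www" qualifier belong on the permit line, as an added example that is not from any of the posts above: a small Python evaluator that applies the thread's barney ACL to constructed packets, using IOS wildcard-mask matching (1 bits are "don't care"), first-match ordering and the implicit deny at the end of every access list.

```python
"""Toy evaluator for the extended ACL discussed in the thread (added example,
not from the original posts). It walks an access list top to bottom the way
IOS does and falls through to the implicit deny. Packet values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard masks are inverse masks: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # "eq <port>"; only meaningful with tcp/udp

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        # "ip" covers every L3 payload; "tcp"/"udp" match only their own protocol
        if self.proto != "ip" and self.proto != proto:
            return False
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny ip any any."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


# ip access-list extended barney
#  permit tcp 193.7.6.0 0.0.0.255 128.1.0.0 0.0.255.255 eq www
BARNEY = [Ace("permit", "tcp", "193.7.6.0", "0.0.0.255", "128.1.0.0", "0.0.255.255", 80)]

# Same networks with "permit ip": no port can be given, so every protocol
# between the two networks is allowed, not only web traffic.
BARNEY_IP = [Ace("permit", "ip", "193.7.6.0", "0.0.0.255", "128.1.0.0", "0.0.255.255")]
```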
  • Netstudent Member Posts: 1,693 ■■■□□□□□□□
    Oh, my bad, I thought you were asking about after the permit statement. Duh!
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • Tricon7 Inactive Imported Users Posts: 238
    dtlokee wrote:
    You are attempting to make a named access-list, therefore you need to tell the CLI what type it is, hence the "ip" at the beginning. When you use a numbered ACL it knows what L3 protocol it refers to by the number: 1-99 standard IP access-list, 100-199 extended IP access list. So in reality, when you use a number you are telling it the L3 protocol based on the number you supply.

    ex:

    access-list 101 permit tcp any any eq 80

    or

    ip access-list extended barney
    permit tcp any any eq 80

    That makes quite a bit of sense. I see the reasoning behind it now. Thanks.
  • Tricon7 Inactive Imported Users Posts: 238
    I've been trying to find some online practice for ACLs, but the only places I find in searches are "buy this and learn!" sites. Does anyone know where I could get some good practice ACL examples with answers?