Access Lists - IP, TCP, and UDP

I'm understanding ACLs much better now, but there's still a little ambiguity regarding when to use IP, TCP, and UDP (I already know ICMP). So, if you're not using a TCP/UDP port, the ACL will automatically be using IP? And if you use TCP, you'll be using a port which is a TCP port, and likewise for UDP? You would never use an ACL without inserting either IP, TCP, UDP, or ICMP, correct?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

networker050184

There are other types of ACLs besides the ones you have stated. Other types include igmp, eigrp, ospf and gre. There are many different types that can be configured, but they are beyond the scope of the CCNA.

Tricon7

networker050184 wrote:

There are other types of ACLs besides the ones you have stated. Other types include igmp, eigrp, ospf and gre. There are many different types that can be configured, but they are beyond the scope of the CCNA.

The others don't concern me right now; only the ones covered in the CCNA material. Can anyone assist?

Netstudent

Standard access-lists do not need a protocol keyword because they will default to IP. Also if you do not put a wildcard mask on a standard list, it will default to a single host. Obviously you need a mask to cover a range of IP;s.

On extended ACL;s I think you must use a protocol. If you are covering a range of layer3 or a single layer3 IP and thats it, then you need the IP keyword.

If you are trying to get more intelligent/specific and cover layer4 ports, then you would need the keyword TCP or UDP, depending on the port.

EX. of Standard

access-list access-list-number {deny | permit} source [source-wildcard] [log]

datchcha

Netstudent wrote:

Standard access-lists do not need a protocol keyword because they will default to IP. Also if you do not put a wildcard mask on a standard list, it will default to a single host. Obviously you need a mask to cover a range of IP;s.

On extended ACL;s I think you must use a protocol. If you are covering a range of layer3 or a single layer3 IP and thats it, then you need the IP keyword.

If you are trying to get more intelligent/specific and cover layer4 ports, then you would need the keyword TCP or UDP, depending on the port.

EX. of Standard

access-list access-list-number {deny | permit} source [source-wildcard] [log]

When you run logging on the access-list, where are the logs stored (NVRAM ?) and in what type of format (.txt) ??

Thanks Net.

Netstudent

http://www.fredshack.com/docs/cisco_ios_basics.html

Your answer is about 3/4 down the page. Look for the bolded word "BUFFER" and start reading that paragraph.