Access Lists - IP, TCP, and UDP

Tricon7 Inactive Imported Users Posts: 238
I'm understanding ACLs much better now, but there's still a little ambiguity regarding when to use IP, TCP, and UDP (I already know ICMP). So, if you're not using a TCP/UDP port, the ACL will automatically be using IP? And if you use TCP, you'll be using a port which is a TCP port, and likewise for UDP? You would never use an ACL without inserting either IP, TCP, UDP, or ICMP, correct?

Comments

  • networker050184 Mod Posts: 11,962
    There are other types of ACLs besides the ones you have stated. Other types include igmp, eigrp, ospf and gre. There are many different types that can be configured, but they are beyond the scope of the CCNA.
    An expert is a man who has made all the mistakes which can be made.
  • Tricon7 Inactive Imported Users Posts: 238
    networker050184 wrote:
    There are other types of ACLs besides the ones you have stated. Other types include igmp, eigrp, ospf and gre. There are many different types that can be configured, but they are beyond the scope of the CCNA.

    The others don't concern me right now; only the ones covered in the CCNA material. Can anyone assist?
  • Netstudent Member Posts: 1,693
    Standard access-lists do not need a protocol keyword because they will default to IP. Also if you do not put a wildcard mask on a standard list, it will default to a single host. Obviously you need a mask to cover a range of IPs.

    On extended ACLs I think you must use a protocol. If you are covering a range of layer 3 or a single layer 3 IP and that's it, then you need the IP keyword.

    If you are trying to get more intelligent/specific and cover layer4 ports, then you would need the keyword TCP or UDP, depending on the port.


    EX. of Standard
    access-list access-list-number {deny | permit} source [source-wildcard] [log]
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
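    As an added illustration of the keyword rules described above (this is editor-supplied example configuration, not from any post in this thread or from Cisco documentation), the snippet below puts a standard list and an extended list side by side. The addresses, list numbers and the interface name are constructed for the example; the behaviour of the `ip`, `tcp`, `udp` and `icmp` keywords and of a missing wildcard mask is standard IOS behaviour.

```cisco
! Added example, not from the thread. Addresses, list numbers and the
! interface name are placeholders chosen for illustration.
!
! --- Standard ACL (1-99): source address only, so no protocol keyword ---
! No wildcard mask: IOS treats the entry as a single host (wildcard 0.0.0.0).
access-list 10 permit 192.168.1.50
! Same match written out explicitly.
access-list 10 permit 192.168.1.51 0.0.0.0
! A wildcard mask is what lets one entry cover a range: 0.0.0.255 = one /24.
access-list 10 permit 192.168.2.0 0.0.0.255
! Implicit "deny any" at the end: anything not listed above is dropped.
!
! --- Extended ACL (100-199): a protocol keyword is mandatory ---
! "ip" matches every IP protocol (TCP, UDP, ICMP, OSPF, ...) and takes no ports.
access-list 110 permit ip 10.0.0.0 0.0.0.255 host 10.1.1.10
! "tcp" and "udp" are what unlock the Layer 4 port operators (eq, gt, lt, range);
! the port must be of the same protocol as the keyword.
access-list 110 permit tcp any host 10.1.1.20 eq 443
access-list 110 permit udp any host 10.1.1.30 eq 53
! "icmp" matches on ICMP type/code instead of ports.
access-list 110 permit icmp any any echo-reply
! Writing the implicit deny out with "log" records each packet it drops,
! which is the usual way to find out what the list is silently blocking.
access-list 110 deny ip any any log
!
! Apply the extended list inbound, close to the source of the traffic.
interface GigabitEthernet0/0
 ip access-group 110 in
```

    A useful self-check after entering such a list is `show access-lists 110`, which prints each line with a hit counter, so a rule that never matches (for example a `tcp` line written for a UDP service) shows up as a permanent zero.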
  • datchcha Member Posts: 265
    Netstudent wrote:
    Standard access-lists do not need a protocol keyword because they will default to IP. Also if you do not put a wildcard mask on a standard list, it will default to a single host. Obviously you need a mask to cover a range of IPs.

    On extended ACLs I think you must use a protocol. If you are covering a range of layer 3 or a single layer 3 IP and that's it, then you need the IP keyword.

    If you are trying to get more intelligent/specific and cover layer4 ports, then you would need the keyword TCP or UDP, depending on the port.


    EX. of Standard
    access-list access-list-number {deny | permit} source [source-wildcard] [log]

    When you run logging on the access-list, where are the logs stored (NVRAM ?) and in what type of format (.txt) ??

    Thanks Net.
    Arrakis
  • Netstudent Member Posts: 1,693
    http://www.fredshack.com/docs/cisco_ios_basics.html

    Your answer is about 3/4 down the page. Look for the bolded word "BUFFER" and start reading that paragraph.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
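    Added example (editor-supplied, not from the thread or the linked page) showing where ACL `log` hits go on an IOS router: by default they are emitted as syslog messages to the console, and `logging buffered` keeps a copy in an in-RAM buffer that `show logging` displays. The buffer is RAM, not NVRAM, so it is plain text that is lost on reload; forwarding to a syslog host is the way to keep the records. Addresses, the list number and the interface name are constructed placeholders.

```cisco
! Added example, not from the thread. Placeholder addresses and interface.
!
! Keep ACL log messages in a 16 KB RAM buffer (lost on reload, readable as text).
logging buffered 16384
! Also send them to an external syslog server so they survive a reload.
logging host 10.1.1.100
!
! Deny Telnet and log every hit; permit everything else.
access-list 120 deny tcp any any eq 23 log
access-list 120 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group 120 in
!
! Reading and clearing the buffer (exec mode, not config mode):
!   Router# show logging
!   Router# clear logging
! Log lines for port-based entries carry the %SEC-6-IPACCESSLOGP mnemonic and
! name the list, the action, the protocol, source/destination and a packet count.
```

    Note that IOS rate-limits ACL log messages (roughly one summary per source/destination pair per few minutes), so the packet count in a line can be higher than one; the `log-input` keyword additionally records the ingress interface and source MAC, which is handy when tracing a spoofed source.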