nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

general ACL question

liven

when using an advanced access list is there any advantage specifying a protocol over a port?

I am not referring to the IP/TCP/UDP, but more along the lines of the application layer protocol.

For instance if you wanted to block web surfing

would it be better to do

eq 80

or

eq www

on a list like this:

access-list 199 deny tcp 172.16.10.0 0.0.0.255 eq ????

Wouldn't both www, or 80 work the same?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

r_durant

I think the only difference is that maybe (subject to correction) in some maybe newer IOS versions, if you enter eq 80, it will covert it to eq www...

However, I'm not sure if the older IOS versions support the eq www...

They should work the same, but for some reason I'm remembering that both dont work, depending on the IOS version...but I'm subject to correction as I said.

liven

well my frustration with this is the routersim sim questions...

I read the question and feel like i answer it perfectly and then when I click on the "grade" button I am getting like 50% of the question wrong.

NOW, I fully realize that a lot of this is the sim not working correctly. For instance it says I am don't enable interfaces 1/2 the time... Yet I can ping other devices from these supposedly shutdown interfaces.

And when I make ACL's routersim and I seem to put them on different interfaces in different directions 1/2 the time....

I am not nocking the product, but it is really making me second guess myself. SO, I think I am going to quit using them for now.

liven

r_durant wrote:

I think the only difference is that maybe (subject to correction) in some maybe newer IOS versions, if you enter eq 80, it will covert it to eq www...

However, I'm not sure if the older IOS versions support the eq www...

They should work the same, but for some reason I'm remembering that both dont work, depending on the IOS version...but I'm subject to correction as I said.

Not sure about the older versus newer OS thing, HOWEVER

I have noticed that port 80 will get translated into www or things of that nature.

Just don't want to get marked down for using the port number instead of the protocol name on the exam...

dtlokee

It will not get marked wrong either way. If you enter 80 it will be converted to "www" in the show run output (or show access-list). Some protocols don't have an alias in the IOS so you should still know your common port numbers, and the fact that protocols like TFTP and SNMP are UDP based instead of TCP, that can be a bummer when you type "permit tcp any any eq 69" to allow TFTP and find out you haven't.

liven

dtlokee wrote:

It will not get marked wrong either way. If you enter 80 it will be converted to "www" in the show run output (or show access-list). Some protocols don't have an alias in the IOS so you should still know your common port numbers, and the fact that protocols like TFTP and SNMP are UDP based instead of TCP, that can be a bummer when you type "permit tcp any any eq 69" to allow TFTP and find out you haven't.

Very good point, luckily from years of firewall and application admin experience I am pretty familiar with the port numbers. And that is why I tend to use them. I think I will just stick with that and then do the show running like you suggested to see if they are showing up correctly.

Thanks!