general ACL question
liven
Member Posts: 918
in CCNA & CCENT
When using an advanced access list, is there any advantage to specifying a protocol over a port?
I am not referring to IP/TCP/UDP, but more along the lines of the application layer protocol.
For instance, if you wanted to block web surfing,
would it be better to do
eq 80
or
eq www
on a list like this:
access-list 199 deny tcp 172.16.10.0 0.0.0.255 eq ????
Wouldn't both www or 80 work the same?
encrypt the encryption, never mind my brain hurts.
Comments
r_durant
Member Posts: 486
I think the only difference is that maybe (subject to correction) in some maybe newer IOS versions, if you enter eq 80, it will convert it to eq www...
However, I'm not sure if the older IOS versions support the eq www...
They should work the same, but for some reason I'm remembering that both don't work, depending on the IOS version...but I'm subject to correction as I said.
CCNA (Expired...), MCSE, CWNA, BSc Computer Science
Working on renewing CCNA!
liven
Member Posts: 918
Well, my frustration with this is the routersim sim questions...
I read the question and feel like I answer it perfectly, and then when I click on the "grade" button I am getting like 50% of the question wrong.
NOW, I fully realize that a lot of this is the sim not working correctly. For instance, it says I don't enable interfaces 1/2 the time... Yet I can ping other devices from these supposedly shutdown interfaces.
And when I make ACLs, routersim and I seem to put them on different interfaces in different directions 1/2 the time....
I am not knocking the product, but it is really making me second guess myself. SO, I think I am going to quit using them for now.
encrypt the encryption, never mind my brain hurts.
liven
Member Posts: 918
r_durant wrote:
I think the only difference is that maybe (subject to correction) in some maybe newer IOS versions, if you enter eq 80, it will convert it to eq www...
However, I'm not sure if the older IOS versions support the eq www...
They should work the same, but for some reason I'm remembering that both don't work, depending on the IOS version...but I'm subject to correction as I said.
Not sure about the older versus newer OS thing, HOWEVER
I have noticed that port 80 will get translated into www or things of that nature.
Just don't want to get marked down for using the port number instead of the protocol name on the exam...
encrypt the encryption, never mind my brain hurts.
dtlokee
Member Posts: 2,378
It will not get marked wrong either way. If you enter 80 it will be converted to "www" in the show run output (or show access-list). Some protocols don't have an alias in the IOS so you should still know your common port numbers, and the fact that protocols like TFTP and SNMP are UDP based instead of TCP, that can be a bummer when you type "permit tcp any any eq 69" to allow TFTP and find out you haven't.
The only easy day was yesterday!
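A worked version of the list discussed in this thread, added here as an illustration rather than taken from any poster's lab. It denies web surfing from 172.16.10.0/24 in the two equivalent forms from the question, then shows the UDP pitfall dtlokee describes; the destination "any", the extra permit entries, and the interface name are assumptions.

```cisco
! Extended numbered ACL 199 (constructed for this thread, not a poster's config).
! Entries 1 and 2 are the same thing written two ways: IOS stores "eq 80" as
! "eq www", so show run / show access-lists displays both as "eq www".
access-list 199 remark -- block web surfing from the 172.16.10.0/24 LAN --
access-list 199 deny   tcp 172.16.10.0 0.0.0.255 any eq 80
access-list 199 deny   tcp 172.16.10.0 0.0.0.255 any eq www
! Not every well-known port has a keyword; 443 (HTTPS) is one you will usually
! type by number, which is why the port numbers still matter.
access-list 199 deny   tcp 172.16.10.0 0.0.0.255 any eq 443
!
! The pitfall from the thread: TFTP (69) and SNMP (161) are UDP. This entry
! never matches a TFTP packet, so TFTP still hits the implicit deny at the end.
!   access-list 199 permit tcp any any eq 69
! Correct protocol keyword; "eq 69" and "eq tftp" produce the same entry.
access-list 199 permit udp 172.16.10.0 0.0.0.255 any eq tftp
access-list 199 permit udp 172.16.10.0 0.0.0.255 any eq snmp
! Allow DNS and the remaining traffic; the implicit "deny ip any any" ends the list.
access-list 199 permit udp 172.16.10.0 0.0.0.255 any eq domain
access-list 199 permit ip  172.16.10.0 0.0.0.255 any
!
! Apply on the LAN-facing interface, inbound (interface name is an assumption).
interface FastEthernet0/0
 ip access-group 199 in
!
! Check how IOS rewrote the entries (80 -> www, 69 -> tftp, 161 -> snmp):
!   show access-lists 199
```

Comparing the typed entries against the show access-lists output is the quickest way to catch a TCP/UDP mix-up before the list goes onto an interface.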
liven
Member Posts: 918
dtlokee wrote:
It will not get marked wrong either way. If you enter 80 it will be converted to "www" in the show run output (or show access-list). Some protocols don't have an alias in the IOS so you should still know your common port numbers, and the fact that protocols like TFTP and SNMP are UDP based instead of TCP, that can be a bummer when you type "permit tcp any any eq 69" to allow TFTP and find out you haven't.
Very good point, luckily from years of firewall and application admin experience I am pretty familiar with the port numbers. And that is why I tend to use them. I think I will just stick with that and then do the show running like you suggested to see if they are showing up correctly.
Thanks!
encrypt the encryption, never mind my brain hurts.