ACL help
ToddB
Member Posts: 149
in CCNA & CCENT
Confused on this. If I'm writing an ACL to say permit one host, 10.10.1.1, access to a special web server, 192.190.10.10,
I thought I would write it as:
access-list 100 permit ip host 10.10.1.1 host 192.190.10.10 (then write the other permit or deny statements). I just found another book which states I should write it as TCP instead of IP:
access-list 100 permit tcp host 10.10.1.1 host 192.190.10.10
Is 1 correct? On my lab sim both work. Really, what will the exam sim show if something like this comes up?
Phil 4:6 "Be careful for nothing; but in every thing by prayer and supplication with thanksgiving let your requests be made known unto God."
Comments
ToddB (Member, Posts: 149):
I forgot something. What I saw was:
access-list 100 permit tcp host 10.10.1.1 host 192.190.1.1 eq 80
up2thetime (Member, Posts: 154):
ToddB wrote: "I should write it as TCP instead of IP."
Using the keyword "ip" will permit all IP traffic from the source to the destination. If you use the keyword "tcp", then services that use TCP will be permitted.
In the first case you are permitting IP traffic only, and anything that runs over IP will be allowed. In the second case, only TCP traffic is allowed. The "eq 80" specifies a destination port of 80. This is because services other than www utilize TCP.
Remember, IP can carry a number of different packet types, not just TCP.
Also remember that TCP is used by many applications, not just www.
ayori (Member, Posts: 48):
up2thetime wrote: "Using the keyword "ip" will permit all IP traffic from the source to the destination. If you use the keyword "tcp", then services that use TCP will be permitted.
In the first case you are permitting IP traffic only, and anything that runs over IP will be allowed. In the second case, only TCP traffic is allowed. The "eq 80" specifies a destination port of 80. This is because services other than www utilize TCP.
Remember, IP can carry a number of different packet types, not just TCP.
Also remember that TCP is used by many applications, not just www."
Agreed, and just to add: you create ACLs based on the requirements. If the requirement states something like "permit the host 10.10.1.1 to access 192.190.10.10 on any ports, both TCP and UDP", then your statement with the keyword "ip" will work.
If the requirement is to permit ONLY HTTP access from 10.10.1.1 to 192.190.10.10, then your second tcp statement will work (HTTP uses TCP as its transport protocol and, by default, port 80). access-list 100 permit ip host 10.10.1.1 host 192.190.10.10 will also work; however, you are permitting too much. What if you didn't want FTP, Telnet, or SSH access to 192.190.10.10?
It is also important that you understand the flow of traffic so that you can apply the access-list on the proper interface and in the intended direction (inbound or outbound).
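The point the two replies above make (a "permit ip" entry matches every IP protocol, while "permit tcp ... eq 80" matches only TCP to port 80, and anything unmatched hits the implicit deny at the end of every Cisco ACL) can be made concrete with a small evaluator. This is an added example, not code from the thread or from any vendor; it models only the subset of extended-ACL syntax used in the posts (host/any, ip/tcp/udp/icmp, an optional "eq" port), applies first-match semantics, and runs the two candidate ACLs against a constructed set of packets from 10.10.1.1 to the web server.

```python
"""Toy evaluator for the Cisco extended-ACL lines discussed in the thread.

Added example, not vendor code. Assumptions: only ``host A`` / ``any``
address forms, protocols ip/tcp/udp/icmp, optional ``eq PORT`` on tcp/udp,
first-match evaluation, and the implicit ``deny ip any any`` at the end.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>host\s+\S+|any)\s+(?P<dst>host\s+\S+|any)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: Optional[str]      # None means "any"
    dst: Optional[str]
    dport: Optional[int]    # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def _addr(token: str) -> Optional[str]:
    return None if token == "any" else token.split()[1]


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        # IOS rejects a port qualifier on a 'permit ip' line; so do we.
        if m["port"] and m["proto"] not in ("tcp", "udp"):
            raise ValueError("'eq PORT' is only valid with tcp or udp")
        entries.append(Entry(m["action"], m["proto"], _addr(m["src"]),
                             _addr(m["dst"]),
                             int(m["port"]) if m["port"] else None))
    return entries


def matches(e: Entry, p: Packet) -> bool:
    # "ip" matches every IP protocol; tcp/udp/icmp must match exactly.
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src is not None and e.src != p.src:
        return False
    if e.dst is not None and e.dst != p.dst:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the matching entry); first match wins."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None     # implicit deny at the end of the list


# The two statements from the thread.
ACL_IP = "access-list 100 permit ip host 10.10.1.1 host 192.190.10.10"
ACL_TCP80 = "access-list 100 permit tcp host 10.10.1.1 host 192.190.10.10 eq 80"

# Constructed test traffic (not captured data).
SRV = "192.190.10.10"
SAMPLE_PACKETS = {
    "http": Packet("10.10.1.1", SRV, "tcp", 80),
    "ssh": Packet("10.10.1.1", SRV, "tcp", 22),
    "ftp": Packet("10.10.1.1", SRV, "tcp", 21),
    "dns": Packet("10.10.1.1", SRV, "udp", 53),
    "ping": Packet("10.10.1.1", SRV, "icmp"),
    "http-from-other-host": Packet("10.10.1.2", SRV, "tcp", 80),
}


def verdicts(acl_text: str) -> dict:
    """Verdict for every sample packet under the given ACL text."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, p)[0] for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("permit ip", ACL_IP), ("permit tcp eq 80", ACL_TCP80)):
        print(f"{label:18} {verdicts(text)}")
```

Running it shows the "permit ip" list admitting SSH, FTP, DNS and ICMP from 10.10.1.1 alongside HTTP, while the "permit tcp ... eq 80" list admits only the HTTP packet and drops everything else, including HTTP from a different source host. The parser also refuses "permit ip ... eq 80", mirroring the IOS rule that a port qualifier only makes sense on a tcp or udp entry.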
ToddB (Member, Posts: 149):
Thanks, this site is great!