
ACL - when to use "any" keyword

Andrew Newman Member Posts: 23
Hi,
I'm looking at an ACL problem and I can't understand the consequences of using or not using the "any" keyword.
What does "access-list 103 deny tcp 172.16.8.0 0.0.3.255 any eq 80" achieve that "access-list 103 deny tcp 172.16.8.0 0.0.3.255 eq 80" doesn't? Is the use of the keyword "any" strictly necessary?

The aim is to prevent users between 172.16.8.0 and 172.16.11.255 from accessing the www.

Any clarification would be greatly appreciated.

Comments

  • SecurityThroughObscurity Member Posts: 212
    source network - 172.16.8.0 and 172.16.11.255
    destination network - any (web)
  • kaytaurus Member Posts: 28
    1. I think the "access-list 103 deny tcp 172.16.8.0 0.0.3.255 eq 80" ACL entry is not complete. It lacks the destination network/wildcard and port no.
    2. The "any" is a synonym for "I don't care". It can be any host source or any host destination depending on where it's placed in the cmd line.

    To achieve your specification as specified above, the "access-list 103 deny tcp 172.16.8.0 0.0.3.255 any eq 80" will suffice.
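
A simplified model of how an extended ACL entry is read (source, optional source port, destination, optional destination port) and how the wildcard mask is applied, added here as an illustration and not part of the original thread. `parse_ace` and `matches` are hypothetical helper names, this is not Cisco IOS's own parser, and the addresses used to exercise it are constructed samples.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i, role):
    """Consume one address spec at tok[i]: 'any', 'host A' or 'A WILDCARD'."""
    if i >= len(tok):
        raise ValueError(f"incomplete entry: missing {role} address")
    if tok[i] == "any":                      # same as 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), i + 1
    if i + 1 >= len(tok):
        raise ValueError(f"incomplete entry: truncated {role} address")
    if tok[i] == "host":                     # same as A 0.0.0.0
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):
    """Consume an optional 'eq PORT' at tok[i]; it binds to the address before it."""
    if i + 1 < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """access-list N {permit|deny} PROTO SRC [eq P] DST [eq P] (simplified)."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry")
    ace = {"action": tok[2], "proto": tok[3]}
    ace["src"], i = _addr(tok, 4, "source")
    ace["sport"], i = _port(tok, i)          # 'eq' here would be a SOURCE port
    ace["dst"], i = _addr(tok, i, "destination")
    ace["dport"], i = _port(tok, i)
    if i != len(tok):
        raise ValueError(f"unexpected token {tok[i]!r}")
    return ace

def _in(spec, ip):
    base, wild = spec                        # wildcard bit 1 = "don't care"
    return ((_ip(ip) ^ base) & ~wild & 0xFFFFFFFF) == 0

def matches(ace, src, dst, dport, sport=None):
    """True if a packet with these fields hits the entry."""
    return (_in(ace["src"], src) and _in(ace["dst"], dst)
            and ace["dport"] in (None, dport)
            and ace["sport"] in (None, sport))

# The two entries from the question
WITH_ANY = "access-list 103 deny tcp 172.16.8.0 0.0.3.255 any eq 80"
WITHOUT_ANY = "access-list 103 deny tcp 172.16.8.0 0.0.3.255 eq 80"
```

In this model the entry without `any` fails to parse because `eq 80` is consumed as a source port and no destination follows, while the entry with `any` matches sources 172.16.8.0 through 172.16.11.255 going to port 80 on any destination.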
