Another Extended ACL question

From: Anthony Pace (anthonypace@xxxxxxxxxxx)
Date: Tue Jul 09 2002 - 22:47:28 GMT-3


   
What are the different syntaxes used in the extended ACL and which
protocols use which?

I know bgp filters use source/bits-to-match and the dest is specifying
MASK on route

RIP uses neighbor/wildcard-on-neighbor and the dest is routes/wildcard.

Which of these two do other protocols use when using ACLs as route
filters?

Anthony Pace

On Thu, 27 Jun 2002 09:19:03 +1000, "Jason Sinclair"
<sinclairj@powertel.com.au> said:
> Gary,
>
> That's exactly right. When working with extended IP access lists
> remember
> the format:
>
> Source source port destination destination port
>
> Thus if a port is specified from the source the originating connection
> must
> be from that port and vice versa.
>
> Cheers,
>
> Jason Sinclair CCIE #9100
> Manager, Network Control Centre
> POWERTEL
> 55 Clarence Street,
> SYDNEY NSW 2000
> AUSTRALIA
> office: + 61 2 8264 3820
> mobile: + 61 416 105 858
> email: sinclairj@powertel.com.au
>
> -----Original Message-----
> From: gary braver [mailto:gbraver@attbi.com]
> Sent: Thursday, 27 June 2002 09:01
> To: 'Jason Sinclair'; Danny.Wang@alderwoods.com;
> ccielab@groupstudy.com
> Subject: RE: ip access-list
>
> Still a little confused about this.
>
> To simplify, let's change the specific destination host to any. So what
> is the
> difference???
> access-list 101 permit tcp any eq domain any
> this permits any connection originating from tcp port 53 to access any
> host
> ???
>
> access-list 101 permit tcp any any eq domain
> this permits any connection originating from any host via tcp to any
> host on
> tcp port 53 ???
>
> thanks
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Jason Sinclair
> Sent: Wednesday, June 26, 2002 12:30 AM
> To: 'Danny.Wang@alderwoods.com'; ccielab@groupstudy.com
> Subject: RE: ip access-list
>
>
> Danny,
>
> Let's break them down:
>
> access-list 101 permit tcp any eq domain host 205.12.54.254
> this permits any connection originating from tcp port 53 to access the
> host
> 205.12.54.254 on any tcp port
> access-list 101 permit tcp any host 205.12.54.254 eq domain
> this permits any connection originating from any host via tcp to the
> host
> 205.12.54.254 on tcp port 53
>
> access-list 102 permit tcp any any eq www established
> this permits any host access to any other host on port 80 as long as
> the ACK
> or RST bit is set
> access-list 102 permit tcp any eq www any established
> this permits any source address with a source port of 80 to connect to
> anything and any port as long as the ACK or RST bit is set
>
> access-list 100 permit udp any eq domain host 209.54.12.254
> access-list 100 permit udp any eq domain host 209.54.12.254 eq domain
> Same as the first pair except UDP ports.
> Cheers,
>
> Jason Sinclair CCIE #9100
> Manager, Network Control Centre
> POWERTEL
> 55 Clarence Street,
> SYDNEY NSW 2000
> AUSTRALIA
> office: + 61 2 8264 3820
> mobile: + 61 416 105 858
> email: sinclairj@powertel.com.au
>
> -----Original Message-----
> From: Danny.Wang@alderwoods.com [mailto:Danny.Wang@alderwoods.com]
> Sent: Wednesday, 26 June 2002 13:47
> To: ccielab@groupstudy.com
> Subject: ip access-list
>
> Could anyone explain a little bit the following access list pair if
> there's
> any difference?
>
> access-list 101 permit tcp any eq domain host 205.12.54.254
> access-list 101 permit tcp any host 205.12.54.254 eq domain
>
> access-list 102 permit tcp any any eq www established
> access-list 102 permit tcp any eq www any established
>
> access-list 100 permit udp any eq domain host 209.54.12.254
> access-list 100 permit udp any eq domain host 209.54.12.254 eq domain
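As an added illustration (not code from this thread, nor a Cisco tool), the following Python model parses extended ACL lines in the `access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT] [established]` form quoted above and evaluates constructed packets against them. It makes concrete the point the replies make: `any eq domain any` keys on the source port, `any any eq domain` on the destination port, `established` needs ACK or RST, and an `A.B.C.D WILDCARD` pair matches with Cisco wildcard-bit semantics (1 = don't care). The port-name table, the `Packet` fields, the sample addresses and the trailing implicit deny are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Port names accepted in place of numbers (a small subset; assumption for this model).
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "telnet": 23, "smtp": 25}


def port_value(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass(frozen=True)
class AddrSpec:
    """Address plus Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    address: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.address & care)


@dataclass(frozen=True)
class AclEntry:
    number: str
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches every protocol; "tcp"/"udp" match only themselves
    src: AddrSpec
    src_port: Optional[int]
    dst: AddrSpec
    dst_port: Optional[int]
    established: bool      # TCP only: the segment must carry ACK or RST


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary used to exercise the ACL (hypothetical model)."""
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN"} or {"ACK"}


def _parse_addr(tok: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return AddrSpec(int(ipaddress.IPv4Address(tok[i])),
                    int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _parse_port(tok: List[str], i: int):
    """Consume an optional 'eq PORT' at tok[i]; None when absent."""
    if i < len(tok) and tok[i] == "eq":
        return port_value(tok[i + 1]), i + 2
    return None, i


def parse_acl_line(line: str) -> AclEntry:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    number, action, protocol = tok[1], tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    src_port, i = _parse_port(tok, i)       # port right after the source = source port
    dst, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)       # port right after the destination = destination port
    established = i < len(tok) and tok[i] == "established"
    return AclEntry(number, action, protocol, src, src_port, dst, dst_port, established)


def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not (e.src.matches(p.src) and e.dst.matches(p.dst)):
        return False
    if e.src_port is not None and p.sport != e.src_port:
        return False
    if e.dst_port is not None and p.dport != e.dst_port:
        return False
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    for line in acl:
        e = parse_acl_line(line)
        if entry_matches(e, p):
            return e.action
    return "deny"


if __name__ == "__main__":
    pair = ["access-list 101 permit tcp any eq domain host 205.12.54.254",
            "access-list 101 permit tcp any host 205.12.54.254 eq domain"]
    # Constructed packets: a reply sourced from port 53, and a query sent to port 53.
    from_53 = Packet("tcp", "198.51.100.7", 53, "205.12.54.254", 4444)
    to_53 = Packet("tcp", "198.51.100.7", 40000, "205.12.54.254", 53)
    for line in pair:
        print(line, "->", evaluate([line], from_53), "/", evaluate([line], to_53))
```

Running the block prints which of the two quoted `101` lines each packet hits. The first line permits the packet *sourced* from port 53 to any port on 205.12.54.254, which is why a rule written that way is far broader than a rule that permits traffic *to* port 53 on the server; the `established` check and the wildcard form are exercised in the same way by calling `evaluate` with other lines from the thread.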



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:24 GMT-3