From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun Mar 02 2003 - 16:03:07 GMT-3
Thanks for the recognition - just don't tell anybody I do as much for my own
benefit as everyone else's since it helps me keep everything straight in my
head. Plus, if there's a mistake in my understanding somebody smarter than
me will surely flag me on it and make sure I don't make the same mistake
during the lab.
Jim
----- Original Message -----
From: "Scott M. Livingston" <scottl@sprinthosting.net>
To: "'ccie2be'" <ccie2be@nyc.rr.com>
Sent: Sunday, March 02, 2003 1:39 PM
Subject: RE: The difference between these access-lists
> Very nice explanation! Thanks for doing this for everyone!
>
> scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Sunday, March 02, 2003 8:51 AM
> To: Group Study; Fan Shan
> Subject: Re: The difference between these access-lists
>
> Hi,
>
> The way I understand it, the 1st "any" refers to the source ip address. If
> you don't specify a source port, then all ports are permitted. The 2nd
> "any" refers to the destination ip address and likewise if you don't
> specify a port, all destination ports are permitted.
>
> So, in the 1st a/c statement, the router will permit packets that come from
> any host and that are going to any host as long as the packet is going to
> the telnet service.
>
> In the 2nd a/c statement, the router will look at both the source ip address
> and source port. Since you say "any" source ip address and "any"
> destination ip address but you also say the source port must eq telnet, any
> packet that's coming from the telnet process on any host that's going to any
> host will be permitted.
>
> In the 3rd statement, the established keyword means that only response
> telnet packets are permitted. In other words, the router will look at the
> 1st packet of a tcp session and then look inside that packet at the source
> port. If the source port equals telnet, the packet will be allowed. The
> router won't care what the source or destination ip address is because of
> the any any. You need to keep in mind that the router knows when a packet
> is the initial packet of a tcp session because of the flags that tcp sets
> when it starts a session. As a practical matter this makes sense when the
> objective is to allow hosts inside your network to initiate telnet sessions
> to any host but deny hosts outside your network from initiating a telnet
> session to any hosts inside your network. To make this work properly, you
> need to make sure you're applying the a/c list to the appropriate
> interface.
>
> For example, say your router has only an ethernet and serial interface where
> the ethernet interface is the inside of your network and the serial
> interface is the outside network. In this case, you would apply the a/c
> list to the serial interface in the inward direction. When a packet comes
> into the serial interface from the cable connected to the serial interface,
> the router examines the packet. If the packet is going to the telnet
> process AND the tcp flags indicate that this is a tcp response, the packet
> is permitted, otherwise the packet is dropped. Since the router in this
> case only has 2 interfaces, you could achieve the same results by applying
> the filter to the ethernet interface in the outward direction.
>
> To see how this works, consider what happens when a host on the outside
> attempts to start a telnet session. When the packet arrives at the serial
> interface the router only looks at the destination ip address because
> there's no filter applied to the serial interface. After the router
> determines the packet is destined to a host on the ethernet segment, it
> routes the packet to the ethernet interface. Since there's a filter on the
> ethernet interface in the outward direction, the router will first examine
> the packet. When the router sees the tcp flags, it will see that this packet
> is the first packet of a telnet session and will drop the packet.
>
> Regarding the 2nd group of a/c list statements, the same logic applies.
> However, by themselves these a/c list statements don't make much sense
> because there's an implicit deny statement at the end of every a/c list.
> So, if you used either of these statements alone, you would in essence
> block all user traffic.
>
> Hope this helps. Jim
>
> ----- Original Message -----
> From: "Fan Shan" <fansh@publicf.bta.net.cn>
> To: <ccielab@groupstudy.com>
> Sent: Sunday, March 02, 2003 6:34 AM
> Subject: The difference between these access-lists
>
>
> > Can someone explain the detail about the difference of these
> > access-lists:
> >
> > access-list 100 permit tcp any any eq telnet
> >
> > access-list 100 permit tcp any eq telnet any
> >
> > access-list 100 permit tcp any any eq telnet established
> >
> > And if BGP is permitted, do I need to configure both
> >
> > access-list 100 permit tcp any any eq bgp
> > and
> > access-list 100 permit tcp any eq bgp any
> >
> > or only one of them?
> >
> > Thx
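The three telnet statements and the two bgp statements from the question, run against constructed TCP segments so the difference in what each one matches is visible. This is an added example, not part of the thread: a small Python model of Cisco extended-ACL matching that supports only the "any" address form, "eq" with a port name or number, and "established" (which matches segments with the ACK or RST bit set), and ends with the implicit deny.

```python
from dataclasses import dataclass

PORTS = {"telnet": 23, "bgp": 179}  # the only port names this model needs

@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    flags: frozenset  # TCP flags that are set, e.g. frozenset({"SYN", "ACK"})

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp any [eq P] any [eq P] [established]' ('any' addresses only)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "tcp", line
    ace = {"action": tok[2], "src_port": None, "dst_port": None}
    i = 4
    for side in ("src_port", "dst_port"):
        assert tok[i] == "any", "this model only supports 'any' addresses"
        i += 1
        if i < len(tok) and tok[i] == "eq":  # optional port operator after each address
            ace[side] = PORTS.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
    # 'established' matches only segments with ACK or RST set, i.e. anything
    # except the bare SYN that opens a new TCP session.
    ace["established"] = i < len(tok) and tok[i] == "established"
    return ace

def matches(ace, seg):
    return (ace["src_port"] in (None, seg.src_port)
            and ace["dst_port"] in (None, seg.dst_port)
            and (not ace["established"] or bool(seg.flags & {"ACK", "RST"})))

def evaluate(acl, seg):
    """First matching entry decides; no match falls through to the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, seg):
            return ace["action"]
    return "deny (implicit)"

# Constructed segments: a telnet client on port 50000 talking to a server on 23.
CLIENT_SYN = Segment(50000, 23, frozenset({"SYN"}))            # opens the session
SERVER_SYNACK = Segment(23, 50000, frozenset({"SYN", "ACK"}))  # server's reply
CLIENT_ACK = Segment(50000, 23, frozenset({"ACK"}))            # later data to server
TO_TELNET = ["access-list 100 permit tcp any any eq telnet"]
FROM_TELNET = ["access-list 100 permit tcp any eq telnet any"]
TO_TELNET_ESTABLISHED = ["access-list 100 permit tcp any any eq telnet established"]
BGP_BOTH = ["access-list 100 permit tcp any any eq bgp",
            "access-list 100 permit tcp any eq bgp any"]
```

Evaluating a bgp reply (source port 179) against `BGP_BOTH[:1]` and `BGP_BOTH` shows why a single "eq bgp" line only covers one direction of the TCP session.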
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:30 GMT-3