RE: IP extended access list question

From: Brian Dennis (brian@5g.net)
Date: Wed Apr 23 2003 - 17:41:36 GMT-3


Technically they both deny everything ;-)

access-list 100 deny tcp any any eq 53
access-list 100 deny ip any any <-- implicit

-versus-

access-list 100 deny tcp any eq 53 any eq 53
access-list 100 deny ip any any <-- implicit

On a serious note I assume you meant "permit". If so the second one only
permits the source TCP port to be 53 while the first one permits any
source port.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ian Stong
Sent: Wednesday, April 23, 2003 12:41 PM
To: ccielab@groupstudy.com
Subject: IP extended access list question

What, if any, is the difference between the following 2 ACLs?

access-list 100 deny tcp any any eq 53

-versus-

access-list 100 deny tcp any eq 53 any eq 53

IMHO they both only allow access to destination port 53 but what about
the source port? Seems to me the first allows any source port whereas the
second allows only port 53 as the source port.

Thanks,

Ian

www.ccie4u.com
Rack Rentals and Lab Scenarios starting at $20
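As an added illustration of the point Brian makes (not code from either poster), the following evaluator models the two entries with "permit", as he assumes was intended, and checks them against constructed sample packets. It only handles the "any [eq <port>]" syntax that appears in the thread plus the implicit trailing deny; host/wildcard addresses and other port operators are assumed out of scope.

```python
import re

# Assumption: only the "any [eq <port>]" form used in the thread is modelled.
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(\w+)\s+"
    r"(any)(?:\s+eq\s+(\d+))?\s+(any)(?:\s+eq\s+(\d+))?$"
)

def parse_ace(line):
    """Parse one access-control entry into its match conditions."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    num, action, proto, _src, sport, _dst, dport = m.groups()
    return {
        "list": int(num),
        "action": action,
        "proto": proto,
        "sport": int(sport) if sport else None,  # None == any source port
        "dport": int(dport) if dport else None,  # None == any destination port
    }

def ace_matches(ace, pkt):
    """True when the packet (proto, sport, dport) meets every condition."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ace["sport"] is not None and pkt["sport"] != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt["dport"] != ace["dport"]:
        return False
    return True

def evaluate(acl_lines, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # implicit "deny ip any any"

ACL_A = ["access-list 100 permit tcp any any eq 53"]
ACL_B = ["access-list 100 permit tcp any eq 53 any eq 53"]

# Constructed packets: a normal client query uses an ephemeral source port.
CLIENT_QUERY = {"proto": "tcp", "sport": 40123, "dport": 53}
SERVER_TO_SERVER = {"proto": "tcp", "sport": 53, "dport": 53}

if __name__ == "__main__":
    for name, acl in (("A", ACL_A), ("B", ACL_B)):
        for label, pkt in (("client query", CLIENT_QUERY), ("53->53", SERVER_TO_SERVER)):
            print(f"ACL {name}, {label}: {evaluate(acl, pkt)}")
```

ACL A permits the client query, while ACL B drops it because the source port is not 53; only the 53-to-53 packet passes both.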



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:03 GMT-3