RE: Extended ACL clarification.

From: Brian Dennis (brian@labforge.com)
Date: Tue Jun 17 2003 - 00:29:15 GMT-3


Telnet will not originate from port 23. Think about it like this. If you
are using TCP port 23 as a source port for Telnet on R1, what will
happen when someone tries to telnet to R1?

I would highly recommend reading one of the following books.

Internetworking with TCP/IP Vol.1: Principles, Protocols, and
Architecture (4th Edition) by Douglas Comer

The Protocols (TCP/IP Illustrated, Volume 1) by W. Richard Stevens

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason Cash
Sent: Monday, June 16, 2003 8:08 PM
To: ccielab@groupstudy.com
Subject: Extended ACL clarification.

A certain instructs:

Config R2 such that all telnet traffic sourced from the lo0 of R1 and
destined for the 172.29.80.0 subnet will go thru R5.

R1 - Lo0 192.168.1.1/32
R2 - S0 172.29.100.2
R5 - S0 172.29.100.5

R1(e1)-----(e0)R2(s0)-----(s0)R5

My question is, is the following incorrect and does it accomplish the
same thing as the solution:

interface Ethernet0
 description to R1 E0 (crossover)
 ip address 172.29.12.2 255.255.255.192
 ip policy route-map local23
!
route-map local23 permit 10
 match ip address 100
 set ip next-hop 172.29.100.5
!
access-list 100 permit tcp host 192.168.1.1 eq telnet 172.29.80.0 0.0.0.31

The solution provided was:

access-list 100 permit tcp host 192.168.1.1 172.29.80.0 0.0.0.31 eq telnet

I guess I want to know the difference between the two. Would my
solution provide the same result? I interpret mine to mean:

allow traffic from host 192.168.1.1 (tcp src. port 23) to goto subnet
172.29.80.0/27

I interpret the solution as:

allow traffic from host 192.168.1.1 to goto subnet 172.29.80.0/27 (tcp
dest. port 23)

What is the difference? Does telnet not originate from port 23 on
occasion? Is this where the problem would come into play? I get
confused on src/dest. ports, so any links to clear the confusion would be
appreciated.

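To make the difference between the two access-list 100 lines concrete, here is an added example (not code from either poster) that evaluates both ACLs against constructed packets of a Telnet session. The helper names, the client-side ephemeral port 11001 and the destination host 172.29.80.10 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)

@dataclass
class AclEntry:
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str
    src_port: Optional[int] = None  # "eq" written right after the source address
    dst_port: Optional[int] = None  # "eq" written right after the destination address

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def matches(entry: AclEntry, pkt: Packet) -> bool:
    return (wildcard_match(pkt.src, entry.src_net, entry.src_wild)
            and wildcard_match(pkt.dst, entry.dst_net, entry.dst_wild)
            and (entry.src_port is None or pkt.sport == entry.src_port)
            and (entry.dst_port is None or pkt.dport == entry.dst_port))

# Posted ACL: "host 192.168.1.1 eq telnet 172.29.80.0 0.0.0.31" -> eq binds to the source.
POSTED = AclEntry("192.168.1.1", "0.0.0.0", "172.29.80.0", "0.0.0.31", src_port=23)
# Solution ACL: "host 192.168.1.1 172.29.80.0 0.0.0.31 eq telnet" -> eq binds to the destination.
SOLUTION = AclEntry("192.168.1.1", "0.0.0.0", "172.29.80.0", "0.0.0.31", dst_port=23)

# Constructed packets. A Telnet client on R1's Lo0 uses an ephemeral source port
# (11001 is an assumed value) and connects to port 23 on a host in 172.29.80.0/27.
CLIENT_TO_SERVER = Packet("192.168.1.1", 11001, "172.29.80.10", 23)
# Only when R1 is itself the Telnet *server* answering that subnet is port 23 the source.
R1_AS_SERVER = Packet("192.168.1.1", 23, "172.29.80.10", 11001)
def evaluate() -> dict:
    return {"posted_client": matches(POSTED, CLIENT_TO_SERVER),
            "solution_client": matches(SOLUTION, CLIENT_TO_SERVER),
            "posted_server": matches(POSTED, R1_AS_SERVER),
            "solution_server": matches(SOLUTION, R1_AS_SERVER)}
```

The posted ACL never matches the client session the task describes; it would only policy-route replies from a Telnet server on R1 itself, which is the case Brian's reply points at.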


This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:59 GMT-3