ACL for telneting to a specific port

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Oct 26 2004 - 08:27:04 GMT-3


Hi guys,

I want to create an acl which allows only telnets to port 3023.

In the example I just saw yesterday this required two lines as follows:

access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any any eq 3023

I tried this out and it works. But, if I use either entry by itself, it
doesn't work. It also doesn't work if the entries are in the reverse order, i.e.
the eq 3023 entry comes before the eq telnet entry.

This example seems to break the rules of acl processing which I thought I knew
- each entry is evaluated from top to bottom INDEPENDENTLY. If an entry
permits the packet, stop processing the acl. If an entry denies the packet,
stop processing. If a packet doesn't match an entry, go to the next entry and
repeat.

Is the above acl an exception to the logic of acl processing as I understand
it or am I missing something?

Thanks, Tim
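As an added illustration, not part of the original post, the following Python models the ACL processing rules Tim lists (top to bottom, first match wins, implicit deny at the end) and runs both entries through them. Under those rules alone the eq 3023 entry by itself already permits a packet to port 3023 and entry order makes no difference, which is exactly the gap between the stated rules and the observed behaviour the post asks about. The parser, the Entry class and the small port-name table are assumptions for this example and handle only "any any" source/destination entries.

```python
# Simulator of extended ACL evaluation as described in the post:
# entries checked top to bottom, first match decides, implicit deny at end.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed port-name table; only the names needed for the example.
WELL_KNOWN = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip" (ip matches any protocol)
    dst_port: Optional[int]   # None means any destination port


def parse_entry(line: str) -> Entry:
    """Parse 'access-list 100 permit tcp any any eq telnet' (any/any only)."""
    tok = line.split()
    # tok: access-list, <number>, action, proto, src, dst, [eq, port]
    action, proto = tok[2], tok[3]
    port = None
    if len(tok) > 6 and tok[6] == "eq":
        port = WELL_KNOWN.get(tok[7]) or int(tok[7])
    return Entry(action, proto, port)


def evaluate(acl: List[Entry], proto: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (decision, index of matching entry); index None = implicit deny."""
    for i, e in enumerate(acl):
        if e.proto not in (proto, "ip"):
            continue                      # protocol does not match, next entry
        if e.dst_port is not None and e.dst_port != dst_port:
            continue                      # port does not match, next entry
        return e.action, i                # first match wins, stop processing
    return "deny", None                   # implicit deny at the end of every ACL


# The two entries from the post, constructed here as sample input.
ACL_100 = [parse_entry(line) for line in [
    "access-list 100 permit tcp any any eq telnet",
    "access-list 100 permit tcp any any eq 3023",
]]

if __name__ == "__main__":
    for acl, label in [(ACL_100, "both"), (ACL_100[1:], "3023 only"),
                       (ACL_100[::-1], "reversed")]:
        print(label, "-> port 3023:", evaluate(acl, "tcp", 3023),
              "port 23:", evaluate(acl, "tcp", 23))
```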



This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:53 GMT-3