From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri Jun 17 2005 - 15:15:12 GMT-3
Hey James,
I don't discount MQC at all and if I have the choice I would always use
that.
But, that's not really the question here.
Assume the instructions say to configure an acl to filter ldap traffic to
and from a server located on vlan X going to host A
server -- vlan X ---  e0 R1 ---rest of network --- host A
If, off-hand, I don't know the port number to use, I can just do a show ip
nbar port-map to find out.
I happen not to know much about ldap.  From the show ip nbar command I see
it uses port udp and tcp port 389.
Now, when I go to configure this acl outbound on e0, what should this acl
look like?
access-list 100 deny tcp host A eq 389 server
or 
access-list 100 deny tcp host A server eq 389
If ldap follows the same model as smtp, then the 2nd acl statement is
correct. But, not knowing the details of ldap, I wouldn't be sure.
My gut tells me to follow the same model as smtp.
What do you think?
TIA, Tim
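To make the port placement concrete, here is a small Python matcher (an added example, not code from this thread) that evaluates the two ACE forms above against the LDAP flows each would see, and applies the same to-the-server / from-the-server model the original post below describes for SMTP. The addresses for host A and the server are constructed placeholders, and the parser handles only a simplified subset of the IOS extended-ACL syntax ("host" on both sides, optional "eq").

```python
import re
from collections import namedtuple

# A 5-tuple of one packet: proto is "tcp" or "udp".
Packet = namedtuple("Packet", "proto src sport dst dport")

# Simplified IOS extended ACE: "host <ip>" on each side, optional "eq <port>"
# after either address. Wildcard masks, "any" and ranges are not handled.
ACE_RE = re.compile(r"access-list \d+ (permit|deny) (tcp|udp) host (\S+)(?: eq (\d+))?"
                    r" host (\S+)(?: eq (\d+))?$")

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto, src, sport, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "sport": int(sport) if sport else None,
            "dport": int(dport) if dport else None}

def ace_matches(ace, pkt):
    """True when protocol, both addresses and any 'eq' ports all match."""
    return (ace["proto"] == pkt.proto and ace["src"] == pkt.src
            and ace["dst"] == pkt.dst
            and ace["sport"] in (None, pkt.sport)
            and ace["dport"] in (None, pkt.dport))

def evaluate(acl_lines, pkt):
    """First-match semantics, then the implicit deny at the end of every ACL."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed addresses standing in for "host A" and the LDAP server.
HOST_A, LDAP_SERVER = "10.1.1.10", "10.2.2.20"
# Port on the destination side matches traffic TO the server; port on the
# source side matches traffic FROM it. Both are needed to cover one session.
ACE_TO_SERVER = f"access-list 100 deny tcp host {HOST_A} host {LDAP_SERVER} eq 389"
ACE_FROM_SERVER = f"access-list 100 deny tcp host {LDAP_SERVER} eq 389 host {HOST_A}"

# Constructed flows: A's query (ephemeral source port) and the server's reply.
ldap_query = Packet("tcp", HOST_A, 40001, LDAP_SERVER, 389)
ldap_reply = Packet("tcp", LDAP_SERVER, 389, HOST_A, 40001)

if __name__ == "__main__":
    for pkt in (ldap_query, ldap_reply):
        print(pkt, "to-server ACE:", ace_matches(parse_ace(ACE_TO_SERVER), pkt),
              "from-server ACE:", ace_matches(parse_ace(ACE_FROM_SERVER), pkt))
```

Swapping "tcp" for "udp" in the ACEs gives the same placement result for the UDP form of LDAP on 389, which is the generalization the original post asks about.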
-----Original Message-----
From: James Matrisciano [mailto:jmatrisciano@kenttech.com] 
Sent: Friday, June 17, 2005 12:58 PM
To: ccie2be; Group Study
Subject: RE: Selecting the correct protocol ports in acl's
Do not discount modular QoS with NBAR. Using the match protocol command
will allow you to match on traffic if you do not know the port.
jm 
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Friday, June 17, 2005 11:21 AM
To: Group Study
Subject: Selecting the correct protocol ports in acl's
Hi guys,
 
If I need to create an acl for a certain type of traffic, say, smtp, I
happen to know which ports to use.
 
In the case of smtp, traffic from the smtp server uses a source port of 25
and traffic to the smtp server uses a dest port of 25.
 
But, assuming I didn't know the specifics of a given protocol, can I
generalize that for this other protocol, it would work the same way as smtp?
 
IOW, if port X is the destination port used TO reach a given application,
then port X becomes the source for traffic FROM this application?
 
Does this generalization hold up equally well for UDP based apps as for TCP
apps?
 
TIA, Tim
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3