From: Mohamed M Moustafa (mmma@gawab.com)
Date: Wed Sep 05 2007 - 15:07:34 ART
Hi,
I meant exactly what Ben said: you can match UDP port 520 (RIP) as source
or destination or both, as RIP uses this port as both source and
destination. On the other hand, if it was BGP that we are talking about,
then TCP 179 is destination and not a source (as if a client/server
application); the source will be a high port number.
HTH,
Mohammed Mahmoud.
Ben <bmunyao@gmail.com> wrote on 5 Sep 2007, 08:48 PM:
Subject: Re: Re : Basic ACL Q ....
>ccie1101,
>
>He means both source/destination ports in RIP packets are udp/520. In other
>words the following solutions should all match rip traffic:
>
>1. access-l 100 permit udp host 192.10.1.2 eq rip any
>
>2. access-l 100 permit udp host 192.10.1.2 any eq rip
>
>3. access-l 100 permit udp host 192.10.1.2 eq rip any eq rip
>
>HTH
>
>Ben
>
>
>On 9/5/07, ccie1101 <ccie1101@gmail.com> wrote:
>>
>> Mohammed,
>> So you are saying that if you do not specify the port number, it will
>> know it is rip ???
>>
>> *That a host with an IP address of 192.10.1.254 is to send rip updates
>> to all hosts on its ethernet segment.*
>>
>> My answer :-
>> access-list 100 permit udp host 192.10.1.254 eq rip any
>>
>> The solution given is
>> access-list 100 permit udp host 192.10.1.254 any eq rip
>>
>> This would mean that we could write the acl as follows and rip
>> information will be passed from 192.10.1.254 to other hosts running rip
>> on the segment?
>> access-list 100 permit udp host 192.10.1.254 any
>>
>> Is this what you are saying ?
>>
>> ccie1101.
>>
>>
>>
>> On 9/5/07, Mohamed M Moustafa <mmma@gawab.com> wrote:
>> >
>> > Hi,
>> >
>> > Both should work as RIP (unlike BGP) uses UDP port 520 as both the
>> > source and the destination.
>> >
>> > BR,
>> > Mohammed Mahmoud.
>> >
>> >
>> > ccie1101 <ccie1101@gmail.com> wrote on 5 Sep 2007, 12:36 PM:
>> > Subject: Re : Basic ACL Q ....
>> > > Hi,
>> > > I have a basic question on ACL .... The question says :-
>> > >*That a host with an IP address of 192.10.1.254 is to send rip
>> > >updates to all hosts on its ethernet segment.*
>> > >
>> > > The way that I constructed the ACL is as follows :-
>> > >
>> > >access-list 100 permit udp host 192.10.1.254 eq rip any
>> > >access-list 100 deny ip any any
>> > >
>> > > The solution given was '*host 192.10.1.254 any eq rip*' .....
>> > >
>> > >Please enlighten,
>> > >Thank you,
>> > >
>> > >ccie1101.
>> > >
>> >
>>_______________________________________________________________________
>> > >Subscription information may be found at:
>> > >http://www.groupstudy.com/list/CCIELab.html
>> > >
>> >
>> > ---------------------------------------------
>> > Free POP3 Email from www.Gawab.com
>> > Sign up NOW and get your account @gawab.com!!
>>
>
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:09 ART
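
Added example (not part of the original thread, and not IOS code): a small first-match evaluator for the ACL forms discussed above, run against constructed packets. It shows that all three `eq rip` placements match a RIP update (520 to 520), that a BGP session opener only matches when 179 is the destination port, and that `permit udp host 192.10.1.254 any` passes RIP but also every other UDP flow from that host. Destination addresses, high port numbers and the SNMP packet are sample values chosen for illustration.

```python
# Added example: first-match evaluation of "host X" / "any" [eq port] ACL entries.
PORTS = {"rip": 520, "bgp": 179}  # IOS port keywords used in this thread

def parse_endpoint(tok, i):
    """Read 'host X' or 'any', then an optional 'eq P'; return ((addr, port), next_i)."""
    if tok[i] == "host":
        addr, i = tok[i + 1], i + 2
    elif tok[i] == "any":
        addr, i = None, i + 1
    else:
        raise ValueError("unsupported address form: " + tok[i])
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS[tok[i + 1]] if tok[i + 1] in PORTS else int(tok[i + 1])
        i += 2
    return (addr, port), i

def parse_ace(line):
    """'access-list N permit|deny proto src dst' -> (action, proto, src, dst)."""
    tok = line.split()
    if not "access-list".startswith(tok[0]):  # abbreviations such as access-l
        raise ValueError("not an access-list line")
    src, i = parse_endpoint(tok, 4)
    dst, _ = parse_endpoint(tok, i)
    return tok[2], tok[3], src, dst

def matches(ace, pkt):
    _, proto, src, dst = ace
    if proto not in ("ip", pkt["proto"]):
        return False
    for (addr, port), a, p in ((src, pkt["src"], pkt["sport"]),
                               (dst, pkt["dst"], pkt["dport"])):
        if (addr is not None and addr != a) or (port is not None and port != p):
            return False
    return True

def evaluate(acl, pkt):
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace[0]          # first matching entry decides
    return "deny"                  # implicit deny at the end of every ACL

def packet(proto, src, sport, dst, dport):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport)

# Constructed packets (destinations and high ports are sample values).
RIP = packet("udp", "192.10.1.254", 520, "255.255.255.255", 520)  # 520 -> 520
BGP = packet("tcp", "192.10.1.254", 11000, "192.10.1.1", 179)     # high port -> 179
SNMP = packet("udp", "192.10.1.254", 50000, "192.10.1.1", 161)    # unrelated UDP
```

With a trailing `deny ip any any`, the entry ending in `any eq rip` drops the constructed SNMP packet, while the entry with no port qualifier lets it through.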