From: Scott Strobeck (scott@strobeck.net)
Date: Thu Jul 31 2008 - 13:07:44 ART
Alan,
Don't forget that return traffic will have a specific port. . . For
example, if R1 telnets to R2, then to match this traffic would be "tcp
any any eq 23". However, if you wanted to block that traffic with an
outbound access-group toward R1, for example, you would have to match
the return traffic with "tcp any eq 23 any".
Another example is if you were asked to apply an inbound access-group,
for example. If you're running bgp on that link, then you would have to
have both 'permit tcp any any eq bgp' and 'permit tcp any eq bgp any',
since both boxes will be both sourcing and replying to bgp packets.
Scott
Alan Chng wrote:
> Hi All,
>
> Has anyone used access-list to filter traffic on Layer 2 (e.g.
> MAC addresses)? If so, where are these typically implemented in a network?
>
> Node_108(config)#access-list 700 permit ?
> H.H.H 48-bit hardware address
>
> Secondly, does anyone filter ip access-lists on source ports? (I've only
> ever done it with destination ports since source ports are typically
> dynamically assigned by O/S)
>
> Any advice is greatly appreciated.
>
> Regards,
> Alan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
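The point Scott makes above, that the reply half of a TCP flow carries the well-known number as its *source* port, is easy to see with a small evaluator. The following is an added example, not code from the thread or from Cisco IOS: it models only the subset of extended-ACL syntax the thread uses ("permit|deny tcp <addr> [eq port] <addr> [eq port]", with "any" or a single IP as the address), applies first-match with an implicit deny, and runs the two ACL shapes against a constructed telnet flow and a constructed BGP exchange. All addresses and ephemeral ports are made up.

```python
"""Toy evaluator for Cisco-style extended ACL entries (ACEs).

Added example, not from the mailing-list thread: it supports only
'permit|deny tcp <src> [eq P] <dst> [eq P]', with 'any' or one IP as the
address, which is enough to show why the return direction of a TCP flow
must be matched on its source port.
"""
from dataclasses import dataclass
from typing import List, Optional

# Port names used in the thread; a real ACL knows many more.
PORT_NAMES = {"telnet": 23, "bgp": 179}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The same flow seen from the other direction: addresses and ports swapped."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'permit tcp any eq 23 any' into an Ace."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    i = 2
    src = tok[i]
    i += 1
    sport = None
    if i < len(tok) and tok[i] == "eq":          # optional source-port match
        sport = _port(tok[i + 1])
        i += 2
    dst = tok[i]
    i += 1
    dport = None
    if i < len(tok) and tok[i] == "eq":          # optional destination-port match
        dport = _port(tok[i + 1])
        i += 2
    if i != len(tok):
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return Ace(action, proto, src, sport, dst, dport)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _port_match(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto == pkt.proto
            and _addr_match(ace.src, pkt.src) and _port_match(ace.sport, pkt.sport)
            and _addr_match(ace.dst, pkt.dst) and _port_match(ace.dport, pkt.dport))


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; every ACL ends in an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed flow: R1 (10.0.0.1) telnets to R2 (10.0.0.2); 51022 is a made-up
# ephemeral client port.
TELNET_REQ = Packet("tcp", "10.0.0.1", 51022, "10.0.0.2", 23)
TELNET_REPLY = TELNET_REQ.reply()


def telnet_demo() -> dict:
    """'any any eq 23' only sees R1 -> R2; 'any eq 23 any' only sees R2 -> R1."""
    dst_only = ["permit tcp any any eq telnet"]
    src_only = ["permit tcp any eq telnet any"]
    return {
        "dst_only_req": evaluate(dst_only, TELNET_REQ),
        "dst_only_reply": evaluate(dst_only, TELNET_REPLY),
        "src_only_req": evaluate(src_only, TELNET_REQ),
        "src_only_reply": evaluate(src_only, TELNET_REPLY),
    }


def bgp_demo() -> dict:
    """Either router may open the session, so an inbound filter on R1's
    interface receives both 'dst 179' and 'src 179' packets from R2."""
    both = ["permit tcp any any eq bgp", "permit tcp any eq bgp any"]
    r1_opens = Packet("tcp", "10.0.0.1", 40000, "10.0.0.2", 179)
    r2_opens = Packet("tcp", "10.0.0.2", 40001, "10.0.0.1", 179)
    inbound_from_r2 = [r1_opens.reply(), r2_opens]   # what R1 receives on the link
    return {
        "one_line": [evaluate(both[:1], p) for p in inbound_from_r2],
        "both_lines": [evaluate(both, p) for p in inbound_from_r2],
    }


if __name__ == "__main__":
    print(telnet_demo())
    print(bgp_demo())
```

Running it shows the destination-port entry permitting the request but dropping the reply, the source-port entry doing the opposite, and the single BGP line denying the half of the inbound BGP traffic that R1 itself initiated. On real IOS, matching return traffic purely on source port admits anything that sets that source port, which is why the `established` keyword or reflexive ACLs are normally preferred for the reply direction.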
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:58 ART