From: Hobbs (deadheadblues@gmail.com)
Date: Sat Aug 16 2008 - 21:07:42 ART
Hello,
The PG has the following answer for preventing a TACACS server from
authenticating clients:
ip access-list ext FilterOut
 10 deny tcp host 150.100.81.100 any eq tacacs time-range NoTACACS
 20 deny ip 150.100.81.0 0.0.0.255 any time-range 911
 30 permit ip any any
But isn't the server listening on the tacacs port? Don't we need to do it this
way, switching the "any" and the "eq tacacs"?
 10 deny tcp host 150.100.81.100 eq tacacs any time-range NoTACACS
Thank you, and please correct me if I am mistaken. The only other thing I can
think of is that the tacacs port is used for the client and server side.
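
An added example, not part of the original post: a small Python matcher that parses both ACL lines from the message and checks them against constructed TCP packets, showing which direction of a TACACS session each line matches. The page does not say whether 150.100.81.100 is the server or a client, so both roles are shown; the peer address 192.0.2.10, the ephemeral port 33001, and treating the time-range as active are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PORTS = {"tacacs": 49}  # IOS keyword "tacacs" is TCP port 49

@dataclass(frozen=True)
class Entry:
    src: str              # "any" or a host address
    sport: Optional[int]  # None means any source port
    dst: str
    dport: Optional[int]  # None means any destination port

def parse(line: str) -> Entry:
    """Parse 'deny tcp <addr> [eq <port>] <addr> [eq <port>]' (host/any only)."""
    tok = line.split()[2:]  # drop 'deny tcp'
    def addr() -> str:
        if tok.pop(0) == "any":
            return "any"
        return tok.pop(0)   # previous token was 'host'
    def port() -> Optional[int]:
        if tok and tok[0] == "eq":
            tok.pop(0)
            name = tok.pop(0)
            return PORTS.get(name) or int(name)
        return None
    src, sport = addr(), port()
    dst, dport = addr(), port()
    return Entry(src, sport, dst, dport)  # trailing time-range is ignored

def matches(e: Entry, pkt) -> bool:
    src, sport, dst, dport = pkt
    return (e.src in ("any", src) and e.dst in ("any", dst)
            and e.sport in (None, sport) and e.dport in (None, dport))

HOST, PEER, EPH = "150.100.81.100", "192.0.2.10", 33001  # PEER, EPH constructed
ENTRIES = {  # the two lines compared in the post
    "PG": "deny tcp host 150.100.81.100 any eq tacacs time-range NoTACACS",
    "swapped": "deny tcp host 150.100.81.100 eq tacacs any time-range NoTACACS",
}
PACKETS = {  # constructed packets: (src, sport, dst, dport)
    "HOST is server: request in": (PEER, EPH, HOST, 49),
    "HOST is server: reply out": (HOST, 49, PEER, EPH),
    "HOST is client: request out": (HOST, EPH, PEER, 49),
    "HOST is client: reply in": (PEER, 49, HOST, EPH),
}

def hits() -> dict:
    """Map each packet label to the names of the entries that deny it."""
    return {label: [n for n, line in ENTRIES.items() if matches(parse(line), pkt)]
            for label, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, names in hits().items():
        print(f"{label:30} denied by: {', '.join(names) or 'neither'}")
```
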