Re: Classifying incoming vs outgoing HTTP traffic

From: Dale Shaw <dale.shaw_at_gmail.com>
Date: Fri, 3 Apr 2009 11:50:25 +1100

Hi,

On Fri, Apr 3, 2009 at 11:33 AM, Cisco Fanatic
<ebay_products_at_hotmail.com> wrote:
> Then what's the difference between
>
> 1) All HTTP traffic coming from Vlan 34.
> 4) All HTTP traffic going out to Vlan 34.
>
> ?? if you apply the access-list as you stated.

Nothing -- both 1) and 4) are handled -- HTTP requests (to tcp/80)
_and_ HTTP responses.

 ip access-list extended V34_in
    ! HTTP responses from a server on Vlan34 to a client somewhere else ("any")
    permit tcp 10.1.34.0 0.0.0.255 eq www any
    ! HTTP requests from a client on Vlan34 to a server somewhere else ("any")
    permit tcp 10.1.34.0 0.0.0.255 any eq www

You could tighten it up a bit:

 ip access-list extended V34_in
    ! HTTP responses from a server on Vlan34 to a client somewhere else ("any")
    permit tcp 10.1.34.0 0.0.0.255 eq www any gt 1023
    ! HTTP requests from a client on Vlan34 to a server somewhere else ("any")
    permit tcp 10.1.34.0 0.0.0.255 gt 1023 any eq www

Or even:

 ip access-list extended V34_in
    ! HTTP responses from a server on Vlan34 to a client somewhere else ("any")
    permit tcp 10.1.34.0 0.0.0.255 eq www any gt 1023 established
    ! HTTP requests from a client on Vlan34 to a server somewhere else ("any")
    permit tcp 10.1.34.0 0.0.0.255 gt 1023 any eq www

It's really just poor wording in the question. TCP flows have an
inherent "direction". Connections are initiated from one end (the
source) and accepted on the other (the destination). I think it's best
to separate the terms "client" and "server" with "source" and
"destination". Of course, HTTP is a client-server protocol: the client
(source) always initiates a connection to the server (destination).

The TCP source port used by the HTTP client (web browser, typically)
is going to be >1023 (i.e. 1024-65535), and the TCP destination port
listening on the server is (almost always) going to be 80 (within the
"well known" range 0-1023).

So, if the question doesn't make it clear if you're expected to match
client-->server traffic ("HTTP requests"), server-->client traffic
("HTTP responses"), or both, you should ask the proctor!

TCP is a wonderful world of its own.

cheers,
Dale

Blogs and organic groups at http://www.ccie.net
Received on Fri Apr 03 2009 - 11:50:25 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART
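The three versions of V34_in above, as an added example that is not part of the original post or the thread: a small Python model of stateless IOS extended-ACL matching (wildcard masks, eq/gt port operators, first match wins, implicit deny, and "established" matching only segments with ACK or RST set), run over constructed packets as they would arrive inbound on the Vlan34 interface. The ACL entries are the ones Dale posted; the packet addresses, flag sets and helper names (Packet, Ace, evaluate, classify) are assumptions made for this example. The "sport80" sample is the reason the third version is tighter: a host on Vlan34 opening a new connection outbound from source port 80 looks like an HTTP response to the first two lists, but its bare SYN carries no ACK, so the "established" entry rejects it.

```python
"""Stateless IOS-style extended ACL matcher (added example, not from the post).

Reproduces IOS semantics: first matching entry wins, implicit deny at the
end, wildcard masks where a 0 bit means "must match", and 'established'
matching only TCP segments that carry ACK or RST. Sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def wildcard(net: str, mask: str) -> Callable[[str], bool]:
    """IOS wildcard mask: bits that are 0 in the mask must equal the network."""
    n, m = int(IPv4Address(net)), int(IPv4Address(mask))
    care = ~m & 0xFFFFFFFF
    return lambda ip: (int(IPv4Address(ip)) & care) == (n & care)


def anything(_) -> bool:  # 'any' host, or a port field with no operator
    return True


def eq(n: int) -> Callable[[int], bool]:
    return lambda p: p == n


def gt(n: int) -> Callable[[int], bool]:
    return lambda p: p > n


@dataclass(frozen=True)
class Ace:
    """permit/deny tcp <src> [sport] <dst> [dport] [established]"""
    action: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if not (self.src(pkt.src) and self.sport(pkt.sport)
                and self.dst(pkt.dst) and self.dport(pkt.dport)):
            return False
        # 'established' never matches a bare SYN: only segments with ACK or RST.
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


V34 = wildcard("10.1.34.0", "0.0.0.255")
WWW = 80

# The three versions of V34_in from the message, in the same order.
ACL_LOOSE = [Ace("permit", V34, eq(WWW), anything, anything),
             Ace("permit", V34, anything, anything, eq(WWW))]
ACL_PORTS = [Ace("permit", V34, eq(WWW), anything, gt(1023)),
             Ace("permit", V34, gt(1023), anything, eq(WWW))]
ACL_ESTAB = [Ace("permit", V34, eq(WWW), anything, gt(1023), established=True),
             Ace("permit", V34, gt(1023), anything, eq(WWW))]
ACLS = {"loose": ACL_LOOSE, "ports": ACL_PORTS, "established": ACL_ESTAB}

# Constructed packets as seen inbound on the Vlan34 interface.
SAMPLES = {
    # client on Vlan34 opening a connection to an outside web server
    "request":  Packet("10.1.34.10", 51234, "203.0.113.9", 80, frozenset({"SYN"})),
    # server on Vlan34 answering an outside client
    "response": Packet("10.1.34.20", 80, "198.51.100.7", 51234, frozenset({"SYN", "ACK"})),
    # NEW outbound connection sourced from port 80: passes as a "response"
    # unless the filter insists on ACK/RST ('established')
    "sport80":  Packet("10.1.34.20", 80, "198.51.100.7", 4444, frozenset({"SYN"})),
    # source port 80 to a low destination port is not an HTTP response
    "lowdport": Packet("10.1.34.20", 80, "198.51.100.7", 22, frozenset({"SYN"})),
    # not from Vlan34 at all, so it should never match an inbound V34 entry
    "spoofed":  Packet("203.0.113.9", 80, "10.1.34.10", 5555, frozenset({"ACK"})),
}


def classify(pkt: Packet) -> Dict[str, str]:
    """Verdict of each ACL version for one packet."""
    return {name: evaluate(acl, pkt) for name, acl in ACLS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{'/'.join(sorted(pkt.flags))}] {classify(pkt)}")
```

Running it shows "request" and "response" permitted by all three lists, "sport80" and "lowdport" slipping through the loose list, and only the "established" list refusing the SYN sourced from port 80. Note that "established" is still stateless: it only looks at the ACK/RST bits of each segment, so it is a cheap check against this particular trick, not a substitute for a stateful inspection (CBAC/ZBF) policy.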