access-list question

Answered Question
Mar 26th, 2008

I want to configure a route map that will forward all 172.23.0.0 traffic out a particular interface. Which ACL will cover all of the 172.23.0.0 traffic?

access-list 122 permit tcp 172.23.0.0 0.0.255.255 10.0.0.0 eq any

access-list 122 permit ip 172.23.0.0 0.0.255.255 10.0.0.0

thanks for the help.


Overall Rating: 5 (1 ratings)
Jon Marshall Wed, 03/26/2008 - 15:26
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi

If you want all traffic from 172.23.0.0/16 to 10.0.0.0 then use your second line, but you need a subnet mask for 10.0.0.0, i.e.

access-list 122 permit ip 172.23.0.0 0.0.255.255 10.0.0.0 0.0.0.255

or do you just want all TCP ports?

HTH

Jon


bsudol79p Wed, 03/26/2008 - 15:35

I want the ACL to cover all traffic from 172.23.0.0, so I am kind of confused about what the difference is between using ip and tcp in this case. If I choose access-list 122 permit tcp 172.23.0.0 0.0.255.255 10.0.0.0 0.0.0.255 eq any, won't that be the same as

access-list 122 permit ip 172.23.0.0 0.0.255.255 10.0.0.0 0.0.0.255

Correct Answer
Jon Marshall Wed, 03/26/2008 - 15:42
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

No it won't, because you also have UDP ports, ICMP traffic etc. that are not covered by TCP. So if you want all traffic use "permit ip".

Also I meant to ask last time, do you want to do PBR for

all traffic from 172.23.0.0 0.0.255.255 to 10.0.0.0

or

all traffic from 172.23.0.0 0.0.255.255 to any IP address. If this one you need to modify your access-list

access-list 122 permit ip 172.23.0.0 0.0.255.255 any

HTH

Jon

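As an added illustration of Jon's point above (example code written for this page, not something posted in the thread), the following Python script parses the numbered extended ACL entries quoted in the discussion into (network, wildcard) pairs and evaluates sample flows against them. It assumes Cisco IOS wildcard-mask semantics (a 1 bit means "don't care"), uses 10.0.0.0 0.0.0.255 as the destination as in the replies above, and treats port qualifiers such as `eq` as out of scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple
@dataclass
class Ace:
    action: str    # "permit" or "deny"
    protocol: str  # "ip", "tcp", "udp", "icmp", ...
    src: Tuple[int, int]  # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]

def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec: 'any' or 'A.B.C.D WILDCARD' (host keyword omitted)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF  # every bit is don't-care
    if not tokens:
        raise ValueError(f"{tok} has no wildcard mask")  # e.g. a bare '10.0.0.0'
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line: str) -> Ace:
    """Parse a numbered extended ACL entry; trailing tokens such as 'eq 80' are ignored."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    rest = tokens[4:]
    src, dst = _parse_addr(rest), _parse_addr(rest)  # evaluated left to right: source first
    return Ace(tokens[2], tokens[3], src, dst)

def is_valid_ace(line: str) -> bool:
    try:
        return parse_ace(line) is not None
    except ValueError:  # covers malformed addresses too (AddressValueError subclasses it)
        return False

def _wc_match(addr: int, spec: Tuple[int, int]) -> bool:
    """Cisco wildcard semantics: 1 bits in the mask are ignored, 0 bits must match."""
    network, wildcard = spec
    return (addr | wildcard) == (network | wildcard)

def acl_action(acl: List[Ace], protocol: str, src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace.protocol in ("ip", protocol) and _wc_match(s, ace.src) and _wc_match(d, ace.dst):
            return ace.action
    return "deny"
# Constructed sample ACLs, one per variant discussed in the thread.
TCP_ONLY = [parse_ace("access-list 122 permit tcp 172.23.0.0 0.0.255.255 10.0.0.0 0.0.0.255")]
ALL_IP = [parse_ace("access-list 122 permit ip 172.23.0.0 0.0.255.255 10.0.0.0 0.0.0.255")]
TO_ANY = [parse_ace("access-list 122 permit ip 172.23.0.0 0.0.255.255 any")]
```

Running `acl_action(TCP_ONLY, "udp", "172.23.5.5", "10.0.0.7")` returns "deny" while the same flow against ALL_IP returns "permit", which is exactly the UDP/ICMP gap Jon describes; a destination with no wildcard mask fails to parse at all.
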
bsudol79p Wed, 03/26/2008 - 15:44

I just wanted to cover the 172.23.0.0 255.255.0.0 to 10.0.0.0 and not to any. Thanks for your help!!!!
