ACL

Answered Question
Mar 13th, 2009

Hi,

According to the config, I have two questions about the ACL:

1. The ACL in group C should be invalid, shouldn't it? The local traffic should not pass through the router.

2. For group E, what is the router behavior if the setting is "gt 1023"? Does the router change the port to 1024 for the 1st session, 1025 for the 2nd session, 1026 for the 3rd session, and so on?

rdgs

R1

interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 192.168.14.1 255.255.255.0
!
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 ip access-group 153 out
 speed 100
 full-duplex
! group A
access-list 153 permit tcp 192.168.102.0 0.0.0.255 host 192.168.3.121
access-list 153 permit udp host 192.168.1.49 eq syslog host 192.168.2.121 gt 1023
access-list 153 permit tcp host 192.168.14.211 host 192.168.2.121
access-list 153 permit tcp host 192.168.15.221 host 192.168.3.121
! group B
access-list 153 permit tcp 192.168.0.0 0.0.255.255 gt 1023 host 192.168.2.121 eq 6400
access-list 153 permit tcp 192.168.0.0 0.0.255.255 eq 6400 host 192.168.2.121 gt 1023
! group C
access-list 153 permit tcp host 192.168.2.24 gt 1023 host 192.168.2.121 eq 6400
access-list 153 permit tcp host 192.168.2.24 eq 6400 host 192.168.2.121 gt 1023
! group D
access-list 153 permit tcp host 192.168.3.24 gt 1023 host 192.168.2.121 eq 6400
! group E
access-list 153 permit tcp host 192.168.3.24 eq 6400 host 192.168.2.121 gt 1023
! group F
access-list 153 permit tcp host 192.168.5.26 gt 1023 host 192.168.2.121 eq 6400
access-list 153 permit tcp host 192.168.5.26 eq 6400 host 192.168.2.121 gt 1023
access-list 153 permit tcp host 192.168.5.26 gt 1023 host 192.168.3.121 eq 6400
access-list 153 permit tcp host 192.168.5.26 eq 6400 host 192.168.3.121 gt 1023
access-list 153 permit tcp host 192.168.5.28 gt 1023 host 192.168.2.121 eq 6400

Correct Answer by Istvan_Rabai about 7 years 10 months ago

Hi Anita,

Group C:

In normal circumstances these types of packets do not cross the router.

This traffic is sourced on the 192.168.2.0/24 subnet and destined to the same subnet. So hosts on this subnet will speak to each other directly without passing through the router.

Group E:

gt 1023 means the ACL allows packets with destination port numbers greater than 1023.

It allows 1024, 1025, 1026, etc., but disallows 1023, 1022, 1021, etc.

Cheers:

Istvan
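A worked illustration of both points in the answer above, as an added example that is not part of this thread or of Cisco IOS: a small Python evaluator that applies IOS first-match and implicit-deny semantics to the group C and group E entries against constructed packets, plus a helper that models why a same-subnet packet never transits the router and so never reaches the outbound ACL on FastEthernet1/0. The connected subnets and ACL lines are copied from the config in the question; the port-keyword table and the packet values are constructed.

```python
import ipaddress

# Constructed for this example: the connected subnets and groups C and E of
# access-list 153, copied from the config in the question.
CONNECTED = [ipaddress.ip_network(n) for n in
             ("192.168.1.0/24", "192.168.14.0/24", "192.168.101.0/24", "192.168.2.0/24")]
ACL_153 = [
    "access-list 153 permit tcp host 192.168.2.24 gt 1023 host 192.168.2.121 eq 6400",
    "access-list 153 permit tcp host 192.168.2.24 eq 6400 host 192.168.2.121 gt 1023",
    "access-list 153 permit tcp host 192.168.3.24 gt 1023 host 192.168.2.121 eq 6400",
    "access-list 153 permit tcp host 192.168.3.24 eq 6400 host 192.168.2.121 gt 1023",
]
PORT_NAMES = {"syslog": 514}  # IOS port keywords (constructed subset)

def _addr(tok):
    """Consume 'host A' or 'A WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "host":
        return (int(ipaddress.ip_address(tok[1])), 0), tok[2:]
    return (int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1]))), tok[2:]

def _port(tok):
    """Consume an optional 'eq N' / 'gt N' / 'lt N' port operator."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        return (tok[0], PORT_NAMES.get(tok[1]) or int(tok[1])), tok[2:]
    return None, tok

def parse_ace(line):
    t = line.split()  # access-list <n> <action> <proto> <src> [op port] <dst> [op port]
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _addr(rest); sport, rest = _port(rest)
    dst, rest = _addr(rest); dport, rest = _port(rest)
    return action, proto, src, sport, dst, dport

def _addr_ok(spec, ip):
    base, wild = spec  # a set wildcard bit means "don't care"
    return (int(ipaddress.ip_address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def _port_ok(cond, port):
    return cond is None or {"eq": port == cond[1], "gt": port > cond[1], "lt": port < cond[1]}[cond[0]]

def evaluate(acl, proto, src, sport, dst, dport):
    """IOS semantics: first matching entry wins; no match means the implicit deny."""
    for action, p, s, sp, d, dp in map(parse_ace, acl):
        if p in (proto, "ip") and _addr_ok(s, src) and _port_ok(sp, sport) \
                and _addr_ok(d, dst) and _port_ok(dp, dport):
            return action
    return "deny"

def forwarded(src, dst):
    # Group C: two hosts on one connected subnet talk directly; the router never forwards.
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(a in n and b in n for n in CONNECTED)
```

The group C entries are syntactically valid and would match if such a packet ever arrived, but `forwarded()` shows the router is not in the path, so the entries are simply never consulted.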
