Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16284
Views
10
Helpful
2
Replies

ACL'S IP, TCP

Go to solution
gurkamal01
Level 1
Level 1

‎09-12-2010 05:06 PM - edited ‎03-11-2019 11:39 AM

Hi there,

Please excuse me for this simple  question

I am confused about extended ACLS when we use  (permit|deny) for Protocol IP,TCP,UDP on an access list

I have 2 Examples below

1.  access-list 102 permit tcp  any  192.168.10.10

                           OR

      access-list 102 permit ip any 192.168.10.10

2.   access-list 103 deny tcp  any  192.168.20.10

                              OR

      access-list 103 deny ip any 192.168.20.10

Q1.  In example 1 i am permiting TCP and IP protocol from any to 192.168.10.10

       My Question what  is difference does it make if we either use TCP or IP in a permit acccess-list ie ( what is the meaning of using IP or TCP) and what impact        does it have?

Q2 Same goes for the access-list 103  what is difference in using TCP or IP in Deny statement and waht impact does it have?


Q3. If  iwant to block or permit traddic through access-list should i use IP or TCP in the Protocol field of access-list

My confusion is about IP,TCP and UDP

Please Help

I will appreciate any response

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎09-12-2010 05:15 PM

Everything is included under IP.

TCP, UDP, ICMP for examples are all under IP.

Q1. If you configure IP, that would already include TCP, hence, you do not need to configure TCP anymore if you already configure IP.

Q2. "deny tcp" will only deny TCP protocol, eg: telnet, smtp, http, while "deny IP" will include everything (TCP, UDP, ICMP proctocol), eg: telnet, smtp, http, dns, icmp, snmp, etc.

Q3. If you would like to deny everything, you should use "IP" instead of "TCP" only.

Hope that helps.

View solution in original post

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎09-12-2010 06:19 PM

I believe that the answer from Halijenn is good and thought that a small example might help to clarify.With this access list line:

access-list 102 permit tcp  any  192.168.10.10

if you attempt to telnet to 192.168.10.10 it would be permitted but if you attempt to tftp that address it would be denied. Telnet is TCP port 23 and so is permitted but tftp uses UDP and so is not permitted. If you change the line to:

access-list 102 permit ip  any  192.168.10.10

then both telnet and tftp would be permitted.

And the same concept works in your example with access-list 103. If the deny statement specifies TCP then only TCP traffic is affected (but not UDP or ICMP or other types of IP traffic).

HTH

Rick

HTH

Rick

View solution in original post

2 Replies 2

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎09-12-2010 05:15 PM

Everything is included under IP.

TCP, UDP, ICMP for examples are all under IP.

Q1. If you configure IP, that would already include TCP, hence, you do not need to configure TCP anymore if you already configure IP.

Q2. "deny tcp" will only deny TCP protocol, eg: telnet, smtp, http, while "deny IP" will include everything (TCP, UDP, ICMP proctocol), eg: telnet, smtp, http, dns, icmp, snmp, etc.

Q3. If you would like to deny everything, you should use "IP" instead of "TCP" only.

Hope that helps.

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎09-12-2010 06:19 PM

I believe that the answer from Halijenn is good and thought that a small example might help to clarify.With this access list line:

access-list 102 permit tcp  any  192.168.10.10

if you attempt to telnet to 192.168.10.10 it would be permitted but if you attempt to tftp that address it would be denied. Telnet is TCP port 23 and so is permitted but tftp uses UDP and so is not permitted. If you change the line to:

access-list 102 permit ip  any  192.168.10.10

then both telnet and tftp would be permitted.

And the same concept works in your example with access-list 103. If the deny statement specifies TCP then only TCP traffic is affected (but not UDP or ICMP or other types of IP traffic).

HTH

Rick

HTH

Rick
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card