Re: Access-list

abbas.ali · ‎03-04-2003

Will these two commands will have same outcome or different:

For example, if I were to permit tftp traffic both ways, I could do

access-list 100 permit udp any any eq tftp or

access-list 100 permit udp any eq tftp any

Will these function differently or same?

Thanks,

gfullage · ‎03-04-2003

> access-list 100 permit udp any any eq tftp

The above implies that the destination port in the UDP packet is tftp (69).

> access-list 100 permit udp any eq tftp any

The above command implies that the source port in the UDP packet is tftp (69).

These two commands do different things. Depending on which direction (inbound or outbound) the access-list is applied on the interface, there will either allow the originating TTP packets, or they'll allow the response TFTP packets.

Slowmo · ‎03-11-2003

Is the syntax for the second example valid? I thought extended access list syntax was :

access-list # permit/deny protocol source add mask destination add mask operand port

The second example puts the destonation add. at the end of the command, is this vaild?

gfullage · ‎03-11-2003

The format of the ACL command is as follows:

acl # permit/deny prot

so

access-list 101 permit udp any eq tftp any

means the source port of the packet is tftp. By putting the "eq tftp" at the end of the line you're indicating this is the destination port in the packet. You can specify either or both or neither if you like, it depends on whether the packet you want to inspect is the initiator or the responder.