Cisco Support Community

New Member

Access-list

Will these two commands have the same outcome or a different one:

For example, if I were to permit tftp traffic both ways, I could do

access-list 100 permit udp any any eq tftp or

access-list 100 permit udp any eq tftp any

Will these function differently or same?

Thanks,

3 REPLIES
Cisco Employee

Re: Access-list

> access-list 100 permit udp any any eq tftp

The above implies that the destination port in the UDP packet is tftp (69).

> access-list 100 permit udp any eq tftp any

The above command implies that the source port in the UDP packet is tftp (69).

These two commands do different things. Depending on which direction (inbound or outbound) the access-list is applied on the interface, they will either allow the originating TFTP packets, or they'll allow the response TFTP packets.

New Member

Re: Access-list

Is the syntax for the second example valid? I thought extended access list syntax was :

access-list # permit/deny protocol source add mask destination add mask operand port

The second example puts the destination add. at the end of the command; is this valid?

Cisco Employee

Re: Access-list

The format of the ACL command is as follows:

acl # permit/deny prot

so

access-list 101 permit udp any eq tftp any

means the source port of the packet is tftp. By putting the "eq tftp" at the end of the line you're indicating this is the destination port in the packet. You can specify either or both or neither if you like, it depends on whether the packet you want to inspect is the initiator or the responder.
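
To make the source-port versus destination-port distinction concrete, here is an added example (not from the thread or from Cisco) of a small Python model of IOS numbered extended ACL entries. It parses both access-list lines from the thread and evaluates them against constructed sample packets: a TFTP read request, the server's reply, and a probe from an attacker who deliberately sets source port 69. Two caveats for practitioners that the thread does not spell out: a real TFTP server answers from a freshly chosen port (the transfer ID of RFC 1350), not from port 69, so "any eq tftp any" does not match the genuine reply; and a source port is chosen by the sender, so an entry that permits "any eq tftp any" lets any host reach any UDP port on the inside simply by sourcing from 69. For UDP return traffic a reflexive or stateful mechanism is the appropriate tool, not a source-port match. The address parsing, the port-name table and the packet values below are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the port keywords IOS accepts in place of a number (constructed for this example).
PORT_NAMES = {"tftp": 69, "domain": 53, "ntp": 123, "snmp": 161, "syslog": 514, "bootps": 67}

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers; wildcard 1-bits are "don't care"


@dataclass
class Ace:
    number: int
    action: str
    proto: str
    src: AddrSpec
    src_port: Optional[int]   # from an "eq" that follows the SOURCE address
    dst: AddrSpec
    dst_port: Optional[int]   # from an "eq" that follows the DESTINATION address


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr_spec(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _opt_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' (the subset used in the thread)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    src, i = _addr_spec(t, 4)
    src_port, i = _opt_port(t, i)   # "eq" immediately after the source address -> source port
    dst, i = _addr_spec(t, i)
    dst_port, i = _opt_port(t, i)   # "eq" after the destination address -> destination port
    if i != len(t):
        raise ValueError(f"unparsed tokens: {t[i:]}")
    return Ace(number, action, proto, src, src_port, dst, dst_port)


def _addr_match(spec: AddrSpec, ip: str) -> bool:
    addr, wild = spec
    return (_ip(ip) & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in (pkt.proto, "ip")
            and _addr_match(ace.src, pkt.src_ip)
            and (ace.src_port is None or ace.src_port == pkt.src_port)
            and _addr_match(ace.dst, pkt.dst_ip)
            and (ace.dst_port is None or ace.dst_port == pkt.dst_port))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


# The two entries from the thread, plus constructed sample packets (addresses are documentation ranges).
DST_PORT_ACE = parse_ace("access-list 100 permit udp any any eq tftp")   # destination port must be 69
SRC_PORT_ACE = parse_ace("access-list 100 permit udp any eq tftp any")   # source port must be 69
TFTP_REQUEST = Packet("udp", "10.0.0.5", 49152, "192.0.2.10", 69)        # client read request to the server
TFTP_DATA = Packet("udp", "192.0.2.10", 3456, "10.0.0.5", 49152)         # server answers from a new TID (RFC 1350), not 69
SPOOFED_SCAN = Packet("udp", "198.51.100.7", 69, "10.0.0.5", 161)        # attacker sources from 69 to reach SNMP


def demo() -> dict:
    """Which of the two entries matches each sample packet: {name: (by 'any any eq tftp', by 'any eq tftp any')}."""
    return {name: (ace_matches(DST_PORT_ACE, p), ace_matches(SRC_PORT_ACE, p))
            for name, p in [("request", TFTP_REQUEST), ("data", TFTP_DATA), ("spoofed", SPOOFED_SCAN)]}


if __name__ == "__main__":
    for name, (by_dst, by_src) in demo().items():
        print(f"{name:8s} 'any any eq tftp' -> {by_dst!s:5s}  'any eq tftp any' -> {by_src}")
```

Running it shows that the destination-port entry matches only the client's request, the source-port entry matches neither the request nor the server's real reply, and the source-port entry is the only one that lets the spoofed probe through to UDP/161.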
