Cisco Support Community

New Member

Access list question

Hi seniors, preparing for CCNA. I cannot differentiate exactly what the difference is between the two statements below:

1.deny 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80

2.deny 172.16.16.0 0.0.0.255 eq 80 172.17.17.252 0.0.0.0

In what situation will the second one be used? Thanks for guidance. Tahir

10 REPLIES
New Member

Re: Access list question

The first statement denies traffic from 172.16.16.0/24 to anywhere port 80

The second statement denies traffic from 172.16.16.0/24 port 80 to anywhere

The first statement would block all traffic to any website on port 80 from 172.16.16.0/24 because of the 0.0.0.0 wildcard mask which matches everything.

The second would block any return traffic from a website running on port 80 on network 172.16.16.0/24.

I am not sure what the intended application of those commands is, because I would use the "any" keyword instead of an IP and a 0.0.0.0 wildcard mask.

However I could be missing something.

Blue

Re: Access list question

Mr. Tahir:

deny 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80

denies http traffic to web server 172.17.17.252 from network 172.16.16.0

deny 172.16.16.0 0.0.0.255 eq 80 172.17.17.252 0.0.0.0

denies http traffic from network 172.16.16.0 to host 172.17.17.252

This second one doesn't really make sense. Typically, you will have web traffic coming from users on a network with a TCP port greater than 1024 and destined for the web server on TCP port 80 (http)...just like the first statement.

Also, with wildcard masks, 0.0.0.0 means a perfect match must be met. You can substitute that with the "host" keyword.

Example:

deny 172.16.16.0 0.0.0.255 host 172.17.17.252 eq 80

Tahir, there is really no mystery to access lists. There is a certain format that you must know so that you can understand what they are doing.

You will be best served by reading a good CCNA book and doing a lot of practice questions. I would recommend a CCNA Study Guide by Richard Deal. His is excellent.

Good luck.

If I have helped you, please rate my post.

Thanks

Victor

Hall of Fame Super Silver

Re: Access list question

Sohail

I like the explanation that Victor gives. But let me supplement it by explaining from a slightly different perspective:

the essential difference between the two statements is that in the first the port 80 (HTTP or WWW) is the source port and in the second statement port 80 is the destination port.

This would correspond to the direction of the traffic. The first statement where port 80 is the source would represent traffic from the web server back to the station that originated it. The second statement where port 80 is the destination represents traffic from some source to the web server.

HTH

Rick

New Member

Re: Access list question

Yes that is true, I got confused when I wrote my reply. Sorry.

Blue

Re: Access list question

Rick:

"the essential difference between the two statements is that in the first the port 80 (HTTP or WWW) is the source port and in the second statement port 80 is the destination port."

You got it backwards.

In the first statement:

deny 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80

Port 80 is the destination port, not the source. And it's the reverse for the second statement.

The format for a TCP extended access list is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]

{deny | permit} tcp source source-wildcard [operator [port]]

destination destination-wildcard [operator [port]] [established]

[precedence precedence] [tos tos] [log | log-input]

[time-range time-range-name]

So, the access list...

access-list 101 deny tcp 172.16.16.0 0.0.0.255 gt 1024 host 172.17.17.252 eq 80

...denies TCP traffic sourced from network 172.16.16.0, whose users have source ports greater than 1024 (this is done automatically by TCP and is expected, of course, since TCP ports less than 1024 are for "known" applications [www, smtp, etc] and reserved) and whose destination traffic is headed for a web server whose http application uses port 80.
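As an added example (not from any poster in this thread), here is a small Python evaluator for the two statements in the question plus the "host" / "gt 1024" form Victor gives above; it runs three constructed packets through them to show Rick's point about which direction of an HTTP flow each entry matches. The parser, the packet dictionaries and the sample addresses are assumptions made for illustration, not Cisco's own matching code.

```python
import ipaddress

# Added example, not from the thread: a toy evaluator for extended-ACL
# entries of the form 'deny [tcp] SRC SRC-WC [op P] DST DST-WC [op P]'.
OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def parse_ace(text):
    """Split one ACE into source/destination address, wildcard and port test."""
    tok = text.split()
    action = tok.pop(0)
    if tok[0] == "tcp":          # protocol keyword is optional in this toy parser
        tok.pop(0)
    def take_addr():
        if tok[0] == "host":     # 'host X' is shorthand for 'X 0.0.0.0'
            tok.pop(0)
            return tok.pop(0), "0.0.0.0"
        return tok.pop(0), tok.pop(0)
    def take_port():
        if tok and tok[0] in OPS:
            return tok.pop(0), int(tok.pop(0))
        return None              # no port test: any port matches
    src, src_wc = take_addr(); sport = take_port()
    dst, dst_wc = take_addr(); dport = take_port()
    return {"action": action, "src": src, "src_wc": src_wc, "sport": sport,
            "dst": dst, "dst_wc": dst_wc, "dport": dport}

def addr_match(addr, wc, ip):
    """Wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, w, p = (int(ipaddress.ip_address(x)) for x in (addr, wc, ip))
    return (a | w) == (p | w)

def port_match(test, port):
    return test is None or OPS[test[0]](port, test[1])

def matches(ace, pkt):
    return (addr_match(ace["src"], ace["src_wc"], pkt["src"])
            and port_match(ace["sport"], pkt["sport"])
            and addr_match(ace["dst"], ace["dst_wc"], pkt["dst"])
            and port_match(ace["dport"], pkt["dport"]))

# Statements 1 and 2 from the question, plus Victor's 'host' / 'gt 1024' form.
ACE1 = parse_ace("deny 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80")
ACE2 = parse_ace("deny 172.16.16.0 0.0.0.255 eq 80 172.17.17.252 0.0.0.0")
ACE_HOST = parse_ace("deny tcp 172.16.16.0 0.0.0.255 gt 1024 host 172.17.17.252 eq 80")

# Constructed packets: a LAN client's request to the web server, the server's
# reply, and a reply from a web server that happens to sit on the LAN itself.
REQUEST = {"src": "172.16.16.10", "sport": 40000, "dst": "172.17.17.252", "dport": 80}
REPLY = {"src": "172.17.17.252", "sport": 80, "dst": "172.16.16.10", "dport": 40000}
LAN_SERVER_REPLY = {"src": "172.16.16.5", "sport": 80, "dst": "172.17.17.252", "dport": 40000}
```

Statement 1 matches only the client's request (port 80 is the destination), while statement 2 matches neither direction of a normal browsing session; it only fires for a web server inside 172.16.16.0/24 answering 172.17.17.252.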

Hall of Fame Super Silver

Re: Access list question

Victor is correct. I did have it backward. I was focused on the concept of source port and destination port and got the detail backwards. My apologies.

HTH

Rick

Blue

Re: Access list question

No biggie, Rick. Coming from you, I'm sure it's a result of insufficient coffee this morning. Have a cup on me. :-) I just wanted to point it out so that Tahir doesn't get confused.

Hall of Fame Super Silver

Re: Access list question

Victor

I appreciate that it is no biggie.

It is one of the really good things about the forum that we have many sharp people reading the posts and responses and able to point out when something is said that is potentially misleading. Thanks to you for catching my goof. (drinking that cup of coffee as I type)

HTH

Rick

New Member

Re: Access list question

Thanks seniors, you all really cleared up my concept of ACLs.

Regards,

Super Bronze

Re: Access list question

As a sidebar, (if I remember correctly) Cisco ACLs sometimes can use, or will use, symbolics for some of the well known ports. So you might see, or might be able to enter, for example, WWW instead of 80 for the port value.
