maine dude wrote:
> 
> Please help... In the example:
> 
> access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
> access-list 101 permit ip any any
> 
> Do the terms "tcp" and "ip" refer to the individual protocols or the stack?

They refer to the protocols. Don't worry too much about "the stack." The
TCP/IP stack is just as elusive and harmful to learning as the OSI stack.
(Just kidding. I think they are good for learning, actually, but you have to
go beyond them, as you know.)

> I assume they refer to the individual protocols as you could substitute
> them with "udp" or "icmp", but then surely the last statement would allow
> only the individual "ip" protocol and therefore all other packets such as
> tcp, udp, icmp would be filtered. Or does tcp, udp, icmp get through
> because it is encapsulated in ip? (I hate the OSI model) -DJ

The statement at the end (access-list 101 permit ip any any) is to avoid
problems with the implicit deny at the end of every access list. If you
don't put something like that, everything will be denied as soon as you have
any access list.

The good news is that you don't really have to be specific in that final
statement if you don't want to be. You don't have to specify any IP
addresses and you don't have to specify anything above IP. The other good
news is that essentially everything (except ARP and IS-IS) in an IP network
runs above IP.

When you want to be more specific then you'll have to know things like the
following info.

The following protocols run directly above IP

Protocol Protocol Number in Decimal
ICMP     1
IGMP     2
IP       4 (IP-in-IP tunneling) 
TCP      6
IGRP     9
UDP      17
GRE      47
ESP      50
AH       51
EIGRP    88
OSPF     89

The following protocols run above TCP

Service  Port Number in Decimal
FTP      21 for control, 20 for data
Telnet   23
SMTP     25
DNS      53*
Gopher   70
Finger   79
HTTP     80
POP      110
NNTP     119
NetBIOS  139* (Session)
BGP      179
LDAP     389
SSL      443
NCP      524*
AFP      548
* DNS uses TCP for large transfers, but otherwise uses UDP.
* NCP and NetBIOS also use UDP for some purposes

The following protocols use UDP:

Service  Port Number in Decimal
DNS      53
DHCP     67 for the DHCP server, 68 for the DHCP client
TFTP     69
RPC      111
NetBIOS  138 (Datagram)
SNMP     161
AURP     387
SLP      427
RIP      520
NCP      524

One place to go to learn protocol types and port numbers is the Internet
Assigned Numbers Authority documents. Unfortunately, they tend to list every
protocol as using TCP and UDP, since theoretically they could. So it takes
experience to learn which one is really used in the real world. (Experience
or reading my books! ;-) The IANA documents are here:

http://www.iana.org

And it also takes experience to learn about the protocols that "misbehave"
in various ways. FTP is especially ugly. There's more info on FTP here:

http://www.troubleshootingnetworks.com/ftpinfo.html

TFTP is almost impossible to permit, although possible to deny. This is
because only the first packet uses a well-known port number (69). After that
the packets go to and come from non well-known port numbers, meaning that
you can't do a good permit access list. Deny works because TFTP won't work
if you deny the first packet, which does use the well-known port number. I'll
have to do a white paper on that too, at some point!

That's all for now! Good luck. Try to see it as fun, not frustrating!

Priscilla Oppenheimer
http://www.priscilla.com
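The following is an added example, not code from the list post or from Priscilla: a small Python model of how an IOS extended access list is evaluated, written to make the points above concrete. It parses the two lines quoted in the question, applies the wildcard mask, treats the "ip" keyword as matching every protocol number (so TCP, UDP and ICMP all fall through to "permit ip any any"), applies the implicit deny when no entry matches, and shows why a permit that names only TFTP's port 69 catches the first packet and nothing after it. The Cisco port keyword spellings in PORT_NAMES, the 172.16.1.9 TFTP server address and all sample packets are constructed for the example; this is a teaching model of the matching rules, not the router's own implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol numbers and well-known ports from the tables in the reply; the Cisco
# keyword spellings ("domain", "www", "pop3") are assumed, not taken from the post.
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47,
                 "esp": 50, "ah": 51, "eigrp": 88, "ospf": 89}
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
              "tftp": 69, "www": 80, "pop3": 110, "snmp": 161, "bgp": 179}

@dataclass
class Packet:
    proto: int                  # IP protocol number: the field the "tcp"/"udp"/"icmp" keywords test
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol number; others match exactly one
    src: tuple                  # (address, wildcard) as 32-bit ints
    dst: tuple
    sport: Optional[int] = None
    dport: Optional[int] = None

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def parse_ace(line: str) -> Ace:
    """Parse: access-list <n> <permit|deny> <proto> <src> [eq P] <dst> [eq P]"""
    tok = line.split()
    assert tok[0] == "access-list", line
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    sport = dport = None
    if i < len(tok) and tok[i] == "eq":
        sport, i = (PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])), i + 2
    dst, i = _parse_addr(tok, i)
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, sport, dport)

def wildcard_match(addr: str, spec) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    # "ip" matches TCP, UDP, ICMP and the rest because all of them are carried inside IP
    if ace.proto != "ip" and PROTO_NUMBERS[ace.proto] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    return ace.dport is None or pkt.dport == ace.dport

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The two lines quoted in the question, parsed as written.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 permit ip any any")]
# A permit that names only TFTP's well-known port (server address is a constructed value).
ACL_TFTP = [parse_ace("access-list 102 permit udp any host 172.16.1.9 eq tftp")]

# Constructed sample packets (protocol number, src, dst, sport, dport).
FTP_FROM_3_10 = Packet(6, "172.16.3.10", "172.16.1.5", 40001, 21)
HTTP_FROM_3_10 = Packet(6, "172.16.3.10", "172.16.1.5", 40002, 80)
DNS_QUERY = Packet(17, "10.0.0.1", "172.16.1.5", 40003, 53)
PING = Packet(1, "10.0.0.1", "172.16.1.5")
TFTP_FIRST = Packet(17, "10.0.0.2", "172.16.1.9", 50000, 69)     # the only packet sent to port 69
TFTP_LATER = Packet(17, "10.0.0.2", "172.16.1.9", 50000, 49152)  # the rest go to the server's chosen port

def demo() -> dict:
    return {
        "ftp_from_3_10": evaluate(ACL_101, FTP_FROM_3_10),             # deny: matched by line 1
        "http_from_3_10": evaluate(ACL_101, HTTP_FROM_3_10),           # permit: port differs, line 2 catches it
        "dns_query": evaluate(ACL_101, DNS_QUERY),                     # permit: "ip" covers UDP
        "ping": evaluate(ACL_101, PING),                               # permit: "ip" covers ICMP
        "http_without_line_2": evaluate(ACL_101[:1], HTTP_FROM_3_10),  # deny: implicit deny at the end
        "tftp_first_packet": evaluate(ACL_TFTP, TFTP_FIRST),           # permit: well-known port 69
        "tftp_later_packet": evaluate(ACL_TFTP, TFTP_LATER),           # deny: ephemeral port never matches 69
    }
```

Running demo() shows the asymmetry the reply describes: dropping "permit ip any any" turns every unmatched packet into a deny, and the TFTP permit admits the request but not the data exchange that follows, which is why a deny on port 69 is effective while a permit on it is not.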







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51242&t=51235