Access-lists?

By it_amaan ·

This is my first post.
I need some details regarding access-lists, in particular the protocol parameter.
In some cases, for denying a host, it is used as ip, while in other cases it is tcp/udp.
What must actually be used for denying a host and a network?

Also, see the lists below:

access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log

Please explain the port numbers used here.


All Answers

by Fregeus, in reply to Access-lists?

I'm sorry, but I don't understand the question. Can you rephrase?



Only use the any statement

by CG IT, in reply to Access-lists?

which will deny any host.

If you want to allow specific traffic or deny specific traffic, then you use different parameters to allow or deny, such as TCP or UDP and the types of TCP or UDP traffic.

In your access-list statement, because you use eq [equals], traffic that equals your parameter (netbios-ns, with log) means that only UDP traffic on port 137 will be denied.

Your other deny statement is for NetBIOS datagrams over port 138.

BUT!! There is an inherent deny statement at the end of access lists. That means that unless allowed, all traffic is denied. So if you invoke an access list, there is a deny statement at the end even if you don't manually put it in there. So when invoking an access-list, you have to create allow statements or the inherent deny statement comes into play.

This is the opposite of the behavior seen in consumer-level routers, where the inherent access-list statement is allow unless denied.


Yes, right

by Mohammad Oweis, in reply to Only use the any statement

Very clear explanation, but one more addition:
You can use ip instead of tcp or udp to allow or deny all ports, like:
access-list 101 permit ip any any
You can put this at the end of the ACL to allow all other IP traffic.
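To make the two answers above concrete (first match wins, the implicit deny at the end, and ip versus tcp/udp as the protocol keyword), here is an added example that is not code from the thread: a small Python simulator of Cisco IOS numbered extended ACL evaluation. It parses the posted ACL 101 lines plus a constructed ACL 102 that answers the original host-versus-network question, and runs constructed packets through them. The ACL 102 lines, the sample packets and the addresses in them are assumptions made for the demonstration; the port numbers (netbios-ns 137, netbios-dgm 138) are the real IOS values.

```python
"""Simulator of Cisco IOS numbered extended ACL evaluation: entries are checked
top to bottom, the first match decides, and an unmatched packet hits the
implicit "deny ip any any" at the end.  Added example, not code from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names IOS accepts after "eq" (subset sufficient for this thread).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
              "domain": 53, "www": 80, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    acl: str
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every transport; "tcp"/"udp" only that one
    src: Tuple[int, int]            # (network, wildcard mask) as 32-bit integers
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]
    log: bool


def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # wildcard all-ones: every bit is "don't care"
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2   # wildcard 0: exact match
    net = int(ipaddress.IPv4Address(t[i]))
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    return (net, wildcard), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <name-or-number>' at t[i]; IOS allows it after src and after dst."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> ACE:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    acl, action, proto = t[1], t[2], t[3]
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return ACE(acl, action, proto, src, dst, sport, dport, i < len(t) and t[i] == "log")


def _in(spec: Tuple[int, int], ip: str) -> bool:
    """Cisco wildcard test: bits that are 0 in the wildcard must equal the network's bits."""
    net, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False                            # "udp" line never sees TCP traffic, and vice versa
    if not _in(ace.src, pkt.src) or not _in(ace.dst, pkt.dst):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, matching line). ("deny", None) means the implicit deny fired."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action, line
    return "deny", None


# ACL 101 exactly as posted in the thread: two deny lines and nothing else.
ACL_101_AS_POSTED = [
    "access-list 101 deny udp any any eq netbios-ns log",
    "access-list 101 deny udp any any eq netbios-dgm log",
]
# The same ACL with the closing permit suggested in the reply above.
ACL_101_WITH_PERMIT = ACL_101_AS_POSTED + ["access-list 101 permit ip any any"]
# Constructed ACL (assumed addresses) for the host-vs-network question: with "ip" as the
# protocol keyword one line blocks the host (or the whole /24) on every transport and port.
ACL_102 = [
    "access-list 102 deny ip host 10.1.1.5 any",
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 102 permit ip any any",
]

if __name__ == "__main__":
    # Constructed sample packets.
    nbns = Packet("udp", "10.1.1.20", "10.1.1.255", 137, 137)   # NetBIOS name service
    dns = Packet("udp", "10.1.1.20", "8.8.8.8", 40000, 53)       # ordinary DNS query
    smb = Packet("tcp", "10.1.1.20", "10.1.1.30", 40001, 139)    # NetBIOS session over TCP
    for label, acl in (("as posted", ACL_101_AS_POSTED), ("with permit", ACL_101_WITH_PERMIT)):
        for p in (nbns, dns, smb):
            print(f"{label:12} {p.proto}/{p.dport:<4} -> {evaluate(acl, p)}")
```

Run it and the "as posted" column shows every packet denied, the NetBIOS ones by the logged lines and the DNS and TCP/139 packets by the implicit deny that CG IT describes; only after the permit ip any any line do the non-NetBIOS packets pass. ACL 102 shows the other half of the original question: a host is written as host A.B.C.D (wildcard 0.0.0.0) and a network as address plus wildcard mask, and ip as the protocol keyword makes the line independent of port or transport.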
