What is the difference between "permit tcp any any eq telnet" and "permit tcp any eq telnet any"?

  • I'm a CCNA student and during a LAB I found that for some rules on an incoming extended ACL using a rule like permit tcp any any eq (protocol) would work fine while on other rules I needed to use the format permit tcp any eq (protocol) any.

    Just wondering what the difference is?

  • permit tcp any any eq <protocol-port>

    Allows any traffic with a destination TCP port == protocol-port

    permit tcp any eq <protocol-port> any

    Allows any traffic with a source TCP port == protocol-port

    Example

    ACLs tend to use fixed ports for the server-side of a client-server connection. Typically, the client connects to a well-known port on a server; when you posted to Stack Exchange, your web-browser (client) connected to the Stack Exchange server on TCP port 80.

                POS1/0        Gi0/0
                  +-----------+
    Internet -----|   Router  |----- Webserver (listening on TCP/80)
                  +-----------+

    So pretend Stack Exchange was applying these ACLs to the router above; they could use this inbound on their POS1/0 interface, because traffic to the Stack Exchange webserver would be going to TCP/80.

    ip access-list extended WEB_in
     permit tcp any any eq 80
     deny ip any any log

    They could apply this outbound on POS1/0, because traffic leaving the Stack Exchange webserver would be sourced from TCP/80.

    ip access-list extended WEB_out
     permit tcp any eq 80 any
     deny ip any any log

    In this example, keep in mind that applying an ACL to "any eq 80" isn't terribly useful; normally you would limit it to specific IP addresses that you want to expose TCP 80 to the internet.

    Also note that ACLs like this are pretty stone-age from a security perspective... Stateful packet inspection is considered the standard approach to securing a network border. In Cisco IOS, you'd use ZBF to get stateful packet inspection.

    Thanks Mike, that was really helpful. I understand that using "any any" is not best practice, I just used it for an example; I would be more specific in my actual ACLs. Thanks again.

    You're most welcome... good luck with your studies
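The following is an added illustration, not code from the thread or from Cisco: a toy evaluator for the subset of extended-ACL syntax used in the answer (permit/deny, ip/tcp, "any", "eq <port>", "log"), run against constructed packets to show which of the two entry forms matches a client request versus a server reply. The ephemeral client port 51514 and the packets themselves are made up; the evaluator also shows why the answer calls these ACLs stateless, since any packet sourced from port 80 matches "any eq 80 any" whether or not a session exists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", ...
    src_port: int
    dst_port: int

def _addr_and_port(tokens, i):
    """Consume an address ('any' only) plus an optional 'eq <port>'; return (port, next index)."""
    if tokens[i] != "any":
        raise ValueError("this toy parser only understands 'any' addresses")
    port, i = None, i + 1
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return port, i

def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq P] <dst> [eq P] [log]'.
    'eq' after the FIRST address is the source port; after the SECOND it is the destination port."""
    action, proto, *rest = line.split()
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    src_port, i = _addr_and_port(rest, 0)
    dst_port, _ = _addr_and_port(rest, i)
    return {"action": action, "proto": proto, "src_port": src_port,
            "dst_port": dst_port, "log": log}

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ace["src_port"] is not None and pkt.src_port != ace["src_port"]:
        return False
    return ace["dst_port"] is None or pkt.dst_port == ace["dst_port"]

def evaluate(acl, pkt):
    """First matching entry wins; unmatched traffic hits the implicit deny, as in IOS."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

WEB_IN = ["permit tcp any any eq 80", "deny ip any any log"]   # inbound on POS1/0
WEB_OUT = ["permit tcp any eq 80 any", "deny ip any any log"]  # outbound on POS1/0

# Constructed sample packets (the ephemeral client port 51514 is made up).
CLIENT_REQUEST = Packet("tcp", src_port=51514, dst_port=80)   # browser -> webserver
SERVER_REPLY = Packet("tcp", src_port=80, dst_port=51514)     # webserver -> browser
UNSOLICITED = Packet("tcp", src_port=80, dst_port=22)         # a stateless ACL can't tell this from a reply
```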

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM