I think it is the normal practice because historically that was the only capability which routers had (filtering on destination ports), and as the IOS became more capable people were either unsure, or reluctant to change their ways. The second example is more secure, and to take it a step further (towards tighter security) I would filter on established too (where appropriate). The gt 1023 refers to the random high-numbered port that a host assigns for the response to any packet sent to a well-known port.

Another observation of your example is that you are filtering on TCP port 53. TCP port 53 is only used for zone transfers between a secondary and a primary DNS server. Normal lookups, the type done by the majority of hosts on the net, use UDP port 53.

Tom

At 10:28 PM 10/30/2000 +0800, GNOME wrote:
>Hi All
>
>Which one of the access-lists is normally used?
>
>Example 1
>---------------
>access-list 102 permit tcp any host 172.16.0.1 eq 80
>access-list 102 permit tcp any host 172.16.0.1 eq 53
>
>
>Example 2
>---------------
>access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
>access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
> (notice the gt 1023)
>
>I saw from most of the books that Example 1 is common. I don't know what is
>the normal practice generally.
>Appreciate if anyone can share with me his/her comments. Thanks a lot.
>
>Regards
>Orion
>[EMAIL PROTECTED]
>
>_________________________________
>FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Tom Pruneau
Trainer Network Operations
GENUITY
3 Van de Graff Drive
Burlington Ma. 01803
24 Hr. Network Operations Center 800-436-8489
If you need to get a hold of me my hours are 7AM-3PM ET Mon-Fri
---------------------------------------------------------------------------
This email is composed of 82% post consumer recycled data bits
---------------------------------------------------------------------------
"Once in a while you get shown the light in the strangest of places if you look at it right"
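An example added here, not code from the list post or from either poster: a small Python evaluator for the reduced ACL syntax quoted above, showing what Example 1, Example 2, and Example 2 with `established` each do to a few constructed packets, including a UDP DNS lookup that none of them permits. The ACE subset, the packet model and the sample packets are assumptions of this example, not IOS behaviour in general.

```python
import re
from dataclasses import dataclass
@dataclass
class Packet:          # constructed packet model: only the fields the ACEs inspect
    proto: str         # "tcp" or "udp"
    dst: str
    sport: int
    dport: int
    ack: bool = False  # TCP ACK (or RST) bit, which the IOS "established" keyword tests

# Assumed subset of extended-ACL syntax: optional source "gt N", a host
# destination, "eq PORT", and an optional trailing "established".
ACE = re.compile(r"access-list \d+ (permit|deny) (tcp|udp) any(?: gt (\d+))?"
                 r" host (\S+) eq (\d+)( established)?$")

def parse_acl(text):   # ACL lines -> tuples; anything outside the subset is rejected
    acl = []
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, gt, dst, dport, est = m.groups()
        acl.append((action, proto, int(gt) if gt else None, dst, int(dport), bool(est)))
    return acl

def evaluate(acl, pkt):  # first matching ACE decides; IOS ends every ACL with an implicit deny
    for action, proto, gt, dst, dport, est in acl:
        if (pkt.proto, pkt.dst, pkt.dport) != (proto, dst, dport):
            continue
        if gt is not None and pkt.sport <= gt:   # "gt 1023": source port must be high
            continue
        if est and not pkt.ack:                  # "established": drop SYN-only packets
            continue
        return action
    return "deny"

EXAMPLE1 = """access-list 102 permit tcp any host 172.16.0.1 eq 80
access-list 102 permit tcp any host 172.16.0.1 eq 53"""
EXAMPLE2 = """access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53"""
EXAMPLE3 = """access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80 established
access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53 established"""

# Constructed packets: client SYN, mid-connection ACK, low source port, UDP DNS query
PACKETS = {
    "syn sport 40000 -> tcp/80": Packet("tcp", "172.16.0.1", 40000, 80),
    "ack sport 40000 -> tcp/80": Packet("tcp", "172.16.0.1", 40000, 80, ack=True),
    "syn sport 80 -> tcp/80":    Packet("tcp", "172.16.0.1", 80, 80),
    "udp sport 5000 -> udp/53":  Packet("udp", "172.16.0.1", 5000, 53),
}
```

Running `evaluate(parse_acl(EXAMPLE2), PACKETS["syn sport 80 -> tcp/80"])` shows the difference the thread is about: Example 1 permits that low-source-port packet, Example 2 denies it, and the `established` variant additionally denies the client's opening SYN.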