Example 1 is most common. Example 2 is a little more picky. Realistically a connection that is sourced to web or DNS should originate on a non-privileged port (>=1024), so this just makes sure of that. I don't go through that kind of intensiveness in my ACLs... I feel that checking the destination port/address is good enough.

Brian

On Mon, 30 Oct 2000, GNOME wrote:

> Hi All
>
> Which one of the access-lists is normally used?
>
> Example 1
> ---------------
> access-list 102 permit tcp any host 172.16.0.1 eq 80
> access-list 102 permit tcp any host 172.16.0.1 eq 53
>
> Example 2
> ---------------
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
> (notice the gt 1023)
>
> I saw from most of the books that Example 1 is common. I don't know what is
> the normal practice generally.
> Appreciate if anyone can share with me his/her comments. Thanks a lot
>
> Regards
> Orion
> [EMAIL PROTECTED]
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

-----------------------------------------------
Brian Feeny, CCNP, CCDP       [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
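To make the difference between the two lists in this thread concrete, the following added example (not code from either poster) evaluates both ACLs against a few constructed TCP packets. It assumes only the `any`/`host` address forms and `eq`/`gt`/`lt` port operators, first-match evaluation, and the implicit deny at the end of a Cisco ACL; the source address 198.51.100.7 and the packet list are made up for the demonstration.

```python
import ipaddress

EXAMPLE_1 = ["access-list 102 permit tcp any host 172.16.0.1 eq 80",
             "access-list 102 permit tcp any host 172.16.0.1 eq 53"]
EXAMPLE_2 = ["access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80",
             "access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53"]
OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def _endpoint(tok):
    # Consume one '<any | host a.b.c.d> [op port]' group from the token list.
    word = tok.pop(0)
    if word not in ("any", "host"):
        raise ValueError("only 'any' and 'host' forms are handled: " + word)
    net = ipaddress.ip_network("0.0.0.0/0" if word == "any" else tok.pop(0) + "/32")
    port = None
    if tok and tok[0] in OPS:
        port = (tok.pop(0), int(tok.pop(0)))
    return net, port

def parse(line):
    """Return (action, source endpoint, destination endpoint) for one entry."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError("unsupported entry: " + line)
    rest = tok[4:]
    return tok[2], _endpoint(rest), _endpoint(rest)

def _hit(endpoint, ip, port):
    net, cond = endpoint
    return ipaddress.ip_address(ip) in net and (cond is None or OPS[cond[0]](port, cond[1]))

def evaluate(acl, src_ip, sport, dst_ip, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, src, dst = parse(line)
        if _hit(src, src_ip, sport) and _hit(dst, dst_ip, dport):
            return action
    return "deny"

# Constructed packets: (source IP, source port, destination IP, destination port)
PACKETS = [("198.51.100.7", 49152, "172.16.0.1", 80), ("198.51.100.7", 53, "172.16.0.1", 53),
           ("198.51.100.7", 1023, "172.16.0.1", 80), ("198.51.100.7", 49152, "172.16.0.1", 25)]

def compare():
    """Verdict of (Example 1, Example 2) for each constructed packet."""
    return [(evaluate(EXAMPLE_1, *p), evaluate(EXAMPLE_2, *p)) for p in PACKETS]

if __name__ == "__main__":
    for pkt, verdicts in zip(PACKETS, compare()):
        print(pkt, "Example 1:", verdicts[0], "| Example 2:", verdicts[1])
```

The two lists agree on ordinary client traffic and on the unlisted port 25; they differ only for packets whose source port is 1023 or lower, which Example 2 drops.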