Re: SMTP access list

2000-07-15 Thread D. J. Jones
Title: SMTP access list



I think you need to have the 3rd line because if you do not, 
then all other traffic will be denied.

  "Shahir Boshra" <[EMAIL PROTECTED]> wrote in
  message news:8khoes$ch4$[EMAIL PROTECTED]...
  Elmer,

  The router applies the first match and neglects
  the remaining lines.
  i.e. in your example, only any traffic from the 3
  mentioned sources & carrying smtp will be allowed. Note that the last
  2 lines are unnecessary, as the implicit deny any will apply in all
  cases.
  To make it clearer, suppose we have something
  like:
  access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
  access-list 176 deny tcp 193.128.233.177 0.0.0.0 any eq smtp
  access-list 176 permit ip any any

  The smtp traffic from the mentioned host will be
  permitted although it's denied in the second line.

  I hope this helps.

  Regards,
  Shahir Boshra
  Telecommunications Specialist
  USAID - Egypt

    "Deloso, Elmer G." <[EMAIL PROTECTED]> wrote in
    message news:[EMAIL PROTECTED]...

    Hi, all. Just to verify my understanding of extended access-lists:
    this continues to parse the entries even after a match has already
    been found, so if the first few lines have a "permit" and later down
    the last few lines it encounters a "deny", what does the router do?
    Example:
    access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
    access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
    access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
    . . . .
    access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
    access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
    Any help would be greatly appreciated.

    Elmer Deloso



Re: SMTP access list

2000-07-12 Thread John Hardman



Hi

Nope, as soon as a match in the list is made, it is
processed, and no longer considered by the ACL. So in your example a packet with
a source address of 193.128.233.177 on TCP port 25 would be forwarded/routed to
the IP/forwarding interface.

HTH
--
John Hardman, MCSE+I, CCNA
ArrisTech/CCS-IS SysAdmin

  "Deloso, Elmer G." <[EMAIL PROTECTED]> wrote in
  message news:[EMAIL PROTECTED]...
  Hi, all. Just to verify my understanding of extended access-lists:
  this continues to parse the entries even after a match has already
  been found, so if the first few lines have a "permit" and later down
  the last few lines it encounters a "deny", what does the router do?
  Example:
  access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
  access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
  access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
  . . . .
  access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
  access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
  Any help would be greatly appreciated.
  Elmer Deloso


Re: SMTP access list

2000-07-12 Thread Shahir Boshra




Elmer,

The router applies the first match and neglects the
remaining lines.
i.e. in your example, only any traffic from the 3
mentioned sources & carrying smtp will be allowed. Note that the last 2
lines are unnecessary, as the implicit deny any will apply in all
cases.
To make it clearer, suppose we have something
like:
access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
access-list 176 deny tcp 193.128.233.177 0.0.0.0 any eq smtp
access-list 176 permit ip any any

The smtp traffic from the mentioned host will be
permitted although it's denied in the second line.

I hope this helps.

Regards,
Shahir Boshra
Telecommunications Specialist
USAID - Egypt

  "Deloso, Elmer G." <[EMAIL PROTECTED]> wrote in
  message news:[EMAIL PROTECTED]...

  Hi, all. Just to verify my understanding of extended access-lists:
  this continues to parse the entries even after a match has already
  been found, so if the first few lines have a "permit" and later down
  the last few lines it encounters a "deny", what does the router do?
  Example:
  access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
  access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
  access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
  . . . .
  access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
  access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
  Any help would be greatly appreciated.
  Elmer Deloso


Re: SMTP access list

2000-07-12 Thread Omar Khawaja

the algorithm is designed to exit the moment it finds a match. so, as
soon as  there is a match, the remaining lines of the access-list are
never looked at.

> "Deloso, Elmer G." wrote:
> 
> Hi, all.
> Just to verify my understanding of extended access-lists: this
> continues to parse the entries even
> after a match has already been found, so if the first few lines have a
> "permit" and later down the last few lines it encounters a "deny",
> what does the router do?
> 
> Example:
> access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
> access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
> access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
> .
> .
> .
> .
> access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
> access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
> 
> Any help would be greatly appreciated.
> 
> Elmer Deloso

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: SMTP access list

2000-07-12 Thread Michael Fountain

No, once the router finds a match, it quits examining the access-list and 
either permits or denies the packet.  Even if there are lines later in the 
list that would also be a match the router stops with the first match it 
finds.



>Hi, all.
>Just to verify my understanding of extended access-lists: this continues to
>parse the entries even
>after a match has already been found, so if the first few lines have a
>"permit" and later down the last few lines it encounters a "deny", what
>does the router do?
>Example:
>access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
>access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
>access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
>.
>.
>.
>.
>access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
>access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
>
>Any help would be greatly appreciated.
>
>Elmer Deloso
>




