>> priority-list <list> protocol ip <queue> ip tcp <port>
>> This will assign all packets with TCP source or destination port equal
>> to <port> to the specified <queue>. You can also use "ip udp" for
>> prioritizing UDP packets.

Hmm. I'm not trying to prioritize traffic, per se. What I am trying to
do is only allow certain types of TCP connections (in certain directions)
through the IGS. For example:
               "inbound" -->
               |
<---> IGS <--->|        a.l. = access list
a.l.      a.l. |
101       100  |- host (address a.b.c.d)
               |
               <-- "outbound"
access-list 100 permit tcp 0.0.0.0 255.255.255.255 a.b.c.d 0.0.0.0 eq 21
access-list 100 permit tcp 0.0.0.0 255.255.255.255 a.b.c.d 0.0.0.0 eq 20
Will permit "inbound" traffic from any source address/port to port 20/21 on host
a.b.c.d. If there are no extended access lists on the "outbound" port, things
work fine. If there are, then you need to explicitly allow the connection
to succeed. For the sake of this example, I will put an access list on
the outbound port, although they aren't needed for what I am trying to
accomplish.
Now, say that you want to permit "outbound" connections from host a.b.c.d to
any destination address, ports 20 & 21:
access-list 101 permit tcp a.b.c.d 0.0.0.0 0.0.0.0 255.255.255.255 eq 20
access-list 101 permit tcp a.b.c.d 0.0.0.0 0.0.0.0 255.255.255.255 eq 21
To allow for the "reverse" half of this connection, you need to add the
following rule to access-list 100:
access-list 100 permit tcp 0.0.0.0 255.255.255.255 eq 20 a.b.c.d 0.0.0.0
access-list 100 permit tcp 0.0.0.0 255.255.255.255 eq 21 a.b.c.d 0.0.0.0
Currently, I can't do this. The only way I can allow the connection to
succeed (given the current syntax) is to use:
access-list 100 permit tcp 0.0.0.0 255.255.255.255 a.b.c.d 0.0.0.0
which is basically pointless. It allows any host, any port to connect to
host a.b.c.d, any port. This is undesirable.
So, the $64 K question is: Can I filter on source port in 8.3(1)?
--
Adobe Systems Incorporated, Mountain View, CA adobe!timg
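
The filtering problem in the post, modelled as an added example (not part of the original post): a stateless filter using the post's address/wildcard-mask notation, run over three constructed packets. The address 192.0.2.10 stands in for a.b.c.d, 198.51.100.7 is a constructed remote host, and the source-port field models the syntax the post asks for, not a confirmed 8.3(1) feature.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):          # one "permit tcp" line; None = no port test
    src: str
    src_wild: str
    src_port: Optional[int]
    dst: str
    dst_wild: str
    dst_port: Optional[int]

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

def addr_match(addr, base, wild):
    # Wildcard mask as used in the post: bits set to 1 are "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a | w) == (b | w)

def permits(acl, pkt):
    """All rules are permits; a packet matching none hits the implicit deny."""
    return any(addr_match(pkt.src, r.src, r.src_wild)
               and addr_match(pkt.dst, r.dst, r.dst_wild)
               and r.src_port in (None, pkt.sport)
               and r.dst_port in (None, pkt.dport) for r in acl)

HOST = "192.0.2.10"                       # constructed stand-in for a.b.c.d
ANY = ("0.0.0.0", "255.255.255.255")
ONLY = (HOST, "0.0.0.0")

DST_ONLY = [Rule(*ANY, None, *ONLY, 21), Rule(*ANY, None, *ONLY, 20)]
BLANKET = DST_ONLY + [Rule(*ANY, None, *ONLY, None)]       # the workaround
SRC_PORT = DST_ONLY + [Rule(*ANY, 20, *ONLY, None),        # the wished-for rules
                       Rule(*ANY, 21, *ONLY, None)]

# Constructed packets arriving at access list 100.
REPLY = Packet("198.51.100.7", 21, HOST, 1055)     # return half of outbound FTP
UNRELATED = Packet("198.51.100.7", 1033, HOST, 23) # new connection to port 23
PORT_ONLY = Packet("198.51.100.7", 20, HOST, 23)   # no reply, source port 20

def evaluate(acl):
    return tuple(permits(acl, p) for p in (REPLY, UNRELATED, PORT_ONLY))

if __name__ == "__main__":
    for name, acl in (("dst-port only", DST_ONLY), ("blanket", BLANKET),
                      ("source-port", SRC_PORT)):
        print(f"{name:14} reply/unrelated/port-only = {evaluate(acl)}")
```

The source-port list passes the reply and blocks the unrelated connection, but it also passes the third packet, because the rule matches on the port number alone and not on whether the packet belongs to a connection the host opened.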