Including options for TCP and UDP traffic in extended ACLs
An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.
Syntax
{<deny | permit> tcp}
<SA> [comparison-operator <tcp-src-port>]
<DA> [comparison-operator <tcp-dest-port>]
[established]
[ack] [fin] [rst] [syn]
Syntax
{<deny | permit> udp}
<SA> [comparison-operator <udp-src-port>]
<DA> [comparison-operator <udp-dest-port>]
In an extended ACL using either tcp or udp as the packet protocol type, you can optionally use TCP or UDP source and/or destination port numbers or ranges of numbers to further define the criteria for a match.
#deny tcp host 10.20.10.17 eq 23 host 10.20.10.155 established
#permit tcp host 10.10.10.100 host 10.20.10.17 eq telnet
#deny udp 10.30.10.1/24 host 10.20.10.17 range 161 162
comparison-operator <tcp/udp-src-port> range <start-port-nbr> <end-port-nbr>
For a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr> to <end-port-nbr>.
Configuring ACEs that use the range comparison operator with extended ACLs
The port range comparison operator is handled by two different mechanisms in the switch. The switch first attempts to use the TCAM directly to install the port range using a key and mask operation within a single TCAM entry, but if this is not possible then the port range comparison operator must use one of the dedicated h/w range registers.
There are 14 hardware range registers per V1 module (60 for a V2 module) that can be used for port range ACEs. Once all the range registers are used up, no further port ranges that require a hardware range register (that is, ones that cannot be matched by the TCAM alone) can be added, and the switch returns an "Unable to create access control entry" message when modifying ACLs.
Use the following techniques to express port ranges with minimal use of the dedicated hardware range registers.
A port range that starts with an odd number always requires a hardware range register, because of the TCAM mask operation.
A port range that ends with an even number also always requires a hardware range register.
A configured port range can be referenced by multiple ACEs. However, be aware that if a single port range that uses a hardware range register is applied as both a source and a destination range within the list of ACEs, then two range registers are actually consumed by that single port range.
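The following is an added example, not code from the switch documentation, that models the two mechanisms described above so you can estimate register consumption before the switch refuses an ACE. It assumes (the page does not state this) that the single-entry TCAM install works exactly when the range is a power-of-two block of ports aligned to its own size; for any range of two or more ports that assumption reproduces the two rules given above (an odd start or an even end can never form such a block).

```python
from typing import Iterable, Optional, Tuple

def tcam_key_mask(start: int, end: int) -> Optional[Tuple[int, int]]:
    """Return (key, mask) if ports start..end fit one TCAM entry, else None.

    Assumption: a single key/mask entry can express the range only when it
    is a power-of-two run of ports aligned to its own size.
    """
    if not (0 <= start <= end <= 0xFFFF):
        raise ValueError("port range out of bounds")
    size = end - start + 1
    if size & (size - 1):          # not a power of two
        return None
    if start % size:               # not aligned to the block size
        return None
    mask = 0xFFFF & ~(size - 1)    # bits the TCAM must compare exactly
    return start, mask

def needs_range_register(start: int, end: int) -> bool:
    """True when the range must fall back to a dedicated hardware range register."""
    return tcam_key_mask(start, end) is None

def range_registers_needed(aces: Iterable[Tuple[str, int, int]]) -> int:
    """Count hardware range registers a list of ACEs would consume.

    aces: (role, start, end) tuples, role being 'src' or 'dst'.
    A range referenced by several ACEs in the same role is counted once;
    the same range used as both source and destination counts twice.
    """
    used = set()
    for role, start, end in aces:
        if needs_range_register(start, end):
            used.add((role, start, end))
    return len(used)

# Constructed sample (hypothetical policy, not from the page) using the
# snmp range 161-162 shown in the page's own example ACE.
SAMPLE_ACES = [
    ("dst", 161, 162),       # odd start: needs a range register
    ("dst", 161, 162),       # same range, same role: no extra register
    ("src", 161, 162),       # same range as source: a second register
    ("dst", 1024, 2047),     # aligned 2^10 block: key 1024, mask 0xFC00
    ("dst", 49152, 65535),   # aligned 2^14 block: key 49152, mask 0xC000
    ("dst", 1000, 1015),     # even start, odd end, but not aligned: register
]
```

Running `range_registers_needed(SAMPLE_ACES)` on the constructed list gives 3, two of which come from the single 161-162 range being used in both roles.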
To specify a TCP or UDP source port number in an ACE:
Select a comparison operator from the following list.
Comparison operators
eq <tcp/udp-port-nbr>
"Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <tcp/udp-port-nbr>.
gt <tcp/udp-port-nbr>
"Greater Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than <tcp/udp-port-nbr>.
lt <tcp/udp-port-nbr>
"Less Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be less than <tcp/udp-port-nbr>.
neq <tcp/udp-port-nbr>
"Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to <tcp/udp-port-nbr>.
range <start-port-nbr> <end-port-nbr>
For a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr> to <end-port-nbr>.
Enter the port number or a well-known port name.
Port number or well-known port name
Use the TCP or UDP port number required by your application.
TCP — bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet
UDP — bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp
To list the above names, press the [Shift] [?] key combination after entering an operator. For a comprehensive listing of port numbers, visit www.iana.com.
comparison-operator <tcp-dest-port> [established]
comparison-operator <udp-dest-port>
This option, if used, is entered immediately after the <DA> entry.
To specify a TCP or UDP port number:
Select a comparison operator.
Enter the port number or a well-known port name.
Comparison operators and well-known port names
These are the same as are used with the TCP/UDP source-port options, and are listed earlier in this command description.
[established]
This option applies only where TCP is the configured protocol type. It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN while allowing all other IPv4 traffic for the same type of connection in the opposite direction. For example, a Telnet connection requires TCP traffic to move both ways between a host and the target device. Simply applying a deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction, because responses to outbound requests would be blocked. However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted, but inbound Telnet traffic trying to establish a connection would be denied.
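The following is an added example, not code from the switch documentation, that walks through the inbound-Telnet scenario above with a minimal ACE evaluator. It assumes the conventional ACL meaning of established (not spelled out on the page): a TCP segment matches only if its ACK or RST bit is set, so the bare SYN that opens a connection never matches. Host addresses and the ACL are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]      # subset of {"ack", "fin", "rst", "syn"}

@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    src: str                   # host address or "any"
    sport: Optional[int]       # None means any source port
    dst: str
    dport: Optional[int]
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if self.src != "any" and self.src != seg.src:
            return False
        if self.dst != "any" and self.dst != seg.dst:
            return False
        if self.sport is not None and self.sport != seg.sport:
            return False
        if self.dport is not None and self.dport != seg.dport:
            return False
        # Assumed established semantics: ACK or RST must be set.
        if self.established and not (seg.flags & {"ack", "rst"}):
            return False
        return True

def evaluate(acl: List[Ace], seg: Segment) -> str:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(seg):
            return ace.action
    return "deny"

TELNET = 23
# Hypothetical inbound ACL protecting host 10.0.0.5: replies to Telnet
# sessions it opened are allowed, new inbound Telnet sessions are not.
INBOUND_ACL = [Ace("permit", "any", TELNET, "10.0.0.5", None, established=True)]

# Constructed segments arriving inbound on the VLAN.
REPLY = Segment("10.0.0.9", TELNET, "10.0.0.5", 40001, frozenset({"syn", "ack"}))
NEW_SESSION = Segment("10.0.0.9", 40002, "10.0.0.5", TELNET, frozenset({"syn"}))
FORGED_SYN = Segment("10.0.0.9", TELNET, "10.0.0.5", 40003, frozenset({"syn"}))
```

The forged segment shows why established matters: a SYN sent from source port 23 would satisfy the port test alone, but without ACK or RST set it falls through to the implicit deny.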
TCP control bits
In a given ACE for filtering TCP traffic you can configure one or more of these options:
[ack] — Acknowledgment.
[fin] — Sender finished.
[rst] — Connection reset.
[syn] — TCP control bit: sequence number synchronize.
For more on using TCP control bits, see RFC 793.