Including options for TCP and UDP traffic in extended ACLs
An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both.
Syntax:
<deny|permit> tcp <SA> [comparison-operator <tcp-src-port>] <DA> [comparison-operator <tcp-dest-port>]
Syntax:
<deny|permit> udp <SA> [comparison-operator <udp-src-port>] <DA> [comparison-operator <udp-dest-port>]
In an extended ACL using either tcp or udp as the packet protocol type, you can optionally use TCP or UDP source and/or destination port numbers, or ranges of numbers, to further define the criteria for a match. A port criterion entered after <SA> is tested against the packet's source port; a port criterion entered after <DA> is tested against the packet's destination port. An ACE with no port criterion matches all TCP (or UDP) traffic between the specified addresses.
[comparison-operator <tcp/udp-src-port>]
To specify a TCP or UDP source port number in an ACE:
(1) Select a comparison operator from the following list, and
(2) Enter the port number or a well-known port name.
Comparison operators:
eq <tcp/udp-port-nbr>
"Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <tcp/udp-port-nbr>.
gt <tcp/udp-port-nbr>
"Greater Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than <tcp/udp-port-nbr>.
lt <tcp/udp-port-nbr>
"Less Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be less than <tcp/udp-port-nbr>.
neq <tcp/udp-port-nbr>
"Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to <tcp/udp-port-nbr>.
range <start-port-nbr> <end-port-nbr>
For a match with the ACE entry, the TCP or UDP source port number in a packet must be in the range <start-port-nbr> to <end-port-nbr>, inclusive.
Port number or well-known port name:
Use the TCP or UDP port number required by your application.
TCP – bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet
UDP – bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp
To list the above names, press the [Shift] [?] key combination after entering an operator. For a comprehensive listing of port numbers, visit http://www.iana.org/assignments/port-numbers.
[comparison-operator <tcp-dest-port>]
[comparison-operator <udp-dest-port>]
This option, if used, is entered immediately after the <DA> entry and is tested against the packet's destination port. As with the source-port option, select a comparison operator and then enter the port number or a well-known port name.
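The following is an added example, not switch code or part of the original page: a small parser for ACEs written in the <deny|permit> <tcp|udp> <SA> [operator port] <DA> [operator port] form described above, plus an evaluator that applies an ACL to sample packets using first-match ordering and the implicit deny at the end of the list. It assumes a simplified address subset (any, host A.B.C.D, A.B.C.D/len), maps the well-known port names listed above to their IANA numbers, and uses constructed ACEs and packets.

```python
"""Parse extended tcp/udp ACEs and evaluate them against packets (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Well-known names from the page, mapped to IANA port numbers. Assumption: the switch
# resolves the names the same way (radius-old is the legacy RADIUS port 1645).
TCP_NAMES = {"bgp": 179, "dns": 53, "ftp": 21, "http": 80, "imap4": 143, "ldap": 389,
             "nntp": 119, "pop2": 109, "pop3": 110, "smtp": 25, "ssl": 443, "telnet": 23}
UDP_NAMES = {"bootpc": 68, "bootps": 67, "dns": 53, "ntp": 123, "radius": 1812,
             "radius-old": 1645, "rip": 520, "snmp": 161, "snmp-trap": 162, "tftp": 69}
OP_ARITY = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> port operands


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PortCriterion:
    op: str
    lo: int
    hi: int = 0  # upper bound, used only by "range" (inclusive at both ends)

    def matches(self, port: int) -> bool:
        if self.op == "eq":
            return port == self.lo
        if self.op == "gt":
            return port > self.lo
        if self.op == "lt":
            return port < self.lo
        if self.op == "neq":
            return port != self.lo
        return self.lo <= port <= self.hi


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: IPv4Network
    sport: Optional[PortCriterion]
    dst: IPv4Network
    dport: Optional[PortCriterion]

    def matches(self, pkt: Packet) -> bool:
        # Every present criterion must hold; an absent port criterion matches any port.
        return (pkt.proto == self.proto
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.sport is None or self.sport.matches(pkt.sport))
                and (self.dport is None or self.dport.matches(pkt.dport)))


def _port(tok: str, proto: str) -> int:
    names = TCP_NAMES if proto == "tcp" else UDP_NAMES
    n = int(tok) if tok.isdigit() else names.get(tok, -1)
    if not 0 <= n <= 65535:
        raise ValueError(f"bad {proto} port {tok!r}")
    return n


def _addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    # <SA>/<DA> subset assumed here: any | host A.B.C.D | A.B.C.D/len
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(t[i], strict=False), i + 1


def _criterion(t: List[str], i: int, proto: str) -> Tuple[Optional[PortCriterion], int]:
    # Optional [comparison-operator port(s)] placed immediately after an address.
    if i >= len(t) or t[i] not in OP_ARITY:
        return None, i
    op, n = t[i], OP_ARITY[t[i]]
    args = [_port(x, proto) for x in t[i + 1:i + 1 + n]]
    if len(args) != n or (op == "range" and args[0] > args[1]):
        raise ValueError(f"bad operands for {op}")
    return PortCriterion(op, args[0], args[1] if n == 2 else 0), i + 1 + n


def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] not in ("tcp", "udp"):
        raise ValueError(f"not a tcp/udp ACE: {line!r}")
    src, i = _addr(t, 2)
    sport, i = _criterion(t, i, t[1])
    dst, i = _addr(t, i)
    dport, i = _criterion(t, i, t[1])
    if i != len(t):
        raise ValueError(f"unexpected tokens: {t[i:]}")
    return Ace(t[0], t[1], src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match means the implicit deny (index None)."""
    for idx, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


def rejects(line: str) -> bool:
    """True if this parser refuses the line."""
    try:
        parse_ace(line)
        return False
    except (ValueError, IndexError):
        return True


# Constructed sample ACL in the page's syntax (not from any real configuration).
SAMPLE_ACL = """
permit tcp any host 10.0.0.10 eq http
permit udp any gt 1023 host 10.0.0.53 eq dns
deny tcp any host 10.0.0.10 range 8000 8100
permit tcp 10.0.1.0/24 any neq telnet
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in (Packet("tcp", "192.0.2.5", 40000, "10.0.0.10", 80),
                Packet("udp", "192.0.2.5", 53, "10.0.0.53", 53),
                Packet("tcp", "10.0.1.7", 40000, "10.0.0.10", 8080),
                Packet("tcp", "10.0.1.7", 40000, "198.51.100.1", 23)):
        print(pkt, "->", evaluate(acl, pkt))
```

Two things worth noticing when running it: the DNS query sent from source port 53 is dropped by the implicit deny because the ACE requires a source port greater than 1023, and the connection to 10.0.0.10:8080 from 10.0.1.0/24 is denied by the range ACE even though the later neq ACE would permit it, since the first matching entry decides. Operators such as gt, lt and neq each match a wide band of ports, so check what an ACE admits, not only what it was written to block.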