Solved: Re: History, benefit, using of gt and lt in ACL rule

mgae2m400 · ‎08-09-2020

As rules below:

10 access-list 102 permit tcp any host 192.168.1.100 eq ftp
20 access-list 102 permit tcp any host 192.168.1.100 gt 1023

What is History, benefit, using gt and lt (line 20)?

Is there meaning in ports sequence number?

Regards.

Rob Ingram · ‎08-09-2020

Hi,
"gt" = greater than, which in your example this is permitting all dynamic ports above 1023, so from tcp port 1023 - 65535. Normally you'd specify "eq" which specifies the exact port, but in some circumstances you may wish to permit the dynamic ports for some applications, such as MS RPC.

Sequence number is important, the ACL is processed top down, so first match takes precedence. If a packet matches seq #10, then it will be permitted and not process the rest of the ACL. It also helps with re-ordering the ACE.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-seq-num.html

HTH

View solution in original post

Rob Ingram · ‎08-09-2020

Hi,
"gt" = greater than, which in your example this is permitting all dynamic ports above 1023, so from tcp port 1023 - 65535. Normally you'd specify "eq" which specifies the exact port, but in some circumstances you may wish to permit the dynamic ports for some applications, such as MS RPC.

Sequence number is important, the ACL is processed top down, so first match takes precedence. If a packet matches seq #10, then it will be permitted and not process the rest of the ACL. It also helps with re-ordering the ACE.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-seq-num.html

HTH

r.heitmann · ‎01-16-2024

just to keep it exact:

"gt" = greater than, which in your example this is permitting all dynamic ports above 1023, so from tcp port 1024 - 65535.

...gt is not "equal or greater than", just "greater than"