09-04-2014 02:09 PM - edited 03-04-2019 11:41 PM
Hi,
I am creating an ACL on my Cisco 6500 Sup720-3BXL and some of the entries are there to block traffic sourced from TCP/UDP port 0.
Anyway, when I add these entries to the ACL, I can't see that port 0 has been specified in the TCAM ACL.
ACL:
101 deny tcp any eq 0 any
102 deny udp any eq 0 any
TCAM ACL:
deny tcp any any
deny udp any any
Does this mean that with these two entries I am actually blocking all the traffic, since I can't see port 0 specified in the TCAM ACL?
Thanks in advance!
Regards
Salja
09-05-2014 06:44 AM
Hi Salja,
You won't see port details in the output of the command "show tcam interface <interface> acl in ip", but if you add the keyword "detail" at the end, it shows the port details as well.
For example
R1_7606A#show ip access-lists TEST
Extended IP access list TEST
100 permit ip host 100.100.100.100 host 200.200.200.200
101 deny tcp host 1.1.1.1 eq 0 host 2.2.2.2 eq 0
102 deny udp any eq 0 any eq 0
103 permit ip any any (169 matches)
R1_7606A#
R1_7606A#show tcam inter GigabitEthernet4/0/0 acl in ip
* Global Defaults shared
Entries from Bank 0
permit ip host 100.100.100.100 host 200.200.200.200
deny tcp host 1.1.1.1 host 2.2.2.2
deny udp any any
permit ip any any
Entries from Bank 1
punt icmp any any eq 11
permit ip any any
R1_7606A#
R1_7606A#show tcam inter GigabitEthernet4/0/0 acl in ip detail
.
.--output omitted--
.
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
|T|Index| Dest Ip Addr | Source Ip Addr| DPort | SPort | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
V 17800 200.200.200.200 100.100.100.100 P=0 P=0 ------ 0 ---- 0 0 -- C-- 0-0
M 17801 255.255.255.255 255.255.255.255 0 0 ------ 0 ---- 0 0
R rslt: PERMIT_RESULT rtr_rslt: PERMIT_RESULT hit_cnt=0
V 17809 2.2.2.2 1.1.1.1 P=0 P=0 ------ 6 ---- 0 0 -- C-- 0-0 <<< src/dst ip/port details
M 17810 255.255.255.255 255.255.255.255 65535 65535 ------ 255 --X- 0 0 <<< mask for src/dst ip/port
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0
V 17818 0.0.0.0 0.0.0.0 P=0 P=0 ------ 17 ---- 0 0 -- C-- 0-0
M 17819 0.0.0.0 0.0.0.0 65535 65535 ------ 255 --X- 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0
-- Pls don't forget to rate helpful posts --
Regards,
Akash
09-04-2014 06:59 PM
Port 0 is reserved and should not be used for communication. It seems the ACL is trying to prevent someone from sending traffic from/to port 0. A quick Google search seems to imply that if you specify port 0 in a socket, a dynamic port will be chosen.
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
I am able to see it on my device:
C6K1(config)#access-list 102 deny udp any eq 0 any
C6K1(config)#do sh ip access-list 102
Extended IP access list 102
10 deny udp any eq 0 any  >> 0 is displayed.
HTH
Regards
Inayath
09-05-2014 09:24 AM
Hi,
thanks for your answers.
Well, the idea was to protect the network from a DDoS attack which was sourced from port 0.
After some further analysis it turned out that the problem was caused by fragmented packets, as non-initial fragments have no L4 (port) information and show port 0 instead of the right ports.
After blocking fragments the attack was blocked successfully, but now I have fragments blocked in my network.
Any other suggestion on how to solve the issue in the best way would be appreciated!
Thanks
Salja
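To make Akash's point about the value/mask pairs concrete, and to show why the non-initial fragments Salja describes hit these entries, here is an added Python example (not from the thread or from Cisco): it parses the V/M/R triplets from the "detail" output above and replays the TCAM comparison against a few constructed packets. It assumes, following the thread, that a non-initial fragment carries no L4 header and is therefore looked up with source and destination port 0, and that traffic matching none of the shown entries falls through to ACE 103 (permit ip any any), which the omitted part of the output does not show.

```python
# Added example (not from the thread): replay the Catalyst 6500 TCAM value/mask
# lookup exposed by "show tcam interface ... acl in ip detail" to show that the
# summary line "deny udp any any" is really "deny udp any eq 0 any eq 0".
import ipaddress

# V/M/R triplets transcribed from Akash's detail output (constructed input).
DETAIL_OUTPUT = """
V 17800 200.200.200.200 100.100.100.100 P=0 P=0 ------ 0 ---- 0 0 -- C-- 0-0
M 17801 255.255.255.255 255.255.255.255 0 0 ------ 0 ---- 0 0
R rslt: PERMIT_RESULT rtr_rslt: PERMIT_RESULT hit_cnt=0
V 17809 2.2.2.2 1.1.1.1 P=0 P=0 ------ 6 ---- 0 0 -- C-- 0-0
M 17810 255.255.255.255 255.255.255.255 65535 65535 ------ 255 --X- 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0
V 17818 0.0.0.0 0.0.0.0 P=0 P=0 ------ 17 ---- 0 0 -- C-- 0-0
M 17819 0.0.0.0 0.0.0.0 65535 65535 ------ 255 --X- 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0
"""

def _field_set(f):
    """Pull dst/src IP, dport, sport and protocol out of a split V or M line."""
    return dict(dst=int(ipaddress.IPv4Address(f[2])), src=int(ipaddress.IPv4Address(f[3])),
                dport=int(f[4].replace("P=", "")), sport=int(f[5].replace("P=", "")),
                proto=int(f[7]))

def parse_entries(text):
    """Group V (value), M (mask) and R (result) lines into TCAM entries, in order."""
    entries, cur = [], {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] in ("V", "M"):
            cur[f[0]] = _field_set(f)
        elif f[0] == "R":
            cur["R"] = f[2]          # e.g. L3_DENY_RESULT
            entries.append(cur)
            cur = {}
    return entries

def lookup(entries, src, dst, proto, sport, dport):
    """First entry where (packet & mask) == (value & mask) wins, as in the TCAM.
    A mask of 0 is a wildcard; 65535 / 255 / 255.255.255.255 means exact match."""
    pkt = dict(src=int(ipaddress.IPv4Address(src)), dst=int(ipaddress.IPv4Address(dst)),
               proto=proto, sport=sport, dport=dport)
    for e in entries:
        v, m = e["V"], e["M"]
        if all((pkt[k] & m[k]) == (v[k] & m[k]) for k in pkt):
            return e["R"]
    return "PERMIT_RESULT"  # assumed: ACE 103 "permit ip any any", omitted from the output

ENTRIES = parse_entries(DETAIL_OUTPUT)
```

A non-initial UDP fragment, which the thread found is evaluated with port 0, is looked up as `lookup(ENTRIES, src, dst, 17, 0, 0)` and hits index 17818 whatever the real flow's ports were, while a DNS reply from port 53 falls through to the permit.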