Cisco 6500 ACL blocking port 0

Salja
Level 1

Hi,

I am creating an ACL on my Cisco 6500 Sup720-3BXL and some of the entries are to block traffic sourced from TCP/UDP port 0.

Anyway, when I add these entries to the ACL I can't see that port 0 has been specified in the TCAM ACL.

ACL:

101 deny tcp any eq 0 any 
102 deny udp any eq 0 any

TCAM ACL:

 deny   tcp any any
 deny   udp any any

 

Does this mean that with these two entries I am actually blocking all the traffic, as I can't see port 0 specified in the TCAM ACL, or not?

 

Thanks in advance!

Regards

Salja
Accepted Solution

Akash Agrawal
Cisco Employee

Hi Salja,

 

You won't see port details in the output of the command "show tcam interface <interface> acl in ip", but if you add the keyword detail at the end then it shows the port details as well.

 

For example:

 

R1_7606A#show ip access-lists TEST
Extended IP access list TEST
    100 permit ip host 100.100.100.100 host 200.200.200.200
    101 deny tcp host 1.1.1.1 eq 0 host 2.2.2.2 eq 0
    102 deny udp any eq 0 any eq 0
    103 permit ip any any (169 matches)
R1_7606A#

 

R1_7606A#show tcam inter GigabitEthernet4/0/0 acl in ip 

* Global Defaults shared


Entries from Bank 0

    permit       ip host 100.100.100.100 host 200.200.200.200
    deny         tcp host 1.1.1.1 host 2.2.2.2
    deny         udp any any
    permit       ip any any

Entries from Bank 1

    punt         icmp any any eq 11
    permit       ip any any

R1_7606A#

 

R1_7606A#show tcam inter GigabitEthernet4/0/0 acl in ip detail

--output omitted--

+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
|T|Index|  Dest Ip Addr | Source Ip Addr|     DPort     |     SPort     | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
 V 17800 200.200.200.200 100.100.100.100       P=0             P=0        ------   0 ---- 0   0 -- C-- 0-0   
 M 17801 255.255.255.255 255.255.255.255         0               0        ------   0 ---- 0   0              
 R rslt: PERMIT_RESULT                 rtr_rslt: PERMIT_RESULT                       hit_cnt=0   

 V 17809         2.2.2.2         1.1.1.1       P=0             P=0        ------   6 ---- 0   0 -- C-- 0-0   <<< src/dst ip/port details
 M 17810 255.255.255.255 255.255.255.255         65535           65535    ------ 255 --X- 0   0              <<< mask for src/dst ip/port
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)                  hit_cnt=0   

 V 17818         0.0.0.0         0.0.0.0       P=0             P=0        ------  17 ---- 0   0 -- C-- 0-0   
 M 17819         0.0.0.0         0.0.0.0         65535           65535    ------ 255 --X- 0   0              
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)                  hit_cnt=0   

 

-- Please don't forget to rate helpful posts --

Regards,

Akash
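The point of the detail output above is that the V (value) row carries the port value (P=0) and the M (mask) row says whether that value is actually compared: a port mask of 65535 is an exact match, a mask of 0 means the port is ignored. The following decoder, added here as an example and not Cisco output-parsing code, reads V/M/R triplets like the ones quoted in the post and rebuilds the ACE text including the port qualifiers that the non-detail output leaves out. The column positions, the mapping of protocol numbers to names, and the treatment of the IP mask as a "care" mask (1 bits compared) are assumptions taken from the rows shown above; the sample rows are the three triplets from the post.

```python
"""Decode V/M/R rows from 'show tcam interface <if> acl in ip detail' into ACE-style text.

Added example for this thread, not Cisco code. It reads the value (V) row, the
mask (M) row and the result (R) row of each TCAM entry and reconstructs the
port qualifiers that the non-detail output does not show.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three V/M/R triplets quoted in the thread, including the
# trailing '<<<' annotations, so the decoder has to cope with them.
SAMPLE = """\
 V 17800 200.200.200.200 100.100.100.100       P=0             P=0        ------   0 ---- 0   0 -- C-- 0-0
 M 17801 255.255.255.255 255.255.255.255         0               0        ------   0 ---- 0   0
 R rslt: PERMIT_RESULT                 rtr_rslt: PERMIT_RESULT                       hit_cnt=0

 V 17809         2.2.2.2         1.1.1.1       P=0             P=0        ------   6 ---- 0   0 -- C-- 0-0   <<< src/dst ip/port details
 M 17810 255.255.255.255 255.255.255.255         65535           65535    ------ 255 --X- 0   0              <<< mask for src/dst ip/port
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)                  hit_cnt=0

 V 17818         0.0.0.0         0.0.0.0       P=0             P=0        ------  17 ---- 0   0 -- C-- 0-0
 M 17819         0.0.0.0         0.0.0.0         65535           65535    ------ 255 --X- 0   0
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)                  hit_cnt=0
"""

# IP protocol numbers that appear in the 'Pro' column (assumed mapping).
PROTO_NAMES = {0: "ip", 1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class TcamEntry:
    index: int
    action: str
    proto: str
    src: str
    sport: Optional[int]  # None when the mask says the port is not examined
    dst: str
    dport: Optional[int]

    def as_ace(self) -> str:
        """Render the entry the way an extended ACE would be written."""
        parts = [self.action, self.proto, self.src]
        if self.sport is not None:
            parts += ["eq", str(self.sport)]
        parts.append(self.dst)
        if self.dport is not None:
            parts += ["eq", str(self.dport)]
        return " ".join(parts)


def _ip_spec(value: str, mask: str) -> str:
    """Assumed: the TCAM mask is a 'care' mask (1 bits compared), so the ACE wildcard is its inverse."""
    if mask == "255.255.255.255":
        return f"host {value}"
    if mask == "0.0.0.0":
        return "any"
    wildcard = ".".join(str(255 - int(octet)) for octet in mask.split("."))
    return f"{value} {wildcard}"


def _port_spec(value: str, mask: str) -> Optional[int]:
    """'P=<n>' with mask 65535 is an exact port match; mask 0 means the port is ignored."""
    port = int(value[2:] if value.startswith("P=") else value)
    care_bits = int(mask)
    if care_bits == 0:
        return None
    if care_bits != 0xFFFF:
        raise ValueError(f"partial port mask {mask} not handled by this decoder")
    return port


def parse_tcam_detail(text: str) -> List[TcamEntry]:
    """Walk the rows in V/M/R order and decode each triplet."""
    rows = [line.split("<<<")[0].split() for line in text.splitlines() if line.strip()]
    entries = []
    for v, m, r in zip(rows[0::3], rows[1::3], rows[2::3]):
        if (v[0], m[0], r[0]) != ("V", "M", "R"):
            raise ValueError("rows are not in V/M/R order")
        # Column order: T Index DestIp SrcIp DPort SPort TCP-F Pro ...
        proto_num = int(v[7]) if int(m[7]) else 0  # protocol mask 0 means any protocol ('ip')
        entries.append(TcamEntry(
            index=int(v[1]),
            action="permit" if r[2].startswith("PERMIT") else "deny",
            proto=PROTO_NAMES.get(proto_num, str(proto_num)),
            src=_ip_spec(v[3], m[3]),
            sport=_port_spec(v[5], m[5]),
            dst=_ip_spec(v[2], m[2]),
            dport=_port_spec(v[4], m[4]),
        ))
    return entries


if __name__ == "__main__":
    for entry in parse_tcam_detail(SAMPLE):
        print(f"{entry.index:>6}  {entry.as_ace()}")
```

Run against the three triplets from the post, the decoder yields `permit ip host 100.100.100.100 host 200.200.200.200`, `deny tcp host 1.1.1.1 eq 0 host 2.2.2.2 eq 0` and `deny udp any eq 0 any eq 0`, i.e. exactly the configured ACEs, which is the check to make when the summary output seems to have dropped a port qualifier.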

3 Replies

InayathUlla Sharieff
Cisco Employee

Port 0 is reserved and should not be used for communication. It seems the ACL is trying to prevent someone from sending traffic from/to port 0. A quick Google search seems to imply that if you specify port 0 in a socket, a dynamic port will be chosen.

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

 

I am able to see this on my device:

C6K1(config)#access-list 102 deny udp any eq 0 any

C6K1(config)#do sh ip access-list 102
Extended IP access list 102
    10 deny udp any eq 0 any>>. 0 displayed.

 

HTH

Regards

Inayath

 

Salja
Level 1

Hi,

Thanks for your answers.

Well, the idea was to protect the network from a DDoS attack which was sourced from port 0.

After some further analysis it turned out that the problem was caused by fragmented packets, as non-initial fragments have no L4 (port) information and show port 0 instead of the right ports.

After blocking fragments, the attack was blocked successfully, but now I have fragments blocked in my network.

Any other suggestions on how to solve the issue in the best way would be appreciated!

 

Thanks

Salja
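The failure mode in the post above is worth seeing in code: a non-initial fragment carries no TCP/UDP header, so a lookup that reads the missing ports as 0 will hit a `deny ... eq 0` ACE for every tail fragment of every flow. The following model, added here as an example and not Cisco code, compares two evaluators over the thread's ACL: one that substitutes 0 for the absent ports (modelled on what Salja reports seeing, and an assumption about the hardware, not something the thread proves), and one that applies the fragment rules Cisco documents for IOS software ACLs (a permit ACE with L4 fields matches a non-initial fragment on its L3 fields, a deny ACE with L4 fields is skipped, and the `fragments` keyword matches non-initial fragments only). Whether the 6500's hardware path follows those software rules is not established by this thread. Addresses are left out because the ACEs in question are `any ... any`; the packets and ACLs are constructed.

```python
"""Model how an ACL that denies TCP/UDP source port 0 treats non-initial fragments.

Added example for this thread, not Cisco code. Two evaluators are compared:
  * evaluate_port_zero_substitution: a fragment with no L4 header is looked up
    as if both ports were 0 (models what the thread reports; an assumption).
  * evaluate_ios_fragment_rules: the fragment rules Cisco documents for IOS
    software ACLs.
Source/destination addresses are omitted: the thread's ACEs are 'any ... any'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp" or "udp"
    sport: Optional[int]         # None: no L4 header present (non-initial fragment)
    dport: Optional[int]
    non_initial_fragment: bool = False


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    sport: Optional[int] = None  # None: any source port
    dport: Optional[int] = None  # None: any destination port
    fragments: bool = False      # IOS 'fragments' keyword

    @property
    def has_l4(self) -> bool:
        return self.sport is not None or self.dport is not None


def _l3_match(ace: Ace, pkt: Packet) -> bool:
    return ace.proto in ("ip", pkt.proto)


def _ports_match(ace: Ace, sport: Optional[int], dport: Optional[int]) -> bool:
    return (ace.sport is None or ace.sport == sport) and (ace.dport is None or ace.dport == dport)


def evaluate_port_zero_substitution(acl: List[Ace], pkt: Packet) -> str:
    """Ports absent from a fragment are read as 0 before the lookup (modelled on the thread's report)."""
    sport = 0 if pkt.sport is None else pkt.sport
    dport = 0 if pkt.dport is None else pkt.dport
    for ace in acl:
        if not _l3_match(ace, pkt):
            continue
        if ace.fragments and not pkt.non_initial_fragment:
            continue
        if _ports_match(ace, sport, dport):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


def evaluate_ios_fragment_rules(acl: List[Ace], pkt: Packet) -> str:
    """Cisco's documented software-ACL handling of IP fragments."""
    for ace in acl:
        if not _l3_match(ace, pkt):
            continue
        if ace.fragments:
            if pkt.non_initial_fragment:
                return ace.action
            continue                  # 'fragments' ACEs never match initial fragments
        if pkt.non_initial_fragment:
            if ace.has_l4 and ace.action == "deny":
                continue              # L4 deny is skipped: the fragment carries no ports
            return ace.action         # L3-only ACE, or an L4 permit applied on the L3 match
        if _ports_match(ace, pkt.sport, pkt.dport):
            return ace.action
    return "deny"


# Constructed samples: Salja's two deny ACEs plus permit ip any any, and an ACL that blocks fragments.
PORT_ZERO_ACL = [Ace("deny", "tcp", sport=0), Ace("deny", "udp", sport=0), Ace("permit", "ip")]
FRAGMENT_DENY_ACL = [Ace("deny", "ip", fragments=True), Ace("permit", "ip")]

NORMAL = Packet("tcp", 12345, 80)                               # ordinary unfragmented packet
ATTACK = Packet("udp", 0, 53)                                   # genuine source-port-0 packet
FRAGMENT = Packet("tcp", None, None, non_initial_fragment=True)  # tail fragment of a normal flow


def compare(acl: List[Ace], pkt: Packet) -> Dict[str, str]:
    """Verdict of both evaluators for one packet against one ACL."""
    return {
        "port_zero_substitution": evaluate_port_zero_substitution(acl, pkt),
        "ios_fragment_rules": evaluate_ios_fragment_rules(acl, pkt),
    }


if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("attack", ATTACK), ("fragment", FRAGMENT)):
        print(name, compare(PORT_ZERO_ACL, pkt))
```

The two evaluators agree on the unfragmented packets (the real port-0 packet is denied, ordinary traffic is permitted) and disagree only on the tail fragment: under port-0 substitution it is denied by the first ACE, under the documented software rules the L4 deny is skipped and `permit ip any any` lets it through. A blanket `deny ip any any fragments` closes the gap under either behaviour, which is the side effect Salja describes.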
