Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1130
Views
0
Helpful
4
Replies

ACL syntax question

Go to solution
Venison Mogambi
Level 1
Level 1

‎05-02-2012 09:24 AM - edited ‎03-07-2019 06:27 AM

Hi,

I have a simple question about building extended ACLs. If I want to match on more than one non-contiguous port, can I just list them out in the ACL? For example, if I wanted to match on ports 80, 443 and 22, can I do it like this:

ip access-list extended Test

permit tcp any host 10.10.10.1 eq 80 443 22

And if I can do that, what's the limit on how many individual ports I can include? And does it match any or all? I'm guessing it will match on any of them.

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Venison Mogambi

‎05-02-2012 10:38 AM

Venison,

It allows you to open ports to that host, but not the whole range. It's the equivalent of an OR operation and lets you consolidate your acls.

permit tcp any host 10.10.10.1 eq 443 7001

Same as:

permit tcp any host 10.10.10.1 eq 443

permit tcp any host 10.10.10.1 eq 7001

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-02-2012 10:06 AM

Hello Venison,

the eq port operator supports a single value so  you need multiple statements to match on multiple TCP ports. The range operator allows for an interval but it would permit all values in range.

"Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

>> The range operator requires two port numbers. All other operators require one port number."

see

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C

Hope to help

Giuseppe

0 Helpful

Go to solution
Venison Mogambi
Level 1
Level 1
In response to Giuseppe Larosa

‎05-02-2012 10:21 AM

Hi Giuseppe,

Thanks for the reply. But if the eq operator only allows a single port number, why does it allow me to enter multiple port numbers. For example, see the output below. I created this on an operational router. It allowed me to enter two discontiguous port numbers:

router(config)#ip access-list extended Test

router(config-ext-nacl)#permit tcp any host 10.10.10.1 eq 443 7001

!

router#sh ip access-lists Test

Extended IP access list Test

    10 permit tcp any host 10.10.10.1 eq 443 7001

Any ideas?

Thanks.

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Venison Mogambi

‎05-02-2012 10:38 AM

Venison,

It allows you to open ports to that host, but not the whole range. It's the equivalent of an OR operation and lets you consolidate your acls.

permit tcp any host 10.10.10.1 eq 443 7001

Same as:

permit tcp any host 10.10.10.1 eq 443

permit tcp any host 10.10.10.1 eq 7001

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Venison Mogambi
Level 1
Level 1
In response to John Blakley

‎05-02-2012 11:07 AM

Excellent! That's excatly what I needed it for.

Thanks very much.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card