02-17-2016 06:16 AM - edited 03-08-2019 04:37 AM
Hello,
I am a novice at this, but I need to create an ACL to block a particular UDP port and allow all other traffic. This is on a small private network in a lab.
I tried this, but it doesn't work:
Switch#show access-lists
Extended IP access list Block_PTP
permit ip any any
permit tcp any any
permit udp any any
deny udp any eq 319 any eq 319
Switch#
All traffic still seemed to get through.
Any advice would be appreciated.
Thanks,
Jim
02-18-2016 05:03 AM
hi Jim,
Try the config below and apply it to the interface. It should work.
Switch#show access-lists
Extended IP access list Block_PTP
deny udp any eq 319 any eq 319
permit tcp any any
permit udp any any
permit ip any any
Switch#
Cheers !
HTH
***Rate this post as solution, so that others can benefit...
02-18-2016 05:19 AM
Jim
It is unlikely that both the source and destination ports will be 319.
Try "deny udp any any eq 319"
and make sure it goes before the permit lines.
By the way "permit ip any any" covers both TCP and UDP so you don't need the specific lines permitting TCP and UDP.
Jon
02-18-2016 07:08 AM
Jim
Jon makes good points. Let me add a little explanation and perhaps it will make better sense. In Cisco, processing of access list statements is done sequentially, in order, and when a match is found it does not process any more lines of the access list. So when your first line is permit ip any any, that will always match and no other lines will be processed, and all traffic is permitted. When you put the deny udp statement before the permit statements, it will check the UDP statement first and would be able to deny that traffic.
HTH
Rick
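As an added illustration (not code from anyone in this thread): a small Python model of first-match ACL evaluation, run over constructed packets, showing why the original ordering permits UDP/319, why simply moving the original deny line up still only catches packets whose source and destination ports are both 319, and why Jon's "deny udp any any eq 319" placed first blocks it. Host addresses and port numbers in the samples are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for addresses and ports ("any" / no "eq")

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Optional[str] = ANY
    sport: Optional[int] = ANY   # "eq N" on the source side
    dst: Optional[str] = ANY
    dport: Optional[int] = ANY   # "eq N" on the destination side

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        fields = ((self.src, p.src), (self.sport, p.sport),
                  (self.dst, p.dst), (self.dport, p.dport))
        return all(want is ANY or want == have for want, have in fields)

def evaluate(acl: list, p: Packet) -> str:
    """First matching entry decides; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# Jim's original list: permit ip any any first, the deny last (never reached).
ORIGINAL = [Ace("permit", "ip"), Ace("permit", "tcp"), Ace("permit", "udp"),
            Ace("deny", "udp", sport=319, dport=319)]
# Jon's version: deny udp any any eq 319 first, then permit ip any any.
CORRECTED = [Ace("deny", "udp", dport=319), Ace("permit", "ip")]
# Original deny line moved to the top, still needing BOTH ports to be 319.
REORDERED_ONLY = [Ace("deny", "udp", sport=319, dport=319), Ace("permit", "ip")]

# Constructed sample traffic (hypothetical hosts, not from the thread).
PTP = Packet("udp", "10.0.0.1", "10.0.0.2", sport=50000, dport=319)
PTP_BOTH = Packet("udp", "10.0.0.1", "10.0.0.2", sport=319, dport=319)
DNS = Packet("udp", "10.0.0.1", "10.0.0.53", sport=40000, dport=53)
SSH = Packet("tcp", "10.0.0.1", "10.0.0.2", sport=40001, dport=22)
```

Calling evaluate(CORRECTED, PTP) returns "deny" while evaluate(ORIGINAL, PTP) returns "permit"; the model ignores wildcard masks and established/ICMP keywords, which the thread does not use.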