Troubleshooting interface traffic on port 120 using access-list mapped to interface

getaway51
Level 2

Hi,

I have a WAN interface Gi0/0.

May I know, if I wanted to check outgoing and incoming traffic on port 120, what the in/out config of an access-list mapped to the interface looks like? The objective is to prove that the router is forwarding traffic via port 120. I guess also to prove that the other side (202.155.0.0/17 or ANY) is not sending traffic over port 120 as well.

Traffic Output

Source is the WAN interface IP, or is an exact IP needed?
Destination is 202.155.0.0/17
Port is 120

Traffic Input

Source is 202.155.0.0/17 or ANY
Destination is Gi0/0, or is an exact IP needed?
Port is 120

Many thanks guys!

3 Replies

Giuseppe Larosa
Hall of Fame

Hello @getaway51 ,

In writing IP ACLs, even extended ones, we need to use IP addresses.

The second important aspect is that the port 120 has to follow the server side.

So if the traffic is originated from your GE IP address TCP port 120:

access-list 110 remark outgoing ACL
access-list 110 permit tcp host <Gi0/0-IP-address> eq 120 202.155.0.0 0.0.127.255
access-list 110 permit ip any any

access-list 111 remark inbound ACL
access-list 111 permit tcp 202.155.0.0 0.0.127.255 host <Gi0/0-IP-address> eq 120
access-list 111 permit ip any any

If the TCP server were in 202.155.0.0/17, the position of the eq 120 would be reversed (as noted above, it follows the server side).

You then apply the ACLs to your GE:

interface gi0/0
 ip access-group 110 out
 ip access-group 111 in

Hope to help

Giuseppe

 

Hi,

If unsure whether it is UDP or TCP, can we apply both UDP and TCP in the ACL like below?

access-list 111 remark inbound ACL
access-list 111 permit tcp 202.155.0.0 0.0.127.255 host <Gi0/0-IP-address> eq 120
access-list 111 permit udp 202.155.0.0 0.0.127.255 host <Gi0/0-IP-address> eq 120
access-list 111 permit ip any any

Thanks!!

Hello @getaway51 

Yes, you can: one line for TCP, one line for UDP, and the explicit permit any to avoid black-holing all other traffic.

Hope to help

Giuseppe
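As an added example (not code from this thread or from Cisco): a small Python helper that builds the outbound and inbound ACLs the two replies describe, with one TCP and one UDP line each and the explicit permit any, deriving the wildcard mask from the /17 prefix and placing `eq 120` on whichever side is the server. The WAN address 198.51.100.1 and the ACL numbers 110/111 are assumptions; 202.155.0.0/17 and port 120 come from the question.

```python
"""Generate the per-direction IOS extended ACL entries discussed above.

Constructed values: the Gi0/0 address 198.51.100.1 and ACL numbers 110/111
are placeholders chosen for this example.
"""
import ipaddress


def wildcard(prefix: str) -> str:
    """Turn a CIDR prefix into the 'network wildcard' form IOS ACLs expect.

    202.155.0.0/17 -> '202.155.0.0 0.0.127.255'; a /32 collapses to 'host x'.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask == wildcard mask


def build_acl(number: int, direction: str, local_ip: str, remote: str,
              port: int, server_is_local: bool,
              protocols=("tcp", "udp")) -> list[str]:
    """Return the ACEs for one direction of the interface.

    'out': packets leave Gi0/0, so source is local and destination is remote.
    'in' : packets arrive on Gi0/0, so source is remote and destination is local.
    The 'eq <port>' qualifier follows the server side regardless of direction.
    """
    local, remote_w = f"host {local_ip}", wildcard(remote)
    if direction == "out":
        src, dst, port_on_src = local, remote_w, server_is_local
    elif direction == "in":
        src, dst, port_on_src = remote_w, local, not server_is_local
    else:
        raise ValueError("direction must be 'in' or 'out'")
    src_q = f"{src} eq {port}" if port_on_src else src
    dst_q = dst if port_on_src else f"{dst} eq {port}"
    lines = [f"access-list {number} remark {direction}bound ACL, port {port} counter"]
    lines += [f"access-list {number} permit {proto} {src_q} {dst_q}" for proto in protocols]
    # Explicit permit-any so the ACL only counts and never black-holes other traffic.
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    for acl in (build_acl(110, "out", "198.51.100.1", "202.155.0.0/17", 120, True),
                build_acl(111, "in", "198.51.100.1", "202.155.0.0/17", 120, True)):
        print("\n".join(acl))
    print("! then apply: interface Gi0/0 / ip access-group 110 out / ip access-group 111 in")
```

Pass `server_is_local=False` to get the reversed placement Giuseppe mentions for a server inside 202.155.0.0/17; the hit counters in `show ip access-lists` on the per-port lines are then the evidence that traffic is or is not flowing.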

 
