Hi - in an extended TCP ACL - is there a way to permit or deny a range of port numbers in a single line? I know the port operators (gt, lt, eq, neq) - but they don't seem to accomplish this? Also - can someone recommend a good link for further info? Any help is greatly appreciated.
Yes there is a way to permit or deny a range of ports. There is now a range option in the configuration of extended access lists. Here is an example from one of our operational access lists which uses the range option:
access-list 121 deny tcp any range 0 65535 any range 0 65535 log-input
This particular example is used in part of our RFP check and specifies a very wide range. Most of the time you would want a more narrow range.
You can configure a range on the source port, on the destination port, or on both (as this example does).
It works well.
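To make the port-operator semantics concrete, here is a small Python model of how an extended TCP ACL entry is evaluated against a connection's source and destination ports. This is an added example, not code from the thread or from Cisco: it parses only the shape of the entry quoted above (`any` addresses, the operators `eq`, `neq`, `gt`, `lt` and `range`, and an optional `log`/`log-input`), treats `gt`/`lt` as strict and `range` as inclusive at both ends, and applies the implicit deny at the end of the list. The `permit` line in the sample list is constructed for illustration; the `deny ... range 0 65535` line is the one from the answer.

```python
"""Model of extended TCP ACL port operators (added example, not from the thread).

Assumptions: addresses are always 'any'; only the five IOS-style port operators
are understood; 'gt'/'lt' are strict and 'range lo hi' is inclusive.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Operator name -> number of port arguments it takes.
OPERATORS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def port_matcher(op: str, *args: int) -> Callable[[int], bool]:
    """Return a predicate implementing one port operator."""
    for a in args:
        if not 0 <= a <= 65535:
            raise ValueError(f"port {a} outside 0-65535")
    if op == "eq":
        return lambda p: p == args[0]
    if op == "neq":
        return lambda p: p != args[0]
    if op == "gt":                      # strictly greater than
        return lambda p: p > args[0]
    if op == "lt":                      # strictly less than
        return lambda p: p < args[0]
    if op == "range":                   # inclusive on both ends
        lo, hi = args
        if lo > hi:
            raise ValueError("range low end must not exceed high end")
        return lambda p: lo <= p <= hi
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class AclEntry:
    action: str                                   # 'permit' or 'deny'
    src_port: Optional[Callable[[int], bool]]     # None = any source port
    dst_port: Optional[Callable[[int], bool]]     # None = any destination port
    log: bool

    def matches(self, sport: int, dport: int) -> bool:
        return ((self.src_port is None or self.src_port(sport))
                and (self.dst_port is None or self.dst_port(dport)))


def parse_entry(line: str) -> AclEntry:
    """Parse 'access-list <n> <action> tcp any [op ...] any [op ...] [log]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError(f"not an extended TCP ACL entry: {line!r}")
    action = tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    i = 4

    def read_address_and_port() -> Optional[Callable[[int], bool]]:
        nonlocal i
        if tok[i] != "any":
            raise ValueError("this example only understands 'any' addresses")
        i += 1
        if i < len(tok) and tok[i] in OPERATORS:      # optional port operator
            op, n = tok[i], OPERATORS[tok[i]]
            args = [int(x) for x in tok[i + 1:i + 1 + n]]
            if len(args) != n:
                raise ValueError(f"operator {op!r} needs {n} port argument(s)")
            i += 1 + n
            return port_matcher(op, *args)
        return None

    src = read_address_and_port()
    dst = read_address_and_port()
    log = i < len(tok) and tok[i] in ("log", "log-input")
    return AclEntry(action, src, dst, log)


def evaluate(acl: List[AclEntry], sport: int, dport: int) -> str:
    """First-match evaluation with the implicit deny at the end of the list."""
    for entry in acl:
        if entry.matches(sport, dport):
            return entry.action
    return "deny"


# The entry quoted in the answer above: every source port to every destination port.
ENTRY_FROM_THREAD = "access-list 121 deny tcp any range 0 65535 any range 0 65535 log-input"

# Constructed sample list: permit ephemeral-source connections to 443, then the
# catch-all deny from the thread.
SAMPLE_ACL = [parse_entry(l) for l in (
    "access-list 121 permit tcp any gt 1023 any eq 443",
    ENTRY_FROM_THREAD,
)]

if __name__ == "__main__":
    for sport, dport in ((50000, 443), (1023, 443), (50000, 80)):
        print(f"src {sport:5d} -> dst {dport:3d}: {evaluate(SAMPLE_ACL, sport, dport)}")
```

Two details the model makes visible: `gt 1023` does not match port 1023 itself, so a source port of exactly 1023 falls through to the deny, and `range 0 65535` on both the source and destination side matches every TCP connection, which is why the answer calls it a very wide range.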