
Basic ACL question

jamesawoodward
Level 1

Hi - in an extended TCP ACL - is there a way to permit or deny a range of port numbers in a single line? I know the port operators (gt, lt, eq, neq) - but they don't seem to accomplish this? Also - can someone recommend a good link for further info? Any help is greatly appreciated.

Jim Woodward

Accepted Solution

Richard Burts
Hall of Fame

Jim

Yes there is a way to permit or deny a range of ports. There is now a range option in the configuration of extended access lists. Here is an example from one of our operational access lists which uses the range option:

access-list 121 deny tcp any range 0 65535 any range 0 65535 log-input

This particular example is used in part of our RFP check and specifies a very wide range. Most of the time you would want a more narrow range.

You can configure a range on the source port, on the destination port, or on both (as this example does).

It works well.

HTH

Rick

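The answer above shows one `range` line but does not spell out how the five port operators differ, which matters when you try to cover a port span with `gt`/`lt` instead of `range`. The following is an added example, not code from the thread or from Cisco: a small Python model of extended ACL matching (first match wins, implicit deny at the end, `gt`/`lt` strict, `range` inclusive on both ends). The ACL lines and addresses are constructed for the example; the last line is the one from the answer. `PORT_NAMES` is a deliberately small stand-in for the IOS port-name table and is an assumption, as is ignoring trailing keywords such as `log-input`.

```python
"""Added example: evaluator for Cisco-style extended TCP/UDP ACL lines, modelling
the port operators eq, neq, gt, lt and range. Not IOS code; a model of the
matching semantics written for this page."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

AddrPred = Callable[[ipaddress.IPv4Address], bool]
PortPred = Callable[[int], bool]

# IOS accepts well-known port names in place of numbers. Assumption: this is a
# small subset of the real IOS name table, enough for the sample ACL below.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda ip: ip == target), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    # Wildcard bits set to 1 are "don't care"; compare only the zero bits.
    care = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda ip: int(ip) & care == base & care), i + 2


def _parse_port(tokens, i):
    """Parse an optional port operator at tokens[i]; no operator means any port."""
    op = tokens[i] if i < len(tokens) else None
    if op == "eq":
        v = _port(tokens[i + 1]); return (lambda p: p == v), i + 2
    if op == "neq":
        v = _port(tokens[i + 1]); return (lambda p: p != v), i + 2
    if op == "gt":  # strictly greater: "gt 1023" starts at 1024
        v = _port(tokens[i + 1]); return (lambda p: p > v), i + 2
    if op == "lt":  # strictly less: "lt 1024" ends at 1023
        v = _port(tokens[i + 1]); return (lambda p: p < v), i + 2
    if op == "range":  # both bounds inclusive
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i


@dataclass
class Entry:
    action: str
    proto: str
    src: AddrPred
    sport: PortPred
    dst: AddrPred
    dport: PortPred
    text: str


def parse_entry(line: str) -> Entry:
    """access-list NUM {permit|deny} PROTO SRC [op] DST [op] [log|log-input ...]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)  # trailing keywords such as log-input are ignored
    return Entry(t[2], t[3], src, sport, dst, dport, line)


def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First matching entry wins; every ACL ends with an implicit deny of everything."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if e.proto in (proto, "ip") and e.src(s) and e.sport(sport) and e.dst(d) and e.dport(dport):
            return e.action, e.text
    return "deny", None


def dst_port_set(entry: Entry) -> set:
    """Every destination port (0..65535) an entry's port operator accepts."""
    return {p for p in range(65536) if entry.dport(p)}


# Constructed sample ACL. The gt/lt pair deliberately leaves port 1024 uncovered so
# it falls through to the answer's "range 0 65535" line, which matches every port.
SAMPLE_ACL = [parse_entry(line) for line in [
    "access-list 121 permit tcp any host 10.0.0.5 eq ssh",
    "access-list 121 permit tcp any 10.0.0.0 0.0.0.255 range 8000 8080",
    "access-list 121 deny tcp any any gt 1024 log",
    "access-list 121 permit tcp any any lt 1024",
    "access-list 121 deny tcp any range 0 65535 any range 0 65535 log-input",
]]

if __name__ == "__main__":
    for dport in (22, 8080, 8081, 80, 1024):
        print(dport, evaluate(SAMPLE_ACL, "tcp", "192.0.2.10", 40000, "10.0.0.7", dport))
```

Running it shows the point of the thread: `range 8000 8080` admits 8080 itself, while `gt 1024` and `lt 1024` together leave exactly one port (1024) to fall through to the catch-all `range 0 65535` line. When a contiguous span is what you mean, a single `range` line is both shorter and harder to get off by one.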

3 Replies


Thank you very much!!

Jim

Jim

I am glad that my answer was helpful in resolving your question. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read a response which did resolve the question.

The forum is an excellent place to learn more about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
