Extended ACL

Unanswered Question
Aug 23rd, 2009

I am facing an issue with an ACL. Actually, one of my customers reported an issue that he is able to configure an extended ACL with multiple port numbers in a single ACL, but when the same is configured on a 6509 it does not take it. My query is whether it is possible to configure the ACL with multiple port numbers in a single entry. I have tried also but was not able to do the same. I send the example of the ACL:

ip access-list 100 permit tcp any any eq 80 20 21

Please help me out with this issue.


Himanshu Dobriyal

Giuseppe Larosa Mon, 08/24/2009 - 00:28

Hello Himanshu,

you need to use the range keyword as in:

access-list 177 permit tcp any any range ?

to specify a range of tcp ports


access-list 177 permit tcp any any range 100 200

Hope to help


vaibhav-g Mon, 08/24/2009 - 00:41

Thanks for the reply; however, the same ACL can be configured with the eq keyword on a 3745 router, and they want to configure the ACL the same way on the 6509. Is there any way to configure the same?

Giuseppe Larosa Mon, 08/24/2009 - 01:02

Hello Himanshu,

as far as I know the correct way is to use the range keyword on all platforms.

Try to explain this to your customer.

Hope to help


cameron.moody Mon, 08/24/2009 - 01:56

I may be wrong but from memory I think I have come across similar issues in the past.

Instead of doing "access-list 177 permit tcp any any range 100 200" you may need to do:

ip access-list 177

then you drop into Router(config-ext-nacl)# mode and from there you can do the ranges.

Note "ip access-list" rather than just access-list


router(config)# ip access-list 177

router(config-ext-nacl)#permit tcp any any range 100 200

Forgive me if my memory serves me wrong though!


Giuseppe Larosa Mon, 08/24/2009 - 09:33

Hello Cameron,

what you suggest is a named ACL (config-ext-nacl) with the name 177; I meant a numeric extended access-list.

This could explain the different options to express a range of ports.

Also, as Joseph has noted, there are big differences between a multilayer switch like the 6500 and a software-based router like the C3745.

Sometimes customers ask for or look at aspects that have no real technical meaning.

I admit that if the syntax is the same it is easier to read and compare configurations, but until network assessments are made by slow but flexible human beings these differences can be acceptable.

Hope to help


Joseph W. Doherty Mon, 08/24/2009 - 03:11

In your original post you mention a 6509 and in a later post a 3745. Since these do not run exactly the same IOS, the issue might be as simple as that. I.e. supported syntax for an extended ACL might be slightly different.

vaibhav-g Tue, 08/25/2009 - 19:57

Hi Joseph,

Thanks for the reply, but my concern is: is it possible to configure the ACL in such a pattern without considering the platform?

Joseph W. Doherty Wed, 08/26/2009 - 02:52

I understand your concern, but with different IOSs, I suspect there's no guarantee that all syntax will be exactly the same. However, in some cases you might be able to use a common syntax. For instance, if the two platforms don't share exactly the same multiport ACL syntax, then they might be able to share ACL syntax for mapping individual ports. I.e. you trade off a more advanced syntax, available on one platform, for syntax that can be used by both platforms. (I've done this myself while in a transition from one IOS version to a newer version, even on the same platform, to avoid supporting two different syntax versions for about the same function.)
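The trade-off Joseph describes (one ACE per port, using only syntax every platform accepts, instead of the multi-port `eq 80 20 21` form) can be done mechanically. The following Python script is an added example written for this page; it is not code from the thread or from Cisco. It expands every `eq` list in an ACE into one ACE per port while keeping the original ordering, so first-match semantics are unchanged, and it also reports how many extra ports Giuseppe's `range` suggestion would open, since `range` matches a contiguous interval and is only equivalent to an `eq` list when the ports are adjacent. The keyword set, the service-name table and `SAMPLE_ACL` are constructed for the example and cover only the ACE shapes seen in this thread.

```python
import re
from itertools import product
from typing import List

# Tokens that may follow a port operator but are not port values.
# Constructed subset of IOS ACL keywords, enough for the ACEs in this thread.
NOT_A_PORT = {
    "any", "host", "eq", "neq", "gt", "lt", "range",
    "established", "log", "log-input", "fragments",
}

# A few well-known IOS service names and their numbers (constructed table,
# used only to compare an "eq" port list against a contiguous range).
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
                 "domain": 53, "www": 80, "pop3": 110}

# Constructed sample ACL in the style of the original post.
SAMPLE_ACL = [
    "access-list 100 permit tcp any any eq 80 20 21",
    "access-list 100 permit tcp any eq ftp-data ftp host 10.0.0.5 eq www 443",
    "access-list 100 permit tcp any any range 100 200",
    "access-list 100 deny ip any any log",
]


def is_port_token(tok: str) -> bool:
    """True for a numeric port or an IOS-style service name (e.g. www, ftp-data)."""
    if tok.isdigit():
        return 0 <= int(tok) <= 65535
    return tok not in NOT_A_PORT and re.fullmatch(r"[a-z][a-z0-9-]*", tok) is not None


def expand_multiport_ace(ace: str) -> List[str]:
    """Rewrite one ACE so that every 'eq' carries exactly one port.

    'eq p1 p2 p3' means "any of these ports", so it equals several ACEs with
    the same action, one per port. Source-port and destination-port lists are
    both expanded (Cartesian product). 'neq' lists are left untouched: 'neq p1 p2'
    means "none of these", which a per-port split would not preserve.
    """
    tokens = ace.split()
    slots: List[List[str]] = []   # each slot holds the alternatives for one position
    i = 0
    while i < len(tokens):
        if tokens[i] == "eq":
            ports = []
            j = i + 1
            while j < len(tokens) and is_port_token(tokens[j]):
                ports.append(tokens[j])
                j += 1
            if not ports:
                raise ValueError(f"'eq' without a port in: {ace!r}")
            slots.append([f"eq {p}" for p in ports])
            i = j
        else:
            slots.append([tokens[i]])
            i += 1
    return [" ".join(choice) for choice in product(*slots)]


def expand_acl(acl: List[str]) -> List[str]:
    """Expand every ACE in order; the relative order (first match wins) is preserved."""
    out: List[str] = []
    for ace in acl:
        out.extend(expand_multiport_ace(ace))
    return out


def ports_added_by_range(ports: List[str]) -> int:
    """Extra ports 'range <min> <max>' would match compared with the 'eq' list.

    A non-zero result means 'range' is not a drop-in substitute for the list.
    """
    nums = {int(p) if p.isdigit() else SERVICE_PORTS[p] for p in ports}
    return (max(nums) - min(nums) + 1) - len(nums)


if __name__ == "__main__":
    for line in expand_acl(SAMPLE_ACL):
        print(line)
    print("extra ports a range would open for 80/20/21:",
          ports_added_by_range(["80", "20", "21"]))
```

The expanded list is longer (three ACEs instead of one for the original poster's `eq 80 20 21`), which is the price of portability; the `ports_added_by_range` check makes the other shortcut visible: rewriting `eq 80 20 21` as `range 20 80` would permit 58 ports the customer never asked for.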

