Mike,

Thanks, but not quite what I had in mind.  I need to block individual ports not a range.  I'm trying to see if I can get away without doing a line for each port.

I did some more reasearch and I think the answer is to use the command sequence

config t

ip address-list extended [name]

deny tcp any any eq 23 79 509 3888

end

I would like to know if anyone has tried this and if it did or did not work

Thanks

Manny

PK,

Thanks, I'll give it a shot.

Manny

A couple of follow-on questions about access lists.

1. When using the ACCESS-LIST EXTENDED command to permit or deny noncontiguous ports, may I use an access-list-number from the appropriate range, or must I use an alpha-numeric address-list-name?

2. I must permit and deny both IPV4 and IPV6 services.  How do I do that if I can only use one access list per direction per port?  The on-line documentation appears to say that I need a separate ipv6 access-list and ipv6 access-class.

Thanks in advance for any help you can provide.

Manny

Thanks.

Another follow-on, since I have one chance to get this right.

I assume that using the access-class [name] in and ipv6 access-class [name] in commands on an interface that both will be checked.  Is this correct?

For example

interface serial 0/0

access-class [name] in

ipv6 access-class [name] in

! or

ipv6 traffic-filter [name] in

I'm assuming I can't use both. 

Is search order, i.e ipv4 - ipv6 or the inverse preferable?

Thanks in advance.

Manny

It is not the order. It is the packet rather.

If the packet hitting the interface is ipv6 that will be routed based on ipv6 it will be subject to the ipv6 ACL, the ipv4 if it is an ipv4 packet.

Rgs,

PK