Cisco Support Community
New Member

Filtering noncontiguous ports.

I have a need to block a large number of noncontiguous TCP and UDP ports for all hosts on the inbound side. An example I saw in O'Reilly says that I can do this with one command line, i.e. "access-list 111 deny tcp any any eq 23 79 509 3888". I'm running 12.4(24)T4. Will this actually work?

9 REPLIES
Cisco Employee

Re: Filtering noncontiguous ports.

Hello Manuel,

Thanks a lot for posting. Yes, that will work; it is just permitting the traffic using a range of ports. The only thing is that it will use the range keyword, and they will be two different ACEs:

access-list 111 deny tcp any any range 23 79

access-list 111 deny tcp any any range 509 3888

Hope it helps

Mike

New Member

Re: Filtering noncontiguous ports.

Mike,

Thanks, but not quite what I had in mind. I need to block individual ports, not a range. I'm trying to see if I can get away without doing a line for each port.

I did some more research and I think the answer is to use the command sequence

config t

ip access-list extended [name]

deny tcp any any eq 23 79 509 3888

end

I would like to know if anyone has tried this and if it did or did not work

Thanks

Manny

Cisco Employee

Re: Filtering noncontiguous ports.

That is going to work fine.

An alternative would be to use an object group that had all the ports you want.

I hope it helps.

PK

New Member

Re: Filtering noncontiguous ports.

PK,

Thanks, I'll give it a shot.

Manny

Cisco Employee

Re: Filtering noncontiguous ports.

If it works, please mark the question as answered for future users to benefit.

Regards,

PK

New Member

Re: Filtering noncontiguous ports.

A couple of follow-on questions about access lists.

1. When using the ACCESS-LIST EXTENDED command to permit or deny noncontiguous ports, may I use an access-list-number from the appropriate range, or must I use an alphanumeric access-list-name?

2. I must permit and deny both IPv4 and IPv6 services. How do I do that if I can only use one access list per direction per port? The online documentation appears to say that I need a separate ipv6 access-list and ipv6 access-class.

Thanks in advance for any help you can provide.

Manny

Cisco Employee

Re: Filtering noncontiguous ports.

1. You can do either.

ip access-list extended

  permit tcp ...

or

access-list 101 permit tcp ....

2. You indeed need separate IPv6 and IPv4 ACLs. Both are applied on the interface. The syntax for IPv6 changes a little, but it is mostly the same with "ipv6" in front of the command. If the router doesn't have IPv6 routing enabled, don't even worry about IPv6, as it is not going to route it.

I hope it helps.

PK

New Member

Re: Filtering noncontiguous ports.

Thanks.

Another follow-on, since I have one chance to get this right.

I assume that when using the access-class [name] in and ipv6 access-class [name] in commands on an interface, both will be checked. Is this correct?

For example

interface serial 0/0

access-class [name] in

ipv6 access-class [name] in

! or

ipv6 traffic-filter [name] in

I'm assuming I can't use both.

Is a search order, i.e. IPv4 - IPv6 or the inverse, preferable?

Thanks in advance.

Manny

Cisco Employee

Re: Filtering noncontiguous ports.

It is not the order; it is the packet, rather.

If the packet hitting the interface is IPv6 and will be routed based on IPv6, it will be subject to the IPv6 ACL; the IPv4 ACL applies if it is an IPv4 packet.

Rgs,

PK
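The following is an added worked example, not code from the thread or from Cisco, covering both the accepted answer (several ports after one "eq" in an extended ACL) and the closing IPv4/IPv6 exchange. It generates the IPv4 and IPv6 lists for a constructed port set, applies them inbound on an interface, and parses the result back to confirm that exactly the intended ports are blocked. Assumptions: IOS extended ACLs take at most ten ports per "eq" or "neq" (the documented ceiling for this feature), so longer lists are split across ACEs; the IPv6 list is written one port per ACE, because multi-port "eq" inside an IPv6 ACL is not something this script relies on; the ACL names, the interface name, and the port lists beyond the four in the question are hypothetical. Two practitioner caveats are built in: the lists end in an explicit "permit", since an ACL that only contains deny statements drops everything else through the implicit deny, and the interface commands are "ip access-group" and "ipv6 traffic-filter", whereas "access-class" and "ipv6 access-class" belong under "line vty", not under an interface.

```python
"""Generate and sanity-check Cisco IOS ACLs that deny a set of noncontiguous
TCP/UDP ports for every host, inbound, in both IPv4 and IPv6 form."""

from typing import Dict, Iterable, List, Set

# IOS extended ACLs accept several port numbers after one 'eq' or 'neq'
# operator (the noncontiguous-ports feature); the documented ceiling is ten
# ports per ACE, which this generator assumes.
MAX_PORTS_PER_EQ = 10

# Constructed sample input: the four ports from the thread plus enough extra
# ones to force the TCP list across two ACEs.
TCP_PORTS = [23, 79, 509, 3888, 111, 135, 139, 445, 512, 513, 514, 515]
UDP_PORTS = [69, 111, 161, 162, 1434]


def _chunks(ports: Iterable[int], size: int) -> List[List[int]]:
    """Sorted, de-duplicated port list split into groups of at most 'size'."""
    ordered = sorted(set(ports))
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]


def ipv4_acl(name: str, tcp: Iterable[int], udp: Iterable[int]) -> List[str]:
    """Named extended IPv4 ACL, one ACE per group of up to ten ports."""
    lines = [f"ip access-list extended {name}"]
    for proto, ports in (("tcp", tcp), ("udp", udp)):
        for group in _chunks(ports, MAX_PORTS_PER_EQ):
            lines.append(f" deny {proto} any any eq {' '.join(map(str, group))}")
    # Without this line the implicit deny at the end would drop all other
    # traffic, not just the listed ports.
    lines.append(" permit ip any any")
    return lines


def ipv6_acl(name: str, tcp: Iterable[int], udp: Iterable[int]) -> List[str]:
    """IPv6 ACL for the same ports, written one port per ACE (assumption:
    that form is accepted everywhere; multi-port 'eq' in IPv6 ACLs is not
    relied on here)."""
    lines = [f"ipv6 access-list {name}"]
    for proto, ports in (("tcp", tcp), ("udp", udp)):
        for port in sorted(set(ports)):
            lines.append(f" deny {proto} any any eq {port}")
    lines.append(" permit ipv6 any any")
    return lines


def interface_stanza(ifname: str, v4_name: str, v6_name: str) -> List[str]:
    """Apply both lists inbound on one interface. 'ip access-group' and
    'ipv6 traffic-filter' are the interface commands; 'access-class' and
    'ipv6 access-class' belong under 'line vty', not under an interface."""
    return [
        f"interface {ifname}",
        f" ip access-group {v4_name} in",
        f" ipv6 traffic-filter {v6_name} in",
    ]


def denied_ports(acl_lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Read 'deny tcp|udp any any eq ...' and '... range A B' ACEs back out of
    an ACL and return the set of ports each protocol actually blocks."""
    denied: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    for line in acl_lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "deny" or tok[1] not in denied:
            continue
        if tok[4] == "eq":
            denied[tok[1]].update(int(p) for p in tok[5:])
        elif tok[4] == "range" and len(tok) >= 7:
            denied[tok[1]].update(range(int(tok[5]), int(tok[6]) + 1))
    return denied


def verify(acl_lines: Iterable[str], tcp: Iterable[int], udp: Iterable[int]) -> bool:
    """True only if the ACL blocks exactly the intended ports, no more, no less."""
    return denied_ports(acl_lines) == {"tcp": set(tcp), "udp": set(udp)}


def build_config(ifname: str = "Serial0/0") -> List[str]:
    """Full configuration fragment for the constructed port lists (hypothetical names)."""
    v4 = ipv4_acl("BLOCK-V4-IN", TCP_PORTS, UDP_PORTS)
    v6 = ipv6_acl("BLOCK-V6-IN", TCP_PORTS, UDP_PORTS)
    assert verify(v4, TCP_PORTS, UDP_PORTS) and verify(v6, TCP_PORTS, UDP_PORTS)
    return v4 + ["!"] + v6 + ["!"] + interface_stanza(ifname, "BLOCK-V4-IN", "BLOCK-V6-IN")


if __name__ == "__main__":
    print("\n".join(build_config()))
    # A range-based rewrite of the same four ports covers far more than intended:
    ranged = ["deny tcp any any range 23 79", "deny tcp any any range 509 3888"]
    print(len(denied_ports(ranged)["tcp"]), "ports blocked vs 4 intended")
```

Run it and paste the printed fragment into configuration mode; the "deny tcp any any eq 23 79 509 3888" line the question asks about comes out unchanged when the port list has ten or fewer entries. Because the parser also understands "range" ACEs, verify() can be pointed at an existing list to check what it really covers: the two range lines in the first reply block 3437 TCP ports rather than the four the question names. The object-group alternative mentioned in the accepted answer is not generated here.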
