
New Member

ACL syntax question

Hi,

I have a simple question about building extended ACLs. If I want to match on more than one non-contiguous port, can I just list them out in the ACL? For example, if I wanted to match on ports 80, 443 and 22, can I do it like this:

ip access-list extended Test

permit tcp any host 10.10.10.1 eq 80 443 22

And if I can do that, what's the limit on how many individual ports I can include? And does it match any or all? I'm guessing it will match on any of them.

Thanks.

4 REPLIES
Hall of Fame Super Silver

Re: ACL syntax question

Hello Venison,

the eq port operator supports a single value so you need multiple statements to match on multiple TCP ports. The range operator allows for an interval but it would permit all values in range.

"Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

>> The range operator requires two port numbers. All other operators require one port number."

see

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C

Hope to help

Giuseppe

New Member

ACL syntax question

Hi Giuseppe,

Thanks for the reply. But if the eq operator only allows a single port number, why does it allow me to enter multiple port numbers? For example, see the output below. I created this on an operational router. It allowed me to enter two discontiguous port numbers:

router(config)#ip access-list extended Test

router(config-ext-nacl)#permit tcp any host 10.10.10.1 eq 443 7001

!

router#sh ip access-lists Test

Extended IP access list Test

    10 permit tcp any host 10.10.10.1 eq 443 7001

Any ideas?

Thanks.

ACL syntax question (Accepted Solution)

Venison,

It allows you to open ports to that host, but not the whole range. It's the equivalent of an OR operation and lets you consolidate your ACLs.

permit tcp any host 10.10.10.1 eq 443 7001

Same as:

permit tcp any host 10.10.10.1 eq 443

permit tcp any host 10.10.10.1 eq 7001

HTH,

John

HTH, John *** Please rate all useful posts ***
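To make the two answers above concrete, here is an added example (not code from the thread or from Cisco) that models the ACL semantics they describe in Python: it parses entries in the "show ip access-lists" format, treats several operands after eq as a logical OR (John's point), treats range as an inclusive interval that permits every port in between (Giuseppe's caveat), evaluates a flow with first-match-wins and the implicit deny at the end, and expands a multi-port eq entry into the equivalent single-port entries. The ACL text is constructed for the example; only entry 10 comes from the question.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed sample in "show ip access-lists" format. Entry 10 is the one from
# the thread; 20 and 30 are added to show range and an explicit deny.
ACL_TEXT = """\
Extended IP access list Test
    10 permit tcp any host 10.10.10.1 eq 443 7001
    20 permit tcp any host 10.10.10.1 range 8000 8010
    30 deny tcp any host 10.10.10.1 eq 22
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_op: Optional[str]
    src_ports: List[int]
    dst: ipaddress.IPv4Network
    dst_op: Optional[str]
    dst_ports: List[int]

def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is an inverted netmask: 0 bits must match.
    mask = ".".join(str(255 - int(o)) for o in t[i + 1].split("."))
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def _parse_port_op(t, i):
    """Consume an optional port operator plus every numeric operand after it."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return None, [], i
    op, i, ports = t[i], i + 1, []
    while i < len(t) and t[i].isdigit():
        ports.append(int(t[i]))
        i += 1
    return op, ports, i

def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _parse_addr(t, 3)
    src_op, src_ports, i = _parse_port_op(t, i)  # operator after source = source port
    dst, i = _parse_addr(t, i)
    dst_op, dst_ports, i = _parse_port_op(t, i)  # operator after destination = dest port
    return Ace(int(t[0]), t[1], t[2], src, src_op, src_ports, dst, dst_op, dst_ports)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()[:1].isdigit()]

def _port_matches(op, ports, port):
    if op is None:
        return True
    if op == "eq":
        return port in ports  # several operands: match ANY of them (logical OR)
    if op == "neq":
        return port not in ports
    if op == "lt":
        return port < ports[0]
    if op == "gt":
        return port > ports[0]
    return ports[0] <= port <= ports[1]  # range: inclusive, every port in between

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if ipaddress.ip_address(src_ip) not in ace.src:
            continue
        if ipaddress.ip_address(dst_ip) not in ace.dst:
            continue
        if not _port_matches(ace.src_op, ace.src_ports, sport):
            continue
        if not _port_matches(ace.dst_op, ace.dst_ports, dport):
            continue
        return ace.action, ace.seq
    return "deny", None

def expand(ace: Ace) -> List[Ace]:
    """Rewrite 'eq a b' as the equivalent single-port entries, one per operand."""
    if ace.dst_op == "eq" and len(ace.dst_ports) > 1:
        return [replace(ace, dst_ports=[p]) for p in ace.dst_ports]
    return [ace]

def _fmt_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def render(ace: Ace) -> str:
    parts = [str(ace.seq), ace.action, ace.proto, _fmt_addr(ace.src)]
    if ace.src_op:
        parts += [ace.src_op, *map(str, ace.src_ports)]
    parts.append(_fmt_addr(ace.dst))
    if ace.dst_op:
        parts += [ace.dst_op, *map(str, ace.dst_ports)]
    return " ".join(parts)

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for ace in acl:
        for single in expand(ace):
            print(render(single))
    print(evaluate(acl, "tcp", "192.0.2.7", 40000, "10.10.10.1", 7001))
```

Running it prints entry 10 as two single-port lines, exactly the pair John gives, and shows that a flow to port 7001 or 443 is permitted by entry 10 while a flow to port 80 falls through to the implicit deny. Comparing the original and expanded lists with evaluate() is a quick way to confirm that consolidating ports under one eq does not widen what the ACL permits, which is the review check worth doing before pushing a consolidated ACL to production.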
New Member

ACL syntax question

Excellent! That's exactly what I needed it for.

Thanks very much.

566 Views, 0 Helpful, 4 Replies