
New Member

Extended ACL

I am facing an issue with an ACL. Actually, one of my customers reported an issue: he is able to configure an extended ACL with multiple port numbers in a single ACL entry, but when the same is configured on a 6509 it is not accepted. My query is whether it is possible to configure the ACL with multiple port numbers in a single entry. I have tried it also but am not able to do the same. I am sending the example of the ACL:

ip access-list 100 permit tcp any any eq 80 20 21

Please help me out with this issue.

Regards,

Himanshu Dobriyal

8 REPLIES
Hall of Fame Super Silver

Re: Extended ACL

Hello Himanshu,

you need to use the range keyword as in:

access-list 177 permit tcp any any range ?

to specify a range of tcp ports

like

access-list 177 permit tcp any any range 100 200

Hope to help

Giuseppe

New Member

Re: Extended ACL

Thanks for the reply; however, the same ACL can be configured with the eq keyword on a 3745 router, and they want to configure the ACL the same way on the 6509. Is there any way to configure the same?

Hall of Fame Super Silver

Re: Extended ACL

Hello Himanshu,

as far as I know the correct way is to use the range keyword on all platforms.

Try to explain this to your customer.

Hope to help

Giuseppe

New Member

Re: Extended ACL

I may be wrong but from memory I think I have come across similar issues in the past.

Instead of doing "access-list 177 permit tcp any any range 100 200" you may need to do:

ip access-list 177

then you drop into Router(config-ext-nacl)# mode and from there you can do the ranges.

Note "ip access-list" rather than just access-list

i.e.

router(config)# ip access-list 177

router(config-ext-nacl)#permit tcp any any range 100 200

Forgive me if my memory serves me wrong though !

Cameron

Hall of Fame Super Silver

Re: Extended ACL

Hello Cameron,

what you suggest is a named ACL (config-ext-nacl) with the name 177; I meant a numbered extended access-list.

This could explain the different options to express a range of ports.

Also as Joseph has noted there are big differences between a multilayer switch like 6500 and a software based router like C3745.

Sometimes customers ask about or look at aspects that have no real technical meaning.

I admit that if the syntax is the same it is easier to read and compare configurations, but until network assessments are made by slow but flexible human beings these differences can be acceptable.

Hope to help

Giuseppe

Super Bronze

Re: Extended ACL

In your original post you mention a 6509 and in a later post a 3745. Since these do not run exactly the same IOS, the issue might be as simple as that. I.e. supported syntax for an extended ACL might be slightly different.

New Member

Re: Extended ACL

Hi Joseph,

Thanks for the reply, but my concern is: is it possible to configure the ACL in such a pattern without considering the platform?

Super Bronze

Re: Extended ACL

I understand your concern, but with different IOSs, I suspect there's no guarantee that all syntax will be exactly the same. However, in some cases you might be able to use a common syntax. For instance, if the two platforms don't share exactly the same multiport ACL syntax, then they might be able to share ACL syntax for mapping individual ports. I.e. you trade off a more advanced syntax, available on one platform, for syntax that can be used by both platforms. (I've done this myself while in a transition from one IOS version to a newer version, even on the same platform, to avoid supporting two different syntax versions for about the same function.)
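One way to do the port-by-port rewrite Joseph describes, as an added example that is not from any poster in this thread or from Cisco: it takes numbered extended ACEs of the assumed form `access-list <n> permit|deny <proto> <src> <dst> eq p1 p2 ...` and splits every multi-port `eq` into one ACE per port, which is the syntax both platforms accept. The sample ACL lines are constructed for the example.

```python
"""Expand multi-port 'eq' entries in Cisco IOS numbered extended ACLs
into one ACE per port, so the same ACL applies on platforms that only
accept a single port after 'eq'. (Illustrative helper, not Cisco code.)"""
from typing import List

# Constructed sample ACL; not taken from any real device
SAMPLE_ACL = [
    "access-list 100 permit tcp any any eq 80 20 21",
    "access-list 100 permit tcp any any range 100 200",
    "access-list 100 permit tcp any host 192.0.2.5 eq 443 log",
    "access-list 100 deny ip any any",
]

# Tokens that can follow a port list but are never port values themselves
RESERVED = {"any", "host", "log", "log-input", "established",
            "eq", "neq", "gt", "lt", "range"}


def is_port(tok: str) -> bool:
    """Numeric ports and IOS port names (www, ftp-data, ...) count as ports;
    addresses, wildcard masks and keywords do not."""
    return tok.isdigit() or (tok not in RESERVED and not tok[0].isdigit())


def expand_multiport_eq(ace: str) -> List[str]:
    """Return the ACE unchanged, or one ACE per port when any 'eq'
    (source or destination) carries more than one port."""
    tokens = ace.split()
    for i, tok in enumerate(tokens):
        if tok != "eq":
            continue
        j = i + 1
        while j < len(tokens) and is_port(tokens[j]):
            j += 1
        ports = tokens[i + 1:j]
        if len(ports) > 1:
            expanded = []
            for port in ports:
                # Rebuild with a single port, then recurse for any later 'eq'
                rebuilt = " ".join(tokens[:i + 1] + [port] + tokens[j:])
                expanded.extend(expand_multiport_eq(rebuilt))
            return expanded
    return [ace]


def normalize_acl(lines: List[str]) -> List[str]:
    """Apply the expansion to every ACE, preserving order and hit precedence."""
    out: List[str] = []
    for line in lines:
        out.extend(expand_multiport_eq(line.strip()))
    return out
```

Order is preserved, so the first-match semantics of the ACL do not change; `range` entries and trailing options such as `log` are carried through untouched.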
