Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco 6500 ACL blocking port 0

Hi,

I am creating ACL on my Cisco 6500 Sup720-3BXL and some of entries are to block traffic sourced from tcp/udp port 0.

Anyway when I add these entries in ACL I can't see that port 0 has been specified in TCAM ACL.

ACL:

101 deny tcp any eq 0 any 
102 deny udp any eq 0 any

TCAM ACL:

 deny   tcp any any
 deny   udp any any

 

Does this mean that with these two entries I am actually blocking all the traffic as I can't see port 0 specified in TCAM ACL or?

 

Thanks in advance!

Regards

Salja

 

 

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi Salja, You wont see port

Hi Salja,

 

You wont see port details in output of command "show tcam interface <interface> acl in ip" but if you add keyword detail in last then it shows port details as well

 

For example

 

R1_7606A#show ip access-lists TEST
Extended IP access list TEST
    100 permit ip host 100.100.100.100 host 200.200.200.200
    101 deny tcp host 1.1.1.1 eq 0 host 2.2.2.2 eq 0
    102 deny udp any eq 0 any eq 0
    103 permit ip any any (169 matches)
R1_7606A#

 

R1_7606A#show tcam inter GigabitEthernet4/0/0 acl in ip 

* Global Defaults shared


Entries from Bank 0

    permit       ip host 100.100.100.100 host 200.200.200.200
    deny         tcp host 1.1.1.1 host 2.2.2.2
    deny         udp any any
    permit       ip any any

Entries from Bank 1

    punt         icmp any any eq 11
    permit       ip any any

R1_7606A#

 

R1_7606A#show tcam inter GigabitEthernet4/0/0 acl in ip detail

.

.--output omitted--

.

+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
|T|Index|  Dest Ip Addr | Source Ip Addr|     DPort     |     SPort     | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
 V 17800 200.200.200.200 100.100.100.100       P=0             P=0        ------   0 ---- 0   0 -- C-- 0-0   
 M 17801 255.255.255.255 255.255.255.255         0               0        ------   0 ---- 0   0              
 R rslt: PERMIT_RESULT                 rtr_rslt: PERMIT_RESULT                       hit_cnt=0   

 V 17809         2.2.2.2         1.1.1.1       P=0             P=0        ------   6 ---- 0   0 -- C-- 0-0   <<< src/dst ip/port details
 M 17810 255.255.255.255 255.255.255.255         65535           65535    ------ 255 --X- 0   0              <<< mask for src/dst ip/port
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)                  hit_cnt=0   

 V 17818         0.0.0.0         0.0.0.0       P=0             P=0        ------  17 ---- 0   0 -- C-- 0-0   
 M 17819         0.0.0.0         0.0.0.0         65535           65535    ------ 255 --X- 0   0              
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)                  hit_cnt=0   

 

-- Pls dont forget to rate helpful posts--

Regards,

Akash

3 REPLIES
Cisco Employee

Port 0 is reserved and should

Port 0 is reserved and should not be used for communication. Seems ACL is trying to prevent someone from sending traffic from/to port 0. A quick google seems to imply that if you specify port 0 in a socket a dynamic port will be chosen.

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

 

I am able to see on my device;

C6K1(config)#access-list 102 deny udp any eq 0 any

C6K1(config)#do sh ip access-list 102
Extended IP access list 102
    10 deny udp any eq 0 any>>. 0 displayed.

 

HTH

Regards

Inayath

 

Cisco Employee

Hi Salja, You wont see port

Hi Salja,

 

You wont see port details in output of command "show tcam interface <interface> acl in ip" but if you add keyword detail in last then it shows port details as well

 

For example

 

R1_7606A#show ip access-lists TEST
Extended IP access list TEST
    100 permit ip host 100.100.100.100 host 200.200.200.200
    101 deny tcp host 1.1.1.1 eq 0 host 2.2.2.2 eq 0
    102 deny udp any eq 0 any eq 0
    103 permit ip any any (169 matches)
R1_7606A#

 

R1_7606A#show tcam inter GigabitEthernet4/0/0 acl in ip 

* Global Defaults shared


Entries from Bank 0

    permit       ip host 100.100.100.100 host 200.200.200.200
    deny         tcp host 1.1.1.1 host 2.2.2.2
    deny         udp any any
    permit       ip any any

Entries from Bank 1

    punt         icmp any any eq 11
    permit       ip any any

R1_7606A#

 

R1_7606A#show tcam inter GigabitEthernet4/0/0 acl in ip detail

.

.--output omitted--

.

+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
|T|Index|  Dest Ip Addr | Source Ip Addr|     DPort     |     SPort     | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
 V 17800 200.200.200.200 100.100.100.100       P=0             P=0        ------   0 ---- 0   0 -- C-- 0-0   
 M 17801 255.255.255.255 255.255.255.255         0               0        ------   0 ---- 0   0              
 R rslt: PERMIT_RESULT                 rtr_rslt: PERMIT_RESULT                       hit_cnt=0   

 V 17809         2.2.2.2         1.1.1.1       P=0             P=0        ------   6 ---- 0   0 -- C-- 0-0   <<< src/dst ip/port details
 M 17810 255.255.255.255 255.255.255.255         65535           65535    ------ 255 --X- 0   0              <<< mask for src/dst ip/port
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)                  hit_cnt=0   

 V 17818         0.0.0.0         0.0.0.0       P=0             P=0        ------  17 ---- 0   0 -- C-- 0-0   
 M 17819         0.0.0.0         0.0.0.0         65535           65535    ------ 255 --X- 0   0              
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)                  hit_cnt=0   

 

-- Pls dont forget to rate helpful posts--

Regards,

Akash

New Member

Hi,thanks for your answers

Hi,

thanks for your answers.

Well the idea was to protect the network from DDoS attack which was sourced from port 0.

After some further analyzing it turned out that the problem was because of fragmented packets as non-initial fragments have no L4(port) information and have ports 0 instead of right ports.

After blocking fragments the attack was blocked successfully but now I have fragments blocked in my network.

Any other suggestion how to solve the issue in the best way would be appreciated!

 

Thanks

Salja

336
Views
0
Helpful
3
Replies
CreatePlease login to create content