Including options for TCP and UDP traffic in extended ACLs

An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both.

Syntax:

  <deny|permit> tcp <SA> [comparison-operator <tcp-src-port>]
                    <DA> [comparison-operator <tcp-dest-port>]

Syntax:

  <deny|permit> udp <SA> [comparison-operator <udp-src-port>]
                    <DA> [comparison-operator <udp-dest-port>]

In an extended ACL using either tcp or udp as the packet protocol type, you can optionally use TCP or UDP source and/or destination port numbers or ranges of numbers to further define the criteria for a match.


[comparison-operator <tcp/udp-src-port>]

To specify a TCP or UDP source port number in an ACE:
  1. select a comparison operator from the following list

  2. enter the port number or a well-known port name

Comparison operators

  • eq <tcp/udp-port-nbr>

    "Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <tcp/udp-port-nbr>.

  • gt <tcp/udp-port-nbr>

    "Greater Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than <tcp/udp-port-nbr>.

  • lt <tcp/udp-port-nbr>

    "Less Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be less than <tcp/udp-port-nbr>.

  • neq <tcp/udp-port-nbr>

    "Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to <tcp/udp-port-nbr>.

  • range <start-port-nbr> <end-port-nbr>

    For a match with the ACE entry, the TCP or UDP source port number in a packet must fall within the range from <start-port-nbr> to <end-port-nbr>.

Port number or well-known port name:

Use the TCP or UDP port number required by your application.

The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers:
  • TCP – bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet

  • UDP – bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp

To list the above names, press the [Shift] [?] key combination after entering an operator. For a comprehensive listing of port numbers, visit http://www.iana.org/assignments/port-numbers.


[comparison-operator <tcp-dest-port>]
[comparison-operator <udp-dest-port>]

This option, if used, is entered immediately after the <DA> entry.

To specify a TCP or UDP destination port number:
  1. select a comparison operator (the same operators listed above for the source port)

  2. enter the port number or a well-known port name
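The matching behaviour of the source and destination port options described above, as an added example that is not part of the switch documentation: a small Python evaluator for the comparison operators and well-known port names listed on this page, applied first-match over a list of ACEs. The port numbers behind the names, the simplified address matching, the constructed sample ACL with its addresses, and the implicit deny when nothing matches are assumptions rather than statements from this page.

```python
# Added example (not the switch's own code): evaluates the TCP/UDP port options
# of an ACE using only the operators and well-known names listed on this page.
# Assumptions: the IANA numbers behind the names; addresses as exact string/"any".
from typing import Optional, Sequence, Tuple
PORT_NAMES = {  # well-known names from the page -> port numbers (assumed values)
    "tcp": {"bgp": 179, "dns": 53, "ftp": 21, "http": 80, "imap4": 143, "ldap": 389,
            "nntp": 119, "pop2": 109, "pop3": 110, "smtp": 25, "ssl": 443, "telnet": 23},
    "udp": {"bootpc": 68, "bootps": 67, "dns": 53, "ntp": 123, "radius": 1812,
            "radius-old": 1645, "rip": 520, "snmp": 161, "snmp-trap": 162, "tftp": 69},
}

def resolve_port(proto: str, value: str) -> int:
    """Accept a numeric port or one of the well-known names valid for proto."""
    port = PORT_NAMES[proto][value] if value in PORT_NAMES[proto] else int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def port_clause_matches(clause: Optional[Tuple[str, ...]], proto: str, port: int) -> bool:
    """Evaluate one optional [comparison-operator <port>] clause; None = no constraint."""
    if clause is None:
        return True
    op = clause[0]
    if op == "range":  # inclusive: start-port-nbr <= port <= end-port-nbr
        lo, hi = resolve_port(proto, clause[1]), resolve_port(proto, clause[2])
        return lo <= port <= hi
    ref = resolve_port(proto, clause[1])  # note: neq matches every port but one
    return {"eq": port == ref, "gt": port > ref, "lt": port < ref, "neq": port != ref}[op]

# An ACE here is the tuple (action, proto, SA, src-port clause, DA, dst-port clause).
def ace_matches(ace, proto: str, sa: str, sport: int, da: str, dport: int) -> bool:
    _, a_proto, a_sa, sclause, a_da, dclause = ace
    return (proto == a_proto and a_sa in ("any", sa) and a_da in ("any", da)
            and port_clause_matches(sclause, proto, sport)
            and port_clause_matches(dclause, proto, dport))

def acl_decision(acl: Sequence, proto: str, sa: str, sport: int, da: str, dport: int) -> str:
    """First match wins; no match = deny (the usual implicit deny, assumed here)."""
    for ace in acl:
        if ace_matches(ace, proto, sa, sport, da, dport):
            return ace[0]
    return "deny"

# Constructed sample ACL (addresses made up): HTTP to one server, other low TCP ports blocked, DHCP allowed.
SAMPLE_ACL = [
    ("permit", "tcp", "any", None, "10.10.10.5", ("eq", "http")),
    ("deny", "tcp", "any", None, "10.10.10.5", ("range", "1", "1023")),
    ("permit", "udp", "any", ("eq", "bootpc"), "any", ("eq", "bootps")),
]
```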