Including options for TCP and UDP traffic in extended ACLs

An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.

Syntax


{<deny | permit> tcp}

<SA> [comparison-operator <tcp-src-port>]

<DA> [comparison-operator <tcp-dest-port>]

[established]

[ack] [fin] [rst] [syn]

Syntax


{<deny | permit> udp}

<SA> [comparison-operator <udp-src-port>]

<DA> [comparison-operator <udp-dest-port>]

In an extended ACL using either tcp or udp as the packet protocol type, you can optionally use TCP or UDP source and/or destination port numbers or ranges of numbers to further define the criteria for a match.

#deny tcp host 10.20.10.17 eq 23 host 10.20.10.155 established
#permit tcp host 10.10.10.100 host 10.20.10.17 eq telnet
#deny udp 10.30.10.1/24 host 10.20.10.17 range 161 162
comparison-operator <tcp/udp-src-port>
range <start-port-nbr> <end-port-nbr>

For a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr> to <end-port-nbr>, inclusive.

Configuring ACEs that use the range comparison operator with extended ACLs

The port range comparison operator is handled by two different mechanisms in the switch. The switch first attempts to install the port range directly in the TCAM as a key and mask within a single TCAM entry; if that is not possible, the port range comparison operator must use one of the dedicated hardware range registers.

There are 14 hardware range registers per V1 module (60 for a V2 module) that can be used for port range ACEs. Once all the range registers are in use, no further port ranges that require a hardware range register (that is, ones that cannot be matched by the TCAM alone) can be added, and the switch returns an "Unable to create access control entry" message when the ACL is modified.

Use the following techniques to express port ranges with minimal use of the dedicated hardware Application Port Range registers.

Procedure
  1. Using a TCP/UDP port range comparison operator

    Using the optional TCP or UDP port comparison operator 'RANGE' in extended ACL ACE or Class Filter statements might require that you use a hardware Application Port Range.

    The switch first determines whether the range of ports can be matched using "Don't Care" masking instead of a hardware Application Port Range. The test has three parts, evaluated on the 16-bit binary representation of the start and end port values for some number of low-order bits N:

    1. The lowest N bits of binary representation of the start value are all zeroes.

    2. The lowest N bits of binary representation of the end value are all ones.

    3. The upper 16-N bits of both values are the same.

    If the range fails any of the three tests, a hardware Application Port Range is used.

    Port Range "Don't Care" masking is similar to IP address subnet masking. For example, the IPv4 subnet 10.0.0.240 255.255.255.240 (10.0.0.240/28) represents the range of IP addresses from 10.0.0.240 through 10.0.0.255. Looking at the bottom byte of the address, the start value is 240, or binary 11110000, and the end value is 255, or binary 11111111. These two values pass all three tests: the lower 4 bits of the start value are all zero, the lower 4 bits of the end value are all ones, and the upper bits are the same. Therefore the range can be expressed in binary as 1111****, where * means "Don't Care".

    To avoid using a hardware Application Port Range, break a range into a series of sub-ranges that:
    • Are a power of two in length, to meet the first two tests.

    • Start on a multiple of that same power of two, and do not cross a boundary of a larger power of two, to meet the last test.

    To do this:
    1. Find the largest power of two that divides evenly into the start value.

    2. Make the end value the start value plus that power of two minus one. If this would go past the end of the range you are expressing, halve the power of two until the sub-range fits (a start value that is a multiple of a large power of two can still only claim as far as the original end port).

    3. Repeat, using the end value plus one as the new start value, until the entire range is covered. A final sub-range of length one is a single port and is expressed with 'EQ' rather than 'RANGE'.

    Examples

    To configure a 301 port destination TCP or UDP range from 6400 to 6700:

    PERMIT TCP ANY ANY RANGE 6400 6700

    This can be converted to 4 maskable sub-ranges and a single port:

    6400-6655 = length 256 (2**8) starting on a multiple of 256 (25 * 256)
    6656-6687 = length 32 (2**5) starting on a multiple of 32 (208 * 32); a length of 64 would end at 6719, past 6700
    6688-6695 = length 8 (2**3) starting on a multiple of 8 (836 * 8)
    6696-6699 = length 4 (2**2) starting on a multiple of 4 (1674 * 4)
    6700 = a single port
    
    PERMIT TCP ANY ANY RANGE 6400 6655
    PERMIT TCP ANY ANY RANGE 6656 6687
    PERMIT TCP ANY ANY RANGE 6688 6695
    PERMIT TCP ANY ANY RANGE 6696 6699
    PERMIT TCP ANY ANY EQ 6700

    Another, more complicated example of a 301 port range from 6300 to 6600 can be expressed as 6 maskable sub-ranges and a single port:

    6300-6303 = length 4 (1575 * 4)
    6304-6335 = length 32 (197 * 32)
    6336-6399 = length 64 (99 * 64)
    6400-6527 = length 128 (50 * 128); 6400 is a multiple of 256, but a length of 256 would end at 6655, past 6600
    6528-6591 = length 64 (102 * 64)
    6592-6599 = length 8 (824 * 8)
    6600 = a single port

    To configure a 32-port range from 4080 to 4111, you must break it into two sub-ranges, even though it is a power of two (32) in length, because it crosses a higher power of two (4096 = 2**12) and so fails the third test (the upper bits of 4080 and 4111 differ):

    4080-4095 = length of 16 starting on a multiple of 16 (255 * 16)
    4096-4111 = length of 16 starting on a multiple of 16 (256 * 16)
  2. Using TCP/UDP port GT and LT comparison operators

    Using the optional TCP or UDP port Comparison Operators 'GT' and 'LT' in extended ACL ACE or Class Filter statements might also require that you use a hardware Application Port Range.

    To minimize the use of hardware Application Port Ranges, convert these operators into a range of ports, and apply the range technique described in the preceding section.

    1. Convert 'GT PORT' to 'RANGE PORT+1 65535'.

      For example, 'GT 4000' is the same as 'RANGE 4001 65535'.

    2. Convert 'LT PORT' to 'RANGE 0 PORT-1'.

      For example, 'LT 4000' is the same as 'RANGE 0 3999'.

  3. Using the TCP/UDP port NE comparison operator

    The optional TCP or UDP port Comparison Operator 'NE' in ACL ACE or Class Filter statements always requires that you use a hardware Application Port Range. In this case, there is no technique to avoid using a hardware Application Port Range.
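The following Python script is an added worked example; it is not code from the switch documentation or from the switch vendor. It implements the three "Don't Care" maskability tests and the sub-range decomposition from step 1, the GT/LT conversion from step 2, and prints equivalent ACEs that avoid a hardware Application Port Range. The function names, the ACE text layout it emits and the sample ranges are this example's own assumptions; the ACE syntax is only the "<action> <protocol> <SA> <DA> <operator> <ports>" form shown on this page.

```python
# Added example (not from the switch documentation): split a TCP/UDP port
# range into sub-ranges the TCAM can match with a single key/mask entry, so
# that no hardware Application Port Range register is consumed.

PORT_BITS = 16
MAX_PORT = (1 << PORT_BITS) - 1


def maskable(start, end):
    """Return N (the number of "Don't Care" bits) if start..end can be
    matched by one key/mask TCAM entry, otherwise None.

    The range passes when, for some N:
      1. the lowest N bits of start are all zero,
      2. the lowest N bits of end are all one,
      3. the upper 16-N bits of start and end are identical.
    A single port passes with N = 0.
    """
    if not (0 <= start <= end <= MAX_PORT):
        raise ValueError("port range out of bounds")
    for n in range(PORT_BITS + 1):
        low = (1 << n) - 1
        if (start & low) == 0 and (end & low) == low and (start >> n) == (end >> n):
            return n
    return None


def mask_string(start, n):
    """Render the 16-bit TCAM key with the low N bits shown as '*'."""
    return format(start, "016b")[: PORT_BITS - n] + "*" * n


def split_range(start, end):
    """Decompose start..end into maskable sub-ranges (the page's 3 steps).

    Step 1: size = largest power of two dividing the current start value.
    Step 2: the sub-range would end at start + size - 1; if that overshoots
            the requested end, halve size until it fits. This is also what
            stops a sub-range from crossing a larger power-of-two boundary.
    Step 3: continue from end + 1 until the whole range is covered.
    """
    if not (0 <= start <= end <= MAX_PORT):
        raise ValueError("port range out of bounds")
    pieces = []
    cur = start
    while cur <= end:
        size = (cur & -cur) if cur else (1 << PORT_BITS)  # lowest set bit of cur
        while cur + size - 1 > end:
            size //= 2
        pieces.append((cur, cur + size - 1))
        cur += size
    assert all(maskable(a, b) is not None for a, b in pieces)
    return pieces


def port_criteria(op, *ports):
    """Map eq/gt/lt/range to a list of (start, end) ranges; neq cannot be
    expressed without a hardware range register, so it is rejected."""
    if op == "eq":
        return [(ports[0], ports[0])]
    if op == "gt":  # GT P  ==  RANGE P+1 65535
        return [(ports[0] + 1, MAX_PORT)] if ports[0] < MAX_PORT else []
    if op == "lt":  # LT P  ==  RANGE 0 P-1
        return [(0, ports[0] - 1)] if ports[0] > 0 else []
    if op == "range":
        return [(ports[0], ports[1])]
    if op == "neq":
        raise ValueError("neq always requires a hardware Application Port Range")
    raise ValueError(f"unknown operator {op!r}")


def expand_ace(action, proto, src, dst, op, *ports):
    """Return ACE lines (assumed layout) that match the same destination
    ports as the original operator without using a hardware range register."""
    lines = []
    for lo, hi in port_criteria(op, *ports):
        for a, b in split_range(lo, hi):
            crit = f"eq {a}" if a == b else f"range {a} {b}"
            lines.append(f"{action} {proto} {src} {dst} {crit}")
    return lines


if __name__ == "__main__":
    # The page's example: PERMIT TCP ANY ANY RANGE 6400 6700 (needs a register)
    print("maskable as one entry:", maskable(6400, 6700) is not None)
    for line in expand_ace("permit", "tcp", "any", "any", "range", 6400, 6700):
        print(line)
    print("6400-6655 key/mask:", mask_string(6400, maskable(6400, 6655)))
    # GT/LT converted to ranges, then decomposed
    for line in expand_ace("deny", "udp", "any", "host 10.20.10.17", "gt", 65000):
        print(line)
```

Running the script prints the five ACEs the page derives for 6400 to 6700 (four 'range' entries and one 'eq 6700'). Because each emitted sub-range is an aligned power of two in length, every one of them passes the three tests, which the script checks with an assertion before returning; a 'gt' or 'lt' operator near the middle of the port space expands to about sixteen entries, so the conversion is worth it only when the range registers are the scarcer resource.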

NOTE:
  • A port range that starts with an odd number always requires a hardware range register due to the TCAM mask operation.

  • A port range that ends with an even number also always requires a hardware range.

  • A configured port range can be referenced by multiple ACEs. However be aware that if a single port range that uses a hardware range register is applied as both a source and destination range within the list of ACEs, then two port range registers are actually used by this single port range.

To specify a TCP or UDP source port number in an ACE:

  • Select a comparison operator from the following list:

  • Comparison operators

    • eq <tcp/udp-port-nbr>

      "Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <tcp/udp-port-nbr>.

    • gt <tcp/udp-port-nbr>

      "Greater Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than <tcp/udp-port-nbr>.

    • lt <tcp/udp-port-nbr>

      "Less Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be less than <tcp/udp-port-nbr>.

    • neq <tcp/udp-port-nbr>

      "Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to <tcp/udp-port-nbr>.

    • range <start-port-nbr> <end-port-nbr>

      For a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr> to <end-port-nbr>, inclusive.

  • Enter the port number or a well-known port name.

Port number or well-known port name

Use the TCP or UDP port number required by your application.

The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers:
  • TCP — bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet

  • UDP — bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp


To list the above names, press the [Shift] [?] key combination after entering an operator. For a comprehensive listing of port numbers, visit www.iana.com.

comparison-operator <tcp-dest-port> established

comparison-operator <udp-dest-port>

This option, if used, is entered immediately after the <DA> entry.

To specify a TCP or UDP port number:

  • Select a comparison operator.

  • Enter the port number or a well-known port name.

Comparison operators and well-known port names

These are the same as are used with the TCP/UDP source-port options, and are listed earlier in this command description.


[established]

This option applies only where TCP is the configured protocol type. An ACE with established matches only TCP segments that belong to a connection that has already been set up; the initial synchronizing (SYN) segment that opens a connection does not match. This lets you block new TCP connections in one direction on a VLAN while allowing the return traffic of connections opened from the other direction. For example, a Telnet connection requires TCP traffic to move both ways between a host and the target device. Simply applying a deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction, because responses to outbound requests would also be blocked. By permitting inbound Telnet traffic with the established option ahead of the deny, inbound Telnet traffic arriving in response to outbound Telnet requests is permitted, but inbound Telnet traffic trying to establish a new connection is denied.

TCP control bits

In a given ACE for filtering TCP traffic you can configure one or more of these options:

  • [ack] — Acknowledgment.
  • [fin] — Sender finished.
  • [rst] — Connection reset.
  • [syn] — Sequence number synchronize.

For more on using TCP control bits, see RFC 793.