Including options for TCP and UDP traffic in extended ACLs

An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.

Syntax:


<deny|permit> <tcp|udp>

<SA> [comparison-operator <tcp/udp-src-port>]

<DA> [comparison-operator <tcp-dest-port>][established]

[comparison-operator <udp-dest-port>]

In an extended ACL using either tcp or udp as the packet protocol type, you can optionally use TCP or UDP source and/or destination port numbers or ranges of numbers to further define the criteria for a match. For example:

#deny tcp host 10.20.10.17 eq 23 host 10.20.10.155 established
#permit tcp host 10.10.10.100 host 10.20.10.17 eq telnet
#deny udp 10.30.10.1/24 host 10.20.10.17 range 161 162

[comparison-operator <tcp/udp-src-port>]

To specify a TCP or UDP source port number in an ACE:

(1) Select a comparison operator from the following list

and

(2) Enter the port number or a well-known port name.

Comparison operators

  • eq <tcp/udp-port-nbr>

    "Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <tcp/udp-port-nbr> .

  • gt <tcp/udp-port-nbr>

    "Greater Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than <tcp/udp-port-nbr> .

  • lt <tcp/udp-port-nbr>

    "Less Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be less than <tcp/udp-port-nbr> .

  • neq <tcp/udp-port-nbr>

    "Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to <tcp/udp-port-nbr> .

  • range <start-port-nbr> <end-port-nbr>

    For a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr> <end-port-nbr> .

Port number or well-known port name:

Use the TCP or UDP port number required by your application.

The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers:
  • TCP – bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet

  • UDP – bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp

To list the above names, press the [Shift] [?] key combination after entering an operator. For a comprehensive listing of port numbers, visit http://www.iana.org/assignments/port-numbers.


[comparison-operator <tcp-dest-port>][established]

[comparison-operator <udp-dest-port>]

This option, if used, is entered immediately after the <DA> entry.

To specify a TCP or UDP port number;
  1. select a comparison operator

  2. enter the port number or a well-known port name

Comparison operators and well-known port names:

These are the same as are used with the TCP/UDP source-port options, and are listed earlier in this command description.


[established]

This option applies only where TCP is the configured protocol type. It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN while allowing all other IPv4 traffic for the same type of connection in the opposite direction. For example, a Telnet connect requires TCP traffic to move both ways between a host and the target device. Simply applying a deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because responses to outbound requests would be blocked. However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted, but inbound Telnet traffic trying to establish a connection would be denied.