Problem
You want to filter noncontiguous ports efficiently.
Solution
To filter noncontiguous ports, use the following commands:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21
Router2(config-ext-nacl)#end
Router2#
Discussion
Historically, Cisco IOS supported matching more than one port in a single ACL entry only when the ports were contiguous, using the range keyword:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended PORTRANGE
Router2(config-ext-nacl)#permit tcp any any range 20 25
Router2(config-ext-nacl)#end
Router2#
In this example, a single entry permits traffic to TCP ports 20-25 to pass the ACL, which reduces both the number of ACL entries and the processing required. However, the ability to filter on contiguous port numbers was generally of little use because the ports that needed filtering were rarely contiguous.
If you needed to filter based on noncontiguous ports, then you had no choice but to add an ACL line for each port. The following example demonstrates how you would normally filter six noncontiguous ports:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 23
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 25
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 110
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 514
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 21
Router2(config-ext-nacl)#end
Router2#
Notice that the example in our Solution section replaces six ACL entries with a single ACL entry. Both versions achieve the same result; however, being able to match more than one port per ACL entry greatly reduces ACL size and complexity.
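The following Python model is an added example, not Cisco code and not part of the cookbook. It parses the three port-matching forms this recipe uses (per-port eq, multi-port eq, and range), evaluates packets the way an IOS ACL does (first match wins, implicit deny at the end), collapses adjacent per-port entries into the multi-port form, and then checks that the collapsed ACL and the six-entry ACL reach the same verdict for every possible destination port. The per-entry port limit MAX_PORTS_PER_ENTRY and the source address 10.0.0.1 used in the check are assumptions; everything else is taken from the listings above.

```python
"""Model of the IOS extended-ACL port operators used in this recipe (per-port
'eq', multi-port 'eq', 'range'): parse entries, evaluate packets, collapse
adjacent per-port entries, and prove the collapsed ACL is equivalent.
Added example; neither Cisco code nor text from the cookbook."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the maximum number of ports IOS accepts on one eq/neq entry.
MAX_PORTS_PER_ENTRY = 10


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[frozenset]  # destination ports matched; None = any port


def _addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address((~int(ipaddress.ip_address(tokens[1]))) & 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[0], str(mask)), strict=False), tokens[2:]


def _fmt(net):
    """Render a network back into IOS address syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def parse_entry(line):
    """Parse 'permit|deny proto src dst [eq p1 p2 ... | range lo hi]'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _addr(tokens[2:])
    dst, rest = _addr(rest)
    ports = None
    if rest and rest[0] == "eq":
        nums = [int(p) for p in rest[1:]]
        if len(nums) > MAX_PORTS_PER_ENTRY:
            raise ValueError(f"more than {MAX_PORTS_PER_ENTRY} ports on one entry")
        ports = frozenset(nums)
    elif rest and rest[0] == "range":
        ports = frozenset(range(int(rest[1]), int(rest[2]) + 1))
    elif rest:
        raise ValueError(f"unsupported port operator {rest[0]}")
    return Entry(action, proto, src, dst, ports)


def parse_acl(lines):
    return [parse_entry(line) for line in lines]


def matches(acl, proto, src, dst, dport):
    """First-match evaluation; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e.proto not in (proto, "ip") or s not in e.src or d not in e.dst:
            continue
        if e.ports is not None and dport not in e.ports:
            continue
        return e.action == "permit"
    return False


def consolidate(acl):
    """Merge *adjacent* port-specific entries with identical action, protocol
    and addresses. Only neighbours are merged, so permit/deny ordering and
    therefore first-match behaviour are preserved."""
    merged = []
    for e in acl:
        if merged and e.ports is not None and merged[-1].ports is not None:
            last = merged[-1]
            if (last.action, last.proto, last.src, last.dst) == (e.action, e.proto, e.src, e.dst):
                merged[-1] = Entry(e.action, e.proto, e.src, e.dst, last.ports | e.ports)
                continue
        merged.append(e)
    return merged


def render(entry):
    """Emit IOS lines: one 'range' line for a contiguous block, otherwise
    'eq' lines holding at most MAX_PORTS_PER_ENTRY ports each."""
    head = f"{entry.action} {entry.proto} {_fmt(entry.src)} {_fmt(entry.dst)}"
    if entry.ports is None:
        return [head]
    ports = sorted(entry.ports)
    if len(ports) > 1 and ports[-1] - ports[0] + 1 == len(ports):
        return [f"{head} range {ports[0]} {ports[-1]}"]
    return [f"{head} eq {' '.join(map(str, ports[i:i + MAX_PORTS_PER_ENTRY]))}"
            for i in range(0, len(ports), MAX_PORTS_PER_ENTRY)]


def equivalent(acl_a, acl_b, proto, src, dst):
    """True when both ACLs give the same verdict for every destination port."""
    return all(matches(acl_a, proto, src, dst, p) == matches(acl_b, proto, src, dst, p)
               for p in range(1, 65536))


# The two ACLs from the recipe (constructed from its listings).
SIX_ENTRIES = [f"permit tcp any host 172.25.100.100 eq {p}" for p in (80, 23, 25, 110, 514, 21)]
ONE_ENTRY = ["permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21"]

if __name__ == "__main__":
    for e in consolidate(parse_acl(SIX_ENTRIES)):
        print(*render(e), sep="\n")
    # Assumed source 10.0.0.1: 'any' matches it, so only the port decides.
    print("equivalent:", equivalent(parse_acl(SIX_ENTRIES), parse_acl(ONE_ENTRY),
                                    "tcp", "10.0.0.1", "172.25.100.100"))
```

Two points the model makes explicit: consolidate only merges neighbouring entries with the same action, because collapsing a permit across an intervening deny would change which entry matches first; and while a single multi-port entry is smaller, it also means the ACL's per-entry hit counters in show access-lists no longer distinguish traffic to port 80 from traffic to port 514, which matters when you rely on those counters to spot unexpected activity.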
See Also
Recipe 19.6