.NODE

Filtering Based on Noncontiguous Ports

Problem

You want to filter noncontiguous ports efficiently.

Solution

To filter noncontiguous ports, use the following commands:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21
Router2(config-ext-nacl)#end
Router2#

Cisco introduced the ability to filter noncontiguous ports in IOS Version 12.3(7)T.

 

Discussion

Historically, Cisco's IOS has only supported the filtering of contiguous port numbers that use the range keyword:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended PORTRANGE 
Router2(config-ext-nacl)#permit tcp any any range 20 25 
Router2(config-ext-nacl)#end
Router2#

In this example, we permit traffic by using TCP ports 20-25 to pass the ACL, which reduces the number of ACL entries and processing required. However, the ability to filter on contiguous port numbers was generally of little use because the required ports were rarely contiguous.

If you needed to filter based on noncontiguous ports, then you had no choice but to add an ACL line for each port. The following example demonstrates how you would normally filter six noncontiguous ports:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 23
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 25
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 110
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 514
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 21 
Router2(config-ext-nacl)#end
Router2#

Notice that the example in our Solution section replaces six ACL entries with a single ACL entry. Both solutions achieve the desired result; however, being able to match more than one port per ACL entry greatly reduces ACL size and complexity.

See Also

Recipe 19.6

Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index

show all menu





Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net