Named ACL Support for Noncontiguous Ports on an Access Control Entry
The Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports.
- Finding Feature Information
- Prerequisites for Named ACL Support for Noncontiguous Ports on an Access Control Entry
- Information About Named ACL Support for Noncontiguous Ports on an Access Control Entry
- How to Configure Named ACL Support for Noncontiguous Ports on an Access Control Entry
- Configuration Examples for Named ACL Support for Noncontiguous Ports on an Access Control Entry
- Additional References for Named ACL Support for Noncontiguous Ports on an Access Control Entry
- Feature Information for Named ACL Support for Noncontiguous Ports on an Access Control Entry
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Named ACL Support for Noncontiguous Ports on an Access Control Entry
Information About Named ACL Support for Noncontiguous Ports on an Access Control Entry
Benefits of Using the Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature
This feature greatly reduces the number of access control entries (ACEs) required in an access control list to handle multiple entries for the same source address, destination address, and protocol. If you maintain large numbers of ACEs, use this feature to consolidate existing groups of access list entries wherever it is possible and when you create new access list entries. When you configure access list entries with noncontiguous ports, you will have fewer access list entries to maintain.
How to Configure Named ACL Support for Noncontiguous Ports on an Access Control Entry
Configuring an Access Control Entry with Noncontiguous Ports
Perform this task to create access list entries that use noncontiguous TCP or UDP port numbers. Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves your filtering goals.
Note: The ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry feature can be used only with named, extended ACLs.
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] permit tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry
Perform this task to consolidate a group of access list entries with noncontiguous ports into one access list entry.
Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves your filtering goals.
1. enable
2. show ip access-lists access-list-name
3. configure terminal
4. ip access-list extended access-list-name
5. no [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. [sequence-number] permit protocol source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
7. Repeat Steps 5 and 6 as necessary, adding permit or deny statements to consolidate access list entries where possible. Use the no sequence-number command to delete an entry.
8. end
9. show ip access-lists access-list-name
DETAILED STEPS
Configuration Examples for Named ACL Support for Noncontiguous Ports on an Access Control Entry
Example: Creating an Access List Entry with Noncontiguous Ports
The following access list entry can be created because up to ten ports can be entered after the eq and neq operators:
ip access-list extended aaa
 permit tcp any eq telnet ftp any eq 23 45 34
 end
Enter the show access-lists command to display the newly created access list entry.
Device# show access-lists aaa
Extended IP access list aaa
    10 permit tcp any eq telnet ftp any eq 23 45 34
Example: Consolidating Some Existing Access List Entries into One Access List Entry with Noncontiguous Ports
The show access-lists command is used to display a group of access list entries for the access list named abc:
Device# show access-lists abc
Extended IP access list abc
    10 permit tcp any eq telnet any eq 450
    20 permit tcp any eq telnet any eq 679
    30 permit tcp any eq ftp any eq 450
    40 permit tcp any eq ftp any eq 679
Because the entries all have the same action, protocol, source, and destination and differ only in their ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:
ip access-list extended abc
 no 10
 no 20
 no 30
 no 40
 permit tcp any eq telnet ftp any eq 450 679
 end
When the show access-lists command is reentered, the consolidated access list entry is displayed:
Device# show access-lists abc
Extended IP access list abc
    10 permit tcp any eq telnet ftp any eq 450 679
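The consolidation task above and the abc example merge entries safely only because the four entries cover every combination of the two source ports and the two destination ports. The following Python script is an added example, not part of the Cisco documentation: it parses show access-lists output, groups entries that differ only in their eq/neq ports, emits the no sequence-number and replacement permit lines, and refuses to merge a group whose port pairs are not a full cross product or exceed the ten-port limit. All function names are my own, and the sample output is constructed from the abc example plus two extra entries.

```python
MAX_PORTS, _PORT_OPS = 10, ("eq", "neq")  # up to ten ports may follow eq/neq; gt/lt/range entries are left alone
_STOP = {"any", "host", "log", "established", "precedence", "tos", "time-range", "fragments", "option"}

def _take_addr(tok):  # one address spec: 'any', 'host X' or 'X wildcard' ('' if nothing is left)
    return (tok[0], tok[1:]) if tok[:1] == ["any"] else (" ".join(tok[:2]), tok[2:])

def _take_ports(tok):  # '[eq|neq] p1 p2 ...' up to the next address or keyword token
    if not tok or tok[0] not in _PORT_OPS:
        return None, (), tok
    op, ports, rest = tok[0], [], tok[1:]
    while rest and rest[0] not in _STOP and "." not in rest[0]:
        ports.append(rest.pop(0))
    return op, tuple(ports), rest

def parse_ace(line):  # '<seq> permit|deny <proto> <src> [op ports] <dst> [op ports]' -> dict or None
    tok = line.split()
    if len(tok) < 5 or not tok[0].isdigit() or tok[1] not in ("permit", "deny"):
        return None
    src, rest = _take_addr(tok[3:])
    sop, sports, rest = _take_ports(rest)
    dst, rest = _take_addr(rest)
    dop, dports, rest = _take_ports(rest)
    if not dst or rest:  # malformed, or trailing keywords (log, established, ...): keep entry as-is
        return None
    return dict(seq=int(tok[0]), action=tok[1], proto=tok[2], src=src, sop=sop,
                sports=sports, dst=dst, dop=dop, dports=dports)

def consolidate(show_output, acl_name):  # IOS config lines replacing each mergeable group with one ACE
    groups = {}
    for a in filter(None, map(parse_ace, show_output.splitlines())):
        groups.setdefault((a["action"], a["proto"], a["src"], a["sop"], a["dst"], a["dop"]), []).append(a)
    fmt = lambda addr, op, ports: addr + (" %s %s" % (op, " ".join(ports)) if op else "")
    lines = ["ip access-list extended %s" % acl_name]
    for (action, proto, src, sop, dst, dop), members in groups.items():
        # every (source port, destination port) pair the group matches, in first-seen order
        pairs = [(s, d) for m in members for s in (m["sports"] or (None,)) for d in (m["dports"] or (None,))]
        sports, dports = list(dict.fromkeys(s for s, _ in pairs)), list(dict.fromkeys(d for _, d in pairs))
        # merge only a full cross product within the ten-port limit: merging a partial product would match port pairs no original ACE did
        if len(members) < 2 or len(set(pairs)) != len(sports) * len(dports) or max(len(sports), len(dports)) > MAX_PORTS:
            continue
        lines += ["no %d" % m["seq"] for m in members]
        lines.append("%s %s %s %s" % (action, proto, fmt(src, sop, sports), fmt(dst, dop, dports)))
    return lines + ["end"]

# constructed sample shaped like 'show access-lists abc' from the text, plus a logged entry and a lone UDP entry that must be left alone
SAMPLE = """    10 permit tcp any eq telnet any eq 450
    20 permit tcp any eq telnet any eq 679
    30 permit tcp any eq ftp any eq 450
    40 permit tcp any eq ftp any eq 679
    50 permit tcp any eq ftp any eq 8080 log
    60 permit udp any any eq 53"""
```

Running consolidate(SAMPLE, "abc") yields exactly the no 10 through no 40 lines and the permit tcp any eq telnet ftp any eq 450 679 entry from the example, while the logged entry and the lone UDP entry are left untouched.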
Additional References for Named ACL Support for Noncontiguous Ports on an Access Control Entry
Related Documents
Related Topic | Document Title
---|---
Cisco IOS commands |
Security commands |
Overview information about access lists | "IP Access List Overview"
Standards/RFCs | Title
---|---
RFC 791 | Internet Protocol
RFC 793 | Transmission Control Protocol
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Named ACL Support for Noncontiguous Ports on an Access Control Entry
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
Named ACL Support for Noncontiguous Ports on an Access Control Entry | Cisco IOS 15.2(2)E | The Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports.