Access Security Guide K/KA/KB.15.15

This option can be used after the DA to generate an Event Log message if:
• The action is deny (not applicable to permit).
• There is a match.
• ACL logging is enabled. See “Enabling ACL logging on the switch” (page 294).
Including options for TCP and UDP traffic in extended ACLs
An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria
for either the source or destination, or both. Use of TCP criteria also allows the established option
for controlling TCP connection traffic.
Syntax:
<deny | permit> tcp
<SA> [comparison-operator <tcp-src-port>]
<DA> [comparison-operator <tcp-dest-port>]
[established]
[ack] [fin] [rst] [syn]
Syntax:
<deny | permit> udp
<SA> [comparison-operator <udp-src-port>]
<DA> [comparison-operator <udp-dest-port>]
In an extended ACL using either tcp or udp as the packet protocol type, you can
optionally use TCP or UDP source and/or destination port numbers or ranges of
numbers to further define the criteria for a match. For example:
#deny tcp host 10.20.10.17 eq 23 host 10.20.10.155 established
#permit tcp host 10.10.10.100 host 10.20.10.17 eq telnet
#deny udp 10.30.10.1/24 host 10.20.10.17 range 161 162
[comparison-operator <tcp/udp-src-port>]
To specify a TCP or UDP source port number in an ACE:
(1) Select a comparison operator from the following list, and
(2) Enter the port number or a well-known port name.
Comparison operators
eq <tcp/udp-port-nbr>
"Equal To"; to have a match with the ACE entry, the TCP or UDP source port
number in a packet must be equal to <tcp/udp-port-nbr>.
gt <tcp/udp-port-nbr>
"Greater Than"; to have a match with the ACE entry, the TCP or UDP source
port number in a packet must be greater than <tcp/udp-port-nbr>.
lt <tcp/udp-port-nbr>
"Less Than"; to have a match with the ACE entry, the TCP or UDP source port
number in a packet must be less than <tcp/udp-port-nbr>.
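The following is an added worked example, not code from the Access Security Guide or from the switch firmware. It models how the extended-ACE syntax on this page is matched against a packet: source and destination address (host or prefix), an optional comparison operator plus port number or well-known name on either side (eq, gt, lt and the range form used in the deny udp example above, plus neq), the TCP-only established and ack/fin/rst/syn options, the log option described at the top of the page, and first-match evaluation. It parses the page's own three example ACEs. Several points are assumptions that this page does not state and that you should check against your firmware's CLI help: established is modelled as "ACK or RST bit set" (the conventional meaning); each listed flag must be set in the packet; every ACL ends with an implicit deny; and the any keyword, the ip protocol type and a trailing permit ip any any are taken from the guide's wider ACL syntax. The WELL_KNOWN table is a constructed subset.

```python
"""Model of extended-ACE matching with TCP/UDP port criteria.

Added example, not code from the Access Security Guide. Assumptions that
this page does not state (check your firmware's CLI help): 'established'
matches TCP packets with ACK or RST set; each listed flag must be set;
every ACL ends with an implicit deny; 'any' and 'ip' are accepted as in
the guide's wider syntax.
"""
import ipaddress
from collections import namedtuple

WELL_KNOWN = {"telnet": 23, "ssh": 22, "snmp": 161, "snmp-trap": 162,
              "http": 80, "https": 443, "dns": 53}       # constructed subset
OPERATORS = {"eq", "neq", "gt", "lt", "range"}
TCP_FLAGS = {"ack", "fin", "rst", "syn"}

Ace = namedtuple("Ace", "action proto src src_port dst dst_port established flags log")
Packet = namedtuple("Packet", "proto src sport dst dport flags",
                    defaults=[frozenset()])


def port_num(tok):
    """Accept a port number or a well-known port name."""
    return WELL_KNOWN[tok] if tok in WELL_KNOWN else int(tok)


def parse_addr(tokens):
    """Consume 'host A.B.C.D', 'A.B.C.D/len' or 'any'; return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # strict=False accepts a host address inside the prefix, e.g. 10.30.10.1/24
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]


def parse_port_criteria(tokens):
    """Consume an optional comparison operator and its operand(s)."""
    if not tokens or tokens[0] not in OPERATORS:
        return None, tokens
    op = tokens[0]
    if op == "range":
        return (op, port_num(tokens[1]), port_num(tokens[2])), tokens[3:]
    return (op, port_num(tokens[1])), tokens[2:]


def port_matches(crit, port):
    if crit is None:                 # no operator given: any port matches
        return True
    op, a = crit[0], crit[1]
    return {"eq": port == a, "neq": port != a, "gt": port > a, "lt": port < a,
            "range": a <= port <= crit[-1]}[op]


def parse_ace(line):
    tokens = line.lstrip("#").split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = parse_addr(rest)
    src_port, rest = parse_port_criteria(rest)
    dst, rest = parse_addr(rest)
    dst_port, rest = parse_port_criteria(rest)
    options = set(rest)
    if proto != "tcp" and options & (TCP_FLAGS | {"established"}):
        raise ValueError("established and flag options are valid only with tcp")
    if proto not in ("tcp", "udp") and (src_port or dst_port):
        raise ValueError("port criteria are valid only with tcp or udp")
    return Ace(action, proto, src, src_port, dst, dst_port,
               "established" in options, frozenset(options & TCP_FLAGS),
               "log" in options)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if (ipaddress.ip_address(pkt.src) not in ace.src
            or ipaddress.ip_address(pkt.dst) not in ace.dst):
        return False
    if not (port_matches(ace.src_port, pkt.sport)
            and port_matches(ace.dst_port, pkt.dport)):
        return False
    if ace.established and not (pkt.flags & {"ack", "rst"}):   # assumption
        return False
    return ace.flags <= pkt.flags    # every listed flag must be set (assumption)


def evaluate(acl, pkt, logging_enabled=True):
    """First matching ACE decides; returns (action, event_logged).
    Only a deny is logged, and only if the ACE has 'log' and logging is on."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, (ace.action == "deny" and ace.log and logging_enabled)
    return "deny", False             # implicit deny at the end of every ACL


# The page's three example ACEs; 'log' and the final permit are constructed.
ACL = [parse_ace(line) for line in (
    "deny tcp host 10.20.10.17 eq 23 host 10.20.10.155 established log",
    "permit tcp host 10.10.10.100 host 10.20.10.17 eq telnet",
    "deny udp 10.30.10.1/24 host 10.20.10.17 range 161 162",
    "permit ip any any",
)]
```

Note what the first ACE does and does not stop: a packet from 10.20.10.17:23 to 10.20.10.155 with ACK set matches it and is denied (and logged), while the same packet with only SYN set falls through to the trailing permit, because established restricts the ACE to packets that belong to an already-opened connection. Without the explicit permit ip any any, anything not matched by the first three ACEs would be dropped by the implicit deny.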