UDP and TCP Port Number Usage in ACL’s in Cisco IOS

As most of us know, a key to managing the Internet is knowledge of TCP and UDP port numbers. Cisco IOS uses Access Control Lists for many purposes, but in this tip, we will focus on TCP and UDP port numbers.

Port numbers are unique, well-known, registered or ephemeral numbers used by TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) applications. For example, two well-known application port numbers are Telnet, which uses port 23, and HTTP, which uses port 80 for Web traffic.

Well-known port numbers are 0 through 1023, registered port numbers are 1024 through 49151, and dynamic or private port numbers are 49152 through 65535. The Internet Assigned Numbers Authority (IANA) provides a complete list of these port numbers on www.ietf.org. The Internet Corporation for Assigned Names and Numbers (ICANN) assigns well-known and registered port numbers. Cisco IOS recognizes many port numbers by name, so you don’t have to memorize all 65,535 possible ports.

Keep in mind that there’s a big difference between a port number and a protocol number – don’t confuse the two. A protocol number is a reserved number used to identify protocols. For example, IP is protocol number 4, ICMP is 1, EIGRP is 88, and OSPF is protocol number 89. IANA’s Web site also offers a list of the assigned protocol numbers.

Examining Supported Port Numbers

For example, a Cisco 2800 Series router running IOS 12.4 knows about 34 common port numbers by name, as the context-sensitive help for a TCP entry shows.

Here’s the list:

Cell_pe1(config)# access-list 151 permit tcp any any eq ?

<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
drip Dynamic Routing Information Protocol (3949)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)

A couple of others we wish were on the list include HTTPS at port 443, RDP/Terminal Server at port 3389, RTP at port 5004, and RTCP at port 5005.

Example Configurations

Let’s say you want to configure an ACL to deny all MSN Messenger traffic from any source. Here’s what you would need to do:

Cell_pe1(config)# access-list 175 deny tcp any any eq 1863
Cell_pe1(config)# access-list 175 permit ip any any
Cell_pe1(config)# interface e0/0
Cell_pe1(config-if)# ip access-group 175 in

Let’s say that a month later, you decide to also stop Yahoo Instant Messenger traffic. Enter the list in named-ACL configuration mode (this works for numbered lists too) and insert the denial of port 5050 at sequence number 15, so it lands between the two existing entries:

Cell_pe1(config)# ip access-list extended 175
Cell_pe1(config-ext-nacl)# 15 deny tcp any any eq 5050

If you do a show ip access-lists, here is what the resulting ACL should look like:

Cell_pe1# show ip access-lists 175
Extended IP access list 175
10 deny tcp any any eq 1863
15 deny tcp any any eq 5050
20 permit ip any any

One final note: IOS sometimes uses a keyword instead of the port number for common well-known ports. You can use these keywords in configs as well. Here are a few examples:

Cell_pe1# show ip access-lists 176
Extended IP access list 176
10 permit tcp any any eq www

Cell_pe1(config)# access-list 177 permit tcp any any eq tel

Here tel is an abbreviation of the telnet keyword (port 23), and www is HTTP (port 80).
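Sequence-numbered entries and port keywords are easy to misread when an ACL grows, so it helps to be able to resolve a show ip access-lists listing back to numbers and check which first-matching entry a given port hits. The following Python script is an added example written for this tip; it is not Cisco code and does not talk to a router. It carries the TCP keyword table from the eq ? listing above, accepts unambiguous keyword prefixes the way the IOS parser does (tel for telnet), parses entries of the simple "any any [eq port]" form used in this tip (other source/destination forms are an assumption it does not handle), and evaluates a packet against the list in sequence order with the implicit deny at the end. The sample listing is constructed from the ACL 175 example above plus one keyword entry.

```python
import re

# TCP port keywords IOS 12.4 offers after "eq ?", as listed in this tip (name -> port).
IOS_TCP_PORT_NAMES = {
    "bgp": 179, "chargen": 19, "cmd": 514, "daytime": 13, "discard": 9,
    "domain": 53, "drip": 3949, "echo": 7, "exec": 512, "finger": 79,
    "ftp": 21, "ftp-data": 20, "gopher": 70, "hostname": 101, "ident": 113,
    "irc": 194, "klogin": 543, "kshell": 544, "login": 513, "lpd": 515,
    "nntp": 119, "pim-auto-rp": 496, "pop2": 109, "pop3": 110, "smtp": 25,
    "sunrpc": 111, "syslog": 514, "tacacs": 49, "talk": 517, "telnet": 23,
    "time": 37, "uucp": 540, "whois": 43, "www": 80,
}

# Constructed sample: ACL 175 from this tip with one extra keyword entry.
SAMPLE_SHOW_OUTPUT = """\
Extended IP access list 175
    10 deny tcp any any eq 1863
    15 deny tcp any any eq 5050
    18 deny tcp any any eq telnet
    20 permit ip any any
"""

# Assumption: only the "<seq> permit|deny <proto> any any [eq <port>]" form is parsed.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+any\s+any"
    r"(?:\s+eq\s+(?P<port>\S+))?"
)


def resolve_port(token):
    """Turn an ACL port token into a number: digits as-is, otherwise an IOS
    keyword or an unambiguous prefix of one (IOS accepts 'tel' for 'telnet')."""
    if token.isdigit():
        return int(token)
    if token in IOS_TCP_PORT_NAMES:
        return IOS_TCP_PORT_NAMES[token]
    matches = [name for name in IOS_TCP_PORT_NAMES if name.startswith(token)]
    if len(matches) == 1:
        return IOS_TCP_PORT_NAMES[matches[0]]
    raise ValueError(f"ambiguous or unknown port keyword: {token!r}")


def parse_access_list(show_output):
    """Parse 'show ip access-lists' text into (seq, action, proto, port) tuples,
    ordered by sequence number; port is None when the entry has no 'eq'."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line, or a form this small parser does not handle
        port = resolve_port(m["port"]) if m["port"] else None
        aces.append((int(m["seq"]), m["action"], m["proto"], port))
    return sorted(aces, key=lambda ace: ace[0])


def evaluate(aces, proto, dst_port):
    """Return (action, seq) of the first entry matching a packet of the given
    protocol and destination port; (\"deny\", None) means the implicit deny hit."""
    for seq, action, ace_proto, port in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue  # 'ip' matches every protocol; anything else must match exactly
        if port is not None and port != dst_port:
            continue
        return action, seq
    return "deny", None  # every IOS ACL ends with an implicit deny


if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_SHOW_OUTPUT)
    for proto, port in (("tcp", 1863), ("tcp", 5050), ("tcp", 23), ("tcp", 443), ("udp", 1863)):
        print(proto, port, "->", evaluate(acl, proto, port))
```

Running the script shows MSN (1863), Yahoo (5050) and Telnet (23) hitting the three deny entries and everything else, including UDP to 1863, falling through to the permit ip any any at sequence 20. Parsing a list with only a permit www entry and evaluating port 443 against it returns the implicit deny, which is the behaviour the permit-only ACL 176 above would have on an interface.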

We hope this helps you understand and differentiate Port Numbers.