ACL - operators

When configuring ACLs in a Cisco IOS device, you can use certain operators to specify protocols, TCP or UDP port numbers, or services. These operators help in defining more granular access control entries. These operators are only available for extended ACLs. Here are the commonly used operators:

  1. eq - equals. Used to match a specific protocol or port number.
  2. lt - less than. Matches all ports less than the specified port number.
  3. gt - greater than. Matches all ports greater than the specified port number.
  4. neq - not equal. Matches all services except for the one specified.
  5. range - Matches a range of port numbers. You'll specify the start and end of the range.

Here's how you might use them in the context of an access-list configuration:

Example 1: Permitting HTTP traffic (port 80)

access-list 100 permit tcp any any eq 80

Example 2: Blocking all ports below 1024 except for HTTP (port 80)

access-list 100 permit tcp any any eq 80
access-list 100 deny tcp any any lt 1024

The permit line must come first: if the deny lt 1024 entry were listed first, port 80 would match it and be dropped before the permit was ever evaluated.

Example 3: Permitting a range of ports

access-list 100 permit tcp any any range 8000 9000

Remember, when working with extended access lists, the sequence and placement of ACL entries matter, as they are processed top-down. Once a match is found, the device will take the corresponding action (permit/deny) and won't process any subsequent lines for that packet. It's essential to consider this order when configuring multiple entries in an access list.
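The following is an added example, not configuration or code from the original note or from Cisco: a small Python simulator of how an extended ACL applies the eq, lt, gt, neq and range operators top-down with first-match semantics and the implicit deny at the end. It assumes a simplified line form, access-list <n> <permit|deny> <tcp|udp|ip> any any [<operator> <port> [<port>]], with addresses always "any" (not evaluated) and the operator applied to the destination port; the DENY_FIRST and PERMIT_FIRST texts are constructed from Example 2 to show why entry order decides whether port 80 gets through.

```python
# Added example (not from the original page or from Cisco): a minimal
# simulator of how a Cisco IOS extended ACL evaluates the eq / lt / gt /
# neq / range port operators top-down, first match wins, implicit deny last.
# Assumptions: only the form
#   access-list <n> <permit|deny> <tcp|udp|ip> any any [<operator> <port> [<port>]]
# is parsed; addresses are always "any" and are not evaluated; the operator
# tests the destination port. Real IOS accepts far more syntax than this.
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPERATORS = {"eq", "lt", "gt", "neq", "range"}


@dataclass(frozen=True)
class Entry:
    action: str               # "permit" or "deny"
    protocol: str             # "tcp", "udp" or "ip"
    operator: Optional[str]   # one of OPERATORS, or None when there is no port test
    ports: Tuple[int, ...]    # one port, or (low, high) for range


def parse_entry(line: str) -> Entry:
    """Parse one access-list line into an Entry; raise on unsupported syntax."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, protocol, src, dst = tok[2], tok[3], tok[4], tok[5]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    if protocol not in ("tcp", "udp", "ip"):
        raise ValueError(f"unsupported protocol: {protocol}")
    if src != "any" or dst != "any":
        raise ValueError("this simulator only handles 'any any' addresses")
    rest = tok[6:]
    if not rest:
        return Entry(action, protocol, None, ())
    if protocol == "ip":
        raise ValueError("port operators are only valid with tcp or udp")
    op = rest[0]
    if op not in OPERATORS:
        raise ValueError(f"unknown operator: {op}")
    want = 2 if op == "range" else 1
    if len(rest) != 1 + want:
        raise ValueError(f"{op} expects {want} port number(s): {line!r}")
    ports = tuple(int(p) for p in rest[1:])
    if op == "range" and ports[0] > ports[1]:
        raise ValueError("range low port must not exceed high port")
    return Entry(action, protocol, op, ports)


def parse_acl(text: str) -> List[Entry]:
    """Parse a block of access-list lines, skipping blanks and '!' comments."""
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("!")]


def port_matches(entry: Entry, dport: int) -> bool:
    """Apply the entry's operator to a destination port."""
    op, p = entry.operator, entry.ports
    if op is None:
        return True               # no operator: any port of that protocol matches
    if op == "eq":
        return dport == p[0]
    if op == "neq":
        return dport != p[0]
    if op == "lt":
        return dport < p[0]
    if op == "gt":
        return dport > p[0]
    return p[0] <= dport <= p[1]  # range is inclusive at both ends


def evaluate(entries: List[Entry], protocol: str, dport: int):
    """Return (action, line_number); line_number is None for the implicit deny."""
    for n, e in enumerate(entries, start=1):
        if e.protocol not in ("ip", protocol):
            continue
        if port_matches(e, dport):
            return e.action, n     # first match ends processing for this packet
    return "deny", None            # nothing matched: implicit deny at the end


# Constructed from Example 2: deny-first (port 80 never reaches the permit)
# versus permit-first (the intended "everything below 1024 except HTTP").
DENY_FIRST = """
access-list 100 deny tcp any any lt 1024
access-list 100 permit tcp any any eq 80
"""
PERMIT_FIRST = """
access-list 100 permit tcp any any eq 80
access-list 100 deny tcp any any lt 1024
"""

if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        entries = parse_acl(acl)
        for port in (80, 23, 8080):
            print(f"{name:12} tcp/{port:<5} -> {evaluate(entries, 'tcp', port)}")
```

Running it shows tcp/80 hitting the deny on line 1 of DENY_FIRST but the permit on line 1 of PERMIT_FIRST, and tcp/8080 falling through to the implicit deny in both, which is exactly the top-down, first-match behaviour the paragraph above describes.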

Links:

https://networklessons.com/cisco/ccie-routing-switching/extended-access-list-example-on-cisco-router

https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v401_v403/command/reference/cmdref/ext_acl.html