Filtering by Application
Problem
You want to filter access to certain applications.
Solution
Extended IP access-lists can also filter based on application information, such as protocol and port numbers:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 151 permit tcp any any eq www
Router1(config)#access-list 151 deny tcp any any gt 1023
Router1(config)#access-list 151 permit icmp any any
Router1(config)#access-list 151 permit udp any any eq ntp
Router1(config)#access-list 151 deny ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 151 in
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion
This example shows how to construct an Extended IP ACL to filter traffic based on application. In Recipe 19.1, we showed how to use Extended IP ACLs to match on any combination of source and/or destination IP addresses. But the Extended IP ACL also allows you to match on just about anything in the IP packet header.
The first argument after the permit or deny keyword represents the IP protocol number:
Router1(config)#access-list 151 permit tcp any any eq www
In this case, we want to match a TCP-based application, so we have used the keyword tcp in this position. This field represents the IP protocol number, which is an 8-bit value. TCP is protocol number 6, UDP is 17, and ICMP uses protocol number 1. The IANA has registered 134 different protocol numbers. You can find the complete list of registered IP protocols online at http://www.iana.org/assignments/protocol-numbers. Cisco supplies helpful mnemonics for several of these protocols, such as the tcp, udp, and icmp keywords used in the example, so you don't have to remember the protocol numbers. Table 19-2 shows all of the IP protocols for which Cisco supplies mnemonic keywords. You can always use the protocol number in decimal form if you prefer, but the router will replace it with the mnemonic in its configuration file.
Protocol number | Keyword | Description
---|---|---
1 | icmp | Internet Control Message Protocol
2 | igmp | Internet Gateway Message Protocol
4 | ipinip | IP in IP tunnel protocol
6 | tcp | Transmission Control Protocol
9 | igrp | Interior Gateway Routing Protocol
17 | udp | User Datagram Protocol
21 | nos | KA9Q tunnel protocol
47 | gre | Generic Routing Encapsulation tunnel protocol
50 | esp | IPSec Encapsulation Security Payload
51 | ahp | IPSec Authenticating Header Protocol
88 | eigrp | Enhanced Interior Gateway Routing Protocol
89 | ospf | Open Shortest Path First routing protocol
103 | pim | Protocol Independent Multicast protocol
108 | pcp | IP Payload Compression Protocol
And, as we showed in Recipe 19.1, you can match on any IP protocol number by simply using the keyword ip.
After the IP protocol number or keyword are the source and destination IP addresses. We described how to use these fields in Recipe 19.1. Recall that the address keyword any is a shorthand that stands for an address of 0.0.0.0 with a wildcard pattern of 255.255.255.255.
Following each address is an optional field where you can specify particular protocol information such as port numbers. In the following example, we match on TCP port 80, which is used by the HTTP protocol. The router has a set of mnemonics for TCP and UDP port numbers, which we list below. These are similar to the protocol number mnemonics mentioned in Table 19-2. In this case, the mnemonic for port 80 is www:
Router1(config)#access-list 151 permit tcp any any eq www
Notice that the keywords eq www appear after the destination IP address, rather than the source IP address. This is because we are looking for the destination TCP port number. If you need to match on a source port number instead, you could simply move these keywords to follow the source IP address:
Router1(config)#access-list 151 permit tcp any eq www any
And, of course, you can always match on both:
Router1(config)#access-list 151 permit tcp any eq www any eq www
Note, however, that this ACL will only score a correct match if both source and destination TCP port numbers match. If you wanted to match HTTP traffic between any two devices, and you didn't know which device had initiated the TCP session, you would need to include two separate lines like this:
Router1(config)#access-list 151 permit tcp any any eq www
Router1(config)#access-list 151 permit tcp any eq www any
You can see all of the possible mnemonic keywords simply by using the online help facility:
Router1(config)#access-list 151 permit tcp any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
Router1#
As with the IP protocol numbers listed in Table 19-2, you can substitute the decimal numerical value for any of these keywords, and the router will replace it with the keyword.
The IANA reserves the TCP port numbers 1024 and above for local and temporary applications. Many TCP implementations use these high numbered ports for source port numbers, and for temporary or ephemeral purposes. It is relatively common to see ACLs that restrict the use of these ports. We included a sample ACL rule in this recipe:
Router1(config)#access-list 151 deny tcp any any gt 1023
This command blocks all packets that have a destination port number greater than 1023 (that is, ports 1024 through 65535). Remember that TCP applications often use these high port numbers for source ports. So you need to be careful about traffic direction when you apply such an ACL.
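To make the first-match behavior and the direction caveat concrete, here is a small Python simulator added for this discussion (it is not part of the recipe or of IOS). It parses the recipe's ACL 151 as configured above, evaluates constructed packets against it in order with the implicit deny at the end, and supports only the any/eq/gt/lt forms the recipe uses; the port-name table is an assumed subset of the IOS mnemonics listed in this recipe.

```python
# Subset of the port and protocol mnemonics the recipe lists (assumed subset).
PORT_NAMES = {"www": 80, "ntp": 123, "domain": 53, "sunrpc": 111, "telnet": 23}
PROTO_NUMS = {"icmp": 1, "tcp": 6, "udp": 17, "ip": None}  # 'ip' matches any protocol

# Constructed copy of the recipe's ACL 151, in the order IOS evaluates it.
ACL_151 = """\
access-list 151 permit tcp any any eq www
access-list 151 deny tcp any any gt 1023
access-list 151 permit icmp any any
access-list 151 permit udp any any eq ntp
access-list 151 deny ip any any
""".splitlines()

def _port_test(tokens):
    """Consume an optional 'eq/gt/lt <port>' operator; return (predicate, remaining tokens)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, val = tokens[0], tokens[1]
        n = PORT_NAMES[val] if val in PORT_NAMES else int(val)
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[op], tokens[2:]
    return (lambda p: True), tokens          # no operator: any port matches

def parse_ace(line):
    """Parse one extended ACE whose addresses are both 'any' into a matcher dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] not in PROTO_NUMS:
        raise ValueError("unsupported ACE: " + line)
    rest = t[4:]
    if rest[0] != "any":                     # only 'any' addresses are needed for the recipe
        raise ValueError("only 'any' source supported: " + line)
    src_ok, rest = _port_test(rest[1:])      # port operator after the source address
    if rest[0] != "any":
        raise ValueError("only 'any' destination supported: " + line)
    dst_ok, rest = _port_test(rest[1:])      # port operator after the destination address
    return {"action": t[2], "proto": PROTO_NUMS[t[3]], "src_ok": src_ok, "dst_ok": dst_ok}

def evaluate(acl_lines, proto, sport=0, dport=0):
    """First match wins; IOS appends an implicit 'deny ip any any'."""
    for ace in (parse_ace(l) for l in acl_lines):
        if ace["proto"] not in (None, proto):
            continue
        if ace["src_ok"](sport) and ace["dst_ok"](dport):
            return ace["action"]
    return "deny"

if __name__ == "__main__":
    # Constructed packets arriving inbound on Serial0/1: an HTTP request is permitted,
    # but the reply to an inside client's request is caught by 'deny tcp any any gt 1023'.
    print(evaluate(ACL_151, 6, 51000, 80))   # permit
    print(evaluate(ACL_151, 6, 80, 51000))   # deny
```

The second packet is the case the paragraph above warns about: with this ACL applied inbound, return traffic for sessions that inside hosts initiated is dropped because its destination port is ephemeral.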
There is a similar set of port numbers for UDP applications:
Router2(config)#access-list 151 permit udp any eq ?
<0-65535> Port number
biff Biff (mail notification, comsat, 512)
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
discard Discard (9)
dnsix DNSIX security protocol auditing (195)
domain Domain Name Service (DNS, 53)
echo Echo (7)
isakmp Internet Security Association and Key Management Protocol (500)
mobile-ip Mobile IP registration (434)
nameserver IEN116 name service (obsolete, 42)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
netbios-ss NetBios session service (139)
non500-isakmp Internet Security Association and Key Management Protocol (4500)
ntp Network Time Protocol (123)
pim-auto-rp PIM Auto-RP (496)
rip Routing Information Protocol (router, in.routed, 520)
snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)
sunrpc Sun Remote Procedure Call (111)
syslog System Logger (514)
tacacs TAC Access Control System (49)
talk Talk (517)
tftp Trivial File Transfer Protocol (69)
time Time (37)
who Who service (rwho, 513)
xdmcp X Display Manager Control Protocol (177)
Router2(config)#
So, for example, you could block all Sun RPC traffic, which includes important but chatty applications such as Network File System (NFS), as follows:
Router1(config)#access-list 151 deny udp any eq sunrpc any
Router1(config)#access-list 151 deny udp any any eq sunrpc
Because we applied the UDP port number filter separately to the source and destination ports, this will block RPC traffic going in either direction.
Once again, with UDP port numbers, as with TCP port numbers, the values from 1024 through 65535 are often used for temporary purposes such as source port numbers. So you can control the use of these port numbers with a similar ACL rule to the one we discussed above for high TCP port numbers:
Router1(config)#access-list 151 deny udp any any gt 1023