Access-list: combine TCP and UDP?

say I have:

access-list 101 deny tcp any any eq 53
access-list 101 deny udp any any eq 53

Is there a way to combine this into a single entry in the access list? It seems wasteful to have to duplicate access-list entries to cover both TCP and UDP accesses.

-- JF Mezei

JF Mezei wrote:

No.

-- Uli Link

Hmmm....you can deny ip any any, so I would try:

access-list 101 deny ip any any eq 53

Never tried it....let me know if it works.

-- Trendkill

Nope, that's what I tested on IOS 12.4 mainline just before my reply, and the "eq" wasn't available.

-- Uli Link

It doesn't. Think about it - how would the router know which IP protocol this applies to? There are lots of other IP protocols in addition to TCP and UDP, and they don't all have port numbers.

The first answer here is correct - there is no way to combine these two entries into a single entry with the same effect.

Steinar Haug, Nethelp consulting, snipped-for-privacy@nethelp.no

-- Steinar Haug
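To make Steinar's point concrete, here is a small added example (not from the thread, not Cisco code) that models two behaviours of an IOS extended ACL: a port qualifier such as "eq 53" is only meaningful after a protocol keyword that carries ports (TCP or UDP), so an "ip" ACE with "eq" is rejected at parse time, and packet matching is first-hit with an implicit deny at the end. The ACL text and the sample packets are constructed; the matcher only handles "any any" sources and destinations, which is all the question needs.

```python
"""Toy evaluator for Cisco-style numbered extended ACL entries (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Only these protocols have a port field an ACE can test with "eq".
PORTED_PROTOCOLS = {"tcp", "udp"}

ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+any\s+any(?:\s+eq\s+(\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    protocol: str             # "ip", "tcp", "udp", "icmp", ...
    dst_port: Optional[int]   # set only for "eq <port>" on tcp/udp


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int] = None   # ICMP and friends have no port


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <action> <proto> any any [eq <port>]'.

    Raises ValueError, as IOS rejects the line, when 'eq' follows a
    protocol keyword that has no port field (e.g. 'ip').
    """
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable ACE: {line!r}")
    _, action, proto, port = m.groups()
    if port is not None and proto not in PORTED_PROTOCOLS:
        raise ValueError(f"'eq' is not valid for protocol {proto!r}: {line!r}")
    return Ace(action, proto, int(port) if port is not None else None)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; no match means the implicit deny."""
    for ace in acl:
        # "ip" matches every IP protocol; anything else must match exactly.
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action
    return "deny"


# Constructed ACL: the two ACEs from the question plus an explicit permit.
TWO_ACE_ACL = """
access-list 101 deny tcp any any eq 53
access-list 101 deny udp any any eq 53
access-list 101 permit ip any any
"""


def decisions() -> Dict[str, str]:
    """Evaluate a few constructed packets against TWO_ACE_ACL."""
    acl = parse_acl(TWO_ACE_ACL)
    pkts = {
        "tcp/53": Packet("tcp", 53),
        "udp/53": Packet("udp", 53),
        "tcp/80": Packet("tcp", 80),
        "icmp": Packet("icmp"),
    }
    return {name: evaluate(acl, p) for name, p in pkts.items()}


def combined_ace_is_rejected() -> bool:
    """The single-line attempt from the thread fails the grammar check."""
    try:
        parse_ace("access-list 101 deny ip any any eq 53")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:8s} -> {verdict}")
    print("ip ... eq 53 rejected:", combined_ace_is_rejected())
```

Running it shows DNS over TCP and UDP denied, TCP/80 and ICMP permitted, and the "deny ip any any eq 53" line refused, which is exactly what Uli saw on 12.4 mainline.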

Never used it, but I read about the new object group functionality, similar to the one present on the ASA, starting from about the 12.4(24)T IOS release; maybe it helps? Bye, Tosh.

-- Tosh
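The object-group approach Tosh mentions, written out as an added example (not from the thread). It assumes an IOS release with object-group ACL support, 12.4(24)T or later as the thread states, and that the platform accepts object-group references in a named extended ACL, which is where IOS expects them rather than in a numbered list; the group and ACL names are placeholders. The tcp-udp entry of a service object group matches destination port 53 on either transport, so the two ACEs from the question collapse into one line that references the group:

```text
object-group service DNS-PORTS
 tcp-udp eq 53
!
ip access-list extended FILTER-101
 deny   object-group DNS-PORTS any any
 permit ip any any
```

The saving is in the configuration text and in maintainability (add a port once, every ACL using the group follows); the router still expands the group to a TCP match and a UDP match internally, so this does not contradict the earlier answers.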

Good call, did not think of it that way. Written a ton of ACLs over the years, but never really thought about ip vs. a specific protocol in terms of the modifiers. Thx.

-- Trendkill
