Why you need to know Cisco IOS ACL port numbers

When working with the Cisco IOS, it's very important to know your TCP and UDP port numbers. This is especially true when creating IOS access control lists (ACLs). Let's take a closer look.

What's a port number?

Most of you likely know what port numbers are, but here's a brief overview just in case: Port numbers are unique, well-known numbers used by TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) applications. For example, Telnet uses port 23, and HTTP uses port 80 for Web traffic.

Well-known port numbers are 0 through 1023, registered port numbers are 1024 through 49151, and dynamic or private port numbers are 49152 through 65535. The Internet Assigned Numbers Authority (IANA) provides a complete list of these port numbers on its Web site. The Internet Corporation for Assigned Names and Numbers (ICANN) assigns well-known and registered port numbers.

Keep in mind that there's a big difference between a port number and a protocol number — don't confuse the two. A protocol number is a reserved number used to identify protocols. For example, IP is protocol number 4, ICMP is 1, EIGRP is 88, and OSPF is protocol number 89. IANA's Web site offers a complete list of assigned protocol numbers.

What does this have to do with the Cisco IOS?

There are various places in the Cisco IOS where you would use a port number. Most often, I find myself using port numbers when configuring IOS ACLs. The Cisco IOS does recognize many port numbers, so you don't have to memorize all 65,535 possible ports.

On my Cisco 2800 Series router using IOS 12.4, the IOS knows about 34 common port numbers. Here's the list:

Router(config)# access-list 151 permit tcp any any eq ?
   <0-65535>    Port number
   bgp          Border Gateway Protocol (179)
   chargen      Character generator (19)
   cmd          Remote commands (rcmd, 514)
   daytime      Daytime (13)
   discard      Discard (9)
   domain       Domain Name Service (53)
   drip         Dynamic Routing Information Protocol (3949)
   echo         Echo (7)
   exec         Exec (rsh, 512)
   finger       Finger (79)
   ftp          File Transfer Protocol (21)
   ftp-data     FTP data connections (20)
   gopher       Gopher (70)
   hostname     NIC hostname server (101)
   ident        Ident Protocol (113)
   irc          Internet Relay Chat (194)
   klogin       Kerberos login (543)
   kshell       Kerberos shell (544)
   login        Login (rlogin, 513)
   lpd          Printer service (515)
   nntp         Network News Transport Protocol (119)
   pim-auto-rp  PIM Auto-RP (496)
   pop2         Post Office Protocol v2 (109)
   pop3         Post Office Protocol v3 (110)
   smtp         Simple Mail Transport Protocol (25)
   sunrpc       Sun Remote Procedure Call (111)
   syslog       Syslog (514)
   tacacs       TAC Access Control System (49)
   talk         Talk (517)
   telnet       Telnet (23)
   time         Time (37)
   uucp         Unix-to-Unix Copy Program (540)
   whois        Nicname (43)
   www          World Wide Web (HTTP, 80)
Router(config)# access-list 151 permit tcp any any eq

You'll notice some familiar and frequently used ports in this list, including:

  • WWW — port 80
  • Telnet — port 23
  • SMTP — port 25
  • FTP and FTP-data — ports 21 and 20
  • Domain (actually DNS) — port 53
  • BGP — port 179

However, the remainder of the ports is depressingly outdated. Who uses UUCP anymore? In my opinion, Cisco really needs to update this list by removing old and unused applications and adding new ones. For example, the first two applications that I would add would be HTTPS at port 443 and RDP/Terminal Server at port 3389. Which ones would you add?

When do I need to know a port number?

While 34 ports may seem like a lot, in reality, it's very few compared to the 50,000 or so potentially registered port numbers. Because of this, you need to know many of the port numbers you'll configure inside an ACL.

For example, let's say I want to configure an ACL to deny all AOL AIM (Instant Messenger) traffic from any source. Here's what I would do:

Router(config)# access-list 152 deny tcp any any eq 5190

Port 5190 is the registered port for AOL AIM. I would then permit other traffic and apply the ACL, as shown below:

Router(config)# access-list 152 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 152 in

Now, let's say that a month later, I decide I want to also stop MSN Messenger traffic. I could use the Edit ACL option in the Cisco IOS and add the denial of port 1863, as shown below:

Router(config)# ip access-list extended 152
Router(config-ext-nacl)# 15 deny tcp any any eq 1863

In the end, here's my ACL:

Router# show ip access-lists 152
Extended IP access list 152
     10 deny tcp any any eq 5190
     15 deny tcp any any eq 1863
     20 permit ip any any
Router#

Notice how it shows the port numbers as the numbers I entered. However, if I enter an ACL using one of the port numbers known by the Cisco IOS, it translates that port number to the alpha abbreviation, as shown below:

Router(config)# access-list 158 permit tcp any any eq 80
Router(config)#
Router(config)#^Z
Router# show ip access-lists 158
Extended IP access list 158
     10 permit tcp any any eq www
Router#

In addition, you can also enter an ACL using the known Cisco alpha abbreviations. For example, I can represent port 23 by entering tel (for Telnet), as shown below:

Router(config)# access-list 157 permit tcp any any eq tel
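Because the IOS shows known ports by keyword and accepts unambiguous abbreviations such as tel, auditing an ACL against a numeric port policy means normalizing both forms. The following Python parser is an added example, not code from the article or from Cisco: it resolves the keywords from the eq ? list above (plus unique prefixes) to port numbers and parses show ip access-lists output; the function and helper names are my own.

```python
IOS_TCP_PORTS = {  # keyword -> port, constructed from the "eq ?" list above
    "bgp": 179, "chargen": 19, "cmd": 514, "daytime": 13, "discard": 9,
    "domain": 53, "drip": 3949, "echo": 7, "exec": 512, "finger": 79,
    "ftp": 21, "ftp-data": 20, "gopher": 70, "hostname": 101, "ident": 113,
    "irc": 194, "klogin": 543, "kshell": 544, "login": 513, "lpd": 515,
    "nntp": 119, "pim-auto-rp": 496, "pop2": 109, "pop3": 110, "smtp": 25,
    "sunrpc": 111, "syslog": 514, "tacacs": 49, "talk": 517, "telnet": 23,
    "time": 37, "uucp": 540, "whois": 43, "www": 80,
}

def resolve_port(token):
    """Map a number, keyword or unambiguous prefix ('tel' for telnet) to a port number."""
    if token.isdigit():
        if not 0 <= int(token) <= 65535:
            raise ValueError("port out of range: " + token)
        return int(token)
    key = token.lower()
    if key in IOS_TCP_PORTS:   # exact match first, so 'ftp' does not collide with 'ftp-data'
        return IOS_TCP_PORTS[key]
    matches = [k for k in IOS_TCP_PORTS if k.startswith(key)]
    if len(matches) != 1:      # e.g. 'po' could mean pop2 or pop3
        raise ValueError("unknown or ambiguous port keyword: " + token)
    return IOS_TCP_PORTS[matches[0]]

def _take_addr(toks):
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' from the token list."""
    return toks.pop(0) if toks[0] == "any" else " ".join([toks.pop(0), toks.pop(0)])
def _take_port(toks):
    """Consume an optional 'eq PORT' clause and return the numeric port, else None."""
    if toks[:1] == ["eq"]:
        toks.pop(0)
        return resolve_port(toks.pop(0))
    return None

def parse_ace(line):
    """Parse one entry line of 'show ip access-lists' (optional sequence number,
    then action/protocol/source/destination); return None for other lines."""
    toks = line.split()
    seq = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        return None            # header line, prompt, or unrelated output
    action, proto = toks.pop(0), toks.pop(0)
    src, sport = _take_addr(toks), _take_port(toks)
    dst, dport = _take_addr(toks), _take_port(toks)
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_show_access_list(text):
    """Return every ACE in 'show ip access-lists' output with ports as integers."""
    return [ace for ace in map(parse_ace, text.splitlines()) if ace]
```

Feeding it the show ip access-lists output above yields entries whose dport is 5190, 1863 and None, and an entry displayed as eq www comes back as 80, so a review script can compare ACLs regardless of how the IOS chose to print them.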

There are other times that you need to know port numbers. While the Cisco IOS knew about port 23 in our example, that isn't always the case. Recently, I used the debug ip packet detail command on my Telnet connection to a router. As you can see from the output below, it says that the destination port number is 23 — not telnet(23):

Aug 24: IP: s=10.1.1.1 (Serial0/2/0), d=10.2.2.2, len 42, rcvd 4
Aug 24: TCP src=4672, dst=23, seq=4227579056, ack=1459609700, win=64636 ACK PSH

This is yet another reason to memorize common port numbers — it saves time. In addition, if you're studying for Cisco certification exams such as the CCNA or CCNP, it's very likely you'll need to know common TCP/UDP port numbers.

Summary

TCP and UDP port numbers are very important in networking in general and when working with the Cisco IOS. While the Cisco IOS can help you translate some ports, it's still important to know the port numbers in use today — or at least know how to quickly find them.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.
