Wired Intelligent Edge (Campus Switching and Routing)


ACL Port range resources 

Mar 28, 2020 03:41 AM

Problem:

Unable to execute an ACL statement (ACE) that contains a TCP/UDP port range.

Unable to apply predefined ACLs on a port or VLAN.

Unable to deploy an ACL that contains a port range.



Diagnostics:

Troubleshooting:

  1. Check whether the ACE uses any of the following:
    a. GT or LT comparison operators
    b. the NE comparison operator
    c. the range operator

  2. If the answer to 1 (a) is yes:
    a. Try to convert the same ACE to the range operator.
    b. If conversion is not an option, then use the GT or LT operator.

  3. If the answer to 1 (c) is yes:
    a. Try to choose port numbers that follow these rules:
      i. The lowest N bits of the binary representation of the start value are all zeros.
      ii. The lowest N bits of the binary representation of the end value are all ones.
      iii. The upper 16 - N bits of both values are the same.
      Here N can be anything from 1 to 16; 16 because TCP/UDP ports are represented using 16 bits.

  4. But why?
    a. Whenever an ACE contains a comparison operator (GT/LT or NE), the switch uses a special hardware resource, separate from the regular ACL resource, called the Application Port Range (APR).
    b. It is a hardware resource and is very scarce.
    c. Thus the resource needs to be used very cautiously and should be avoided as much as possible.

  5. When does the switch use this resource?
    a. When condition 3 (a) is not met.
    b. When 2 (b) applies.
    c. When 1 (a) is true.

  6. How to use this resource optimally?
    a. When the NE operator is used there is no escaping the use of an APR resource.
    b. If the range operator is used, try to fit the port ranges to the conditions mentioned in 3 (a).
      i. If a reasonable number of ports do not allow you to meet this condition, then use appropriate statements for those port numbers before the ACE, since ACLs are evaluated sequentially.
    c. If the GT or LT operator is used, try to squeeze the ACEs into a port range meeting condition 3 (a).

  7. Why is 3 (a) stressed so much?

3 (a) specifies a set of conditions which, if all of them are met, spares a resource: the switch uses what is called a "don't care" mask instead of an APR resource. The don't care mask works much like subnetting, which summarizes an entire range of IP addresses with a single network statement.

For example, if a routing table has a statement that says forward traffic destined to 192.168.1.0/24 to 192.168.10.1, the switch uses that single entry for all hosts within the range 192.168.1.1 to 192.168.1.254.

In a similar way the switch can use the same logic for the TCP/UDP ports in an ACE that contains the range parameter, if the conditions are met.



Solution

Example 1:

If you want to block all traffic destined to TCP ports 1000 to 1007, the switch does not use an APR resource to apply the ACE.

Why?

                1000 in binary is 0000001111101000

                1007 in binary is 0000001111101111

The condition is met here for the following reasons:

  1. The lowest 3 bits of the lower bound port (1000) are all zeros.
  2. The lowest 3 bits of the upper bound port (1007) are all ones.
  3. The upper (16 - 3) = 13 bits of both the upper and lower bound ports are the same.

Example 2:

If you want to block all traffic destined to TCP ports 1000 to 1008, the switch would use an APR resource to apply the ACE.

Why?

                1000 in binary is 0000001111101000

                1008 in binary is 0000001111110000

Since the conditions in 3 (a) are not met, this ACE would use an APR resource.

But there is a way around it:

                Use the range operator to block all traffic destined to TCP ports 1000 to 1007, and use a single ACE to deny traffic for port 1008.

There is a mathematical way to split a large range into mask-able blocks. For instance, 6400 to 6700.

Step 1: Calculate the difference between the two ports: 6700 - 6400 = 300. The start value is always the lower bound port.

Step 2: Using the start value, find the highest power of 2 (2**x) that divides the start value to give a whole-number quotient. Remember that 2**x must never exceed the difference between the two values.

Step 3: Add the (2**x - 1) calculated in Step 2 to the start value. Call the result Y. Y+1 is now the new start value.

Step 4: Use Y+1 and perform all the steps again until you reach the last value (6700). The difference is now calculated between Y+1 and the last value.

Example: 6400 to 6700

  1. 300 is the difference, so 2**x needs to be lower than 300.
  2. 6400/(2**8) = 25 (a whole number). Now add (2**8 - 1) = 255 to 6400, giving 6655.
  3. Now use 6655+1 = 6656 as the new start value and perform all the steps again.
  4. 6656/(2**5) = 208. Now add (2**5 - 1) = 31 to 6656, giving 6687.
  5. And so on, until you reach a point where you can no longer divide because of the restriction on the difference.
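The following Python is an added example, not code from the article or from HPE: it checks the 3 (a) conditions for a port range and performs the Step 1 to Step 4 split above. It goes beyond the text in one respect: it bounds each block by the inclusive size of the remaining range (end - start + 1) rather than the plain difference, which is what makes the page's own 1000 to 1007 case come out as a single mask-able block.

```python
# Added example, not part of the original article: test whether a TCP/UDP port
# range can be covered by one "don't care" mask (conditions 3 (a) above) and split
# a range that cannot into mask-able blocks using the greedy procedure described.
# Assumption: a block must fit inside the remaining range, so the bound used is
# the inclusive size end - start + 1; this is what makes 1000-1007 one block.

def mask_bits(start: int, end: int):
    """Return N when ports start..end form exactly one don't-care mask block:
    lowest N bits of start all zero, lowest N bits of end all one, and the
    upper 16-N bits equal. N == 0 means a single port. Return None otherwise."""
    if not (0 <= start <= end <= 0xFFFF):
        raise ValueError("ports must be 16-bit values with start <= end")
    size = end - start + 1
    if size & (size - 1):              # block size must be a power of two
        return None
    n = size.bit_length() - 1          # size == 2**n
    low = (1 << n) - 1                 # mask of the lowest N bits
    if start & low or (end & low) != low:
        return None                    # start not aligned / end not all ones
    return n                           # upper 16-N bits then agree automatically


def split_range(start: int, end: int):
    """Greedy split: from the current start take the largest power of two that
    both divides start and fits in the remaining range, then move past it."""
    blocks = []
    while start <= end:
        remaining = end - start + 1
        n = 0
        while n < 16 and start % (1 << (n + 1)) == 0 and (1 << (n + 1)) <= remaining:
            n += 1
        blocks.append((start, start + (1 << n) - 1))
        start += 1 << n
    return blocks


def apr_registers_needed(ranges):
    """Count (start, end) ranges that are not one mask block and would therefore
    each consume an Application Port Range (APR) hardware register."""
    return sum(1 for s, e in ranges if mask_bits(s, e) is None)


if __name__ == "__main__":
    print(mask_bits(1000, 1007), mask_bits(1000, 1008))   # 3 None
    print(split_range(1000, 1008))    # [(1000, 1007), (1008, 1008)]
    print(split_range(6400, 6700))    # the article's 6400-6700 walk-through
```

Every block returned by split_range satisfies mask_bits, so each can be written as a range ACE that needs no APR register; a trailing single port such as 6700 becomes an ordinary eq ACE.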

 

 

But all of these do have some restrictions:

  1. A port range that starts with an odd number always requires a hardware range register, because of the TCAM mask operation.
  2. A port range that ends with an even number also always requires a hardware range register.
  3. A configured port range can be referenced by multiple ACEs. However, be aware that if a single port range that uses a hardware range register is applied as both a source and a destination range within the list of ACEs, then two port range registers are actually used by this single port range.

Attachments:
ACL_Port_Range_resources.docx
