Posted on October 23, 2019 9:31 pm
 |  Asked by Darrell Root
RESOLVED

I’m working on adding Arista support to my MacOS “Network Mom ACL Analyzer” tool. Unfortunately the Arista documentation does not have a full list of UDP/TCP/ICMP keywords and I don’t have physical access to an Arista box. Could someone give me the command completion of the following 3 commands in ACL configuration mode?

permit tcp any eq ?
permit udp any eq ?
permit icmp any any ?

Examples of port names would include stuff like: bfd, bfd-echo, bgp, bootps, submission, nfs, and so on.

Arista documentation reference: https://www.arista.com/en/um-eos/eos-section-24-7-acl-route-map-and-prefix-list-commands#ww1150997

Answered on October 22, 2019 10:47 pm

Hi Darrell,

Thank you for writing to the forum.

The list of UDP, TCP, ICMP keywords is nothing but the list of port numbers (or protocol names) that are well known. Some protocols are only TCP whereas some are UDP only. May I know which protocols you would like to permit?

Thanks,

Answered on October 24, 2019 4:56 am

From the Arista EOS CLI you can get a list of all predefined UDP/TCP port numbers, example below:

leaf1(config-acl-test)#permit tcp any any eq ?
acap Application Configuration Access Protocol (674)
acr-nema ACR-NEMA Digital Imaging and Communications in Medicine (104)
afpovertcp Apple Filing Protocol Over TCP (548)
arns A Remote Network Server System (384)
asip-webadmin AppleShare IP Web Administration (311)
at-rtmp AppleTalk Routing Maintenance (201)
aurp Appletalk Update-Based Routing Protocol (387)
bftp Background File Transfer Program (152)
bgmp Border Gateway Multicast Protocol (264)
bgp Border Gateway Protocol (179)
chargen Character Generator (19)
cisco-tdp Cisco Tag Distribution Protocol (711)
citadel Citadel (504)
clearcase Clearcase albd (371)
cmd Remote Shell/Rsh (514)
commerce Commerce Applications (542)
courier Remote Procedure Call (530)
csnet-ns CCSO Name Server Protocol (105)
cvx CVX (50003)
cvx-cluster CVX Cluster (50004)
daytime Daytime (13)
dhcp-failover2 DHCP Failover Protocol (847)
dhcpv6-client DHCPv6 Client (546)
dhcpv6-server DHCPv6 Server (547)
discard Discard (9)
domain Domain Name Service (53)
dsp Display Support Protocol (33)
echo Echo (7)
eco-dhcp ECO DHCP Fingerprint Streaming (50005)
eco-ipfix ECO IPFIX Record Streaming (50006)
efs Extended File Name Server (520)
epp Extensible Provision Protocol (700)
esro-gen Efficient Short Remote Operations (259)
exec Remote Process Execution/Rexec (512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
ftps FTPS Protocol (control) (990)
ftps-data FTPS Protocol (data) (989)
gnmi gNMI default port (6030)
godi Group Domain of Interpretation Protocol (848)
gopher Gopher (70)
gre Generic Routing Encapsulation (47)
ha-cluster Linux-HA Heartbeat (694)
hostname NIC hostname server (101)
hp-alarm-mgr HP Performance Data Alarm Manager (383)
http-alt Filemaker, Inc. -HTTP Alternate (591)
http-mgmt http-mgmt (280)
http-rpc-epmap HTTP RPC Ep Map (593)
https HTTP Secure (HTTPS) (443)
ident Ident Protocol (113)
ieee-mms-ssl IEEE Media Management System Over SSL (695)
imap Interim Mail Access Protocol (143)
imap3 Interactive Mail Access Protocol v3 (220)
imaps Internet Message Access Protocol over SSL (993)
ipp Internet Printing Protocol (631)
ipx Internetwork Packet Exchange (213)
irc Internet Relay Chat (194)
iris-beep Internet Registry Information Service Over BEEP (702)
iscsi Internet Small Computers Systems Interface (860)
isi-gl ISI Graphics Language (55)
iso-tsap ISO-TSAP Class 0 (102)
kerberos Kerberos Authentication System (88)
kerberos-adm Kerberos Administration (749)
klogin Kerberos login (543)
kpasswd Kerberos Change/Set Password (464)
kshell Kerberos shell (544)
la-maint IMP Logical Address Maintenance (51)
lanz Lanz Streaming (50001)
ldap Lightweight Directory Access Protocol (389)
ldaps LDAP Over TLS/SSH (636)
ldp Label Distribution Protocol (646)
lmp Link Management Protocol (701)
login Rlogin (513)
lpd Line Printer Daemon (515)
mac-srvr-admin MacOS Server Admin (660)
matip-type-a MATIP Type A (350)
matip-type-b MATIP Type B (351)
microsoft-ds Microsoft-DS SMB File Sharing (445)
mlag MLAG Protocol (4432)
mlag-arp-sync ARP file transfer server port (50002)
mpp Netix Message Posting Protocol (218)
ms-sql-m Microsoft SQL Monitor (1434)
ms-sql-s Microsoft SQL Server (1433)
msdp Multicast Source Discovery Protocol (639)
msexch-routing MS Exchange Routing (691)
msg-icp MSG ICP (29)
msp Message Send Protocol (18)
nas Netnews Administration System (991)
nat Nat Sync Protocol (4532)
ncp NetWare Core Protocol (524)
netconf-ssh NETCONF over SSH (830)
netrjs-1 Remote Job Service (71)
netrjs-2 Remote Job Service (72)
netrjs-3 Remote Job Service (73)
netrjs-4 Remote Job Service (74)
netwnews Readnews (532)
new-rwho new-who (550)
nfs Network File System (2049)
nntp Network News Transport Protocol (119)
nntps Network News Transfer Protocol Over TSL/SSH (563)
nsw-fe NSW User System FE (27)
odmr On Demand Mail Retry (366)
openvpn OpenVPN (1194)
pim-auto-rp PIM Auto-RP (496)
pkix-timestamp PKIX Timestamp (318)
pkt-krb-ipsec Internet Protocol Security (1293)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
pop3s Post Office Protocol 3 over TLS/SSL (995)
pptp Microsoft Point-to-Point Tunneling Protocol (1723)
print-srv Network PostScript (170)
ptp-event Precision Time Protocol Event (319)
ptp-general Precision Time Protocol General (320)
qmtp The Quick Mail Transfer Protocol (209)
qotd Quote of the Day (17)
radius Radius Authentication Protocol (1812)
radius-acct Radius Accounting Protocol (1813)
re-mail-ck Remote Mail Checking Protocol (50)
remotefs RFS Server (556)
repcmd SupportSoft Nexus Remote Command (641)
rje Remote Job Entry (5)
rlp Resource Location Protocol (39)
rlzdbase RLZ DBase (635)
rmc Remote Monitoring and Control Protocol (657)
rpc2portmap Rpc2portmap (369)
rsync rysnc File Synchronization Protocol (873)
rtelnet Remote Telnet Service (107)
rtsp Real Time Streaming Protocol (554)
sgmp Simple Gateway Monitoring Protocol (153)
silc Secure Internet Live Conferencing (706)
smtp Simple Mail Transport Protocol (25)
smux SNMP Unix Multiplexer (199)
snagas SNA Gateway Access Server (108)
snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)
snpp Simple Network Paging Protocol (444)
sqlserv SQL Services (118)
sqlsrv SQL Service (156)
ssh Secure Shell Protocol (22)
submission Email Message Submission (587)
sunrpc Sun Remote Procedure Call (111)
svrloc Server Location Protocol (427)
systat Active users (11)
tacacs TAC Access Control System (49)
talk Talk (517)
tbrpf Topology Broadcast based on Reverse-Path Forwarding Protocol (712)
tcpmux TCP Port Service Multiplexer (1)
tcpnethaspsrv Aladdin Knowledge Systems Hasp services, TCP/IP version (475)
telnet Telnet Protocol (23)
time Time (37)
tunnel TUNNEL Profile (604)
ups Uninterruptible Power Supply (401)
uucp Unix-to-Unix Copy Program (540)
uucp-path UUCP Path Service (117)
vmnet VMNET (175)
whois Nicname (43)
www World Wide Web (HTTP) (80)
xns-ch XNS (Xerox Network Systems) Clearinghouse (54)
xns-mail XNS (Xerox Network Systems) Mail (58)
xns-time XNS (Xerox Network Systems) Time Protocol (52)
z39-50 ANSI Z39.50 (210)
<0-65535> Port number

leaf1(config-acl-test)#permit udp any any eq ?
acr-nema ACR-NEMA Digital Imaging and Communications in Medicine (104)
arns A Remote Network Server System (384)
asf-rmcp ASF Remote Management and Control Protocol (623)
at-rtmp AppleTalk Routing Maintenance (201)
aurp Appletalk Update-Based Routing Protocol (387)
auth Authentication Service (113)
bfd Bidirectional Forwarding Detection (3784)
bfd-echo BFD Echo (3785)
bftp Background File Transfer Program (152)
bgmp Border Gateway Multicast Protocol (264)
biff Biff (mail notification, comsat) (512)
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
chargen Character Generator (19)
citadel Citadel (504)
clearcase Clearcase albd (371)
commerce Commerce Applications (542)
courier Remote Procedure Call (530)
csnet-ns CCSO Name Server Protocol (105)
daytime Daytime (13)
dhcpv6-client DHCPv6 Client (546)
dhcpv6-server DHCPv6 Server (547)
discard Discard (9)
dnsix DNSIX security protocol auditing (195)
domain Domain Name Service (53)
dsp Display Support Protocol (33)
echo Echo (7)
esro-gen Efficient Short Remote Operations (259)
ftps FTPS Protocol (control) (990)
ftps-data FTPS Protocol (data) (989)
godi Group Domain of Interpretation Protocol (848)
gtp-c GPRS Tunneling Protocol Control Data (2123)
gtp-prime GPRS Tunneling Prime Protocol (3386)
gtp-u GPRS Tunneling Protocol User Data (2152)
ha-cluster Linux-HA Heartbeat (694)
hp-alarm-mgr HP Performance Data Alarm Manager (383)
http-mgmt http-mgmt (280)
http-rpc-epmap HTTP RPC Ep Map (593)
imap3 Interactive Mail Access Protocol v3 (220)
ipp Internet Printing Protocol (631)
ipx Internetwork Packet Exchange (213)
isakmp Internet Security Association and Key Management Protocol (500)
isi-gl ISI Graphics Language (55)
kerberos Kerberos Authentication System (88)
kerberos-adm Kerberos Administration (749)
kpasswd Kerberos Change/Set Password (464)
l2tp Layer 2 Tunneling Protocol (1701)
la-maint IMP Logical Address Maintenance (51)
ldap Lightweight Directory Access Protocol (389)
ldaps LDAP Over TLS/SSH (636)
ldp Label Distribution Protocol (646)
lsp-ping MPLS LSP-echo Port (3503)
matip-type-a MATIP Type A (350)
matip-type-b MATIP Type B (351)
micro-bfd RFC7130 BFD session over each LAG member link (6784)
mlag MLAG Protocol (4432)
mobile-ip Mobile IP registration (434)
monitor Monitord (561)
mpp Netix Message Posting Protocol (218)
ms-sql-m Microsoft SQL Monitor (1434)
msdp Multicast Source Discovery Protocol (639)
msg-icp MSG ICP (29)
msp Message Send Protocol (18)
multihop-bfd Multihop Bfd (4784)
nameserver IEN116 Nameserver Service (obsolete) (42)
nas Netnews Administration System (991)
nat Nat Sync Protocol (4532)
ncp NetWare Core Protocol (524)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
netbios-ss NetBios session service (139)
netwall For Emergency Broadcasts (533)
new-rwho new-who (550)
nfs Network File System (2049)
nntps Network News Transfer Protocol Over TSL/SSH (563)
non500-isakmp Internet Security Association and Key Management Protocol (4500)
nsw-fe NSW User System FE (27)
ntp Network Time Protocol (123)
odmr On Demand Mail Retry (366)
olsr Optimized Link State Routing (698)
openvpn OpenVPN (1194)
pim-auto-rp PIM Auto-RP (496)
pkix-timestamp PKIX Timestamp (318)
pkt-krb-ipsec Internet Protocol Security (1293)
pptp Microsoft Point-to-Point Tunneling Protocol (1723)
ptp-event Precision Time Protocol Event (319)
ptp-general Precision Time Protocol General (320)
qmtp The Quick Mail Transfer Protocol (209)
qotd Quote of the Day (17)
radius Radius Authentication Protocol (1812)
radius-acct Radius Accounting Protocol (1813)
re-mail-ck Remote Mail Checking Protocol (50)
repcmd SupportSoft Nexus Remote Command (641)
rip Routing Information Protocol (520)
rje Remote Job Entry (5)
rlp Resource Location Protocol (39)
rlzdbase RLZ DBase (635)
rmc Remote Monitoring and Control Protocol (657)
rmonitor Remote Monitord (560)
rpc2portmap Rpc2portmap (369)
rtsp Real Time Streaming Protocol (554)
sgmp Simple Gateway Monitoring Protocol (153)
smux SNMP Unix Multiplexer (199)
snagas SNA Gateway Access Server (108)
snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)
snpp Simple Network Paging Protocol (444)
sqlserv SQL Services (118)
sqlsrv SQL Service (156)
sunrpc Sun Remote Procedure Call (111)
svrloc Server Location Protocol (427)
syslog System Logger (514)
systat Active users (11)
tacacs TAC Access Control System (49)
talk Talk (517)
tcpmux TCP Port Service Multiplexer (1)
tcpnethaspsrv Aladdin Knowledge Systems Hasp services, TCP/IP version (475)
tftp Trivial File Transfer Protocol (69)
time Time (37)
timed Timeserver (525)
ups Uninterruptible Power Supply (401)
who Who service, rwho (513)
xdmcp X Display Manager Control Protocol (177)
xns-ch XNS (Xerox Network Systems) Clearinghouse (54)
xns-mail XNS (Xerox Network Systems) Mail (58)
xns-time XNS (Xerox Network Systems) Time Protocol (52)
z39-50 ANSI Z39.50 (210)
<0-65535> Port number

leaf1(config-acl-test)#permit icmp any any ?
administratively-prohibited Communication administratively prohibited (3/13)
alternate-address Alternate host address (6)
conversion-error Datagram conversion error (31)
dod-host-prohibited Communication with host prohibited (3/10)
dod-net-prohibited Communication with network prohibited (3/9)
dscp Match packets by DSCP value or name
echo Echo (8)
echo-reply Echo reply (0)
ecn Match packets by ECN Codepoints
fragments Match non-head fragment packets
general-parameter-problem General parameter problem (12/0)
host-isolated Source host isolated (3/8)
host-precedence-unreachable Host precedence violation (3/14)
host-redirect Host redirect (5/1)
host-tos-redirect Host and type of service redirect (5/3)
host-tos-unreachable Host unreachable for type of service (3/12)
host-unknown Host unknown (3/7)
host-unreachable Host unreachable (3/1)
information-reply Information replies (16)
information-request Information requests (15)
ip-length Match IP packet length
log Log matches against this rule
mask-reply Address mask replies (18)
mask-request Address mask request (17)
mobile-host-redirect Mobile host redirect (32)
net-redirect Network redirect (5/0)
net-tos-redirect Network and type of service redirect (5/2)
net-tos-unreachable Network unreachable for type of service (3/11)
net-unreachable Net unreachable (3/0)
network-unknown Network unknown (3/6)
no-room-for-option Bad length for parameter (12/2)
option-missing Missing a required option (12/1)
packet-too-big Fragmentation needed but DF was set (3/4)
parameter-problem All parameter problems (12)
payload Match packets based on payload
port-unreachable Port unreachable (3/3)
precedence-unreachable Precedence cutoff in effect (3/15)
protocol-unreachable Protocol unreachable (3/2)
reassembly-timeout Fragment reassembly time exceeded (11/1)
redirect All redirects (5)
router-advertisement Router advertisement (9)
router-solicitation Router solicitation (10)
source-quench Source quench (4)
source-route-failed Source route failed (3/5)
time-exceeded All time exceeded messages (11)
timestamp-reply Timestamp replies (14)
timestamp-request Timestamp requests (13)
traceroute Traceroute (30)
tracked Match packets in existing ICMP/UDP/TCP connections
ttl Match TTL (Time-to-Live) value
ttl-exceeded Time to live exceeded in transit (11/0)
unreachable All destination unreachables (3)
<0-255> ICMP message type
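
The completion lists above are exactly what an ACL analyzer needs to turn `eq <name>` into a number. The following is an added Python example, not code from the original post, the Network Mom tool, or Arista: it parses lines in the `keyword description (number)` shape shown above into one table per protocol, skips the match qualifiers (dscp, log, fragments, the `<range>` placeholder) that are not names, and resolves an `eq` token against the right protocol's table. The sample lines are constructed from a handful of entries in the output above; the per-protocol split is the point, since the same number carries different names under TCP and UDP (cmd versus syslog on 514).

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input in the shape of the EOS "?" completion output quoted
# in the answer: keyword, description, and the port or ICMP type(/code) in parentheses.
SAMPLE_TCP = """\
cmd Remote Shell/Rsh (514)
bgp Border Gateway Protocol (179)
<0-65535> Port number
"""
SAMPLE_UDP = """\
syslog System Logger (514)
biff Biff (mail notification, comsat) (512)
<0-65535> Port number
"""
SAMPLE_ICMP = """\
administratively-prohibited Communication administratively prohibited (3/13)
unreachable All destination unreachables (3)
dscp Match packets by DSCP value or name
<0-255> ICMP message type
"""

# Name lines end in "(N)" or "(type/code)"; greedy ".*" tolerates parentheses in the description.
_NAME_LINE = re.compile(r"^(?P<kw>[a-z][a-z0-9-]*)\s+.*\((?P<num>\d+(?:/\d+)?)\)\s*$")

def parse_completion(text: str) -> Dict[str, Tuple[int, Optional[int]]]:
    """keyword -> (number, code); code is None unless the line was ICMP type/code.
    Qualifiers (dscp, log, ...) and the <range> placeholder carry no number: skipped."""
    table: Dict[str, Tuple[int, Optional[int]]] = {}
    for line in text.splitlines():
        m = _NAME_LINE.match(line.strip())
        if m:
            first, _, rest = m.group("num").partition("/")
            table[m.group("kw")] = (int(first), int(rest) if rest else None)
    return table

# One table per protocol: 514 is "cmd" under tcp but "syslog" under udp.
TABLES = {p: parse_completion(s) for p, s in
          (("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP), ("icmp", SAMPLE_ICMP))}

def resolve_port(proto: str, token: str) -> int:
    """Token after 'eq': a literal 0-65535 or a name from that protocol's own table."""
    if token.isdigit():
        port = int(token)
        if 0 <= port <= 65535:
            return port
        raise ValueError(f"port out of range: {token}")
    if token not in TABLES[proto]:   # e.g. 'syslog' in a tcp rule is not a tcp name
        raise ValueError(f"{token!r} is not a {proto} port name in this table")
    return TABLES[proto][token][0]
```

To build the real tables, feed the full `permit tcp any any eq ?`, `permit udp any any eq ?` and `permit icmp any any ?` output above into parse_completion in place of the constructed samples.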
