IP ACL Rules: Consider the port controlling rules
BOOTP is probably by far the worst-case example of needing to use multiple rules to control a process involving ports. It also shows how effective syntax changes could be in reducing the number of rules when using port-limiting rules.
I believe that in order to enable DHCP by controlling port usage one needs to write 4 rules:
access-list create 690 name "General BOOTP Allow"
access-list ip 690 rule 691 permit logging disable protocol 6 d-port 67 d-port-mask ffff s-port 68 s-port-mask ffff
access-list ip 690 rule 692 permit logging disable protocol 17 d-port 67 d-port-mask ffff s-port 68 s-port-mask ffff
access-list ip 690 rule 696 permit logging disable protocol 6 d-port 68 d-port-mask ffff s-port 67 s-port-mask ffff
access-list ip 690 rule 697 permit logging disable protocol 17 d-port 68 d-port-mask ffff s-port 67 s-port-mask ffff
Yes, one might be able to argue that the return rules (696 and 697) are not required because the sip or dip is likely to be passed by other rules present.
I believe that to prevent any misuse of the DHCP ports 67 and 68 (admittedly many people do not consider this) one would need to code the following:
access-list create 790 name "General BOOTP Block"
access-list ip 790 rule 791 deny logging disable protocol 6 s-port 68 s-port-mask ffff
access-list ip 790 rule 792 deny logging disable protocol 17 s-port 68 s-port-mask ffff
access-list ip 790 rule 793 deny logging disable protocol 6 s-port 67 s-port-mask ffff
access-list ip 790 rule 794 deny logging disable protocol 17 s-port 67 s-port-mask ffff
access-list ip 790 rule 795 deny logging disable protocol 6 d-port 68 d-port-mask ffff
access-list ip 790 rule 796 deny logging disable protocol 17 d-port 68 d-port-mask ffff
access-list ip 790 rule 797 deny logging disable protocol 6 d-port 67 d-port-mask ffff
access-list ip 790 rule 798 deny logging disable protocol 17 d-port 67 d-port-mask ffff
That is 12 rules, and with the EnterpriseV4 option 120 rules is the maximum. If you have VLANs for IoT devices, Guests, Children and Adults, that becomes 48 of 120 rules.
I believe there are several options that could reduce this number:
- Consider the protocol options -- if, in addition to the 6 & 17 codes for TCP and UDP, there were a ?? (determined by TP-Link) code for TCP/UDP, the above rules would be reduced by a factor of 2 to 6 rules.
- If "swap" rules could be coded, the above rules can also be reduced by a factor of 2, from 12 to 6. In this case the use of ss-port... and ds-port... would indicate the desire for two rules to be processed: the first where the source ports and destination ports are the ones coded, and the second where the destination ports are the source ports and the source ports are the destination ports.
- I looked at the IANA port assignments and {s/d}-port-masks do not seem to be of great value (I could be wrong, and I am not necessarily advocating for their elimination), but consider that a port mask has the same number of bits as a port number. If {s/d}-port-start and {s/d}-port-end were options, the 790 blocking rules could be reduced by a factor of 2.
- Lastly, when assigning the same rule list to multiple VLANs it would be nice if they counted as multiple VLAN Bound Lists where the rules are shared and only count 1 time regardless of how many VLANs share the same rule. (This one is internal to the executable code and cannot be shown in the syntax.)
Considering the 690 BOOTP Allow rules above, the whole thing reduces to 1 rule using options 1 & 2 (do not use option 3 here).
The first 2 rules using option 1 become:
access-list ip 690 rule 691 permit logging disable protocol ?? d-port 67 d-port-mask ffff s-port 68 s-port-mask ffff
The second 2 rules using option 1 become:
access-list ip 690 rule 696 permit logging disable protocol ?? d-port 68 d-port-mask ffff s-port 67 s-port-mask ffff
The preceding two rules using option 2 become:
access-list ip 690 rule 690 permit logging disable protocol ?? ds-port 67 ds-port-mask ffff ss-port 68 ss-port-mask ffff
Consider the 790 BOOTP Block rules above again; amazingly, the whole thing reduces to 1 rule using all three options.
The first 4 rules using options 1 and 3 become:
access-list ip 790 rule 791 deny logging disable protocol ?? s-port-start 67 s-port-end 68
The second 4 rules using options 1 and 3 become:
access-list ip 790 rule 795 deny logging disable protocol ?? d-port-start 67 d-port-end 68
The preceding two rules using option 2 become:
access-list ip 790 rule 790 deny logging disable protocol ?? ss-port-start 67 ss-port-end 68
In the end, 12 old-style rules have the potential to become 2 new-style rules.
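As an added example, not part of the original post: a small Python model of the port-matching semantics described above, used to check that the 12 old-style rules and the 2 proposed rules reach the same decision on a sample of packets that includes the boundary ports. The proposed protocol ??, start/end and swap options are assumptions modelled as the post describes them; first matching rule wins, and a list default is assumed for packets no rule matches.

```python
from dataclasses import dataclass
from itertools import product

TCP, UDP = 6, 17
ANY = (0, 65535)  # whole port range, used when a rule does not name that port field


@dataclass(frozen=True)
class Rule:
    """One ACL rule; port ranges are inclusive, and a mask of ffff means an exact port."""
    action: str            # "permit" or "deny"
    protos: frozenset      # {6}, {17}, or {6, 17} for the proposed TCP/UDP code (assumed)
    sport: tuple = ANY     # source-port range (proposed s-port-start / s-port-end)
    dport: tuple = ANY     # destination-port range
    swap: bool = False     # proposed ss-/ds- option: also match with ports swapped (assumed)

    def matches(self, proto, sp, dp):
        if proto not in self.protos:
            return False
        in_range = lambda s, d: (self.sport[0] <= s <= self.sport[1]
                                 and self.dport[0] <= d <= self.dport[1])
        return in_range(sp, dp) or (self.swap and in_range(dp, sp))


def decide(rules, proto, sp, dp, default="permit"):
    """First matching rule wins, as in an ordered ACL; the default applies when none match."""
    for rule in rules:
        if rule.matches(proto, sp, dp):
            return rule.action
    return default


def equivalent(a, b, default="permit", protos=(TCP, UDP, 1),
               ports=(0, 1, 66, 67, 68, 69, 1024, 65535)):
    """True when both rule lists reach the same decision on every sampled packet."""
    return all(decide(a, pr, s, d, default) == decide(b, pr, s, d, default)
               for pr, s, d in product(protos, ports, ports))


# 690 "General BOOTP Allow": the four old-style rules 691, 692, 696, 697
OLD_ALLOW = [Rule("permit", frozenset({p}), sport=(s, s), dport=(d, d))
             for s, d in ((68, 67), (67, 68)) for p in (TCP, UDP)]
# Proposed: protocol ?? ds-port 67 ds-port-mask ffff ss-port 68 ss-port-mask ffff
NEW_ALLOW = [Rule("permit", frozenset({TCP, UDP}), sport=(68, 68), dport=(67, 67), swap=True)]

# 790 "General BOOTP Block": the eight old-style rules 791-798
OLD_BLOCK = ([Rule("deny", frozenset({p}), sport=(n, n)) for n in (68, 67) for p in (TCP, UDP)]
             + [Rule("deny", frozenset({p}), dport=(n, n)) for n in (68, 67) for p in (TCP, UDP)])
# Proposed: protocol ?? ss-port-start 67 ss-port-end 68
NEW_BLOCK = [Rule("deny", frozenset({TCP, UDP}), sport=(67, 68), swap=True)]
```

Dropping the swap option from the proposed block rule leaves destination-port 67/68 traffic unmatched, which `equivalent` reports as a difference.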