
Cisco Catalyst 2960 Series User Manual

2288 pages
Note
TCP flag filtering can be used only with named, extended ACLs.
The ACL TCP Flags Filtering feature is supported only for Cisco ACLs.
Previously, the following command-line interface (CLI) format could be used to configure a TCP
flag-checking mechanism:
    permit tcp any any rst
The following format that represents the same access control entry (ACE) can now be used:
    permit tcp any any match-any +rst
Both the CLI formats are accepted; however, if the new keywords match-all or match-any are chosen,
they must be followed by the new flags that are prefixed with + or -. It is advisable to use only the
old format or the new format in a single ACL. You cannot mix and match the old and new CLI formats.
Caution
If a device having ACEs with the new syntax format is reloaded with a previous version of the Cisco
software that does not support the ACL TCP Flags Filtering feature, the ACEs will not be applied, leading
to possible security loopholes.
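The format rules above can be checked against a saved configuration before it is deployed. The following Python lint is an added example, not part of the Cisco guide: it reports named extended ACLs that mix the old and new flag formats, and ACEs where match-any or match-all is not followed by a + or - prefixed flag. The ACL names and sample configuration are constructed, and the flag keywords other than rst are assumed from standard IOS ACL syntax.

```python
import re

FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}   # assumed IOS TCP flag keywords
MATCH = {"match-any", "match-all"}

# Constructed sample in running-config layout (ACL names are made up).
SAMPLE_CONFIG = """\
ip access-list extended EDGE-IN
 10 permit tcp any any match-all +ack -syn
 20 deny tcp any any rst
ip access-list extended OLD-ONLY
 permit tcp any any rst
ip access-list extended BAD-NEW
 permit tcp any any match-any rst
!
"""

def lint_tcp_flag_aces(config_text):
    """Return sorted (acl_name, problem) pairs for named extended ACLs."""
    styles, findings, acl = {}, set(), None
    for raw in config_text.splitlines():
        head = re.match(r"ip access-list extended (\S+)\s*$", raw)
        if head:
            acl = head.group(1)
            styles.setdefault(acl, set())
            continue
        if not raw.startswith(" "):          # unindented line: left ACL sub-mode
            acl = None
        toks = raw.split()
        if toks and toks[0].isdigit():       # optional sequence number
            toks = toks[1:]
        if acl is None or toks[:2] not in (["permit", "tcp"], ["deny", "tcp"]):
            continue
        at = next((i for i, t in enumerate(toks) if t in MATCH), None)
        if at is not None:
            styles[acl].add("new")
            signed = 0                       # +flag / -flag tokens after the keyword
            for t in toks[at + 1:]:
                if t[0] not in "+-" or t[1:] not in FLAGS:
                    break
                signed += 1
            if signed == 0:
                findings.add((acl, "match keyword without +/- flag"))
            toks = toks[:at] + toks[at + 1 + signed:]
        if any(t in FLAGS for t in toks):    # bare flag keyword means old format
            styles[acl].add("old")
    findings |= {(n, "old and new flag formats mixed")
                 for n, s in styles.items() if s == {"old", "new"}}
    return sorted(findings)
```

The lint does not evaluate the established keyword, which the page does not classify as either format.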
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [established|{match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos
tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] deny tcp source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [established|{match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos
tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the
no sequence-number command to delete an entry.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
How to Configure ACL Support for Filtering IP Options


Cisco Catalyst 2960 Series Specifications

General
Layer: Layer 2
Power over Ethernet (PoE): Available on some models
RAM: 128 MB
Flash Memory: 32 MB
MAC Address Table Size: 8000
Operating Temperature: 0°C to 45°C (32 to 113°F)
Ports: 24 or 48 x 10/100/1000
