56
Cisco Nexus 5500 Series NX-OS Security Command Reference
OL-27883-02
Chapter D Commands
deny tcp (IPv4)
dscp dscp (Optional) Specifies that the rule matches only those packets with the
specified 6-bit differentiated services value in the DSCP field of the IP
header. The dscp argument can be one of the following numbers or
keywords:
• 0–63—The decimal equivalent of the 6 bits of the DSCP field. For
example, if you specify 10, the rule matches only those packets that have
the following bits in the DSCP field: 001010.
• af11—Assured Forwarding (AF) class 1, low drop probability (001010)
• af12—AF class 1, medium drop probability (001100)
• af13—AF class 1, high drop probability (001110)
• af21—AF class 2, low drop probability (010010)
• af22—AF class 2, medium drop probability (010100)
• af23—AF class 2, high drop probability (010110)
• af31—AF class 3, low drop probability (011010)
• af32—AF class 3, medium drop probability (011100)
• af33—AF class 3, high drop probability (011110)
• af41—AF class 4, low drop probability (100010)
• af42—AF class 4, medium drop probability (100100)
• af43—AF class 4, high drop probability (100110)
• cs1—Class-selector (CS) 1, precedence 1 (001000)
• cs2—CS2, precedence 2 (010000)
• cs3—CS3, precedence 3 (011000)
• cs4—CS4, precedence 4 (100000)
• cs5—CS5, precedence 5 (101000)
• cs6—CS6, precedence 6 (110000)
• cs7—CS7, precedence 7 (111000)
• default—Default DSCP value (000000)
• ef—Expedited Forwarding (101110)
established (Optional) Specifies that the rule matches only packets that belong to an
established TCP connection. The switch considers TCP packets with the
ACK or RST bits set to belong to an established connection.
flags (Optional) Rule that matches only packets that have specific TCP control bit
flags set. The value of the flags argument must be one or more of the
following keywords:
• ack
• fin
• psh
• rst
• syn
• urg
To Next Page
Loading...
