(TCP only; Optional) TCP control bit flags that the
rule matches. The value of the flags argument must
be one or more of the following keywords:
•
ack
•
fin
•
psh
•
rst
•
syn
•
urg
flags
(TCP only; Optional) Specifies that the rule matches
only packets that belong to an established TCP
connection. The device considers TCP packets with
the ACK or RST bits set to belong to an established
connection.
established
(Optional) Rule matches only packets that have a
length in bytes that satisfies the condition specified
by the operator and packet-length arguments.
Valid values for the packet-length argument are whole
numbers from 20 to 9210.
The operator argument must be one of the following
keywords:
• eq—Matches only if the packet length in bytes
is equal to the packet-length argument.
• gt—Matches only if the packet length in bytes
is greater than the packet-length argument.
• lt—Matches only if the packet length in bytes
is less than the packet-length argument.
• neq—Matches only if the packet length in bytes
is not equal to the packet-length argument.
• range—Requires two packet-length arguments
and matches only if the packet length in bytes
is equal to or greater than the first packet-length
argument and equal to or less than the second
packet-length argument.
packet-lengthoperatorpacket-length [packet-length
Command Default
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than
the last rule in the ACL.
Cisco Nexus 7000 Series Security Command Reference
235
D Commands
deny (IPv4)
To Next Page
Loading...
