Configuring Access Control Lists 615
• flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established] — Specifies that the IP/TCP/UDP ACL rule matches on the TCP flags.
  – Ack – Acknowledgement bit
  – Fin – Finished bit
  – Psh – Push bit
  – Rst – Reset bit
  – Syn – Synchronize bit
  – Urg – Urgent bit
  – When “+<tcpflagname>” is specified, a match occurs if the specified <tcpflagname> flag is set in the TCP header.
  – When “-<tcpflagname>” is specified, a match occurs if the specified <tcpflagname> flag is *NOT* set in the TCP header.
  – When “established” is specified, a match occurs if either the RST or the ACK bit is set in the TCP header.
  – This option is visible only if the protocol is “tcp”.
• [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] — Specifies a match condition for ICMP packets.
  – When icmp-type is specified, the IP ACL rule matches on the specified ICMP message type, a number from 0 to 255.
  – When icmp-code is specified, the IP ACL rule matches on the specified ICMP message code, a number from 0 to 255.
  – Specifying icmp-message implies that both icmp-type and icmp-code are specified.
  – The ICMP message is decoded into the corresponding ICMP type and the ICMP code within that ICMP type. This option is visible only if the protocol is “icmp”.
  – IPv4 ICMP message types: echo, echo-reply, host-redirect, mobile-redirect, net-redirect, net-unreachable, redirect, packet-too-big, port-unreachable, source-quench, router-solicitation, router-advertisement, time-exceeded, ttl-exceeded, unreachable
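The TCP flag semantics described above (“+name” requires the bit set, “-name” requires it clear, and “established” matches when RST or ACK is set), as an added Python example that is not the switch's or the guide's own code; the bit values are the standard TCP header flag bits, and the function and variable names are assumptions of this example.

```python
from typing import Iterable, Tuple

# TCP header flag bits (RFC 793 flags byte), the six the rule syntax names.
TCP_FLAG_BITS = {
    "fin": 0x01,
    "syn": 0x02,
    "rst": 0x04,
    "psh": 0x08,
    "ack": 0x10,
    "urg": 0x20,
}

def parse_flag_spec(tokens: Iterable[str]) -> Tuple[int, int, bool]:
    """Parse rule tokens such as ["+syn", "-ack"] or ["established"].

    Returns (must_be_set, must_be_clear, established): two bitmasks built
    from the "+name" / "-name" tokens, and whether "established" was given.
    Unknown tokens, or a flag required both set and clear, raise ValueError.
    """
    must_set = must_clear = 0
    established = False
    for tok in tokens:
        tok = tok.lower()
        if tok == "established":
            established = True
            continue
        if tok[:1] not in ("+", "-") or tok[1:] not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag token: {tok}")
        bit = TCP_FLAG_BITS[tok[1:]]
        if tok[0] == "+":
            must_set |= bit      # "+name": the flag must be set
        else:
            must_clear |= bit    # "-name": the flag must NOT be set
    if must_set & must_clear:
        raise ValueError("a flag cannot be required both set and clear")
    return must_set, must_clear, established

def flags_match(tcp_flags: int, tokens: Iterable[str]) -> bool:
    """True if a packet's TCP flags byte satisfies the rule's flag spec."""
    must_set, must_clear, established = parse_flag_spec(tokens)
    if (tcp_flags & must_set) != must_set:   # a "+" flag is missing
        return False
    if tcp_flags & must_clear:               # a "-" flag is present
        return False
    # "established": either RST or ACK set, as the rule semantics state.
    if established and not (tcp_flags & (TCP_FLAG_BITS["rst"] | TCP_FLAG_BITS["ack"])):
        return False
    return True
```

A rule of "+syn -ack" therefore matches only the first packet of a handshake, while "established" admits any segment carrying ACK or RST, including a bare RST that is not part of an open connection.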