SMC Networks 6724AL2
424 pages
ACCESS CONTROL LIST COMMANDS
The control-flag bitmask is a decimal number (representing an
equivalent bit mask) that is applied to the control code. Enter a decimal
number, where the equivalent binary bit “1” means to match a bit and
“0” means to ignore a bit. The following bits may be specified:
- 1 (fin) – Finish
- 2 (syn) – Synchronize
- 4 (rst) – Reset
- 8 (psh) – Push
- 16 (ack) – Acknowledgement
- 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with
the following flags set:
- SYN flag valid, use “control-flag 2 2”
- Both SYN and ACK valid, use “control-flag 18 18”
- SYN valid and ACK invalid, use “control-flag 2 18”
Examples
This permits only 192.168.1.1 and 210.244.51.x.
Console(config-ext-acl)#permit 192.168.1.1 255.255.255.0 any
Console(config-ext-acl)#permit 210.244.51.0 255.255.255.0 any
Console(config-ext-acl)#deny any any
Console(config-ext-acl)#

This example accepts any incoming packets if the source address is within
subnet 10.7.1.x. For example, if the rule is matched, i.e., the masked rule
address (10.7.1.0 & 255.255.255.0) equals the masked packet address
(10.7.1.2 & 255.255.255.0), the packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#

This allows TCP packets from class C addresses 192.168.1.0 to any
destination address when set for destination TCP port 80 (i.e., HTTP).
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#
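
The control-flag code/mask pairs and the address bitmask comparison described above can be checked offline before a rule is entered. The following is an added example, not part of the SMC manual or the switch firmware; the function names are hypothetical, the comparison (flags & mask) == (code & mask) is an assumed reading of the "1 means match, 0 means ignore" description, and the sample flag bytes are constructed.

```python
import ipaddress

# Bit values from the control-flag list in this section.
FLAG_BITS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}

def control_flag(must_be_set=(), must_be_clear=()):
    """Return (code, mask) for a 'control-flag <code> <mask>' rule.

    The mask has a 1 for every flag the rule inspects; the code holds the
    value each inspected flag must have.
    """
    overlap = set(must_be_set) & set(must_be_clear)
    if overlap:
        raise ValueError(f"flag cannot be both set and clear: {sorted(overlap)}")
    code = sum(FLAG_BITS[f] for f in set(must_be_set))
    mask = code | sum(FLAG_BITS[f] for f in set(must_be_clear))
    return code, mask

def flags_match(packet_flags, code, mask):
    """Assumed semantics: packet flags equal the code on every masked bit."""
    return (packet_flags & mask) == (code & mask)

def address_match(packet_addr, rule_addr, bitmask):
    """True when rule and packet address agree on every bit set in bitmask."""
    m = int(ipaddress.IPv4Address(bitmask))
    return (int(ipaddress.IPv4Address(packet_addr)) & m) == (
        int(ipaddress.IPv4Address(rule_addr)) & m)

# Constructed sample TCP flag bytes (not captured traffic).
SAMPLES = {"SYN": 2, "SYN+ACK": 18, "ACK": 16, "SYN+PSH": 10, "FIN+ACK": 17}

def matching(code, mask):
    """Names of the sample packets a given control-flag rule would catch."""
    return [n for n, flags in SAMPLES.items() if flags_match(flags, code, mask)]

if __name__ == "__main__":
    for label, rule in [("control-flag 2 2", (2, 2)),
                        ("control-flag 18 18", (18, 18)),
                        ("control-flag 2 18", control_flag(["syn"], ["ack"]))]:
        print(label, "->", matching(*rule))
    # Host bits of the rule address are ignored by the 255.255.255.0 bitmask.
    print(address_match("10.7.1.2", "10.7.1.1", "255.255.255.0"))
```

Under this reading, "control-flag 2 2" also catches SYN+ACK packets, while "control-flag 2 18" catches only packets with SYN set and ACK clear.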