Page 11 | AlliedWare Plus™ OS How To Note
Making filters by using QoS class-maps
Matching on TCP flag
Unlike the other match commands, you can match on multiple TCP flags. The switch
combines the specified flags by ANDing them together. To specify multiple flags, either
enter multiple match tcp-flags commands or list the flags in one command as a
space-separated list. For example, the following series of commands will match on a packet
that has all of ACK, SYN and FIN set:
awplus(config)#class-map tcp-flags
awplus(config-cmap)#match tcp-flags ack
awplus(config-cmap)#match tcp-flags syn
awplus(config-cmap)#match tcp-flags fin
So will the following single match command:
awplus(config)#class-map tcp-flags
awplus(config-cmap)#match tcp-flags ack syn fin
Note that QoS only checks that the specified flags are set, not that the other flags are not
set. For example, the following commands will match on a packet that has both SYN and
ACK set, as well as a packet that has SYN but not ACK set:
awplus(config)#class-map tcp-flags
awplus(config-cmap)#match tcp-flags syn
To drop packets with SYN only, but not with ACK and SYN, you could use the following two
class-maps. Note that access-list 3000 is used to get a deny action. This example is explained
fully in "Blocking TCP sessions in one direction" on page 17.
awplus(config)#access-list 3000 deny tcp any any
awplus(config)#class-map ack-syn-flags
awplus(config-cmap)#match tcp-flags ack syn
awplus(config-cmap)#class-map syn-flags
awplus(config-cmap)#match tcp-flags syn
awplus(config-cmap)#match access-group 3000
awplus(config-cmap)#policy-map flags
awplus(config-pmap)#class ack-syn-flags
awplus(config-pmap-c)#class syn-flags
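The flag-matching semantics described above (listed flags are ANDed, and flags not listed are not checked), together with the two-class-map policy, as an added simulation that is not part of this How To Note or of AlliedWare Plus itself. It assumes, as a labelled assumption, that a policy-map evaluates its classes in configuration order and that the first matching class decides the packet's fate.

```python
# Added simulation of AlliedWare Plus "match tcp-flags" semantics; not switch code.
# Assumption (not stated on the page): classes in a policy-map are evaluated in
# configuration order and the first matching class wins.
from typing import Dict, List, Optional, Set

TCP_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg"}


class ClassMap:
    """One class-map: its 'match tcp-flags' lines ANDed together, plus the
    action (permit/deny) of an attached access-list, if any."""

    def __init__(self, name: str, flags: Set[str], action: str = "permit"):
        unknown = set(flags) - TCP_FLAGS
        if unknown:
            raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
        self.name = name
        self.required_flags = set(flags)   # every listed flag must be set
        self.action = action               # "deny" only via an access-group

    def matches(self, packet_flags: Set[str]) -> bool:
        # QoS only checks that the listed flags are set; extra flags that are
        # set in the packet do not prevent a match.
        return self.required_flags.issubset(packet_flags)


def apply_policy(classes: List[ClassMap], packet_flags: Set[str]) -> Optional[str]:
    """Action of the first matching class, or None when no class matches."""
    for cmap in classes:
        if cmap.matches(packet_flags):
            return cmap.action
    return None


# The two class-maps from the page: "ack-syn-flags" carries no deny action,
# while "syn-flags" is tied to access-list 3000 (deny tcp any any).
FLAGS_POLICY = [
    ClassMap("ack-syn-flags", {"ack", "syn"}),
    ClassMap("syn-flags", {"syn"}, action="deny"),
]


def evaluate_samples() -> Dict[str, Optional[str]]:
    """Constructed sample packets, keyed by their sorted flag set."""
    samples = [{"syn"}, {"syn", "ack"}, {"syn", "ack", "fin"}, {"ack"}, set()]
    return {"+".join(sorted(s)) or "none": apply_policy(FLAGS_POLICY, s) for s in samples}


if __name__ == "__main__":
    for flags, verdict in evaluate_samples().items():
        print(f"{flags:<12} -> {verdict}")
```

A bare SYN is denied, SYN+ACK (with or without FIN) is caught first by ack-syn-flags and passes, and packets without SYN match neither class.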