host – Keyword followed by a specific IP address.
precedence – IP precedence level. (Range: 0-7)
tos – Type of Service level. (Range: 0-15)
dscp – DSCP priority level. (Range: 0-63)
sport – Protocol[26] source port number. (Range: 0-65535)
dport – Protocol[26] destination port number. (Range: 0-65535)
port-bitmask – Decimal number representing the port bits to match.
(Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag
bits in byte 14 of the TCP header, i.e. offset 13 counting from zero. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
Default Setting
None
Command Mode
Extended IPv4 ACL
Command Usage
All new rules are appended to the end of the list.
Address bitmasks are similar to a subnet mask, containing four integers from
0 to 255, each separated by a period. The binary mask uses 1 bits to indicate
“match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the
specified source IP address and with the source address of each IP packet
entering the port(s) to which this ACL has been assigned; the rule matches when
the two results are equal. A host entry is equivalent to a bitmask of
255.255.255.255.
You can specify both Precedence and ToS in the same rule. However, if
DSCP is used, then neither Precedence nor ToS can be specified.
The control-code bitmask is a decimal number (representing an equivalent bit
mask) that is applied to the control code. Enter a decimal number, where the
equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.
The following bits may be specified:
- 1 (fin) – Finish
- 2 (syn) – Synchronize
- 4 (rst) – Reset
- 8 (psh) – Push
- 16 (ack) – Acknowledgement
- 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the
following flags set. In each case the first number is the flag value to match
(control-flags) and the second is the mask (flag-bitmask); a flag whose mask
bit is 0 is not examined at all, so “control-code 2 2” also matches a SYN/ACK.
- SYN flag valid, use “control-code 2 2”
- Both SYN and ACK valid, use “control-code 18 18”
- SYN valid and ACK invalid, use “control-code 2 18” (matches new connection
attempts only)
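The two bitmask comparisons described above (the address bitmask and the TCP control-code match), as an added worked example in Python that is not part of this manual or of the switch firmware. It constructs a few minimal IPv4/TCP packets inline and evaluates a hypothetical rule dictionary against them; the rule shape, function names, addresses and ports are assumptions made for the demonstration, and a code value whose bits fall outside the mask is treated according to the “0 means ignore” rule from the text.

```python
"""Added example (not the manual's or the switch firmware's code): the two
bitmask matches an extended IPv4 ACL rule performs, as described above.

* address bitmask: 1 bits must match, 0 bits are ignored, so
  (rule_addr & mask) is compared with (packet_src & mask);
* control-code: the flag bitmask is applied to the TCP flags byte and the
  result is compared with the code value.

All packets are constructed inline for the demonstration.
"""
import struct
from ipaddress import IPv4Address

# TCP flag bits as listed in the command description. They sit in the 14th
# byte of the TCP header, i.e. offset 13 counting from zero.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
TCP_FLAGS_OFFSET = 13
FLAG_RANGE_MASK = 0x3F  # code value and mask are limited to 0-63 (six bits)


def addr_matches(rule_addr: str, bitmask: str, pkt_addr: str) -> bool:
    """Address bitmask match; a 'host' entry is mask 255.255.255.255."""
    rule, mask, pkt = (int(IPv4Address(a)) for a in (rule_addr, bitmask, pkt_addr))
    return (rule & mask) == (pkt & mask)


def flags_match(code: int, flag_mask: int, tcp_flags: int) -> bool:
    """control-code match: flag bits selected by flag_mask are compared with
    the code value, all other bits are ignored (assumption: code bits outside
    the mask are ignored too, since a 0 mask bit means 'do not care')."""
    if not (0 <= code <= FLAG_RANGE_MASK and 0 <= flag_mask <= FLAG_RANGE_MASK):
        raise ValueError("control-code value and mask must be in the range 0-63")
    return (tcp_flags & flag_mask) == (code & flag_mask)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal IPv4 + TCP packet (no options, checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the header fields the ACL rule looks at."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "proto": pkt[9],
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": tcp[TCP_FLAGS_OFFSET] & FLAG_RANGE_MASK,
    }


def rule_matches(rule: dict, pkt: bytes) -> bool:
    """Evaluate one TCP rule against a packet. The rule dict is a hypothetical
    shape for this demo: src, src_mask, optional dport, control_code=(value, mask)."""
    p = parse_ipv4_tcp(pkt)
    if p["proto"] != 6:  # this demo rule is a TCP rule
        return False
    if not addr_matches(rule["src"], rule["src_mask"], p["src"]):
        return False
    if "dport" in rule and p["dport"] != rule["dport"]:
        return False
    value, mask = rule["control_code"]
    return flags_match(value, mask, p["flags"])


def demo() -> dict:
    """Rule: TCP from 10.1.0.0/16 to port 80, SYN set and ACK clear
    (the 'control-code 2 18' case): new connection attempts only."""
    rule = {"src": "10.1.0.0", "src_mask": "255.255.0.0", "dport": 80,
            "control_code": (SYN, SYN | ACK)}
    dst = "172.16.0.9"
    pkts = {
        "syn_from_10_1": build_ipv4_tcp("10.1.2.3", dst, 40000, 80, SYN),
        "synack_from_10_1": build_ipv4_tcp("10.1.2.3", dst, 40000, 80, SYN | ACK),
        "ack_only_from_10_1": build_ipv4_tcp("10.1.2.3", dst, 40000, 80, ACK),
        "syn_from_other_net": build_ipv4_tcp("192.168.5.5", dst, 40000, 80, SYN),
        "syn_to_443": build_ipv4_tcp("10.1.9.9", dst, 40000, 443, SYN),
    }
    return {name: rule_matches(rule, pkt) for name, pkt in pkts.items()}


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20s} {'match' if hit else 'no match'}")
```

Run it as a script to see which constructed packets the rule catches: only the plain SYN from the 10.1.0.0/16 range to port 80 matches, while the SYN/ACK and ACK-only packets from the same host fail the flag check, the packet from 192.168.5.5 fails the address bitmask, and the SYN to port 443 fails the port check.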
26. Includes TCP, UDP or other protocol types.
Access Control List Commands