Users Guide
Layer 2 Switching Commands 510
– For IPv6 ACLs, “any” implies 0::/128 prefix and a mask of all ones.
– Specifying host implies prefix length as “/128” and a mask of 0::/128.
•[dscp dscp]—Specifies a match of DSCP values.
• flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack]
[+urg | -urg] [established]—Specifies that the IP/TCP/UDP ACL rule
matches on the TCP flags.
– When “+<tcpflagname>” is specified, a match occurs if specified
<tcpflagname> flag is set in the TCP header.
– When “-<tcpflagname>” is specified, a match occurs if specified
<tcpflagname> flag is *NOT* set in the TCP header.
– When “established” is specified, a match occurs if specified either
RST or ACK bits are set in the TCP header.
– This option is visible only if the protocol is tcp.
– Ack – Acknowledgment bit
– Fin – Finished bit
– Psh – push bit
– Rst – reset bit
– Syn – Synchronize bit
– Urg – Urgent bit
• [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-
message]—Specifies a match condition for ICMP packets.
– When icmp-type is specified, IP ACL rule matches on the specified
ICMP message type, a number from 0 to 255.
– When icmp-code is specified, IP ACL rule matches on the specified
ICMP message code, a number from 0 to 255.
– Specifying icmp-message implies both icmp-type and icmp-code are
specified.
– ICMP message is decoded into corresponding ICMP type and ICMP
code within that ICMP type. This option is visible only if the protocol
is “icmpv6”.