Administrator Guide
Layer 2 Switching Commands 268
– When “neq” is specified, IP ACL rule matches only if the layer 4 destination port number is not equal to the specified port number or portkey.
– IPv4 TCP port names: bgp, domain, echo, ftp, ftp-data, http, smtp, telnet, www, pop2, pop3
– IPv4 UDP port names: domain, echo, ntp, rip, snmp, tftp, time, who
• dstip dstmask | any | host dstip—Specifies a destination IP address and netmask for match condition of the IP ACL rule.
– Specifying “any” implies specifying dstip as “0.0.0.0” and dstmask as “255.255.255.255”.
– Specifying “host A.B.C.D” implies dstip as “A.B.C.D” and dstmask as “0.0.0.0”.
• [precedence precedence | tos tos [tosmask] | dscp dscp]—Specifies the TOS for an IP/TCP/UDP ACL rule depending on a match of precedence or DSCP values using the parameters dscp, precedence, or tos tosmask.
• flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack]
[+urg | -urg] [established]—Specifies that the IP/TCP/UDP ACL rule
matches on the TCP flags.
– Ack – Acknowledgement bit
– Fin – Finished bit
– Psh – Push bit
– Rst – Reset bit
– Syn – Synchronize bit
– Urg – Urgent bit
– When “+<tcpflagname>” is specified, a match occurs if the specified <tcpflagname> flag is set in the TCP header.
– When “-<tcpflagname>” is specified, a match occurs if the specified <tcpflagname> flag is *NOT* set in the TCP header.
– When “established” is specified, a match occurs if either the RST or ACK bits are set in the TCP header.
– This option is visible only if protocol is “tcp”.
• [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message]—Specifies a match condition for ICMP packets.
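The following Python model of the dstip/dstmask and flag parameters described above is an added example for auditing rules offline, not code from this guide or the switch firmware. The function names are hypothetical, the addresses are constructed, the mask is read as a wildcard mask (set bits are ignored) as the “any” and “host” forms imply, and combining several flag terms with AND is an assumption.

```python
import ipaddress

# Bit values of the six flags in the TCP header flags byte.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_dst(tokens):
    """Turn ['any'], ['host', ip] or [dstip, dstmask] into (ip, mask) integers."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF          # 0.0.0.0 with mask 255.255.255.255
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0   # mask 0.0.0.0
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])))


def dst_matches(dst, packet_ip):
    """Compare only the bits that the mask leaves as 0 (assumed wildcard mask)."""
    ip, mask = dst
    care = ~mask & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == (ip & care)


def flags_match(spec, tcp_flags):
    """spec is a list such as ['+syn', '-ack'] or ['established'].

    Every term must hold for the rule to match (assumed AND semantics).
    """
    for term in spec:
        if term == "established":
            # Header-only test: RST or ACK set, no connection state involved.
            ok = bool(tcp_flags & (TCP_FLAGS["rst"] | TCP_FLAGS["ack"]))
        elif term[0] == "+":
            ok = bool(tcp_flags & TCP_FLAGS[term[1:]])
        elif term[0] == "-":
            ok = not tcp_flags & TCP_FLAGS[term[1:]]
        else:
            raise ValueError(f"unknown flag term: {term}")
        if not ok:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: a /24-style rule and a SYN-only packet.
    rule_dst = parse_dst(["192.0.2.0", "0.0.0.255"])
    print(dst_matches(rule_dst, "192.0.2.77"), flags_match(["+syn", "-ack"], 0x02))
```

Because “established” is evaluated per packet from header bits alone, it does not track connection state and is not a substitute for stateful filtering.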