Administrator Guide

Access Control Lists 731
packets with either the RST or ACK bits set (logical OR). Flags that are
neither set nor cleared in the rule are not checked in the ACL (don't care or
wildcard).
console(config)#ip access-list flags-demo
console(config-ip-acl)#permit tcp any any flag ?
<value> Enter a TCP Flag (+fin, -fin, +syn, -syn, +rst, -rst,
+psh, -psh, +ack, -ack, +urg, -urg, established).
Enter a flag (+|-) only once. Specifying established
implies specifying either +rst or +ack
established Match occurs if either RST or ACK bits are set in the
TCP header (Only for TCP).
The following is an example rule to match TCP packets with the PUSH flag
asserted AND the RESET flag cleared. The other flag bits are “don't care”:
console(config-ip-acl)#permit tcp any any flag -rst +psh
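The matching semantics described above (a flag prefixed with + must be set, a flag prefixed with - must be clear, flags not mentioned are wildcards, and established means RST or ACK) can be checked against real TCP headers with the following Python model. This is an added example written for this guide page; it is not switch code and does not reproduce the switch's internal ACL engine. The function names (parse_flag_rule, flags_match, build_tcp_header, evaluate) and the sample headers are constructed for illustration.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (FIN .. URG; the CLI does not
# expose ECE/CWR, so they are simply never mentioned in a rule and act as
# wildcards like any other unspecified bit).
TCP_FLAGS = {
    "fin": 0x01,
    "syn": 0x02,
    "rst": 0x04,
    "psh": 0x08,
    "ack": 0x10,
    "urg": 0x20,
}


def parse_flag_rule(rule):
    """Parse the 'flag' argument of a permit/deny rule.

    Returns (must_set, must_clear, established). Tokens are '+name', '-name'
    or 'established'; each flag may be given only once, as the CLI help says.
    """
    must_set = must_clear = 0
    established = False
    seen = set()
    for tok in rule.split():
        if tok == "established":
            established = True
            continue
        if len(tok) < 2 or tok[0] not in "+-":
            raise ValueError("bad flag token: %r" % tok)
        name = tok[1:].lower()
        if name not in TCP_FLAGS:
            raise ValueError("unknown TCP flag: %r" % name)
        if name in seen:
            raise ValueError("flag %r given more than once" % name)
        seen.add(name)
        if tok[0] == "+":
            must_set |= TCP_FLAGS[name]
        else:
            must_clear |= TCP_FLAGS[name]
    return must_set, must_clear, established


def rule_is_valid(rule):
    """True if the rule text parses under the CLI constraints."""
    try:
        parse_flag_rule(rule)
        return True
    except ValueError:
        return False


def flags_match(flags, must_set, must_clear, established):
    """Apply the rule to a TCP flag byte: +x set, -x clear, rest wildcard,
    and 'established' additionally requires RST or ACK (logical OR)."""
    if flags & must_set != must_set:
        return False
    if flags & must_clear:
        return False
    if established and not flags & (TCP_FLAGS["rst"] | TCP_FLAGS["ack"]):
        return False
    return True


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (no options) carrying the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0)


def tcp_flags_from_header(tcp_header):
    """Flag byte is at offset 13 of the TCP header."""
    return tcp_header[13]


def evaluate(rule, tcp_header):
    """Does the given 'flag ...' rule match this TCP header?"""
    must_set, must_clear, established = parse_flag_rule(rule)
    return flags_match(tcp_flags_from_header(tcp_header),
                       must_set, must_clear, established)


if __name__ == "__main__":
    # Constructed sample segments: PSH+ACK data, a PSH+RST oddity, a bare SYN
    # (new connection attempt) and a SYN+ACK (reply from an existing server).
    samples = {
        "PSH+ACK": build_tcp_header(40000, 80, 0x18),
        "PSH+RST": build_tcp_header(40000, 80, 0x0C),
        "SYN": build_tcp_header(40000, 80, 0x02),
        "SYN+ACK": build_tcp_header(80, 40000, 0x12),
    }
    for rule in ("-rst +psh", "established", "+syn -ack"):
        for name, hdr in samples.items():
            print("flag %-10s %-8s -> %s" % (rule, name, evaluate(rule, hdr)))
```

The established rule is the one to watch in practice: it admits any segment with ACK or RST set, so a bare SYN (a new inbound connection) is rejected while a SYN+ACK or a crafted ACK-only probe is admitted. It is a stateless heuristic for "reply traffic", not connection tracking.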
ACLs may also contain a number of shorthand qualifiers for protocols and IP,
TCP, and UDP port numbers, as shown below. Note that not all of these
qualifiers make sense with every protocol; e.g., ftp, ftp-data, and http
are TCP port names, so they only make sense in a rule for the tcp protocol
(or for ip, which does not restrict the transport), not for udp.
Refer to the IANA protocol number registry at iana.org/protocols for the
list of protocol numbers. RFC 1700 also lists them, but it was obsoleted
by RFC 3232 and the online registry is the maintained reference.
console(config-ip-acl)#permit ?
<0-255> Match the protocol number.
eigrp Match the EIGRP protocol.
every Match every packet.
gre Match the GRE protocol.
icmp Match the ICMP protocol.
igmp Match the IGMP protocol.
ip Match the IP protocol.
ipinip Match the IPINIP protocol.
ospf Match the OSPF protocol.
pim Match the PIM protocol.
sctp Match the SCTP protocol.
tcp Match the TCP protocol.
udp Match the UDP protocol.