Users Guide
deny tcp
Congure a lter that drops transmission control protocol (TCP) packets meeting the lter criteria.
Syntax
deny tcp {source mask | any | host ip-address} [bit] [operator port [port]]
{destination mask | any | host ip-address} [dscp] [bit] [operator port [port]]
[count [bytes] [order] [fragments] [monitor [session-ID]] [no-drop]
To remove this lter, you have two choices:
• Use the no seq sequence-number command if you know the lter’s sequence number.
•
Use the no deny tcp {source mask | any | host ip-address} {destination mask |
any | host ip-address} command.
Parameters
source Enter the IP address of the network or host from which the packets are sent.
mask Enter a network mask in /prex format (/x) or A.B.C.D. The mask, when specied in
A.B.C.D format, may be either contiguous or non-contiguous.
any Enter the keyword any to specify that all routes are subject to the lter.
host ip-address Enter the keyword host then the IP address to specify a host IP address.
dscp Enter this keyword dscp to deny a packet based on the DSCP value. The range is from 0
to 63.
bit Enter a ag or combination of bits:
• ack: acknowledgement eld
• fin: nish (no more data from the user)
• psh: push function
• rst: reset the connection
• syn: synchronize sequence numbers
• urg: urgent eld
• established: datagram of established TCP session
Use the established ag to match only ACK and RST ags of established TCP
session.
You cannot use established along with the other control ags
While using the established ag in an ACL rule, all the other TCP control ags are
masked, to avoid redundant TCP control ags conguration in a single rule. When you use
any TCP control ag in an ACL rule, established is masked and other control ags are
available.
operator (OPTIONAL) Enter one of the following logical operand:
• eq = equal to
• neq = not equal to
• gt = greater than
• lt = less than
200 Access Control Lists (ACL)