IPv6 Configuration Guide K/KA/KB.15.15

Comparison operators and well-known port names
These are the same as those used with the TCP/UDP source-port options and are
listed earlier in this command description.
[ established ]
This option applies only where TCP is the configured IPv6 protocol type. It blocks
the synchronizing packet associated with establishing a new TCP connection,
while allowing all other IPv6 traffic for existing connections.
For example, a Telnet connection requires TCP traffic to move both ways between
a host and the target device. Simply applying a deny to inbound Telnet traffic
on a VLAN prevents Telnet sessions in either direction, because responses to
outbound requests are blocked. However, by using the established option,
inbound Telnet traffic arriving in response to outbound Telnet requests is
permitted, while inbound Telnet traffic trying to establish a new connection is
denied.
The established and dscp options are mutually exclusive in a given ACE.
Configuring established and any combination of TCP control bits in the
same ACE is supported, but established must precede any TCP control bits
configured in the ACE.
TCP control bits
In a given ACE for filtering TCP traffic you can configure one or more of these
options:
[ ack ]
Acknowledgment
[ fin ]
Sender finished
[ rst ]
Connection reset
[ syn ]
Sequence number synchronize
For more information on using TCP control bits, see RFC 793.
Filtering ICMP traffic
This option allows configuring an ACE to selectively permit some types of ICMP traffic, while
denying other types. An ACE designed to permit or deny ICMP traffic can optionally include an
ICMP type and code value to permit or deny an individual type of ICMP packet, while not addressing
other ICMP traffic types in the same ACE. As a further option, the ACE can include the name of
an ICMP packet type.
Syntax:
[ deny | permit ] icmp SA DA icmp-type icmp-code
[ deny | permit ] icmp SA DA icmp-type-name
Using icmp as the packet protocol type, you can optionally specify an individual
ICMP packet type or packet type/code pair to further define the criteria for a match.
This option, if used, is entered immediately after the destination IP address (DA)
entry.
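The following is an added example, not text or code from the guide: a small first-match evaluator that models how an inbound IPv6 ACL treats the Telnet case described under established, explicit TCP control bits, and ICMP type/code matching. The ACE and packet structures, the addresses, and the ACL contents are constructed for illustration; the test for established (a segment belongs to an existing connection when its ACK or RST bit is set, so a bare SYN is the connection-opening segment the guide says is blocked) is the common interpretation and is an assumption here, not a statement from the guide. ICMPv6 types 128/129 (echo request/reply) and type 2 code 0 (Packet Too Big) are standard values used only as sample data.

```python
# Added example (not from the guide): first-match evaluation of IPv6 ACEs with
# the TCP "established" option, explicit TCP control bits and ICMP type/code.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    proto: str                                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None                  # TCP/UDP destination port
    flags: Set[str] = field(default_factory=set)  # TCP control bits set: ack, fin, rst, syn
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class ACE:
    # Source/destination are treated as "any" in this model (SA/DA matching omitted).
    action: str                                  # "permit" or "deny"
    proto: str                                   # "tcp", "udp", "icmp" or "ipv6" (any)
    dport: Optional[int] = None
    established: bool = False                    # TCP only
    flags: Set[str] = field(default_factory=set)  # control bits that must all be set
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.proto == "tcp":
        # established (assumption): ACK or RST set means the segment belongs to an
        # existing connection; a bare SYN is the synchronizing packet of a new one.
        if ace.established and not (pkt.flags & {"ack", "rst"}):
            return False
        # explicit control bits: every bit listed in the ACE must be set in the packet
        if not ace.flags <= pkt.flags:
            return False
    if ace.proto == "icmp":
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            return False
        if ace.icmp_code is not None and ace.icmp_code != pkt.icmp_code:
            return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching ACE decides; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed inbound ACL: replies to sessions opened from inside are allowed,
# new inbound TCP connections are not, and only selected ICMPv6 types pass.
INBOUND_ACL = [
    ACE("permit", "tcp", established=True),        # traffic on existing connections
    ACE("deny", "tcp", flags={"syn"}),             # SYN without ACK/RST: new connection
    ACE("permit", "icmp", icmp_type=129),          # ICMPv6 echo reply
    ACE("permit", "icmp", icmp_type=2, icmp_code=0),  # ICMPv6 Packet Too Big (type 2, code 0)
]

HOST, SWITCH = "2001:db8::10", "2001:db8::1"   # constructed sample addresses


def telnet_scenario():
    """(reply to our outbound Telnet request, attempt to open Telnet to us)."""
    reply = Packet("tcp", HOST, SWITCH, dport=40000, flags={"syn", "ack"})
    new_conn = Packet("tcp", HOST, SWITCH, dport=23, flags={"syn"})
    return evaluate(INBOUND_ACL, reply), evaluate(INBOUND_ACL, new_conn)


def icmp_scenario():
    """(echo reply, echo request, packet too big, unrelated ICMP type/code)."""
    pkts = [
        Packet("icmp", HOST, SWITCH, icmp_type=129, icmp_code=0),
        Packet("icmp", HOST, SWITCH, icmp_type=128, icmp_code=0),
        Packet("icmp", HOST, SWITCH, icmp_type=2, icmp_code=0),
        Packet("icmp", HOST, SWITCH, icmp_type=1, icmp_code=4),
    ]
    return tuple(evaluate(INBOUND_ACL, p) for p in pkts)


if __name__ == "__main__":
    print("telnet:", telnet_scenario())   # ('permit', 'deny')
    print("icmp:", icmp_scenario())       # ('permit', 'deny', 'permit', 'deny')
```

The second ACE is not strictly needed because the implicit deny would drop a bare SYN anyway; it is there to show an explicit control-bit match alongside established, and a packet with RST set still passes the first ACE, so resets for existing sessions are not lost.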
Configuration Commands 121