Advanced Traffic Management Guide K/KA/KB.15.15

direction on a port or VLAN, and matches all
other IP traffic in the opposite direction.
For example, a Telnet connection requires TCP
traffic to move both ways between a host and
the target device. If you configure a match
statement for inbound Telnet traffic, policy actions
are normally applied to Telnet traffic in both
directions because responses to outbound
requests are also matched. However, if you enter
the established option, inbound Telnet traffic
arriving in response to outbound Telnet requests
is matched, but inbound Telnet traffic trying to
establish a connection is not matched.
tcp-flag tcp-flag ...
    (Optional) Applies only to TCP bit settings in packets destined to a TCP
    destination port configured as match criteria (with the tcp-dest-port
    parameter) and can be one or more of the following values:
    ack    Acknowledge matches TCP packets with the ACK flag.
    fin    Finish matches TCP packets with the FIN flag.
    rst    Reset matches TCP packets with the RST bit set.
    syn    Synchronized matches TCP packets with the SYN flag.
How IPv4 mask bit settings define a match (Example)
The following configuration exists:
A match statement in a class configuration uses an IPv4 source-address/mask-length of
10.38.31.125/21. The mask-length of 21 results in an IPv4 mask of 0.0.7.255. In the third
octet of the mask, 7 means that the rightmost three bits are on or 1.
The third octet of the corresponding source address is 31, which means that the rightmost
five bits are on or 1.
A match occurs when the third octet of the SA in a packet being classified has a value in the
range of 24 (binary 00011000) to 31 (binary 00011111), as shown in the last row in the following
table.
Table 34 How IPv4 mask defines a match

Location of octet                        Bit position in the octet
                                         128   64   32   16    8    4    2    1
SA in match statement                      0    0    0    1    1    1    1    1
Mask for SA                                0    0    0    0    0    1    1    1
Bits in the corresponding octet of a       0    0    0    1    1  0/1  0/1  0/1
packet's SA that must exactly match

The shaded area indicates the bits in the packet that must exactly match the bits in the source IPv4 address in the
match/ignore statement.
If a mask bit is 1 (wildcard value), the corresponding bits in a source/destination address in an IPv4 packet header
can be any value.
If a mask bit is 0, the corresponding bits in a source/destination address must be the same value as in the IPv4
address in the match/ignore statement.
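
The mask arithmetic above, as an added Python example (not code from the guide or the switch software; the function names are assumptions chosen here for illustration). It derives the mask from the mask-length, tests packet source addresses against the statement, and lists the value range each octet may take.

```python
import ipaddress

# Illustrative helper names; they are not switch CLI or vendor API names.

def wildcard_mask(mask_length: int) -> int:
    """Mask as a 32-bit int: 1 = bit may be any value, 0 = bit must match."""
    if not 0 <= mask_length <= 32:
        raise ValueError("mask-length must be 0..32")
    return (1 << (32 - mask_length)) - 1

def dotted(value: int) -> str:
    """Render a 32-bit int in dotted-decimal form."""
    return str(ipaddress.IPv4Address(value))

def sa_matches(statement: str, packet_sa: str) -> bool:
    """True if packet_sa matches an 'address/mask-length' match statement."""
    addr_text, length_text = statement.split("/")
    addr = int(ipaddress.IPv4Address(addr_text))
    # Invert the mask to get the bits that must match exactly.
    care = ~wildcard_mask(int(length_text)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_sa)) & care) == (addr & care)

def octet_ranges(statement: str) -> list[tuple[int, int]]:
    """Per-octet (low, high) values that a matching packet SA may carry."""
    addr_text, length_text = statement.split("/")
    addr = int(ipaddress.IPv4Address(addr_text))
    wild = wildcard_mask(int(length_text))
    ranges = []
    for shift in (24, 16, 8, 0):
        a = (addr >> shift) & 0xFF
        w = (wild >> shift) & 0xFF
        # Clear the wildcard bits for the low end, set them for the high end.
        ranges.append((a & ~w & 0xFF, a | w))
    return ranges

if __name__ == "__main__":
    stmt = "10.38.31.125/21"  # statement from the example above
    print("mask:", dotted(wildcard_mask(21)))
    print("octet ranges:", octet_ranges(stmt))
    # Constructed sample source addresses on both sides of the boundary.
    for sa in ("10.38.24.1", "10.38.31.254", "10.38.23.255", "10.38.32.0"):
        print(sa, "match" if sa_matches(stmt, sa) else "no match")
```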