Matching on tcp flag – Allied Telesis x908 User Manual

Page 11 | AlliedWare Plus™ OS How To Note

Making filters by using QoS class-maps

Matching on TCP flag

Unlike the other match commands, match tcp-flags lets you match on multiple TCP flags. The
switch combines the specified flags by ANDing them together. To specify multiple flags, either
enter multiple match tcp-flags commands or list the flags in one command as a space-separated
list. For example, the following series of commands will match a packet that has all of ACK,
SYN and FIN set:

awplus(config)#class-map tcp-flags
awplus(config-cmap)#match tcp-flags ack
awplus(config-cmap)#match tcp-flags syn
awplus(config-cmap)#match tcp-flags fin

So will the following single match command:

awplus(config)#class-map tcp-flags
awplus(config-cmap)#match tcp-flags ack syn fin

Note that QoS only checks that the specified flags are set; it does not check that the other
flags are clear. For example, the following commands will match a packet that has both SYN and
ACK set, as well as a packet that has SYN set but not ACK:

awplus(config)#class-map tcp-flags
awplus(config-cmap)#match tcp-flags syn

To drop packets with SYN only, but not packets with both ACK and SYN, you could use the
following two class-maps. Note that access-list 3000 is used to get a deny action. This example
is explained fully in "Blocking TCP sessions in one direction" on page 17.

awplus(config)#access-list 3000 deny tcp any any
awplus(config)#class-map ack-syn-flags
awplus(config-cmap)#match tcp-flags ack syn
awplus(config-cmap)#class-map syn-flags
awplus(config-cmap)#match tcp-flags syn
awplus(config-cmap)#match access-group 3000
awplus(config-cmap)#policy-map flags
awplus(config-pmap)#class ack-syn-flags
awplus(config-pmap-c)#class syn-flags
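The matching rules above (listed flags are ANDed, unlisted flags are ignored) and the ordering trick of the two-class-map policy, modelled as an added Python example that is not part of the How To Note or of AlliedWare Plus itself. It assumes, as the example relies on, that a policy-map evaluates its classes in order and the first matching class decides the action.

```python
# Model of AlliedWare Plus QoS 'match tcp-flags' semantics as the How To Note describes them:
# every flag listed in a class-map must be set (AND) and flags not listed are not inspected.
# Assumed simplification: a policy-map evaluates its classes in order, first match wins.
from dataclasses import dataclass

# Standard TCP header flag bits.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flags_mask(names):
    """Combine flag names into one bitmask, as repeated 'match tcp-flags' commands would."""
    mask = 0
    for name in names:
        mask |= TCP_FLAGS[name.lower()]
    return mask


@dataclass
class ClassMap:
    name: str
    required: int        # bitmask of flags that must all be set
    deny: bool = False   # True when the class also matches a deny ACL (access-list 3000)

    def matches(self, packet_flags):
        # Only checks that the required flags are set; other bits are ignored.
        return (packet_flags & self.required) == self.required


def classify(policy, packet_flags):
    """Return (class name, action) for the first class-map in the policy that matches."""
    for cmap in policy:
        if cmap.matches(packet_flags):
            return cmap.name, ("deny" if cmap.deny else "permit")
    return None, "permit"   # no class matched: default forwarding


# Constructed packets, represented by their TCP flag bits.
SYN_ONLY = flags_mask(["syn"])
SYN_ACK = flags_mask(["syn", "ack"])

# 'class-map tcp-flags' with 'match tcp-flags syn': matches both packets.
single = [ClassMap("tcp-flags", flags_mask(["syn"]))]

# The two-class-map policy from the text: ack-syn-flags first (no deny action),
# then syn-flags, which carries access-group 3000 (deny).
policy_flags = [
    ClassMap("ack-syn-flags", flags_mask(["ack", "syn"])),
    ClassMap("syn-flags", flags_mask(["syn"]), deny=True),
]

if __name__ == "__main__":
    for flags in (SYN_ONLY, SYN_ACK):
        print(hex(flags), classify(single, flags), classify(policy_flags, flags))
```

Reversing the order of the two classes makes syn-flags catch SYN+ACK packets as well, which is why ack-syn-flags must come first in the policy-map.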
