
Using qos match commands with tcp flags – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual


Access Control Lists Introduction

Software Reference for x310 Series Switches, AlliedWare Plus™ Operating System - Version 5.4.4C

C613-50046-01 REV A, page 33.12

Using QoS Match Commands with TCP Flags

Usually, if multiple matches of the same type are specified, the matching process will apply to the last match that you specified. For TCP flags however, the arguments are ANDed together. For example, the following series of commands will match on a packet that has ack, syn and fin set:

awplus# configure terminal
awplus(config)# class-map cmap1
awplus(config-cmap)# match tcp-flags ack
awplus(config-cmap)# match tcp-flags syn
awplus(config-cmap)# match tcp-flags fin
awplus(config-cmap)# exit

The following commands will achieve the same result:

awplus# configure terminal
awplus(config)# class-map cmap1
awplus(config-cmap)# match tcp-flags ack syn fin
awplus(config-cmap)# exit

Note that the matching is looking to see whether “any” of the specified flags are set. There is no checking for whether any of these flags are unset. Therefore the following commands will match on a packet in any of the following combinations of syn and ack status flags as shown in the following table:

awplus# configure terminal
awplus(config)# class-map cmap1
awplus(config-cmap)# match tcp-flags syn
awplus(config-cmap)# exit

Syn     Ack     Match on Packet
Set     Set     Yes
Set     Unset   Yes
Unset   Set     No
Unset   Unset   No

If you want to drop packets with syn only, but not with ack and syn, the following two class-maps can be used (note that ACL 4000 is used to apply a drop action as described in “Actions for Hardware ACLs” on page 33.7):
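
The set-only matching rule described on this page, modelled in Python as an added example; it is not part of the Allied Telesis manual and is not AlliedWare Plus code. All function names are hypothetical, the packets are constructed, and the ordered first-match evaluation used for the "drop syn only" case is an assumption, since the manual's own class-maps for that case are not shown on this page.

```python
# Added example: a model of the set-only TCP flag matching described above.
# Not AlliedWare Plus code; function and variable names are hypothetical.
from itertools import product

# Standard TCP header flag bits.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

def mask(*flags):
    """OR the named flags into one bit mask."""
    m = 0
    for f in flags:
        m |= FLAG_BITS[f]
    return m

def class_map_matches(match_lines, packet_flags):
    """match_lines: one list of flag names per 'match tcp-flags' command.
    Every listed flag must be set (ANDed); unset flags are never checked."""
    required = 0
    for line in match_lines:
        required |= mask(*line)
    return (packet_flags & required) == required

def truth_table(match_lines, names=("syn", "ack")):
    """Rows of (flag states..., matched), in the manual's Set/Unset order."""
    rows = []
    for states in product((True, False), repeat=len(names)):
        pkt = mask(*[n for n, s in zip(names, states) if s])
        rows.append(states + (class_map_matches(match_lines, pkt),))
    return rows

def first_match_action(ordered_classes, packet_flags, default="forward"):
    """Assumption: classes are evaluated in order and the first match decides."""
    for match_lines, action in ordered_classes:
        if class_map_matches(match_lines, packet_flags):
            return action
    return default

# Assumed arrangement for "drop syn only": an ack+syn class ahead of a syn class.
SYN_ONLY_DROP = [([["ack", "syn"]], "forward"), ([["syn"]], "drop")]

if __name__ == "__main__":
    for syn, ack, hit in truth_table([["syn"]]):
        print(f"syn={'Set' if syn else 'Unset':5} ack={'Set' if ack else 'Unset':5} "
              f"match={'Yes' if hit else 'No'}")
    print(first_match_action(SYN_ONLY_DROP, mask("syn")))         # constructed SYN packet
    print(first_match_action(SYN_ONLY_DROP, mask("syn", "ack")))  # constructed SYN+ACK packet
```

Because a single class-map can only require flags to be set, `match tcp-flags syn` alone cannot tell a bare SYN from a SYN+ACK; the model separates them only by letting a more specific ack+syn class match first.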