19 deny tcp – CANOGA PERKINS 9175 Command Reference User Manual
CanogaOS Command Reference
Related Commands
deny tcp
deny udp
deny icmp
deny igmp
33.19 deny tcp
Use this command to reject TCP packets matching the IP filter.
Command Syntax
[<1-2147483646>] deny tcp { source source-mask | any | host source } [ src-port operator
port ] { destination destination-mask | any | host destination } [ dst-port operator port ] [ ip-precedence
precedence | dscp dscp ] [ established | [ match-any | match-all flag-name ] ] [ fragments ]
[ routed-packet ] [ options ] [ time-range time-range-name ] [ stats ]
src-port: source port <0-65535>
dst-port: destination port <0-65535>
operator: includes eq (equal to), lt (less than), gt (greater than), neq (not equal to), range
port: the port should be in the range <0-65535>
established: match established connections
match-any: match any of the flag-name
match-all: match all the flag-name
flag-name: the flag bit in TCP packets including ack, fin, psh, rst, syn, urg
Refer to the deny command for other parameters.
Command Mode
IP ACL configuration
Usage
The fragments keyword is invalid when Layer 4 information is specified (i.e. src-port).
Examples
This example shows how to create a filter in IP ACL to deny any TCP packets.
Switch(config-ip-acl)# 1 deny tcp any any
This example shows how to create a filter in IP ACL to deny TCP packets with the source IP address
1.1.1.1 and source port 0-100.
Switch(config-ip-acl)# 2 deny tcp host 1.1.1.1 src-port range 0 100 any
This example shows how to create a filter in IP ACL to deny any TCP packets in established TCP
streams.
Switch(config-ip-acl)# 3 deny tcp any any established
This example shows how to create a filter in IP ACL to deny the TCP ACK packets with the source IP
address 1.1.1.1.
Switch(config-ip-acl)# 4 deny tcp 10.10.10.0 0.0.0.0 any match-any ack
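The following Python model is an added example, not code from the manual or from CanogaOS. It parses the src-port / dst-port operator clauses and the match-any / match-all flag clause from a filter line and tests a TCP segment against them, so a filter can be checked before it is applied. The function names parse_l4 and l4_matches are hypothetical, and the semantics marked as assumptions in the comments are not defined on this page.

```python
# Added illustration of the Layer 4 clauses of a "deny tcp" filter.
# Assumptions (not from the manual): "range" is inclusive, several flag-names may
# follow match-any/match-all, and match-all allows extra flags to be set.
import operator

PORT_OPS = {"eq": operator.eq, "lt": operator.lt,
            "gt": operator.gt, "neq": operator.ne}
FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}

def parse_l4(tokens):
    """Extract port-operator and flag-match clauses from a tokenized filter line."""
    rule, i = {"ports": {}, "mode": None, "flags": set()}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("src-port", "dst-port"):
            op = tokens[i + 1] if i + 1 < len(tokens) else ""
            if op != "range" and op not in PORT_OPS:
                raise ValueError(f"unknown operator {op!r} after {tok}")
            n = 2 if op == "range" else 1  # range takes two ports, others one
            ports = [int(p) for p in tokens[i + 2:i + 2 + n]]
            if len(ports) != n or any(not 0 <= p <= 65535 for p in ports):
                raise ValueError(f"port missing or outside 0-65535 after {tok} {op}")
            rule["ports"][tok] = (op, ports)
            i += 2 + n
        elif tok in ("match-any", "match-all"):
            rule["mode"], i = tok, i + 1
            while i < len(tokens) and tokens[i] in FLAGS:
                rule["flags"].add(tokens[i])
                i += 1
            if not rule["flags"]:
                raise ValueError(f"{tok} needs at least one flag-name")
        else:
            i += 1  # addresses and other keywords are outside this model
    return rule

def l4_matches(rule, src_port, dst_port, flags):
    """Return True if a TCP segment satisfies every Layer 4 clause in rule."""
    for key, value in (("src-port", src_port), ("dst-port", dst_port)):
        if key in rule["ports"]:
            op, ports = rule["ports"][key]
            ok = (ports[0] <= value <= ports[1]) if op == "range" \
                else PORT_OPS[op](value, ports[0])
            if not ok:
                return False
    want, have = rule["flags"], set(flags)
    if rule["mode"] == "match-any":
        return bool(want & have)
    return want <= have  # match-all, or no flag clause (empty set always matches)
```

Under these assumptions, "match-all syn ack" matches only segments carrying both flags, while "match-any syn ack" also matches a bare SYN.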