Configuring a protocol ACE

Configure a protocol ACE to filter on the source port, destination port, ICMP and ICMPv6 message type, or TCP flags.

Note

For IPv6 filters, you must configure the next header before you can configure the protocol attributes.

Before you begin

  • The ACL exists.

  • The ACE exists.

About this task

The eq and mask parameters specify an operator for a field match condition: equal to or mask. The mask operator is an implied eq on the mask bits.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure an ACE for destination port attributes:

    filter acl ace protocol <acl-id> <ace-id> dst-port eq WORD<1–60>

    OR

    filter acl ace protocol <acl-id> <ace-id> dst-port mask WORD<1–60> WORD<1–256>

  3. Configure an ACE for source port attributes:

    filter acl ace protocol <acl-id> <ace-id> src-port eq WORD<1–65535>

    OR

    filter acl ace protocol <acl-id> <ace-id> src-port mask WORD<1–65535> WORD<1–256>

  4. Configure an ACE for ICMP message type attributes:

    filter acl ace protocol <acl-id> <ace-id> icmp-msg-type eq WORD<1–200>

  5. Configure an ACE for TCP flags attributes:

    filter acl ace protocol <acl-id> <ace-id> tcp-flags eq WORD<1–50>

    OR

    filter acl ace protocol <acl-id> <ace-id> tcp-flags mask {0-0x3F|0-0x3F}

  6. Ensure the configuration is correct:

    show filter acl protocol <acl-id> <ace-id>

  7. Optional: Delete the individual attributes from the protocol portion of the ACE:

    no filter acl ace protocol <acl-id> <ace-id> [dst-port] [icmp-msg-type] [icmpv6-msg-type] [routing-type] [src-port] [tcp-flags]

  8. Optional: Delete all the attributes from the protocol portion of the ACE:

    default filter acl ace protocol <acl-id> <ace-id>

Specify ICMPv6 echo request packets:

Switch:1(config)#filter acl ace protocol 1 12 icmpv6-msg-type eq echoRequest

Table 1. TCP Flags Order in Packet

  Bit weight   32 (decimal)   16 (decimal)   8 (decimal)   4 (decimal)   2 (decimal)   1 (decimal)
  TCP flag     Urgent         Ack            Push          Reset         Syn           Fin

Configure an ACE for TCP flags attributes: Example 1

The mask matches a packet with the 'ack' TCP flag bit set, regardless of whether any other TCP flag bits are also set:

Switch:1(config)#filter acl ace protocol 1 1 tcp-flags mask ack ?
    <0-0x3F | 0-63> Mask value <Hex | Decimal>: This six bit mask is a reverse mask where 0:care
                             about, 1:do not care about
Switch:1(config)#filter acl ace protocol 1 1 tcp-flags mask ack 0x2f
Hex value      20   10    8    4    2    1
TCP flags      _    ack   _    _    _    _
Binary value   1    0     1    1    1    1     (0x2F in hex)

Configure an ACE for TCP flags attributes: Example 2

A packet matches this filter if the three listed TCP flag bits are set in the TCP header (and only those three bits).

Switch:1(config)#filter acl ace protocol 1 1 tcp-flags eq ?
WORD<1-50> Tcp flags
{none | fin | syn | rst | push | ack | urg | undefined}
Switch:1(config)#filter acl ace protocol 1 1 tcp-flags eq syn,push,urg

You can configure a functionally equivalent filter with the mask operator as follows:

Switch:1(config)#filter acl ace protocol 1 1 tcp-flags mask syn,push,urg 0x0

Configure an ACE for TCP flags attributes: Example 3

The mask operator provides more flexibility. For example, a packet matches the following filter if the syn, push and urg TCP flag bits are set, regardless of whether any other TCP flag bits are also set:

Switch:1(config)#filter acl ace protocol 1 1 tcp-flags mask syn,push,urg ?
    <0-0x3F | 0-63> Mask value <Hex | Decimal>: This six bit mask is a reverse mask where 0:care
                             about, 1:do not care about
Switch:1(config)#filter acl ace protocol 1 1 tcp-flags mask syn,push,urg 0x15 
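
The following Python model is an added example, not part of the original documentation or the switch software, that reproduces the matching semantics of Examples 1 to 3: the bit weights from Table 1, the exact match performed by the eq operator, and the reverse mask (0 = care about, 1 = do not care about) used by the mask operator. The function names and the sample packet flag values are constructed for illustration; the mask values it derives (0x2F for ack, 0x15 for syn,push,urg) are the ones shown in the examples.

```python
# Added example: model of the tcp-flags eq / mask semantics described in
# Examples 1 to 3. Function names and sample packets are constructed here.

# Bit weights as listed in Table 1 (TCP Flags Order in Packet).
TCP_FLAG_BITS = {"urg": 0x20, "ack": 0x10, "push": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01}
ALL_FLAGS = 0x3F  # six flag bits; the CLI accepts masks in the range 0-0x3F


def flags_to_value(flag_list: str) -> int:
    """Turn a CLI flag list such as 'syn,push,urg' into its 6-bit value."""
    value = 0
    for name in flag_list.split(","):
        name = name.strip().lower()
        if name == "none":
            continue
        value |= TCP_FLAG_BITS[name]  # KeyError for a flag the CLI does not define
    return value


def care_mask_for(flag_list: str) -> int:
    """Reverse mask that cares only about the listed flags (0 = care, 1 = do not care).

    This is the value an operator types after 'tcp-flags mask <flags>' to match the
    listed flags while ignoring every other flag bit, as in Examples 1 and 3.
    """
    return ALL_FLAGS & ~flags_to_value(flag_list)


def match_eq(packet_flags: int, flag_list: str) -> bool:
    """'tcp-flags eq <flags>': the header flags must equal the list exactly."""
    return (packet_flags & ALL_FLAGS) == flags_to_value(flag_list)


def match_mask(packet_flags: int, flag_list: str, reverse_mask: int) -> bool:
    """'tcp-flags mask <flags> <mask>': compare only the bits whose mask bit is 0."""
    care = ALL_FLAGS & ~reverse_mask
    return (packet_flags & care) == (flags_to_value(flag_list) & care)


def describe(packet_flags: int) -> str:
    """Human-readable flag list for a 6-bit value (used only for printing)."""
    names = [n for n, b in TCP_FLAG_BITS.items() if packet_flags & b]
    return ",".join(names) or "none"


if __name__ == "__main__":
    # Constructed sample packets: syn+push+urg only, and the same with ack added.
    exact = flags_to_value("syn,push,urg")       # 0x2A
    with_ack = exact | TCP_FLAG_BITS["ack"]      # 0x3A
    print("mask for ack only        :", hex(care_mask_for("ack")))            # 0x2f
    print("mask for syn,push,urg    :", hex(care_mask_for("syn,push,urg")))   # 0x15
    for pkt in (exact, with_ack):
        print(f"packet {describe(pkt):14} eq        -> {match_eq(pkt, 'syn,push,urg')}")
        print(f"packet {describe(pkt):14} mask 0x0  -> {match_mask(pkt, 'syn,push,urg', 0x0)}")
        print(f"packet {describe(pkt):14} mask 0x15 -> {match_mask(pkt, 'syn,push,urg', 0x15)}")
```

Running the script shows the point the examples make: with mask 0x0 the filter behaves exactly like eq and rejects the packet that also carries ack, while mask 0x15 accepts it because the ack bit is marked "do not care".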

Configure an ACE for ICMP message type: Example 4

filter acl 1 type inPort name "ICMP_TRAFFIC_FILTER"
filter acl port 1 1/3
filter acl ace 1 1
filter acl ace action 1 1 deny count
filter acl ace ethernet 1 1 ether-type eq ip
filter acl ace ip 1 1 src-ip mask 194.183.100.64 0.0.0.15
filter acl ace ip 1 1 dst-ip eq 146.97.137.42
filter acl ace ip 1 1 ip-protocol-type eq icmp
filter acl ace protocol 1 1 icmp-msg-type eq echo-request
filter acl ace 1 1 enable
filter acl ace 1 2
filter acl ace action 1 2 deny count
filter acl ace ethernet 1 2 ether-type eq ip
filter acl ace ip 1 2 src-ip mask 194.183.100.64 0.0.0.15
filter acl ace ip 1 2 dst-ip eq 146.97.137.42
filter acl ace ip 1 2 ip-protocol-type eq icmp
filter acl ace protocol 1 2 icmp-msg-type eq echoreply
filter acl ace 1 2 enable

Variable Definitions

Use the data in the following table to use the filter acl ace protocol command.

Variable         Value

{0-0x3F}         Specifies the mask value.

<ace-id>         Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch.

<acl-id>         Specifies the ACL ID. Use the CLI Help to see the available range for the switch.

WORD<1–50>       Specifies one or more TCP flags: none, fin (finish connection), syn (synchronize), rst (reset connection), push, ack (acknowledge), urg (urgent), and undefined.

WORD<1–60>       Specifies the destination port: (0–65535), or echo, ftpdata, ftpcontrol, ssh, telnet, dns, http, hdot323, bootpServer, bootpClient, tftp, rtp, rtcp, or undefined.

WORD<1–200>      Specifies the ICMP message type: Icmpmsg type (0–255), or echoreply, destunreach, sourcequench, redirect, echo-request, routeradv, routerselect, time-exceeded, param-problem, timestamp-request, timestamp-reply, addressmask-request, addressmask-reply, or traceroute.

WORD<1–200>      Specifies the ICMPv6 message type: Icmpmsg type (0–255), or destUnreach, pktTooBig, timeExceeded, paramProblem, echoRequest, echoReply, mcastListenReq, mcastListenRpt, mcastListenDone, routerSolicit, routerAdvert, neighborSolicit, neighborAdvert, redirectMsg, nodeInfoReq, nodeInfoRsp, or v2McastListenRpt.

WORD<1–256>      Specifies the mask parameter, {0-0xFFFF}.

WORD<0–65535>    Specifies the source port (0–65535).