deny (ex3500-ext acl)

Creates a deny ACL rule that filters packets based on the source and/or destination IPv4 address, and other specified criteria. You can also use this command to modify an existing deny rule.

Supported in the following platforms:

  • Wireless Controllers — RFS4000
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] 
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|
destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|
ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-7>|rule-precedence <1-128>|
source-port <0-65535>|source-port-bitmark <0-65535>]

Parameters

deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] 
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|
destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|
ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-7>|rule-precedence <1-128>|
source-port <0-65535>|source-port-bitmark <0-65535>]
deny [<0-255>| tcp|udp] Creates a deny rule and identifies the protocol type. This deny rule is applied only to packets matching the protocol specified here.
[<SOURCE-NETWORK-IP/MASK>| any| host <SOURCE-HOST-IP>] Specifies the source as any, host, or network.
  • <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network's IPv4 address along with the mask as a prefix length (for example, 192.168.14.0/24).
  • host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device's IPv4 address.
  • any – Specifies that the source can be any device.
[<DEST-NETWORK-IP/MASK>| any| host <DEST-HOST-IP>] Specifies the destination as any, host, or network.
  • <DEST-NETWORK-IP/MASK> – Configures a network as the destination. Provide the network's IPv4 address along with the mask as a prefix length.
  • host <DEST-HOST-IP> – Configures a single device as the destination. Provide the host device's IPv4 address.
  • any – Specifies that the destination can be any device.
control-flag <0-63> Configures the decimal number (representing a bit string) that specifies the six TCP control flag bits carried in byte 14 of the TCP header (offset 13 from the start of the header)
  • <0-63> – Specify a value from 0 - 63. The value is the sum of the bit values of the flags to match: URG = 32, ACK = 16, PSH = 8, RST = 4, SYN = 2, FIN = 1. For example, 2 matches a segment with only SYN set, and 18 matches SYN+ACK.
Note: Control flags can be used only in ACLs designed to filter TCP traffic.
The TCP header contains several one-bit boolean fields, known as flags, that influence the flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification by RFC 3168, there are six TCP control flags:
  • URG flag - Marks the segment as carrying urgent data (the urgent pointer field is valid).
  • ACK flag - Acknowledges receipt of data (the acknowledgment number field is valid). Set on every segment after the initial SYN.
  • PSH flag - Asks the receiver to deliver the buffered data to the application immediately rather than waiting for more. Often seen at the beginning and end of a data transfer.
  • RST flag - Resets the connection. Sent, for example, when a remote host receives a connection request for a port with no service listening, or receives a segment that belongs to no known connection.
  • SYN flag - Synchronizes sequence numbers to establish a connection; the 3-way handshake between two hosts consists of SYN, SYN+ACK and ACK segments.
  • FIN flag - Tears down the connection established by the 3-way handshake; the sender has no more data to send.
destination-port <0-65535> Configures the destination port to match. Ports are meaningful only for TCP and UDP; in a rule written with a protocol number (<0-255>) the port options do not apply.
  • <0-65535> – Specify the destination port from 0 - 65535.
destination-port-bitmark <0-65535> Configures the decimal number representing the destination port bits to match. It is treated as a bitmask applied to the destination port number: port bits cleared in the mask are ignored when the port is compared, so a single rule can cover a block of ports.
  • <0-65535> – Specify the destination port bitmask from 0 - 65535.
dscp <0-63> Configures the DSCP priority level
  • <0-63> – Specify a value from 0 - 63.
Note: If specifying DSCP priority, ip-precedence cannot be specified.
ex3500-time-range <TIME-RANGE-NAME> Applies a periodic or absolute time range to this rule
  • <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). For information on configuring EX3500 time-range, see ex3500.
ip-precedence <0-7> Configures the IP header precedence
  • <0-7> – Specify a value from 0 - 7.
source-port <0-65535> Configures the source port to match. Ports are meaningful only for TCP and UDP; in a rule written with a protocol number (<0-255>) the port options do not apply.
  • <0-65535> – Specify the source port from 0 - 65535.
source-port-bitmark <0-65535> Configures the decimal number representing the source port bits to match. It is treated as a bitmask applied to the source port number, in the same way as destination-port-bitmark.
  • <0-65535> – Specify the source port bitmask from 0 - 65535.
rule-precedence <1-128> Assigns a precedence to this deny rule. This keyword can be appended to any of the rule forms above.
  • <1-128> – Specify a value from 1 - 128.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 4 and is applied to packets first.

Usage Guidelines

Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:
  • TCP
  • UDP
  • <0-255> (any Internet protocol other than TCP, UDP, and ICMP, identified by its IP protocol number)
Packet content is checked against the ACEs (access control entries) in the ACL, and packets are permitted or denied based on the ACL configuration; entries with a lower rule-precedence value are applied first.
  • Filtering TCP/UDP allows you to specify port numbers as filtering criteria. The port options are not applicable to other protocol numbers, and control-flag applies only to TCP rules.
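The following Python model is an added example, not WiNG or EX3500 code, that shows how the rule options documented on this page combine: rules are matched in ascending rule-precedence order, the control-flag value is the decimal sum of the six TCP flag bits (URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1), and the port bitmask restricts which port bits are compared. The "permit" action, the first-match semantics, exact matching of the six-bit flag field, and the bitmask interpretation of destination-port-bitmark are assumptions made for the example; the rule set and packets are constructed to illustrate the page's own deny example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Bit values of the six TCP control flags; the control-flag argument is their sum.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def control_flag_value(*flags: str) -> int:
    """Decimal control-flag value for a set of flags: SYN -> 2, SYN+ACK -> 18."""
    return sum(TCP_FLAGS[f.upper()] for f in flags)


def flag_names(value: int) -> list:
    """Inverse: decode a control-flag value back to flag names, highest bit first."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


@dataclass
class Rule:
    action: str                 # "deny" (this page) or "permit" (assumed sibling command)
    proto: str                  # "tcp", "udp", or a protocol number as a string
    src: str                    # "any", "host A.B.C.D", or "A.B.C.D/M"
    dst: str
    precedence: int             # rule-precedence 1-128; lower value is evaluated first
    dport: Optional[int] = None
    dport_mask: int = 0xFFFF    # destination-port-bitmark, assumed to be a bitmask
    control_flag: Optional[int] = None  # decimal TCP flag bits; TCP rules only

    def __post_init__(self):
        if not 1 <= self.precedence <= 128:
            raise ValueError("rule-precedence must be 1-128")
        if self.control_flag is not None and self.proto != "tcp":
            raise ValueError("control-flag is valid only in TCP rules")

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip_address(addr) == ip_address(spec.split()[1])
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: dict) -> bool:
        if self.proto != str(pkt["proto"]):
            return False
        if not (self._addr_match(self.src, pkt["src"]) and self._addr_match(self.dst, pkt["dst"])):
            return False
        if self.dport is not None:
            # Only the port bits selected by the mask are compared (assumed semantics).
            if (pkt.get("dport", 0) & self.dport_mask) != (self.dport & self.dport_mask):
                return False
        if self.control_flag is not None and (pkt.get("flags", 0) & 63) != self.control_flag:
            return False  # assumed: exact match on the six-bit flag field
        return True


def evaluate(rules, pkt: dict, default: str = "deny") -> str:
    """First matching rule wins, in ascending rule-precedence order (assumed)."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(pkt):
            return rule.action
    return default


def example_acl():
    """Constructed rule set: the page's example rule plus three illustrative ones."""
    return [
        Rule("deny", "tcp", "192.168.14.0/24", "host 192.168.13.13", precedence=1),
        Rule("deny", "tcp", "any", "host 192.168.13.13", precedence=3,
             dport=8000, dport_mask=0xFFF8),                      # ports 8000-8007
        Rule("deny", "tcp", "any", "any", precedence=5,
             dport=23, control_flag=control_flag_value("SYN")),   # block new telnet sessions
        Rule("permit", "tcp", "any", "any", precedence=10),
    ]


if __name__ == "__main__":
    acl = example_acl()
    # Constructed packets, not captured traffic.
    pkts = [
        {"proto": "tcp", "src": "192.168.14.7", "dst": "192.168.13.13", "dport": 80, "flags": 18},
        {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.13.13", "dport": 8005, "flags": 2},
        {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.13.13", "dport": 23, "flags": 2},
        {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.13.13", "dport": 23, "flags": 16},
        {"proto": "udp", "src": "10.0.0.5", "dst": "192.168.13.13", "dport": 53},
    ]
    for p in pkts:
        print(evaluate(acl, p), p)
```

The third rule denies only the SYN of a new telnet session (flags value 2), so established telnet traffic carrying ACK (16) falls through to the permit rule; with "deny tcp any any destination-port 23" and no control-flag, both directions of the session would be dropped. The UDP packet matches no rule and receives the default action, which the model sets to deny.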

Examples

The following example denies outgoing TCP packets from all sources within the 192.168.14.0/24 network to the host 192.168.13.13:

nx9500-6C8809(config-ip-ex3500-ext-acl-test)#deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#

Related Commands

no (ex3500-ext acl) Removes a specified deny access rule from this IPv4 EX3500 extended ACL