deny (ex3500-ext acl)

Creates a deny ACL rule that filters packets based on the source and/or destination IPv4 address, and other specified criteria. You can also use this command to modify an existing deny rule.

Supported in the following platforms:

Service Platforms — NX5500, NX75000, NX9500, NX9600, VX9000

Syntax

deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] 
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|
destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|
ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|
source-port <0-65535>|source-port-bitmark <0-65535>]

Parameters

deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] 
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|
destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|
ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|
source-port <0-65535>|source-port-bitmark <0-65535>]


deny [<0-255>\| tcp\|udp]	Creates a deny rule and identifies the protocol type. This deny rule is applied only to packets matching the protocol specified here.
[<SOURCE-NETWORK-IP/MASK>\| any\| host <SOURCE-HOST-IP>]	Specifies the source as any, host, or network <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network‘s IPv4 address along with the mask. host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device‘s IPv4 address. any – Specifies that the source can be any device
[<DEST-NETWORK-IP/MASK>\| any\| host <DEST-HOST-IP>]	Specifies the destination as any, host, or network <DEST-NETWORK-IP/MASK> – Configures a network as the destination. Provide the network‘s IPv4 address along with the mask. host <DEST-HOST-IP> – Configures a single device as the destination. Provide the host device‘s IPv4 address. any – Specifies that the destination can be any device
control-flag <0-63>	Configures the decimal number (representing a bit string) that specifies the control flag bits in byte 14 of the TCP header <0-63> – Specify a value from 0 - 63. Note: Control flags can be used only in ACLs designed to filter TCP traffic. The TCP header contains several one-bit boolean fields known as flags that influence flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification by RFC 3168, there are six TCP control flags. URG flag - Marks incoming packet as urgent. ACK flag - Acknowledges receipt of packet PUSH flag - Ensures that the packet is given appropriate priority. Often used at the beginning and end of data transfer. RST flag - Resets the connection. Happens when remote host receives a establish connection packet, but does not have a service waiting to answer and sends a reply with reset flag. SYN flag - Establishes the 3-way handshake between two hosts FIN flag - Tears down the connection established between two hosts via the 3-way SYN process
destination-port <0-65535>	Configures the protocol destination port to match. The destination protocol can be TCP, UDP or any other protocol identified by its number (<0-255>). <0-65535> – Specify the destination port from 0 - 65535.
destination-port-bitmark <0-65535>	Configures the decimal number representing the protocol destination port bits to match <0-65535> – Specify the destination port bits from 0 - 65535.
dscp <0-63>	Configures the DSCP priority level <0-63> – Specify a value from 0 - 63. Note: If specifying DSCP priority, ip-precedence cannot be specified.
ex3500-time-range <TIME-RANGE-NAME>	Applies a periodic or absolute time range to this rule <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). For information on configuring EX3500 time-range, see ex3500.
ip-precedence <0-7>	Configures the IP header precedence <0-7> – Specify a value from 0 - 7.
source-port <0-65535>	Configures the protocol source port to match. The source protocol can be TCP, UDP or any other protocol identified by its number (<0-255>). <0-65535> – Specify the source port from 0 - 65535.
source-port-bitmark <0-65535>	Configures the decimal number representing the protocol source port bits to match <0-65535> – Specify the source port bits from 0 - 65535.
rule-precedence <1-128>	The following keywords are recursive and common to all of the above parameters: rule-precedence – Assigns a precedence to this deny rule <1-128> – Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 4 and is applied first to packets.

Usage Guidelines

Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:

TCP
UDP
<0-255> (any Internet protocol other than TCP, UDP, and ICMP)

Packet content is checked against the ACEs in the ACL, and are allowed or denied access based on the ACL configuration.

Filtering TCP/UDP allows you to specify port numbers as filtering criteria

Examples

The following example denies TCP outgoing packets from all sources p within the 192.168.14.0/24 network to a specific host 192.168.13.13:

nx9500-6C8809(config-ip-ex3500-ext-acl-test)#deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1

nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#

Related Commands


no (ex3500-ext acl)	Removes a specified deny access rule from this IPv4 EX3500 extended ACL