Defining TCP and UDP match criteria

In a class configuration, you can enter match/ignore statements that more precisely define the TCP or UDP traffic to match in an IPv4 or IPv6 traffic class. For example, enter a port number as a match criterion that specifies one or more TCP source ports, destination ports, or both.

Context: Class configuration

Syntax:


[no] [seq-number] [match | ignore] {tcp | udp} source-address [operator tcp-src-port | udp-src-port] destination-address [operator tcp-dest-port [established] [tcp-flag tcp-flag ...] | udp-dest-port] [ip-dscp codepoint] [precedence precedence-value] [tos tos-value] [vlan vlan-id]
If you use TCP or UDP as the IP protocol type in a match/ignore statement, you can optionally configure TCP or UDP source and destination port numbers, or ranges of numbers, to more precisely define the match criteria for a traffic class. Enter the optional TCP/UDP port criteria immediately after the source address and immediately after the destination address in the command syntax; for example:
switch(config-class)# match tcp host 10.20.10.17 eq 23 host 10.20.10.155 established
switch(config-class)# match tcp host 10.10.10.100 host 10.20.10.17 eq telnet
switch(config-class)# ignore udp 10.30.10.1/24 host 10.20.10.17 range 161 162
[operator tcp-src-port | udp-src-port]

To specify a TCP or UDP source port number as a match criterion, enter a comparison operator from the following list, followed by a TCP/UDP port number or well-known port name, immediately after the source-address value in the command.

Comparison Operators:

  • eq tcp/udp-port-number

    Equal To matches a packet with the same TCP or UDP source port number as tcp/udp-port-number .

  • gt tcp/udp-port-number

    Greater Than matches any packet with a TCP or UDP source port number greater than tcp/udp-port-number.

  • lt tcp/udp-port-number

    Less Than matches any packet with a TCP or UDP source port number less than tcp/udp-port-number .

  • neq tcp/udp-port-number

    Not Equal matches any packet with a TCP or UDP source port number that is not equal to tcp/udp-port-number.

  • range start-port-number end-port-number

    Matches any packet with a TCP or UDP source port number in the range start-port-number to end-port-number, inclusive.

TCP/UDP well-known source-port names and numbers

Enter a comparison operator with the source TCP or UDP port number used by the applications you want to match. TCP and UDP port numbers are 16-bit values, so valid port numbers are from 0 to 65535 (several of the well-known names below, such as ldap, ssl and radius, map to numbers above 255). You can also enter well-known TCP or UDP port names as an alternative to the corresponding port number; for example:

  • TCP: bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet

  • UDP: bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp

To display a list of valid TCP/UDP source ports, enter ? after you enter an operator.


[operator tcp-dest-port [established] [tcp-flag tcp-flag ...] | udp-dest-port]

To specify a TCP or UDP destination port number as a match criterion, enter a comparison operator with a TCP/UDP port number or well-known port name immediately after the destination-address value in the command.

NOTE:

The optional established and tcp-flag values apply only to TCP destination-port criteria.

TCP/UDP well-known destination-port names and numbers

The same operators, port numbers, and well-known names are supported for TCP/UDP destination-port match criteria as for TCP/UDP source-port criteria. To display a list of valid TCP/UDP destination ports, enter ? after you enter an operator.

established

(Optional) Applies only to TCP destination-port match criteria and matches only TCP segments that have the Acknowledge (ACK) or Reset (RST) flag set. Because the first segment of a new connection carries SYN alone, with neither ACK nor RST, established excludes connection attempts arriving in one direction while still matching the replies and data segments (which all carry ACK) flowing the other way. The check is stateless: it inspects only the flag bits of each segment, so any packet with ACK or RST set satisfies it, including a crafted ACK probe that was never part of a handshake.

For example, a Telnet session requires TCP traffic to move both ways between a host and the target device. A match statement written for inbound Telnet traffic, such as the first example above, normally catches both the replies to outbound sessions and any inbound attempt to open a new session, so policy actions are applied to Telnet traffic in both directions. If you add the established option, inbound Telnet traffic arriving in response to outbound Telnet requests is still matched, but an inbound segment trying to establish a connection (SYN only) is not.

tcp-flag tcp-flag ...

(Optional) Applies only to TCP packets whose destination port is selected by the tcp-dest-port match criterion, and tests the TCP flag bits of those packets. Enter one or more of the following values:

  • ack

    Acknowledge matches TCP packets with the ACK flag set.

  • fin

    Finish matches TCP packets with the FIN flag set.

  • rst

    Reset matches TCP packets with the RST flag set.

  • syn

    Synchronize matches TCP packets with the SYN flag set.
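The following Python program is an added illustration of the statements described on this page (the comparison operators and well-known names, the established keyword, and tcp-flag); it is not the switch's own classifier and not code from the original page. It parses match/ignore lines in the syntax shown above, evaluates them statelessly against constructed packet tuples, and reproduces the Telnet behaviour described under established. The Packet fields, the "any" address keyword, the first-hit evaluation order, the rule that every listed tcp-flag must be set, and the IANA numbers behind the well-known names are assumptions; seq-number, no, ip-dscp, precedence, tos and vlan are left out.

```python
"""Stateless evaluator for class-configuration match/ignore statements.
Added illustration; packet fields, 'any', first-hit order and the
all-flags-must-be-set rule for tcp-flag are assumptions."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Well-known names listed on the page, mapped to their IANA numbers (assumed).
TCP_NAMES = {"bgp": 179, "dns": 53, "ftp": 21, "http": 80, "imap4": 143, "ldap": 389,
             "nntp": 119, "pop2": 109, "pop3": 110, "smtp": 25, "ssl": 443, "telnet": 23}
UDP_NAMES = {"bootpc": 68, "bootps": 67, "dns": 53, "ntp": 123, "radius": 1812,
             "radius-old": 1645, "rip": 520, "snmp": 161, "snmp-trap": 162, "tftp": 69}
TCP_FLAGS = ("ack", "fin", "rst", "syn")


@dataclass(frozen=True)
class Packet:                       # constructed packet summary, not a real header
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # names of the TCP flags that are set


@dataclass(frozen=True)
class PortTest:
    op: str                         # eq | neq | gt | lt | range
    lo: int
    hi: int = 0

    def __call__(self, port: int) -> bool:
        return {"eq": port == self.lo, "neq": port != self.lo, "gt": port > self.lo,
                "lt": port < self.lo, "range": self.lo <= port <= self.hi}[self.op]


@dataclass(frozen=True)
class Rule:
    action: str                     # "match" or "ignore"
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[PortTest]
    dst: ipaddress.IPv4Network
    dport: Optional[PortTest]
    established: bool
    flags: frozenset


def _port(tok: str, proto: str) -> int:
    names = TCP_NAMES if proto == "tcp" else UDP_NAMES
    n = names[tok] if tok in names else int(tok)
    if not 0 <= n <= 65535:
        raise ValueError(f"port {n} outside 0-65535")
    return n


def _addr(toks: list) -> ipaddress.IPv4Network:
    t = toks.pop(0)
    if t == "host":
        return ipaddress.ip_network(toks.pop(0))
    if t == "any":                  # assumed keyword
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(t, strict=False)   # 10.30.10.1/24 -> 10.30.10.0/24


def _port_test(toks: list, proto: str) -> Optional[PortTest]:
    if toks and toks[0] in ("eq", "neq", "gt", "lt"):
        return PortTest(toks.pop(0), _port(toks.pop(0), proto))
    if toks and toks[0] == "range":
        toks.pop(0)
        return PortTest("range", _port(toks.pop(0), proto), _port(toks.pop(0), proto))
    return None


def parse_rule(line: str) -> Rule:
    """Parse '<match|ignore> <tcp|udp> src [op port] dst [op port] [established] [tcp-flag f ...]'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, sport = _addr(rest), _port_test(rest, proto)
    dst, dport = _addr(rest), _port_test(rest, proto)
    established, flags = False, set()
    while rest:
        t = rest.pop(0)
        if t == "established" and proto == "tcp":
            established = True
        elif t == "tcp-flag" and proto == "tcp":
            while rest and rest[0] in TCP_FLAGS:
                flags.add(rest.pop(0))
        else:
            raise ValueError(f"unsupported or misplaced token: {t}")
    return Rule(action, proto, src, sport, dst, dport, established, frozenset(flags))


def rule_hits(rule: Rule, pkt: Packet) -> bool:
    if pkt.proto != rule.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sport and not rule.sport(pkt.sport):
        return False
    if rule.dport and not rule.dport(pkt.dport):
        return False
    # 'established' is a stateless header test: ACK or RST set. It cannot tell
    # a genuine reply from a crafted ACK probe that never completed a handshake.
    if rule.established and not (pkt.flags & {"ack", "rst"}):
        return False
    return rule.flags <= pkt.flags  # every listed tcp-flag must be set (assumed)


def in_class(rules: list, pkt: Packet) -> bool:
    """First statement that hits decides: match -> in class, ignore -> excluded (assumed order)."""
    for r in rules:
        if rule_hits(r, pkt):
            return r.action == "match"
    return False


if __name__ == "__main__":
    rules = [parse_rule("match tcp host 10.20.10.17 eq 23 host 10.20.10.155 established")]
    syn = Packet("tcp", "10.20.10.17", "10.20.10.155", 23, 51000, frozenset({"syn"}))
    synack = Packet("tcp", "10.20.10.17", "10.20.10.155", 23, 51000, frozenset({"syn", "ack"}))
    print(in_class(rules, syn), in_class(rules, synack))
```

Running the program shows the connection-opening SYN from the Telnet server's port 23 falling outside the class while the SYN/ACK reply falls inside it. Feeding in a bare-ACK segment from an arbitrary source shows the caveat from the established description: it also satisfies the statement, because only the flag bits are inspected.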