Comparison operators for TCP or UDP

In an IPv6 ACL using either tcp or udp as the IP packet protocol type, you can optionally apply comparison operators specifying TCP or UDP source and/or destination port numbers or ranges of numbers to further define the criteria for a match.

Applying comparison operators

#deny tcp host fe80::119 eq 23 host fe80::155 established
#permit tcp host 2001:db8::10.100 host 2001:db8::15:12 eq telnet
#deny udp 2001:db8::ad5:1f4 host 2001:db8::ad0:ff3 range 161 162

[comparison-operator <tcp/udp-src-port>]

To specify a TCP or UDP source port number in an ACE:

Comparison operators:

eq <tcp/udp-port-nbr> : "Equal To" - for a match with the ACE entry, the TCP or UDP source-port number in a packet must be equal to <tcp/udp-port-nbr>.

gt <tcp/udp-port-nbr> : "Greater Than" - for a match with the ACE entry, the TCP or UDP source-port number in a packet must be greater than <tcp/udp-port-nbr>.

lt <tcp/udp-port-nbr> : "Less Than" - for a match with the ACE entry, the TCP or UDP source-port number in a packet must be less than <tcp/udp-port-nbr>.

neq <tcp/udp-port-nbr> : "Not Equal" - for a match with the ACE entry, the TCP or UDP source-port number in a packet must not be equal to <tcp/udp-port-nbr>.

range <start-port-nbr> <end-port-nbr> : for a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range from <start-port-nbr> to <end-port-nbr>.

Port number or well-known port name:

Use the TCP or UDP port number required by your application. The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers:

TCP

bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet

UDP

bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp

To list the above names, press the [Shift]+[?] key combination after entering an operator. For a comprehensive listing of port numbers, see www.iana.org/assignments/port-numbers.

[comparison-operator <tcp-dest-port>] [established]

[comparison-operator <udp-dest-port>]

This option, if used, is entered immediately after the <DA> entry.

To specify a TCP or UDP port number:

  1. Select a comparison operator.

  2. Enter the port number or a well-known port name.

Comparison operators and well-known port names:

These are the same as those used with the TCP/UDP source-port options, and are listed earlier in this command description.

[established] — This option applies only where TCP is the configured IPv6 protocol type. It blocks the synchronizing packet associated with establishing a new TCP connection, while allowing all other IPv6 traffic for existing connections.

For example, a Telnet connection requires TCP traffic to move both ways between a host and the target device. Simply applying a deny to inbound Telnet traffic on a VLAN prevents Telnet sessions in either direction, because responses to outbound requests are blocked. However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests is permitted, while inbound Telnet traffic trying to establish a new connection is denied.

The established and dscp options are mutually exclusive in a given ACE.

Configuring established and any combination of TCP control bits in the same ACE is supported, but established must precede any TCP control bits configured in the ACE.

TCP control bits:

In a given ACE for filtering TCP traffic you can configure one or more of these options:

[ack] - Acknowledgement.

[fin] - Sender finished.

[rst] - Connection reset.

[syn] - TCP control bit: sequence number synchronize.

For more information on using TCP control bits, see RFC 793.
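The following toy evaluator is an added example, not the switch's own code, and it serves both the comparison-operator description above (eq, gt, lt, neq, range, plus the well-known port names) and the established/TCP-control-bit description. It parses ACEs written in the syntax shown on this page and evaluates them against constructed packets, so the Telnet case can be traced: a SYN-ACK coming back for an outbound session is permitted, a bare inbound SYN to port 23 is denied. Assumptions not stated on the page: the name-to-number table is the IANA assignment; range is inclusive at both ends; established means ACK or RST is set; when several control bits are listed, all of them must be set; an unmatched packet falls to a configurable default standing in for the implicit end-of-list rule.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Well-known names listed on this page, mapped to their IANA numbers (assumed to
# be the mapping the switch uses; the page itself lists only the names).
TCP_PORT_NAMES = {"bgp": 179, "dns": 53, "ftp": 21, "http": 80, "imap4": 143,
                  "ldap": 389, "nntp": 119, "pop2": 109, "pop3": 110, "smtp": 25,
                  "ssl": 443, "telnet": 23}
UDP_PORT_NAMES = {"bootpc": 68, "bootps": 67, "dns": 53, "ntp": 123, "radius": 1812,
                  "radius-old": 1645, "rip": 520, "snmp": 161, "snmp-trap": 162,
                  "tftp": 69}
CONTROL_BITS = {"ack", "fin", "rst", "syn"}
# The five comparison operators; range is taken as inclusive on both ends (assumption).
COMPARE = {"eq": lambda p, a: p == a[0], "gt": lambda p, a: p > a[0],
           "lt": lambda p, a: p < a[0], "neq": lambda p, a: p != a[0],
           "range": lambda p, a: a[0] <= p <= a[1]}

@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp" or "udp"
    src: str                              # IPv6 source address, as text
    dst: str                              # IPv6 destination address
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP control bits that are set

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_op: Optional[Tuple[str, Tuple[int, ...]]]
    dst: str
    dst_op: Optional[Tuple[str, Tuple[int, ...]]]
    established: bool
    control_bits: FrozenSet[str]

def resolve_port(proto: str, token: str) -> int:
    """Accept a port number or one of the well-known names for this protocol."""
    names = TCP_PORT_NAMES if proto == "tcp" else UDP_PORT_NAMES
    if token in names:
        return names[token]
    number = int(token)
    if not 0 <= number <= 65535:
        raise ValueError(f"port out of range: {token}")
    return number

def port_matches(op: str, args: Tuple[int, ...], port: int) -> bool:
    return COMPARE[op](port, args)

def parse_ace(text: str) -> Ace:
    """Parse '<action> <proto> <SA> [op port] <DA> [op port] [established] [bits]'."""
    toks = text.split()
    action, proto = toks[0], toks[1]
    pos = 2

    def take_addr() -> str:               # 'host <addr>', 'any', or a bare address
        nonlocal pos
        pos += 2 if toks[pos] == "host" else 1
        return toks[pos - 1]

    def take_op():
        nonlocal pos
        if pos < len(toks) and toks[pos] in COMPARE:
            op, count = toks[pos], (2 if toks[pos] == "range" else 1)
            args = tuple(resolve_port(proto, t) for t in toks[pos + 1:pos + 1 + count])
            pos += 1 + count
            return (op, args)
        return None

    src, src_op = take_addr(), take_op()
    dst, dst_op = take_addr(), take_op()
    rest = toks[pos:]
    return Ace(action, proto, src, src_op, dst, dst_op,
               "established" in rest, frozenset(t for t in rest if t in CONTROL_BITS))

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.src_op and not port_matches(ace.src_op[0], ace.src_op[1], pkt.sport):
        return False
    if ace.dst_op and not port_matches(ace.dst_op[0], ace.dst_op[1], pkt.dport):
        return False
    # established: only segments of an existing connection (ACK or RST set); the
    # bare SYN that opens a new connection never matches (assumed semantics).
    if ace.established and not (pkt.flags & {"ack", "rst"}):
        return False
    return ace.control_bits <= pkt.flags   # every listed bit must be set (assumption)

def evaluate(acl, pkt: Packet, default: str = "deny") -> str:
    """First matching ACE decides; 'default' stands in for the implicit end-of-list rule."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return default
```

A useful way to read the result: with an inbound list of `permit tcp any eq telnet any established` followed by `deny tcp any any eq telnet`, a reply segment from a remote Telnet server (source port 23, ACK set) takes the first ACE, while a fresh SYN aimed at local port 23 never satisfies established and is caught by the second ACE. The evaluator is order-sensitive in the same way the switch is, so swapping the two ACEs changes the outcome.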