19 deny tcp – CANOGA PERKINS CanogaOS Command Reference User Manual

Page 674


CanogaOS Command Line Reference

Revision 1.02

Proprietary & Confidential Canoga Perkins Metro Ethernet Switches

Page 674 of 855

to 10.10.10.255 are matched.

An auto-generated sequence number is assigned to the filter if the sequence-num field is not
present. The auto-generated sequence number is the maximum existing sequence number in the IP ACL
plus 10. For example, when the maximum existing sequence number is 100, the next created IP filter
is given sequence number 110.

Examples

This example shows how to create a filter in the IP ACL to deny any IP packets.
Switch(config-ip-acl)#1 deny any any any
This example shows how to create a filter in the IP ACL to deny fragment packets with the source IP
address 1.1.1.1.
Switch(config-ip-acl)#2 deny any host 1.1.1.1 any fragments
This example shows how to create a filter in the IP ACL to deny any routed packets.
Switch(config-ip-acl)#3 deny any any any routed-packet

Related Commands

deny tcp
deny udp
deny icmp
deny igmp

33.19 deny tcp

Use this command to reject TCP packets matching the IP filter.

Command Syntax

[<1-2147483646>] deny tcp { source source-mask | any | host source } [ src-port operator port ]
{ destination destination-mask | any | host destination } [ dst-port operator port ]
[ ip-precedence precedence | dscp dscp ] [ established | [ match-any | match-all flag-name ] ]
[ fragments ] [ routed-packet ] [ options ] [ time-range time-range-name ] [ stats ]
src-port: source port <0-65535>
dst-port: destination port <0-65535>

operator: one of eq (equal to), lt (less than), gt (greater than), neq (not equal to), range
port: the port should be in the range <0-65535>
established: match established connections
match-any: match any of the flag-name
match-all: match all of the flag-name
flag-name: the flag bit in TCP packets, including ack, fin, psh, rst, syn, urg
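As an added illustration (not CanogaOS code), a small Python model of the behaviour this page describes: sequence numbers auto-assigned as the maximum existing number plus 10, and the src-port/dst-port operators and the established / match-any / match-all flag options of deny tcp. The wildcard-mask reading of source-mask, ACK-or-RST as the meaning of established, and 10 as the first auto-assigned number are assumptions; ip-precedence, dscp, fragments, routed-packet, options, time-range and stats are not modelled.

```python
import ipaddress

PORT_OPERATORS = {  # src-port / dst-port operators listed in the command syntax
    "eq": lambda p, a, b=None: p == a,
    "lt": lambda p, a, b=None: p < a,
    "gt": lambda p, a, b=None: p > a,
    "neq": lambda p, a, b=None: p != a,
    "range": lambda p, a, b: a <= p <= b,
}

def addr_matches(spec, addr):
    # spec: "any", ("host", ip) or (ip, mask); mask is taken as a wildcard mask
    # (0 bits must match) -- an assumption, this page does not define its form
    if spec == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    ip = lambda s: int(ipaddress.ip_address(s))
    return (ip(addr) | ip(spec[1])) == (ip(spec[0]) | ip(spec[1]))

def port_matches(spec, port):
    # spec: None (no port clause), ("eq", 22) or ("range", 1024, 65535)
    return spec is None or PORT_OPERATORS[spec[0]](port, *spec[1:])

def flags_match(rule, flags):
    # flags: set of TCP flag names drawn from ack, fin, psh, rst, syn, urg
    if rule.get("established"):          # assumption: ACK or RST bit set
        return bool(flags & {"ack", "rst"})
    if "match-any" in rule:              # at least one listed flag present
        return bool(flags & set(rule["match-any"]))
    if "match-all" in rule:              # every listed flag present
        return set(rule["match-all"]) <= flags
    return True

def add_deny_tcp(acl, rule, seq=None):
    # acl: dict sequence number -> rule; no sequence-num given means the
    # maximum existing number + 10 (10 for an empty ACL is an assumption)
    if seq is None:
        seq = max(acl, default=0) + 10
    acl[seq] = rule
    return seq

def first_deny(acl, pkt):
    # lowest sequence number whose deny tcp filter matches pkt, else None
    for seq, r in sorted(acl.items()):
        if (addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])
                and port_matches(r.get("src_port"), pkt["sport"])
                and port_matches(r.get("dst_port"), pkt["dport"])
                and flags_match(r, pkt["flags"])):
            return seq
    return None
```

The packet dictionaries below are constructed sample input; a real ACL evaluates each packet against filters in ascending sequence order, so the first matching deny filter decides.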
