Defining TCP and UDP match criteria
In a class configuration, you can enter match/ignore statements that more precisely define the TCP or UDP traffic to match in an IPv4 or IPv6 traffic class. For example, enter a port number as a match criterion that specifies one or more TCP source ports, destination ports, or both.
Context: Class configuration
Syntax:
no [seq-number] [match | ignore] {tcp | udp} source-address [operator tcp-src-port | udp-src-port] destination-address [operator tcp-dest-port [established] [tcp-flag tcp-flag ...] | udp-dest-port] [ip-dscp codepoint] [precedence precedence-value] [tos tos-value] [vlan vlan-id]
Examples:
switch(config-class)# match tcp host 10.20.10.17 eq 23 host 10.20.10.155 established
switch(config-class)# match tcp host 10.10.10.100 host 10.20.10.17 eq telnet
switch(config-class)# ignore udp 10.30.10.1/24 host 10.20.10.17 range 161 162
- operator {tcp-src-port | udp-src-port}
  To specify a TCP or UDP source port number as a match criterion, enter a comparison operator from the following list, followed by a TCP/UDP port number or well-known port name, immediately after the source-address value in the command.
Comparison operators:
- eq tcp/udp-port-number: Equal To; matches a packet with the same TCP or UDP source port number as tcp/udp-port-number.
- gt tcp/udp-port-number: Greater Than; matches any packet with a TCP or UDP source port number greater than tcp/udp-port-number.
- lt tcp/udp-port-number: Less Than; matches any packet with a TCP or UDP source port number less than tcp/udp-port-number.
- neq tcp/udp-port-number: Not Equal; matches any packet with a TCP or UDP source port number that is not equal to tcp/udp-port-number.
- range start-port-number end-port-number: matches any packet with a TCP or UDP source port number in the range start-port-number to end-port-number.
TCP/UDP well-known source-port names and numbers
Enter a comparison operator with the source TCP or UDP port number used by the applications you want to match. Valid port numbers are from 0 to 255. You can also enter well-known TCP or UDP port names as an alternative to the corresponding port number; for example:
- TCP: bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet
- UDP: bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp
To display a list of valid TCP/UDP source ports, enter ? after you enter an operator.
- operator {tcp-dest-port [established] [tcp-flag tcp-flag ...] | udp-dest-port}
  To specify a TCP or UDP destination port number as a match criterion, enter a comparison operator with a TCP/UDP port number or well-known port name immediately after the destination-address value in the command. The optional established and tcp-flag values apply only to TCP destination-port criteria.
TCP/UDP well-known destination-port names and numbers
The same operators, port numbers, and well-known names are supported for TCP/UDP destination-port match criteria as for TCP/UDP source-port criteria. To display a list of valid TCP/UDP destination ports, enter ? after you enter an operator.
- established
  (Optional) Applies only to TCP destination-port match criteria and matches only on the TCP Acknowledge (ACK) or Reset (RST) flags. The established keyword ignores the synchronizing packet associated with the establishment of a TCP connection in one direction on a port or VLAN, and matches all other IP traffic in the opposite direction. For example, a Telnet connection requires TCP traffic to move both ways between a host and the target device. If you configure a match statement for inbound Telnet traffic, policy actions are normally applied to Telnet traffic in both directions because responses to outbound requests are also matched. However, if you enter the established option, inbound Telnet traffic arriving in response to outbound Telnet requests is matched, but inbound Telnet traffic trying to establish a connection is not matched.
- tcp-flag tcp-flag ...
  (Optional) Applies only to TCP bit settings in packets destined to a TCP destination port configured as match criteria (with the tcp-dest-port parameter) and can be one or more of the following values:
  - ack: Acknowledge; matches TCP packets with the ACK flag set.
  - fin: Finish; matches TCP packets with the FIN flag set.
  - rst: Reset; matches TCP packets with the RST bit set.
  - syn: Synchronize; matches TCP packets with the SYN flag set.
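As an added example (not part of the switch documentation), the following Python models how the three statements shown above are evaluated against packets: the port comparison operators, host and prefix addresses, and the established and tcp-flag semantics. It assumes first-hit ordering among statements, that every listed tcp-flag must be set for a hit, and a constructed subset of the well-known port name table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
WELL_KNOWN = {"telnet": 23, "http": 80, "dns": 53, "snmp": 161, "snmp-trap": 162}  # subset of the page's names

def port_ok(op, args, port):
    """Apply one comparison operator (eq, gt, lt, neq, range) to a port number."""
    if op is None:                            # no operator given: any port matches
        return True
    a = [int(WELL_KNOWN.get(x, x)) for x in args]
    if op == "range":
        return a[0] <= port <= a[1]
    return {"eq": port == a[0], "gt": port > a[0], "lt": port < a[0], "neq": port != a[0]}[op]

def addr_ok(spec, addr):
    # "host A.B.C.D" is a /32; "A.B.C.D/len" is a prefix (strict=False masks off host bits)
    prefix = spec.split()[1] + "/32" if spec.startswith("host") else spec
    return ip_address(addr) in ip_network(prefix, strict=False)

@dataclass
class Rule:
    action: str                               # "match" or "ignore"
    proto: str                                # "tcp" or "udp"
    src: str
    dst: str
    src_op: str = None
    src_args: tuple = ()
    dst_op: str = None
    dst_args: tuple = ()
    established: bool = False                 # hit only if ACK or RST is set
    flags: frozenset = frozenset()            # every listed flag must be set (assumption)

def rule_hits(r, pkt):
    """True when the packet satisfies every criterion of one match/ignore statement."""
    return (pkt["proto"] == r.proto
            and addr_ok(r.src, pkt["src"]) and addr_ok(r.dst, pkt["dst"])
            and port_ok(r.src_op, r.src_args, pkt["sport"])
            and port_ok(r.dst_op, r.dst_args, pkt["dport"])
            and (not r.established or bool(pkt["flags"] & {"ack", "rst"}))  # a bare SYN never hits
            and r.flags <= pkt["flags"])

def classify(rules, pkt):
    """First statement that hits decides (assumed ordering); None means the class does not apply."""
    return next((r.action for r in rules if rule_hits(r, pkt)), None)

RULES = [  # the three statements from the page, in the order shown
    Rule("match", "tcp", "host 10.20.10.17", "host 10.20.10.155", src_op="eq", src_args=("23",), established=True),
    Rule("match", "tcp", "host 10.10.10.100", "host 10.20.10.17", dst_op="eq", dst_args=("telnet",)),
    Rule("ignore", "udp", "10.30.10.1/24", "host 10.20.10.17", dst_op="range", dst_args=("161", "162")),
]
```

A server-side SYN/ACK on port 23 toward 10.20.10.155 hits the first statement, while a bare SYN on the same addresses hits nothing, which is the established behaviour described above.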