Comparison operators and well-known port names

The established option applies only where TCP is the configured IPv6 protocol type. It blocks the synchronizing packet associated with establishing a new TCP connection, while allowing all other IPv6 traffic for existing connections.

For example, a Telnet connection requires TCP traffic to move both ways between a host and the target device. Simply applying a deny to inbound Telnet traffic on a VLAN prevents Telnet sessions in either direction, because responses to outbound requests are blocked. However, with the established option, inbound Telnet traffic arriving in response to outbound Telnet requests is permitted, but inbound Telnet traffic trying to establish a new connection is denied.

The established and dscp options are mutually exclusive in a given ACE.

Configuring established and any combination of TCP control bits in the same ACE is supported, but established must precede any TCP control bits configured in the ACE.
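The Telnet case described above, as an added Python model; it is not from the original documentation and is not switch configuration syntax. It assumes that established matches segments with the ACK or RST bit set, the usual meaning of the keyword in stateless ACLs; the class names, function names and sample segments are constructed for illustration.

```python
from dataclasses import dataclass

TELNET = 23

@dataclass
class Segment:                  # one inbound TCP segment (constructed sample data)
    sport: int
    dport: int
    flags: set                  # control bits set, e.g. {"syn", "ack"}

@dataclass
class Ace:                      # hypothetical model of one ACE, not CLI syntax
    action: str                 # "permit" or "deny"
    port: int                   # matches when this is the source or destination port
    established: bool = False

    def matches(self, seg):
        if self.port not in (seg.sport, seg.dport):
            return False
        if self.established:
            # Assumption: established = ACK or RST set. This is a header-flag
            # test only; the ACL keeps no table of open connections.
            return bool(seg.flags & {"ack", "rst"})
        return True

def evaluate(acl, seg):
    """Return the action of the first matching ACE; no match means deny."""
    for ace in acl:
        if ace.matches(seg):
            return ace.action
    return "deny"

# Constructed inbound segments, as seen on the VLAN where the ACL is applied.
SAMPLES = {
    "reply SYN+ACK to outbound request": Segment(TELNET, 50000, {"syn", "ack"}),
    "reply data on existing session": Segment(TELNET, 50000, {"ack"}),
    "reset of existing session": Segment(TELNET, 50000, {"rst"}),
    "new inbound connection attempt": Segment(50001, TELNET, {"syn"}),
}

PLAIN_DENY = [Ace("deny", TELNET)]
WITH_ESTABLISHED = [Ace("permit", TELNET, established=True), Ace("deny", TELNET)]

def verdicts(acl):
    return {name: evaluate(acl, seg) for name, seg in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("plain deny", PLAIN_DENY), ("established", WITH_ESTABLISHED)):
        for name, action in verdicts(acl).items():
            print(f"{label:12} {action:7} {name}")
```

With the plain deny, every sample is dropped, including the replies to outbound sessions; with the established ACE placed first, only the new inbound connection attempt is denied.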

TCP control bits

In a given ACE for filtering TCP traffic, you can configure one or more of these options:

[ ack ]

Acknowledgement

[ fin ]

Sender finished

[ rst ]

Connection reset

[ syn ]

TCP control bit: sequence number synchronize