Configuring a connection-rate ACL using UDP/TCP criteria
To configure a connection-rate ACL using source IP address criteria, see Configuring a connection-rate ACL using source IP address criteria.
Syntax
ip access-list connection-rate-filter crf-list-name
Creates a connection-rate-filter ACL and puts the CLI into the ACE context:
switch(config-crf-nacl)#
If the ACL already exists, this command simply puts the CLI into the ACE context.
Syntax
< filter | ignore > < udp | tcp > < any >
< filter | ignore > < udp | tcp > < host ip-addr > [ udp/tcp-options ]
< filter | ignore > < udp | tcp > ip-addr mask-length [ udp/tcp-options ]
Used in the ACE context (above) to specify the action of the connection-rate ACE (filter or ignore), the UDP/TCP criteria, and the source address (SA) of the IP traffic that the ACE affects.
< filter | ignore >
filter
This option assigns a policy of filtering (dropping) IP traffic having an SA that matches the source address criteria in the ACE.
ignore
This option specifies a policy of allowing IP traffic having an SA that matches the source address criteria in the ACE.
< udp | tcp > < any | host ip-addr | ip-addr mask-length >
Applies the filter or ignore action to either TCP packets or UDP packets having the specified SA.
any
Applies the ACE's action (filter or ignore) to IP traffic having any SA.
host <ip-addr>
Applies the ACE's action (filter or ignore) to IP traffic having the specified host SA.
ip-addr <mask-length>
Applies the ACE's action (filter or ignore) to IP traffic having an SA within the range defined by either <src-ip-addr/cidr-mask-bits> or <src-ip-addr <mask>>.
Use this criterion for traffic received from either a subnet or a group of IP addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits. See Using an ACL in a connection-rate configuration example.
[udp/tcp-options]
destination-port <tcp-data> [ source-port <tcp-data> ]
source-port <tcp-data> [ destination-port <tcp-data> ]
destination-port <udp-data> [ source-port <udp-data> ]
source-port <udp-data> [ destination-port <udp-data> ]
tcp-data: operator tcp-port-#
udp-data: operator udp-port-#
operator < eq | gt | lt | neq | range >
eq <port-nbr-or-name>
"Equal To": To match the ACE, the TCP or UDP port number selected by the keyword (destination-port or source-port) must be equal to the specified port number.
gt <port-nbr-or-name>
"Greater Than": To match the ACE, the TCP or UDP port number selected by the keyword (destination-port or source-port) must be greater than the specified port number.
lt <port-nbr-or-name>
"Less Than": To match the ACE, the TCP or UDP port number selected by the keyword (destination-port or source-port) must be less than the specified port number.
neq <port-nbr-or-name>
"Not Equal": To match the ACE, the TCP or UDP port number selected by the keyword (destination-port or source-port) must not be equal to the specified port number.
range <start-port-nbr/name> <end-port-nbr/name>
"Range": To match the ACE, the TCP or UDP port number selected by the keyword (destination-port or source-port) must be in the range <start-port-nbr/name> to <end-port-nbr/name>.
tcp-data or udp-data
TCP or UDP Port Number or (Well-Known) Port Name:
Use the TCP or UDP port number required for the desired match. The switch also accepts the following well-known TCP or UDP port names as alternates to their corresponding port numbers:
TCP/UDP-PORT: Specify port by number.
bootpc: Bootstrap Protocol, client (68)
bootps: Bootstrap Protocol, server (67)
dns: Domain Name Service (53)
ntp: Network Time Protocol (123)
radius: Remote Authentication Dial-In User Service (1812)
radius-old: Remote Authentication Dial-In User Service (1645)
rip: Routing Information Protocol (520)
snmp: Simple Network Management Protocol (161)
snmp-trap: Simple Network Management Protocol (162)
tftp: Trivial File Transfer Protocol (69)
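The following CLI session is an added example built from the syntax above; it is not taken from the manual or from the switch's own documentation. The list name CRF-Servers, the addresses 10.10.20.5, 10.10.20.6, 10.10.30.0/24, 10.10.40.0/24 and 10.10.0.0/16, and the port choices are constructed for illustration. It exempts a DNS server and an NTP server from connection-rate filtering by their source port, exempts a mail subnet's SMTP traffic and a RADIUS subnet's authentication and accounting traffic by destination port, and explicitly filters the rest of the 10.10.0.0/16 TCP traffic other than port 22 and all UDP traffic from any source:

```text
switch(config)# ip access-list connection-rate-filter CRF-Servers
switch(config-crf-nacl)# ignore udp host 10.10.20.5 source-port eq dns
switch(config-crf-nacl)# ignore udp host 10.10.20.6 source-port eq ntp
switch(config-crf-nacl)# ignore tcp 10.10.30.0/24 destination-port eq 25 source-port gt 1023
switch(config-crf-nacl)# ignore udp 10.10.40.0/24 destination-port range 1812 1813
switch(config-crf-nacl)# filter tcp 10.10.0.0/16 destination-port neq 22
switch(config-crf-nacl)# filter udp any
switch(config-crf-nacl)# exit
switch(config)#
```

The ignore entries for the servers are entered before the broader filter entries on the assumption of first-match evaluation; the page does not state the evaluation order, so confirm it for your platform before relying on overlapping ACEs. Only the CIDR mask form is used here because this page does not say whether a dotted-decimal mask is read as a subnet mask or as an ACL (wildcard) mask; check your switch's ACL mask convention before using that form. Applying the list to ports and choosing the connection-rate sensitivity are covered in the configuration example the page refers to, not here.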