deny tcp

To configure the TCP packets to be to be rejected based on the associated parameters, use the command deny tcp in Extended ACL IP Configuration Mode.

deny

deny { tcp }

{ {any } { | host } { <src-ip-address>} } { | <src-ip-address>} } { <src-mask>} }

{ [{gt } { <port-number (1-65535)> } { | lt } { <port-number (1-65535)> } { | eg } { <port-number (1-65535)> } { | range } { <port-number (1-65535)> } { <port-number (1-65535)>}] }

{ {any } { | host } { <dest-ip-address>} } { | <dest-ip-address>} } { <dest-mask>} }

{ [{gt } { <port-number (1-65535)> } { | lt } { <port-number (1-65535)> } { | eg } { <port-number (1-65535)> } { | range } { <port-number (1-65535)> } { <port-number (1-65535)>}] } { [{ack } { | rst}] }

{ [{tos } { {max-reliability } { | max-throughput } { | min-delay } { | normal } { |<value(0-7)>} } { | dscp <value (0-63)>}] } { {priority } { <value (1-255)>}] }

{ [svlan-id } { <vlan-id (1-4094)>] } { [svlan-priority } { <value (0-7)>] } { [cvlan-id } { <vlan-id (1-4094)>] } { [cvlan-priority } { <value (0-7)>] }

{ [{single-tag } { | double-tag}] }

Parameters

Parameter	Type	Description
`tcp`		Enter to configure the TCP packets to be rejected based on the associated parameters.
`any`		Enter to specify that TCP packets can be denied from any source.
`host`		Enter to specify the host source IPv4 address from which the packets are denied. Note: Both source and destination port cannot be configured. Only either source or the destination port range can be configured.
`<src-ip-address>`		Enter a value for the host source IPv4 address from which the packets are denied.
`<src-mask>`		Enter to specify the network mask to be used with the destination IP address.
`gt`		Enter to deny only the TCP control packets having the TCP source port numbers greater than the specified port number.
`<port-number (1-65535)>`		Enter a value for the port number. This value ranges from 1 to 65535.
`lt`		Enter to deny only the TCP control packets having the TCP source port numbers lesser than the specified port number.
`<port-number (1-65535)>`		Enter a value for the port number. This value ranges from 1 to 65535.
`eq`		Enter to deny only the TCP control packets having the specified TCP source port number.
`<port-number (1-65535)>`		Enter a value for the port number. This value ranges from 1 to 65535.
`range`		Enter to deny only the TCP control packets having the TCP source port numbers within the specified range.
`<port-number (1-65535)>`		Enter a value for the port number. This value ranges from 1 to 65535.
`any`		Enter to specify that TCP packets can be forwarded to any destination.
`host`		Enter to specify the host destination IPv4 address to be used for forwarding the packets. Note: Both source and destination port cannot be configured. Only either source or the destination port range can be configured.
`<dest-ip-address>`		Enter a value for the host destination IPv4 address to which the packets are denied.
`<dest-mask>`		Enter to specify the network mask to be used with the destination IP address.
`gt`		Enter to deny only the TCP control packets having the TCP destination port numbers greater than the specified port number.
`<port-number (1-65535)>`		Enter a value for the port number. This value ranges from 1 to 65535.
`lt`		Enter to deny only the TCP control packets having the TCP destination port numbers lesser than the specified port number.
`<port-number (1-65535)>`		Enter a value for the port number. This value ranges from 1 to 65535.
`eq`		Enter to deny only the TCP control packets having the specified TCP destination port number.
`<port-number (1-65535)>`		Enter a value for the port number. This value ranges from 1 to 65535.
`range`		Enter to deny only the TCP control packets having the TCP destination port numbers within the specified range.
`<port-number (1-65535)>`		Enter a value for the port number. This value ranges from 1 to 65535.
`ack`		Enter to configure the TCP ACK bit to be checked against the packet.
`rst`		Enter to configure the TCP RST bit to be checked against the packet.
`tos`		Enter to deny the TCP packets based on the following type of service configuration.
`max-reliability`		Enter to deny the TCP packets having TOS field set as high reliability.
`max-throughput`		Enter to deny the TCP packets having TOS field set as high throughput.
`min-delay`		Enter to deny the TCP packets having TOS field set as low delay
`normal`		Enter to deny all TCP packets. Does not check for the TOS field in the packets.
`<value(0-7)>`		Enter to deny the protocol packets based on the TOS value set. This value ranges from 0 to 7. This value represents different combination of TOS. 0 - Denies all protocol packets. Does not check for the TOS field in the packets. 1 - Denies the protocol packets having TOS field set as high reliability. 2 - Denies the protocol packets having TOS field set as high throughput. 3 - Denies the protocol packets having TOS field set either as high reliability or high throughput. 4 - Denies the protocol packets having TOS field set as low delay. 5 -Denies the protocol packets having TOS field set either as low delay or high reliability. 6 - Denies the protocol packets having TOS field set either as low delay or high throughput. 7 - Denies the protocol packets having TOS field set either as low delay or high reliability or high throughput.
`dscp`		Enter to configure the Differentiated Services Code Point (DSCP) value to be checked against the packet
`<value((0-63))>`		Enter a DSCP value. This value provides the quality of service control. This value ranges from 0 to 63.
`priority`		Enter to configure the priority of the filter to decide which filter rule is applicable when the packet matches with more than one filter rules. Higher value of ‘filter priority’ implies a higher priority.
`<short (1-255)>`		Enter a priority value. This value ranges from 1 to 255.
`svlan-id`		Enter to configure Service VLAN value to match against incoming packets.
`<vlan-id (1-4094)>`		Enter a value for Service VLAN. This value ranges from 1 to 4094.
`svlan-priority`		Enter to specify Service VLAN related configuration.
`<value (0-7)>`		Enter a Service VLAN ID value. This value ranges from 0 to 7.
`cvlan-id`		Enter to configure Customer VLAN value to be matched against incoming packets.
`<vlan-id (1-4094)>`		Enter a value for customer VLAN. This value ranges from 1 to 4094.
`cvlan-priority`		Enter to configure Customer priority value to be matched against incoming packets.
`<value (0-7)>`		Enter a Customer vlan ID value. This value ranges from 0 to 7.
`double-tag`		Enter to specify that the filter is to be applied on double VLAN tagged packets
`single-tag`		Enter to specify that the filter is to be applied on Single VLAN tagged packets

Mode

Extended ACL IP Configuration Mode

Default

any -Source and Destination address are not checked.
gt - 0 (the packets are not checked for TCP port number)
lt - 0 (the packets are not checked for TCP port number)
eq - 0 (the packets are not checked for TCP port number)
range - 0 for minimum port number, 65535 for maximum port number.
tos-value - 0
dscp - 1
priority - 1
svlan-id - 0
svlan-priority - 1
cvlan-id - 0
cvlan-priority - 1
single-tag | double-tag - Single tag

Examples

iS5Comm (config)# ip access-list extended 1001

iS5Comm (config-ext-nacl)# deny tcp any any priority 2