Cisco Nexus 5500 Series Command Reference Manual page 96

deny tcp (IPv6)
flags
established
Command Default
None
Command Modes
IPv6 ACL configuration
Command History Release
5.2(1)N1(1)
Usage Guidelines
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL.
The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of
more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method
you use to specify one of these arguments does not affect how you specify the other. When you configure
a rule, use the following methods to specify the source and destination arguments:
•
•
Cisco Nexus 5500 Series NX-OS Security Command Reference
82
(Optional) Rule matches only packets that have specific TCP control bit
flags set. The value of the flags argument must be one or more of the
following keywords:
•
•
•
•
•
•
(Optional) Specifies that the rule matches only packets that belong to an
established TCP connection. The device considers TCP packets with the
ACK or RST bits set to belong to an established connection.
Modification
This command was introduced.
Address and variable-length subnet mask—You can use an IPv6 address followed by a
variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The
syntax is as follows:
IPv6-address/prefix-len
This example shows how to specify the source argument with the IPv6 address and VLSM for the
2001:0db8:85a3:: network:
switch(config-acl)# deny tcp 2001:0db8:85a3::/48 any
Host address—You can use the host keyword and an IPv6 address to specify a host as a source or
destination. The syntax is as follows:
host IPv6-address
ack
fin
psh
rst
syn
urg
Chapter D Commands
OL-27883-02