Table 546 Parameters for advanced IPv4 ACL rules

| Parameter | Function | Description |
|---|---|---|
| reflective | Specifies the rule to be reflective. | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and its statement can only be permit. |
| vpn-instance vpn-instance-name | Specifies a VPN instance. | The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. |
| fragment | Indicates that the rule applies only to non-first fragments. | With this keyword not provided, the rule is effective to both non-fragments and fragments. |
| time-range time-name | Specifies the time range in which the rule can take effect. | The time-name argument comprises 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all. |

If the protocol argument is set to tcp or udp, you may define the parameters in the following table.

Table 547 TCP/UDP-specific parameters for advanced IPv4 ACL rules

| Parameter | Function | Description |
|---|---|---|
| source-port operator port1 [ port2 ] | Defines a UDP or TCP source port against which UDP or TCP packets are matched. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), and range (inclusive range). port1, port2: TCP or UDP port number, represented by a number in the range 0 to 65535. TCP port number can be represented in words as follows: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), or www (80). UDP port number can be represented in words as follows: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177). |
| destination-port operator port1 [ port2 ] | Defines a UDP or TCP destination port against which UDP or TCP packets are matched. | The operator, port1, and port2 arguments take the same values as for source-port. |
| established | Defines the rule for TCP connection packets. | A keyword specific to TCP. On a router, with this keyword, the rule matches the TCP connection packets with the ACK or RST flag. |

If the protocol argument is set to icmp, you may define the parameters in the following table.
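The port operators, the separate TCP and UDP port-name tables, the established keyword and the fragment keyword in the tables above are easy to misread when writing a rule. The following is an added toy matcher written for this page; it is not Comware code and does not model the device's real ACL engine. The Packet and Rule classes, their field names, and the sample packets are assumptions constructed for illustration. It shows that the same name can resolve to different numbers per protocol (cmd is TCP 514, syslog is UDP 514), that established matches only TCP packets carrying ACK or RST, and that a rule with fragment matches only non-first fragments while a rule without it matches fragments and non-fragments alike.

```python
"""Toy matcher for the advanced IPv4 ACL rule semantics in Tables 546/547.

Added illustration only, not the vendor's implementation. Models:
  * source-port / destination-port with operators lt, gt, eq, neq, range
  * per-protocol port-name tables (TCP and UDP names differ)
  * established -> TCP packets with the ACK or RST flag set
  * fragment    -> only non-first fragments; omitted -> both kinds match
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Port names as listed in Table 547.
TCP_PORT_NAMES = {
    "chargen": 19, "bgp": 179, "cmd": 514, "daytime": 13, "discard": 9,
    "domain": 53, "echo": 7, "exec": 512, "finger": 79, "ftp": 21,
    "ftp-data": 20, "gopher": 70, "hostname": 101, "irc": 194,
    "klogin": 543, "kshell": 544, "login": 513, "lpd": 515, "nntp": 119,
    "pop2": 109, "pop3": 110, "smtp": 25, "sunrpc": 111, "tacacs": 49,
    "talk": 517, "telnet": 23, "time": 37, "uucp": 540, "whois": 43,
    "www": 80,
}
UDP_PORT_NAMES = {
    "biff": 512, "bootpc": 68, "bootps": 67, "discard": 9, "dns": 53,
    "dnsix": 90, "echo": 7, "mobilip-ag": 434, "mobilip-mn": 435,
    "nameserver": 42, "netbios-dgm": 138, "netbios-ns": 137,
    "netbios-ssn": 139, "ntp": 123, "rip": 520, "snmp": 161,
    "snmptrap": 162, "sunrpc": 111, "syslog": 514, "tacacs-ds": 65,
    "talk": 517, "tftp": 69, "time": 37, "who": 513, "xdmcp": 177,
}

TCP_ACK = 0x10  # standard TCP flag bit values (constructed constants)
TCP_RST = 0x04


def resolve_port(protocol: str, port) -> int:
    """Accept a number 0-65535 or a protocol-specific port name."""
    if isinstance(port, int):
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} outside 0-65535")
        return port
    table = TCP_PORT_NAMES if protocol == "tcp" else UDP_PORT_NAMES
    if port not in table:
        raise ValueError(f"{port!r} is not a valid {protocol} port name")
    return table[port]


def port_matches(operator: str, port1: int, port2: Optional[int], actual: int) -> bool:
    """Apply one of lt, gt, eq, neq, range to the packet's port."""
    if operator == "lt":
        return actual < port1
    if operator == "gt":
        return actual > port1
    if operator == "eq":
        return actual == port1
    if operator == "neq":
        return actual != port1
    if operator == "range":
        if port2 is None:
            raise ValueError("range requires both port1 and port2")
        return port1 <= actual <= port2
    raise ValueError(f"unknown operator {operator!r}")


@dataclass
class Packet:
    """Constructed packet summary: only the fields an ACL rule inspects.
    Non-first fragments carry no L4 header, so their ports are None."""
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: int = 0        # bitmask, meaningful only for TCP
    frag_offset: int = 0      # 0 = first fragment or unfragmented


@dataclass
class Rule:
    protocol: str
    source_port: Optional[Tuple[str, object, object]] = None       # (operator, port1, port2)
    destination_port: Optional[Tuple[str, object, object]] = None
    established: bool = False
    fragment: bool = False

    def __post_init__(self):
        if self.established and self.protocol != "tcp":
            raise ValueError("established is specific to TCP")

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol:
            return False
        # fragment keyword: only non-first fragments (offset > 0) match.
        if self.fragment and pkt.frag_offset == 0:
            return False
        # established: ACK or RST must be set.
        if self.established and not (pkt.tcp_flags & (TCP_ACK | TCP_RST)):
            return False
        for spec, actual in ((self.source_port, pkt.src_port),
                             (self.destination_port, pkt.dst_port)):
            if spec is None:
                continue
            if actual is None:          # no L4 header to compare against
                return False
            op, p1, p2 = spec
            p1 = resolve_port(self.protocol, p1)
            p2 = resolve_port(self.protocol, p2) if p2 is not None else None
            if not port_matches(op, p1, p2, actual):
                return False
        return True
```

A rule such as `Rule("tcp", destination_port=("eq", "www", None), established=True)` rejects a bare SYN to port 80 but accepts the ACK-bearing packets of an existing connection, which is the usual reason to pair established with a permit for return traffic.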