TCP Flags - edge port security

The edge port security feature works in combination with IP ACL rules and supports all six classic TCP flags carried in byte 13 (offset 13) of the TCP header. A leading + requires the flag to be set and a leading - requires it to be clear:

  • +|- urg = Urgent
  • +|- ack = Acknowledge
  • +|- psh = Push
  • +|- rst = Reset
  • +|- syn = Synchronize
  • +|- fin = Finish

TCP flags can be combined with other ACL functions (such as dscp-marking and traffic policies), giving you greater flexibility when designing ACLs.

The TCP flags feature offers two options, match-all and match-any:

  • Match-any - Incoming TCP traffic matches the rule if any one of the TCP flag conditions configured in the match-any rule is satisfied. In content-addressable memory (CAM) hardware the rule expands to one entry per configured flag, so the number of ACL entries equals the number of configured flags.
  • Match-all - Incoming TCP traffic matches the rule only if every TCP flag condition configured in the match-all rule is satisfied. In CAM hardware this consumes a single entry regardless of how many flags are configured.
NOTE
The match-all option is not supported on ICX 7750 and ICX 7450 devices.

device(config-ext-nACL)#permit tcp 10.1.1.1 0.0.0.255 eq 100 10.2.2.2 0.0.0.255 eq 300 match-all +urg +ack +syn -rst

This command consumes a single CAM entry that encodes all four configured flag conditions (urg, ack, syn, and rst): it matches TCP segments from 10.1.1.0/24 source port 100 to 10.2.2.0/24 destination port 300 that have URG, ACK, and SYN set and RST clear.
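To make the match-all / match-any distinction concrete, the following is an added example (not ICX firmware or Ruckus code) that models a flag rule such as +urg +ack +syn -rst as CAM-style (value, mask) ternary entries, expands it under each option, and evaluates it against raw TCP headers. The header builder, the sample flag values and the function names are assumptions made for this illustration; the ASIC's real CAM encoding is not documented on this page.

```python
"""
Added example: match-all vs match-any TCP-flag rules as ternary CAM entries.
Not ICX or Ruckus code; the rule syntax is borrowed from the ACL example above.
"""
from __future__ import annotations
import struct

# Bit positions of the six classic flags in byte 13 of the TCP header.
TCP_FLAG_BITS = {
    "fin": 0x01,
    "syn": 0x02,
    "rst": 0x04,
    "psh": 0x08,
    "ack": 0x10,
    "urg": 0x20,
}


def tcp_flags(tcp_header: bytes) -> int:
    """Return the six classic flag bits from offset 13 of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return tcp_header[13] & 0x3F


def parse_flag_spec(spec: str) -> list[tuple[str, bool]]:
    """Parse '+urg +ack -rst' into [('urg', True), ('ack', True), ('rst', False)]."""
    terms = []
    for tok in spec.split():
        if len(tok) < 2 or tok[0] not in "+-" or tok[1:] not in TCP_FLAG_BITS:
            raise ValueError(f"bad flag token: {tok!r}")
        terms.append((tok[1:], tok[0] == "+"))
    return terms


def cam_entries(mode: str, spec: str) -> list[tuple[int, int]]:
    """
    Expand a rule into (value, mask) entries; a packet matches an entry when
    (flags & mask) == value.  match-all yields one entry covering every
    configured flag, match-any yields one entry per configured flag, which is
    exactly the CAM usage difference described in the documentation.
    """
    terms = parse_flag_spec(spec)
    if mode == "match-all":
        value = mask = 0
        for name, want_set in terms:
            bit = TCP_FLAG_BITS[name]
            mask |= bit
            if want_set:
                value |= bit
        return [(value, mask)]
    if mode == "match-any":
        return [((TCP_FLAG_BITS[n] if s else 0), TCP_FLAG_BITS[n]) for n, s in terms]
    raise ValueError(f"unknown mode: {mode!r}")


def rule_matches(mode: str, spec: str, tcp_header: bytes) -> bool:
    """True if the segment's flags hit any of the rule's CAM entries."""
    flags = tcp_flags(tcp_header)
    return any((flags & mask) == value for value, mask in cam_entries(mode, spec))


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (hypothetical helper): data offset 5, no options."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, flags, 65535, 0, 0)


if __name__ == "__main__":
    rule = "+urg +ack +syn -rst"
    samples = {  # constructed flag combinations
        "SYN only": 0x02,
        "URG+ACK+SYN": 0x32,
        "URG+ACK+SYN+RST": 0x36,
        "RST+ACK": 0x14,
    }
    for mode in ("match-all", "match-any"):
        print(f"{mode}: {len(cam_entries(mode, rule))} CAM entr(y/ies)")
        for label, bits in samples.items():
            hdr = build_tcp_header(100, 300, bits)
            print(f"  {label:16} -> {rule_matches(mode, rule, hdr)}")
```

In this model match-all fires only for the URG+ACK+SYN segment with RST clear, while match-any fires for a bare SYN and even for RST+ACK (the +ack term alone is satisfied). Note also that a negated term such as -rst under match-any is satisfied by every segment without RST, so mixing negated flags into a match-any rule makes it far broader than it looks; verify the intended behaviour on the target platform before relying on it.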