Filtering Based on TCP Header Flags

Problem

You want to filter on the flag bits in the TCP header.

Solution

The following ACL blocks several illegal combinations of TCP header flags:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg
Router1(config)#access-list 161 deny tcp any any rst syn
Router1(config)#access-list 161 deny tcp any any rst syn fin
Router1(config)#access-list 161 deny tcp any any rst syn fin ack
Router1(config)#access-list 161 deny tcp any any syn fin
Router1(config)#access-list 161 deny tcp any any syn fin ack
Router1(config)#end
Router1#

Beginning with IOS Version 12.3(4)T, Cisco changed the format of TCP flag filtering, while still maintaining support for the legacy method. The following is the same example as above using the new TCP flag filtering method:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list extended TCPFLAGFILTER
Router2(config-ext-nacl)#deny tcp any any match-all +ack +fin +psh +rst +syn +urg
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin +ack
Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin
Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin +ack
Router2(config-ext-nacl)#end
Router2#
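To make the matching semantics of the new syntax concrete, the following is an added Python model (not from the book, and not Cisco code) of how the `match-all`/`match-any` keywords with `+flag`/`-flag` conditions evaluate against the flag bits of a raw TCP header. It reuses the six entries of the TCPFLAGFILTER list above, builds a few constructed 20-byte TCP headers, and walks the list in order with the usual first-match-wins rule and an implicit deny when nothing matches. The legacy (pre-12.3(4)T) multi-flag syntax is deliberately not modelled here, since only the new form has explicit all/any semantics.

```python
import struct

# TCP flag bits as they appear in byte 13 of the TCP header
# (the low six bits of the data-offset/flags word). CWR/ECE are
# omitted because the ACL syntax on this page does not use them.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def tcp_flags_from_header(tcp_header):
    """Return the set of flag names that are set in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    flags_byte = tcp_header[13]
    return {name for name, bit in TCP_FLAGS.items() if flags_byte & bit}


def make_tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (no options) with the given flags set.
    Sequence/ack numbers and checksum are zero; only the flag byte matters here."""
    flags_byte = 0
    for name in flags:
        flags_byte |= TCP_FLAGS[name]
    data_offset = 5  # 5 x 32-bit words = 20 bytes, stored in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset << 4, flags_byte, 65535, 0, 0)


def parse_flag_spec(spec):
    """Parse 'match-all +rst +syn -ack' into ('match-all', [(flag, must_be_set), ...])."""
    tokens = spec.split()
    mode = tokens[0]
    if mode not in ("match-all", "match-any"):
        raise ValueError("mode must be match-all or match-any: %r" % mode)
    conditions = []
    for tok in tokens[1:]:
        if len(tok) < 2 or tok[0] not in "+-" or tok[1:] not in TCP_FLAGS:
            raise ValueError("bad flag condition %r" % tok)
        conditions.append((tok[1:], tok[0] == "+"))
    if not conditions:
        raise ValueError("at least one +flag/-flag condition is required")
    return mode, conditions


def flags_match(flags, spec):
    """True when the packet's flag set satisfies the spec.
    match-all: every listed condition holds; match-any: at least one holds.
    Flags not mentioned in the spec are ignored either way."""
    mode, conditions = parse_flag_spec(spec)
    results = [(name in flags) == must_be_set for name, must_be_set in conditions]
    return all(results) if mode == "match-all" else any(results)


def evaluate_acl(acl, flags):
    """Walk the ACL entries in order; first match wins. Returns (action, index)
    where index is the matching entry, or -1 for the implicit deny at the end."""
    for index, (action, spec) in enumerate(acl):
        if flags_match(flags, spec):
            return action, index
    return "deny", -1


# The six entries of the TCPFLAGFILTER list from the page, in order.
TCPFLAGFILTER = [
    ("deny", "match-all +ack +fin +psh +rst +syn +urg"),
    ("deny", "match-all +rst +syn"),
    ("deny", "match-all +rst +syn +fin"),
    ("deny", "match-all +rst +syn +fin +ack"),
    ("deny", "match-all +syn +fin"),
    ("deny", "match-all +syn +fin +ack"),
]

# Assumed trailing entry, not on the page: without a permit of some kind the
# implicit deny at the end drops every packet, including a normal SYN.
TCPFLAGFILTER_WITH_PERMIT = TCPFLAGFILTER + [("permit", "match-any +ack -ack")]


def classify(acl, flag_names):
    """Convenience wrapper: build a constructed header with the given flags,
    extract its flag bits again, and evaluate it against the ACL."""
    header = make_tcp_header(40000, 80, flag_names)
    return evaluate_acl(acl, tcp_flags_from_header(header))


if __name__ == "__main__":
    for sample in (["syn"], ["syn", "fin"], ["rst", "syn", "fin"], ["ack", "psh"]):
        print(sorted(sample), "->", classify(TCPFLAGFILTER_WITH_PERMIT, sample))
```

Two things the model makes visible: `match-all` only constrains the flags it lists, so a packet carrying RST, SYN and FIN is already caught by the shorter `+rst +syn` entry before the longer `+rst +syn +fin` entry is reached; and because every entry on the page is a deny, the list as shown is only useful when placed ahead of the permits in a larger ACL (or followed by one), otherwise the implicit deny drops all TCP traffic.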

Discussion

There ...
