Cisco

The cisco header designation has the following format:

target:: cisco [filter name] {extended|standard|object-group|object-group-inet6|inet6|mixed} {dsmo}
  • filter name: defines the name or number of the cisco filter.
  • extended: specifies that the output should be an extended access list, and the filter name should be non-numeric. This is the default option.
  • standard: specifies that the output should be a standard access list, and the filter name should be numeric and in the range of 1-99.
  • object-group: specifies this is a cisco extended access list, and that object-groups should be used for ports and addresses.
  • object-group-inet6: specifies this is a cisco extended ipv6 access list, and that object-groups should be used for ports and addresses.
  • inet6: specifies that the output is for IPv6-only filters.
  • mixed: specifies that the output will include both IPv4 and IPv6 filters.
  • dsmo: Enable discontinuous subnet mask summarization.

When inet4 or inet6 is specified, naming tokens that contain both IPv4 and IPv6 addresses are rendered using only the addresses of the specified family.

The default format is inet4, and is implied if no other argument is given.
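The header rules above (one format keyword, extended by default, numeric 1-99 names only for standard ACLs, non-numeric names for extended ACLs, optional dsmo) are easy to get wrong in a hand-written policy. The following is an added example written for this page, not Capirca's own header parser: it parses a `target:: cisco ...` line and rejects headers that violate those rules. The sample header lines are constructed for the example, and applying the non-numeric-name rule to the object-group, inet6 and mixed formats (the page only states it for extended) is an assumption.

```python
from dataclasses import dataclass

# Output formats the page documents for the cisco target; "extended" is the default.
FORMATS = ("extended", "standard", "object-group", "object-group-inet6", "inet6", "mixed")


class HeaderError(ValueError):
    """Raised when a 'target:: cisco' header violates the documented rules."""


@dataclass(frozen=True)
class CiscoHeader:
    filter_name: str
    acl_format: str
    dsmo: bool = False


def parse_cisco_target(line: str) -> CiscoHeader:
    """Parse and validate 'target:: cisco [filter name] {format} {dsmo}'.

    Illustrative parser for this page, not Capirca's; it enforces the
    constraints the page states.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "target::" or tokens[1] != "cisco":
        raise HeaderError(f"not a cisco target header: {line!r}")
    filter_name, options = tokens[2], tokens[3:]

    formats = [opt for opt in options if opt in FORMATS]
    if len(formats) > 1:
        # The format keywords are alternatives, so more than one is a policy error.
        raise HeaderError(f"conflicting formats in header: {formats}")
    acl_format = formats[0] if formats else "extended"

    unknown = [opt for opt in options if opt not in FORMATS and opt != "dsmo"]
    if unknown:
        raise HeaderError(f"unknown header option(s): {unknown}")
    dsmo = "dsmo" in options

    if acl_format == "standard":
        # Standard ACLs must be numbered 1-99.
        if not (filter_name.isdigit() and 1 <= int(filter_name) <= 99):
            raise HeaderError(f"standard ACL needs a numeric name in 1-99, got {filter_name!r}")
    elif filter_name.isdigit():
        # The page requires a non-numeric name for extended ACLs; applying the same
        # rule to the other named formats is an assumption of this example.
        raise HeaderError(f"{acl_format} ACL needs a non-numeric name, got {filter_name!r}")

    return CiscoHeader(filter_name, acl_format, dsmo)


def validate_headers(lines):
    """Map each header line to its CiscoHeader, or to an error message string."""
    results = {}
    for line in lines:
        try:
            results[line] = parse_cisco_target(line)
        except HeaderError as exc:
            results[line] = str(exc)
    return results


# Constructed sample headers, not taken from any real policy.
SAMPLE_HEADERS = [
    "target:: cisco edge-inbound extended dsmo",
    "target:: cisco edge-inbound",            # format omitted: extended is implied
    "target:: cisco 10 standard",
    "target:: cisco edge-v6 object-group-inet6",
    "target:: cisco 150 standard",            # rejected: standard ACL numbers stop at 99
    "target:: cisco 10 extended",             # rejected: extended ACL names are non-numeric
]


if __name__ == "__main__":
    for line, result in validate_headers(SAMPLE_HEADERS).items():
        print(f"{line!r} -> {result}")
```

Run the file to see each sample header either parsed or rejected with the rule it broke; the same function can be called on every `target::` line of a policy before handing it to the generator.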

Term Format

  • action:: The action to take when matched. See Actions section for valid options.
  • address:: One or more network address tokens, matches source or destination.
  • restrict-address-family:: Only include the term in the matching address family filter (eg. for mixed filters).
  • comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • destination-address:: One or more destination address tokens.
  • destination-exclude:: Exclude one or more address tokens from the specified destination-address.
  • destination-port:: One or more service definition tokens.
  • dscp_match:: Match a DSCP number.
  • expiration:: Stop rendering this term after the specified date (YYYY-MM-DD).
  • icmp-code:: Specifies the ICMP code to filter on.
  • icmp-type:: Specify the icmp-type to match; see the ICMP TYPES section for the list of valid arguments.
  • logging:: Specify that this packet should be logged via syslog.
  • name:: Name of the term.
  • option:: See platforms supported Options section.
  • owner:: Owner of the term, used for organizational purposes.
  • platform:: One or more target platforms for which this term should ONLY be rendered.
  • platform-exclude:: One or more target platforms for which this term should NEVER be rendered.
  • protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • source-address:: one or more source address tokens.
  • source-exclude:: exclude one or more address tokens from the specified source-address.
  • source-port:: one or more service definition tokens.
  • verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • established:: Only match established connections. Implements tcp-established for tcp and, for udp, sets the destination port to 1024-65535 if no destination port is defined.
  • is-fragment:: Matches if the packet is a fragment.
  • tcp-established:: Only match established tcp connections, based on a stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial:: Only match initial packet for TCP protocol.
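The `established` and `tcp-established` options render differently per protocol, and the interaction with an explicit destination-port is where policies surprise people. The following is an added example written for this page, not Capirca's cisco generator: it renders the subset of a term needed to show that behaviour as Cisco extended ACEs. It assumes `any`/`any` addresses, a ` remark` line carrying the term name, and accept/deny actions only; the `Term` dataclass and the sample terms are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Port = Tuple[int, int]  # inclusive (low, high) port range


@dataclass
class Term:
    """The subset of term fields needed to show how the options render."""
    name: str
    action: str                      # "accept" or "deny"
    protocols: List[str]
    destination_ports: List[Port] = field(default_factory=list)
    options: List[str] = field(default_factory=list)


ACTION_KEYWORD = {"accept": "permit", "deny": "deny"}


def _port_clause(low: int, high: int) -> str:
    return f"eq {low}" if low == high else f"range {low} {high}"


def render_term(term: Term) -> List[str]:
    """Render a term as Cisco extended ACEs between 'any' and 'any'.

    Illustrative only: implements the option semantics the page describes and
    omits addresses, logging and the other term fields.
    """
    established = "established" in term.options
    tcp_established = "tcp-established" in term.options
    action = ACTION_KEYWORD[term.action]
    lines = [f" remark {term.name}"]

    for proto in term.protocols:
        ports = list(term.destination_ports)
        suffix = ""
        if proto == "tcp":
            # Both options map to the Cisco 'established' keyword for TCP.
            if established or tcp_established:
                suffix = " established"
        elif tcp_established:
            # The page: tcp-established is not supported for other protocols.
            raise ValueError(f"{term.name}: tcp-established is only valid for tcp, not {proto}")
        elif proto == "udp" and established and not ports:
            # UDP has no 'established' keyword, so the option widens the destination
            # port to the ephemeral range, but only when no port was given.
            ports = [(1024, 65535)]

        if ports:
            lines.extend(f" {action} {proto} any any {_port_clause(lo, hi)}{suffix}" for lo, hi in ports)
        else:
            lines.append(f" {action} {proto} any any{suffix}")
    return lines


def render_acl(name: str, terms: List[Term]) -> str:
    """Wrap rendered terms in an 'ip access-list extended' stanza."""
    body = [f"ip access-list extended {name}"]
    for term in terms:
        body.extend(render_term(term))
    return "\n".join(body)


# Constructed sample terms, not from a real policy.
ALLOW_RETURN = Term("allow-return-traffic", "accept", ["tcp", "udp"], options=["established"])
DNS_REPLIES = Term("allow-dns-replies", "accept", ["udp"], [(53, 53)], ["established"])


if __name__ == "__main__":
    print(render_acl("edge-inbound", [ALLOW_RETURN, DNS_REPLIES]))
```

`ALLOW_RETURN` renders as `permit tcp any any established` plus `permit udp any any range 1024 65535`, while `DNS_REPLIES` keeps its explicit `eq 53` and gets no range widening. Keep in mind that on IOS the `established` keyword is a stateless check on the ACK or RST flag, so the resulting ACE also admits crafted packets that set those bits; it is not a connection-tracking match.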