#11 Add TCP options support for IOS ACL

closed-fixed
Vadim Kurland
None
1
2010-03-10
2009-09-23
Jiri Polach
No

Please add TCP options support for IOS ACLs. Matching TCP flags (options) is now possible in IOS ACLs; moreover, using the "established" keyword may be considered obsolete. Please see "ACL Support for Filtering IP Options" at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtipofil.html. Thank you.

Discussion

  • Vadim Kurland
    2009-11-08

    The Cisco document you provided the URL for talks about matching IP options rather than TCP flags. Please clarify if this request is to implement matching for IP options, such as lsr, ssr, timestamp, router-alert and others, or TCP flags. If the latter, could you provide a reference to the relevant Cisco document? Thanks.

     
  • Vadim Kurland
    2009-11-08

    • assigned_to: nobody --> vkurland
     
  • Vadim Kurland
    2009-11-08

    Meanwhile, I implemented matching TCP flags using the extended ACL option "match-all". This seems to work in IOS 12.4 (not "T"). It may be available in 12.3T, but I do not have this image to test, and I think fwbuilder should require the IOS version of the general deployment release, which seems to be 12.4 in this case. Anyway, you can test using the latest fwbuilder v3.1 test build that you can download here:

    http://www.fwbuilder.org/nightly_builds/fwbuilder-3.1/

    I'll keep this ticket open until you confirm this works the way you expected.

     
  • Vadim Kurland
    2009-11-08

    • priority: 5 --> 1
     
  • Vadim Kurland
    2009-11-08

    • status: open --> open-fixed
     
  • Vadim Kurland
    2010-03-10

    • status: open-fixed --> closed-fixed