ip copp access-list tcp|udp
Use this command to define a named CoPP access control list (ACL) that determines whether to accept or drop an incoming TCP or UDP IP packet based on the specified match criteria. This form of the command filters packets on source and destination IP address together with the protocol (TCP or UDP) and port.
Use the no form of this command to remove an ACL specification.
Configuring the same filter again with a different sequence number or a different action updates the existing entry's sequence number or action.
Command Syntax
(<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) ({ack|established|fin|psh|rst|syn|urg}|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
(<1-268435453>|) (deny|permit) udp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
no (<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) ({ack|established|fin|psh|rst|syn|urg}|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|) (deny|permit) udp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
Parameters
<1-268435453>
IPv4 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
tcp
Transmission Control Protocol.
udp
User Datagram Protocol.
A.B.C.D/M
Source or destination IP prefix and length.
A.B.C.D A.B.C.D
Source or destination IP address and mask.
prefix-group
Specifies a prefix group.
host A.B.C.D
Source or destination host IP address.
any
Any source or destination IP address.
eq
Source or destination port equal to.
<0-65535>
Source or destination port number.
range
Range of source or destination port numbers:
<0-65535>
Lowest value in the range.
<0-65535>
Highest value in the range.
bgp
Border Gateway Protocol.
chargen
Character generator.
cmd
Remote commands.
daytime
Daytime.
discard
Discard.
domain
Domain Name Service.
drip
Dynamic Routing Information Protocol.
echo
Echo.
exec
EXEC.
finger
Finger.
ftp
File Transfer Protocol.
ftp-data
FTP data connections.
gopher
Gopher.
hostname
NIC hostname server.
ident
Ident Protocol.
irc
Internet Relay Chat.
klogin
Kerberos login.
kshell
Kerberos shell.
login
Login.
lpd
Printer service.
nntp
Network News Transport Protocol.
pim-auto-rp
PIM Auto-RP.
pop2
Post Office Protocol v2.
pop3
Post Office Protocol v3.
smtp
Simple Mail Transport Protocol.
ssh
Secure Shell.
sunrpc
Sun Remote Procedure Call.
tacacs
TAC Access Control System.
talk
Talk.
telnet
Telnet.
time
Time.
uucp
UNIX-to-UNIX Copy Program.
whois
WHOIS/NICNAME.
www
World Wide Web.
netconf-ssh
Secure Shell Network Configuration.
netconf-tls
Transport Layer Security Network Configuration.
ack
Match on the Acknowledgment (ack) bit.
established
Matches only packets that belong to an established TCP connection.
fin
Match on the Finish (fin) bit.
psh
Match on the Push (psh) bit.
rst
Match on the Reset (rst) bit.
syn
Match on the Synchronize (syn) bit.
urg
Match on the Urgent (urg) bit.
biff
Biff.
bootpc
Bootstrap Protocol (BOOTP) client.
bootps
Bootstrap Protocol (BOOTP) server.
discard
Discard.
dnsix
DNSIX security protocol auditing.
domain
Domain Name Service.
echo
Echo.
isakmp
Internet Security Association and Key Management Protocol.
mobile-ip
Mobile IP registration.
nameserver
IEN116 name service.
netbios-dgm
NetBIOS datagram service.
netbios-ns
NetBIOS name service.
netbios-ss
NetBIOS session service.
non500-isakmp
Non-500 Internet Security Association and Key Management Protocol.
ntp
Network Time Protocol.
pim-auto-rp
PIM Auto-RP.
snmp
Simple Network Management Protocol.
snmptrap
SNMP Traps.
sunrpc
Sun Remote Procedure Call.
syslog
System Logger.
tacacs
TAC Access Control System.
talk
Talk.
tftp
Trivial File Transfer Protocol.
time
Time.
who
Who service.
xdmcp
X Display Manager Control Protocol.
fragments
Check non-initial fragments.
ttl <0-255>
Filters packets based on Time-To-Live (TTL) value.
ip-options
Matches packets containing IP options (used for security policies).
hop-limit
Specifies the hop limit.
log
Specifies the syslog limit.
Default
None
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 6.6.0.
Examples
#configure terminal
(config)#ip copp access-list ip-acl-02
(config-ip-copp-acl)#deny udp any any eq tftp
(config-ip-copp-acl)#deny tcp any any eq ssh
(config-ip-copp-acl)#end
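As an added illustration that is not part of the OcNOS documentation, the following Python model shows how the two entries from the example above are matched against packets in sequence order, and how re-configuring the same filter with a different sequence number or action updates the existing entry rather than adding a second one, as the description states. The port-name table, the automatic sequence step of 10 for unnumbered entries, and returning None when no entry matches are assumptions of this model, not documented device behaviour.

```python
import ipaddress
# Constructed subset of the command's port keywords with their IANA well-known numbers
# (assumption: the device resolves these keywords the same way).
PORT_NAMES = {"ssh": 22, "telnet": 23, "domain": 53, "tftp": 69, "snmp": 161, "bgp": 179}
PORT_OPS = {"eq": lambda p, v: p == v, "neq": lambda p, v: p != v, "gt": lambda p, v: p > v, "lt": lambda p, v: p < v}

def _parse_addr(tok):
    """Consume one address term: any | host A.B.C.D | A.B.C.D/M (None stands for any)."""
    if tok[0] == "any":
        return tok[1:], None
    n = 2 if tok[0] == "host" else 1
    return tok[n:], ipaddress.ip_network(tok[n - 1], strict=False)

def _parse_port(tok):
    """Consume an optional port operator: (eq|gt|lt|neq) (<0-65535>|name)."""
    if tok and tok[0] in PORT_OPS:
        return tok[2:], (tok[0], PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1]))
    return tok, None

def parse_entry(line):
    """Parse '[seq] (deny|permit) (tcp|udp) SRC [op port] DST [op port]'."""
    tok = line.split()
    seq = int(tok.pop(0)) if tok[0].isdigit() else None
    action, proto = tok[0], tok[1]
    tok, src = _parse_addr(tok[2:])
    tok, sport = _parse_port(tok)
    tok, dst = _parse_addr(tok)
    tok, dport = _parse_port(tok)
    return seq, action, (proto, src, sport, dst, dport)

class CoppAcl:
    """Entries are keyed by match criteria, so re-configuring the same filter with
    another sequence number or action updates the entry instead of duplicating it."""
    def __init__(self):
        self.entries = {}  # (proto, src, sport, dst, dport) -> (seq, action)
    def add(self, line):
        seq, action, filt = parse_entry(line)
        if seq is None:  # assumption: unnumbered entries get the next multiple of 10
            seq = max((s for s, _ in self.entries.values()), default=0) + 10
        self.entries[filt] = (seq, action)
    def evaluate(self, proto, src, sport, dst, dport):
        """Action of the lowest-sequence matching entry, or None if nothing matches."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for (fproto, fsrc, fsport, fdst, fdport), (_, action) in sorted(
                self.entries.items(), key=lambda e: e[1][0]):
            if (fproto == proto and (fsrc is None or src in fsrc) and (fdst is None or dst in fdst)
                    and (fsport is None or PORT_OPS[fsport[0]](sport, fsport[1]))
                    and (fdport is None or PORT_OPS[fdport[0]](dport, fdport[1]))):
                return action
        return None
```

Feeding it the example's two deny entries and then "15 permit tcp any any eq ssh" leaves two entries, with the SSH entry now at sequence 15 with action permit.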