Hi Srini,
Let’s take a look at the different IP options:
```
R1(config-ext-nacl)#permit ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  reflect     Create reflexive access list entry
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  ttl         Match packets with given TTL value
```
DSCP refers to the DSCP value in the TOS byte:
https://networklessons.com/quality-of-service/ip-precedence-dscp-values/
Fragments refers to fragmented IP packets.
Log will show matched packets on the console (like I did in this example). Log-input does the same but also allows you to select an interface.
Option refers to the option field in the header…there are a lot of options here.
Precedence refers to the precedence value in the TOS byte:
https://networklessons.com/quality-of-service/ip-precedence-dscp-values/
Reflect is for reflexive access-lists:
https://networklessons.com/quality-of-service/ip-precedence-dscp-values/
Time-range for time-based access-lists:
https://networklessons.com/security/cisco-asa-time-based-access-list/
TOS is for some of the non-DSCP or non-precedence values that you can use in the TOS byte.
TTL is to match on a certain time-to-live value in the IP packet header.
There’s also a big list for TCP options:
```
R1(config-ext-nacl)#permit tcp any any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  reflect      Create reflexive access list entry
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
```
Some of these options refer to the IP packet (dscp, option, precedence, tos, ttl). The established option is an interesting one…
Established checks TCP headers to see if the ACK bit is enabled; after the three-way handshake, every TCP header has the ACK bit enabled. You can create an ACL statement that only allows “established” sessions with this. We don’t use it anymore…it has been replaced by:
https://networklessons.com/security/reflexive-access-list/
https://networklessons.com/security/cisco-cbac-configuration-example/
https://networklessons.com/security/zone-based-firewall-configuration-example/
Let me know if you want to know some specific options.
Rene
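To make the flag-matching options in the reply concrete, here is an added Python model of how an extended ACL evaluates a TCP segment. It is an illustration written for this page, not code from networklessons.com or from Cisco, and it assumes the documented IOS semantics: `established` matches when the ACK or RST bit is set, `match-all`/`match-any` take `+flag`/`-flag` tokens, and the single keywords (`syn`, `ack`, ...) match when that bit is set. The TCP headers are constructed inline as sample input; the ACL `INBOUND_ACL` and the dict-based ACE format are my own representation, not IOS syntax.

```python
"""Model of Cisco IOS extended-ACL TCP flag matching (added example, not the page's code).

Assumed semantics (from Cisco's ACL documentation):
  - 'established' matches a segment whose ACK or RST bit is set
  - 'match-all' / 'match-any' evaluate a list of +flag / -flag tokens
  - a bare flag keyword (syn, ack, fin, ...) matches when that bit is set
"""
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 793 layout)
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header with the named flags set (sample input)."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAGS[name]
    data_offset = 5 << 4  # 20-byte header, no TCP options
    # ports, seq, ack, data offset, flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flag_bits, 65535, 0, 0)


def parse_tcp_flags(header):
    """Return (src_port, dst_port, set of flag names) from a raw TCP header."""
    src, dst, _seq, _ack, _off, flag_bits = struct.unpack("!HHIIBB", header[:14])
    return src, dst, {name for name, bit in FLAGS.items() if flag_bits & bit}


def ace_matches(ace, header):
    """Evaluate one access-list entry (a dict, our own representation) against a segment."""
    _src_port, dst_port, flags = parse_tcp_flags(header)
    if "eq" in ace and dst_port != ace["eq"]:
        return False
    # 'established' looks only at the flag bits of this one segment; it keeps no
    # connection state, which is why reflexive ACLs, CBAC and ZBF replaced it.
    if ace.get("established") and not ({"ack", "rst"} & flags):
        return False
    if "match_all" in ace:
        # every token must hold: "+syn" means SYN set, "-ack" means ACK clear
        for token in ace["match_all"]:
            if (token[1:] in flags) != token.startswith("+"):
                return False
    if "match_any" in ace:
        # at least one token must hold
        if not any((tok[1:] in flags) == tok.startswith("+") for tok in ace["match_any"]):
            return False
    for name in FLAGS:
        # single keywords such as syn / ack / fin: match only when the bit is set
        if ace.get(name) and name not in flags:
            return False
    return True


def evaluate_acl(acl, header):
    """Return the action of the first matching ACE; implicit deny when nothing matches."""
    for ace in acl:
        if ace_matches(ace, header):
            return ace["action"]
    return "deny"


# Constructed inbound ACL: permit return traffic of sessions opened from inside,
# deny new inbound connection attempts (SYN without ACK).
INBOUND_ACL = [
    {"action": "permit", "established": True},
    {"action": "deny", "match_all": ["+syn", "-ack"]},
]


def classify(flags, dst_port=80):
    """Helper: build a segment with the given flags and run it through INBOUND_ACL."""
    return evaluate_acl(INBOUND_ACL, build_tcp_header(40000, dst_port, flags))


if __name__ == "__main__":
    for flags in (["syn"], ["syn", "ack"], ["ack", "psh"], ["rst"], ["fin"]):
        print(sorted(flags), "->", classify(flags))
```

Running the module shows a bare SYN hitting the second entry (deny), SYN/ACK, ACK/PSH and RST segments matching `established` (permit), and a lone FIN falling through to the implicit deny. The comment in `ace_matches` is the defender's point behind Rene's "we don't use it anymore": `established` checks bits in each segment in isolation, so it cannot tell a genuine reply from any other segment that happens to carry ACK or RST; a stateful mechanism (reflexive ACL, CBAC or ZBF) tracks the session instead.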