CiscoNX¶

Header Format¶

The cisconx header designation has the following format:

targets:
    cisconx: [filter name] {extended|object-group|inet6|mixed} {enable_dsmo}

filter name: defines the name or number of the cisconx filter.
extended: specifies that the output should be an extended access list, and the filter name should be non-numeric. This is the default option.
object-group: specifies this is a cisconx extended access list, and that object-groups should be used for ports and addresses.
inet6: specifies the output be for IPv6 only filters.
mixed: specifies output will include both IPv6 and IPv4 filters.
enable_dsmo: Enable discontinuous subnet mask summarization. When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses. The default format is inet4, and is implied if not other argument is given.

for common keys see common.md
address: One or more network address tokens, matches source or destination.
destination-exclude: Exclude one or more address tokens from the specified destination-address
dscp_match: Match a DSCP number.
icmp-code: Specifies the ICMP code to filter on.
logging: Specify that this packet should be logged via syslog.
owner: Owner of the term, used for organizational purposes.
source-exclude: exclude one or more address tokens from the specified source-address.
verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
is-fragment: Matches on if a packet is a fragment.
tcp-established: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
tcp-initial: Only match initial packet for TCP protocol.