Command or Action    Purpose
(Purpose, continued from the previous page)
• put—Matches HTTP packets with the PUT method [0x50555420]
• trace—Matches HTTP packets with the TRACE method [0x54524143]
The tcp-option-length option specifies the length of the TCP options header in the packets. You can configure up to four TCP option lengths (in multiples of four bytes) in the access control entries (ACEs). The length range is from 0 to 40. If you do not configure this option, the length is specified as 0, and only packets without the TCP options header can match the ACE. This option allows the HTTP method to be matched even on packets that have a variable-length TCP options header.
The redirect option redirects an HTTP method to a server that is connected to a specific port. The HTTP redirect feature does not work on Layer 3 ports.
Step 4
Command or Action: show ip access-lists name
Example:
switch(config-acl)# show ip access-lists acl-01
Purpose: (Optional) Displays the IP ACL configuration.
Step 5
Command or Action: show run interface interface slot/port
Example:
switch(config-acl)# show run interface ethernet 2/2
Purpose: (Optional) Displays the interface configuration.
Example
The following example specifies a length for the TCP options header in the packets and redirects the post HTTP method to a server that is connected to port channel 4001:
switch(config)# ip access-list http-redirect-acl
switch(config-acl)# 10 permit tcp any any http-method get tcp-option-length 4 redirect port-channel4001
switch(config-acl)# 20 permit tcp any any http-method post redirect port-channel4001
switch(config-acl)# statistics per-entry
switch(config)# interface Ethernet 1/33
switch(config-if)# ip port access-group http-redirect-acl in
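As an added illustration (not code from the Cisco guide), the following Python models how an ACE with http-method and tcp-option-length decides a match, and evaluates the http-redirect-acl above in sequence order. It assumes, based on the hex values listed for put and trace, that the method keyword is compared against the four bytes immediately after the TCP header, so the configured tcp-option-length must equal the packet's actual options length; the get and post codes are derived the same way and are not listed on this page.

```python
import struct

# First four ASCII bytes of the request line. put/trace values are the ones this page lists;
# get/post are derived the same way (assumption, not taken from the guide).
HTTP_METHOD_CODES = {
    "put": 0x50555420,    # "PUT "
    "trace": 0x54524143,  # "TRAC"
    "get": 0x47455420,    # "GET "
    "post": 0x504F5354,   # "POST"
}


def build_tcp_segment(options: bytes, payload: bytes) -> bytes:
    """Constructed minimal TCP segment (port 12345 -> 80) with the given options and payload."""
    if len(options) % 4 or len(options) > 40:
        raise ValueError("TCP options must be a multiple of 4 bytes, at most 40")
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, data_offset << 4, 0x18, 65535, 0, 0)
    return header + options + payload


def ace_matches(segment: bytes, method: str, tcp_option_length: int = 0) -> bool:
    """Model of 'permit tcp any any http-method <method> tcp-option-length <n>'.

    The ACE matches only when the options header is exactly the configured length
    (0 when the option is omitted) and the four payload bytes equal the method code.
    """
    if tcp_option_length % 4 or not 0 <= tcp_option_length <= 40:
        raise ValueError("tcp-option-length must be a multiple of 4 in the range 0..40")
    data_offset = (segment[12] >> 4) * 4          # TCP header length in bytes
    if data_offset - 20 != tcp_option_length:     # options length differs: no match
        return False
    payload = segment[data_offset:data_offset + 4]
    if len(payload) < 4:
        return False
    return struct.unpack("!I", payload)[0] == HTTP_METHOD_CODES[method]


def http_redirect_acl(segment: bytes):
    """Evaluate the page's http-redirect-acl top-down; return the matching ACE number or None."""
    if ace_matches(segment, "get", 4):   # 10 permit tcp any any http-method get tcp-option-length 4
        return 10
    if ace_matches(segment, "post", 0):  # 20 permit tcp any any http-method post
        return 20
    return None
```

A GET carrying a 12-byte options header (for example NOP, NOP, timestamps) is not matched by ACE 10, which is why the guide lets you configure several option lengths.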
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring IP ACLs
Configuring ACLs Using HTTP Methods to Redirect Requests