ACL Commands

{ipv4/ipv6/mac/ipv4-udk/mac-udk} access-list

	{ipv4 \| ipv6 \| mac \| ipv4-udk \| mac-udk} access-list <acl-name> no {ipv4 \| ipv6 \| mac \| ipv4-udk \| mac-udk} access-list <acl-name> Creates an ACL table and enters its configuration mode. The no form of the command deletes the ACL table.
Syntax Description	ipv4 \| mac	IPv4 or MAC – access list
Syntax Description	acl-name	User-defined string for the ACL
Default	No ACL available by default.
Configuration Mode	config
History	3.1.1400
History	3.6.5000	Added ipv6, ipv4-udk, and mac-udk parameters
Example	switch (config)# mac access-list my-mac-list switch (config mac access-list my-mac-list)#
Related Commands	ipv4/port access-group
Notes	Each table has its own set of predefined keys The mac-udk and ipv4-udk options add an extra UDK to the standard MAC and IPv4 tables When a new access-list is created, its default bind port is L2 port

policer

	policer <policer_name> {bits\|bytes\|packets} rate <rate_value> [k\|m\|g] [burst <burst_value> [k\|m\|g]] no policer <policer_name> Creates a new shared-policer that can be bound to rules on this table. The no form of the command removes the policer
Syntax Description	rate_value	Policer rate value (of the bits, bytes, or packets) Default is bits
	burst_value	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	k, m, g	Rate/burst value units: kilo, mega, or giga—not mandatory.
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value: 100-1000000000000
Default	Disabled
Configuration Mode	config mac access-list config ipv4 access-list config ipv6 access-list config ipv4-udk access-list config mac-udk access-list
History	3.6.5000
Example	switch (config mac access-list my-mac-list) # policer myPolicer packets rate 1000
Related Commands	ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
Notes	This ACL policer is shared when this table is bound to two or more ports. The policer configuration will always be displayed in bytes

bind-point rif

	bind-point rif no bind-point rif Changes the ACL table bind point from L2 port mode to L3 port. The no form of the command resets this parameter to its default.
Syntax Description	N/A
Default	L2 port
Configuration Mode	config mac access-list config ipv4 access-list config ipv6 access-list config ipv4-udk access-list config mac-udk access-list
History	3.6.5000
Example	switch (config mac access-list my-mac-list)# bind-point rif
Related Commands	ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
Notes	The bind point may only be changed when an ACL table is empty (no rules) and unbound This command is used to attach ACLs to interface VLANs only

remark

	[<seq-number>] remark <string> no [<seq-number>] remark <string> Creates a remark rule from an ACL table. The no form of the command deletes a remark rule from an ACL table.
Syntax Description	N/A
Default	N/A
Configuration Mode	config mac access-list config ipv4 access-list config ipv6 access-list config ipv4-udk access-list config mac-udk access-list
History	3.6.5000
Example	switch (config mac access-list my-mac-list)# remark “1st group”
Related Commands	ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
Notes	The remark rule has a sequence number like standard rules and it can be displayed when showing all rules of ACL table This rule has no effect on traffic and it is only for management purposes

shared-counter

	shared-counter <counter-name> no shared-counter <counter-name> Creates a shared counter. The no form of the command deletes a shared counter.
Syntax Description	counter-name	Shared counter name
Default	N/A
Configuration Mode	config mac access-list config ipv4 access-list config ipv6 access-list config ipv4-udk access-list config mac-udk access-list
History	3.6.5000
Example	switch (config mac access-list my-mac-list)# shared-counter myCounter
Related Commands	ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
Notes	When creating a new shared counter, it is created only in the scope of the ACL table it has been initially created on and cannot be shared across multiple ACL tables A shared counter cannot be deleted when attached to rules

clear shared-counters

	clear shared-counters [<counter-name>] Resets all shared counters in ACL table or a specific shared counter.
Syntax Description	counter-name	Shared counter name
Default	N/A
Configuration Mode	config mac access-list config ipv4 access-list config ipv6 access-list config ipv4-udk access-list config mac-udk access-list
History	3.6.5000
Example	switch (config mac access-list my-mac-list)# clear shared-counters
Related Commands	ipv4/ipv6/mac/ipv4-udk/mac-udk access-list shared-counter
Notes

clear counters

	clear counters [<seq-number>] Resets all counters (including shared counters) in ACL table or a specific counter.
Syntax Description	seq-number	The sequence number of the rule whose counter to reset
Default	N/A
Configuration Mode	config mac access-list config ipv4 access-list config ipv6 access-list config ipv4-udk access-list config mac-udk access-list
History	3.6.5000
Example	switch (config mac access-list my-mac-list)# clear counters 10
Related Commands	ipv4/ipv6/mac/ipv4-udk/mac-udk access-list shared-counter
Notes

{ipv4/ipv6/mac/ipv4-udk/mac-udk} access-list clear counters

	{ipv4 \| ipv6 \| mac \| ipv4-udk \| mac-udk} access-list clear counters Resets all counters (including shared counters) on all ACL tables of the same type.
Syntax Description	N/A
Default	N/A
Configuration Mode	config mac access-list config ipv4 access-list config ipv6 access-list config ipv4-udk access-list config mac-udk access-list
History	3.6.5000
Example	switch (config)# ipv4 access-list clear counters
Related Commands	ipv4/ipv6/mac/ipv4-udk/mac-udk access-list shared-counter
Notes

{ipv4/ipv6/mac/ipv4-udk/mac-udk} port access-group

	{ipv4 \| ipv6 \| mac \| ipv4-udk \| mac-udk} port access-group <acl-name> no {ipv4 \| ipv6 \| mac \| ipv4-udk \| mac-udk} port access-group <acl-name> Binds an ACL to the interface. The no form of the command unbinds the ACL from the interface.
Syntax Description	ipv4 \| mac	IPv4 or MAC – access list
Syntax Description	acl-name	ACL name
Default	No ACL is bind by default.
Configuration Mode	config interface ethernet config interface port-channel config interface mlag-port-channel config interface vlan
History	3.1.1400
	3.3.4500	Added MPO configuration mode
	3.6.5000	Added new parameters
Example	switch (config interface ethernet 1/1) # mac port access-group my-list
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
Notes	The access control list should be defined prior to the binding action

deny/permit (MAC ACL rule)

	[seq-number <sequence-number>] {permit \| deny} ip {<source-mac> mask <mac_mask> \| any} {<dest-mac> mask <mac_mask> \| any} [protocol <protocol_num>] [cos <cos>] [vlan <vlan_id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter \| shared-counter <name>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for MAC ACL. The no form of the command deletes a rule from the MAC ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-mac> mask <mac_mask> \| any	Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.
	<dest-mac> mask <mac_mask> \| any	Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.
	protocol	Sets the Ethertype field value from the MAC address Range: 0x0000-0xffff
	cos	Sets the COS (priority bit) field Range: 0-7
	vlan <vlan_id>	Sets the VLAN ID field Range: 1-4094
	vlan-mask <vlan-mask>	Sets VLAN group Range: 0x0000-0x0FFF
	action	Action name (free string)
	log	Enable the log option
	counter	Attach a unique counter to rule
	shared-counter	Attach a predefined shared-counter to rule
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config mac acl
History	3.1.1400
	3.3.4500	Added vlan-mask parameter
	3.5.1000	Updated seq-number parameter
	3.6.5000	Added log, counter, and shared-counter parameters
	3.6.6000	Added policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config mac access-list my-list) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	VLAN and VLAN group cannot be used in the same command It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv4 ACL rule)

	[seq-number <sequence-number>] {permit \| deny} ip {<source-ip> mask <ip> \| [any]} {<dest-ip> mask <ip> \| [any]} [action <action-id>] [log] [counter \| shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for IPv4 ACL. The no form of the command deletes a rule from the IPv4 ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	{any \| <source-ip> mask <ip>}	Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255.
	{any \| <destination-ip> mask <ip>}	Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP.
	action	Action needs to be defined before attaching to rule
	log	Enable the log option
	counter	Attach a unique counter to rule
	shared-counter	Attach a predefined shared-counter to rule
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-3
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv4 acl
History	3.1.1400
	3.3.4302	Updated syntax description of mask <ip> parameter
	3.5.1000	Updated seq-number parameter
	3.6.5000	Added log, counter, and shared-counter parameters
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority, and tc parameters
Example	switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	User cannot attach a shared counter defined on a different ACL table The parameter shared-counter must be defined before attaching it to the scope of the ACL table It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv4 TCP ACL rule)

	[seq-number <sequence-number>] {deny \| permit} tcp {<source-ip> mask <ip> \| any} {<dest-ip> mask <ip> \| any} [src-port <src-port> \| eq-source <src-port> \| src-port-range <from> <to>] [dest-port <dest-port> \| eq-destination <dest-port> \| dest-port-range <from> <to>] [action <action-id>] [established \| [ack {0 \| 1}] [urg {0 \| 1}] [rst {0 \| 1}] [syn {0 \| 1}] [fin {0 \| 1}] [psh {0 \| 1}] [ns {0 \| 1}] [ece {0 \| 1}] [cwr {0 \| 1}]] [log] [counter \| shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for IPv4 TCP ACL. The no form of the command deletes a rule from the ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ip> mask <ip> \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ip> mask <ip> \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	src-port	L4 source port Note: User may only choose one of the following options to configure source port: src-port; eq-source
	eq-source <src-port>	TCP source port number Range: 0-65535
	src-port-range	Sets a range of L4 source ports to match Note: User may configure either a single source port or a range
	dest-port	L4 destination port Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
	eq-destination <dest-port>	TCP destination port number Range: 0-65535
	dest-port-range	Sets a range of L4 destination ports to match Note: User may configure either a single destination port or a range
	action	Action needs to be defined before attaching to rule
	established	Matches flows which are in established state (“ack” or “rst” flags are set)
	ack; urg; rst; syn; fin; psh; ns; ece; cwr	Matches flows with specific flag Possible match: 0 or 1
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv4 acl
History	3.1.1400
	3.5.1000	Updated seq-number parameter
	3.6.5000	Updated command syntax
	3.6.6000	Added ECN, TTL, DSCP, policer, and extra flag parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established switch (config ipv4 access-list my-list)# permit tcp any any ns 0 policer packets rate 1 k burst 2050
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	L4 ports are valid It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv4 TCP-UDP/UDP ACL rule)

	[seq-number <sequence-number>] {deny \| permit} {tcp-udp \| udp} {<source-ip> mask <ip> \| any} {<dest-ip> mask <ip> \| any} [src-port <src-port> \| eq-source <src-port> \| src-port-range <from> <to>] [dest-port <dest-port> \| eq-destination <dest-port> \| dest-port-range <from> <to>] [action <action-id>] [log] [counter \| shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for IPv4 TCP-UDP/UDP ACL. The no form of the command deletes a rule from the ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ip> mask <ip> \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ip> mask <ip> \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	src-port	L4 source port Note: User may only choose one of the following options to configure source port: src-port; eq-source
	eq-source <src-port>	TCP-UDP/UDP source port number Range: 0-65535
	src-port-range	Sets a range of L4 source ports to match Note: User may configure either a single source port or a range
	dest-port	L4 destination port Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
	eq-destination <dest-port>	TCP-UDP/UDP destination port number Range: 0-65535
	dest-port-range	Sets a range of L4 destination ports to match Note: User may configure either a single destination port or a range
	action	Action needs to be defined before attaching to rule
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv4 acl
History	3.1.1400
	3.5.1000	Updated seq-number parameter
	3.6.5000	Updated command syntax
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300 switch (config ipv4 access-list my-list)# permit udp any any eq-destination 100 eq-source 300
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv4 ICMP ACL rule)

	[seq-number <sequence-number>] {deny \| permit} icmp {<source-ip> mask <ip> \| any} {<dest-ip> mask <ip> \| any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter \| shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for IPv4 ICMP ACL. The no form of the command deletes a rule from the ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ip> mask <ip> \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ip> mask <ip> \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	eq-code	Matches ICMP code value. Range: 0-255.
	eq-type	Matches ICMP type value. Range: 0-255.
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	ecn	ECN ACL filter. Value: 0-3.
	ttl	Time to live ACL filter. Value: 0-225.
	dscp	DSCP ACL filter. Value: 0-63.
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority. valid values 0-7
	tc <tc_value>	Mapping of matched traffic to tc. valid values 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv4 acl
History	3.1.1400
	3.5.1000	Updated seq-number parameter
	3.6.2002	Added ICMP parameters
	3.6.5000	Updated command syntax
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	ICMP code must be specified in conjunction with an ICMP type. If ICMP type is specified but no ICMP code is specified, the rule matches all ICMP packets of the given type If no ICMP type or code are specified, the rule matches all ICMP packets from the specified source/destination address It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv6 ACL rule)

	[seq-number <sequence-number>] {permit \| deny} ip {<src-ipv6>/<mask-len> \| any} {<dest-ipv6>/<mask-len> \| any} [action <action-id>] [log] [counter \| shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates an IPv6 ACL rule with a specific protocol. The no form of the command deletes a rule from the IPv6 ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<src-ipv6>/<mask-len> \| any	Sets source IP and optionally sets a mask for that IP address. The parameter “any” ignores the source IP.
	<dest-ipv6>/<mask-len> \| any	Sets destination IP and optionally sets a mask for that IP. The parameter “any” ignores the destination IP.
	action	Action needs to be defined before attaching to rule
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv6 acl
History	3.6.5000
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv6 access-list my-list) # permit ip 2:2::/32 any switch (config ipv6 access-list my-list) # permit ip any any policer name
Related Commands
Notes	IPv6 address format is as follows: <A:B:C:D:E:F:G:H>/mask_len The fields eq-code (icmp-code) and eq-type (eq-type) are valid only for ICMP rules It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv6 TCP ACL rule)

	[seq-number <sequence-number>] {permit \| deny} tcp {<source-ipv6> /<mask-len> \| any} {<dest-ipv6> /<mask-len> \| any} [src-port <src-port> \| src-port-range <from> <to>] [dest-port <dest-port> \| dest-port-range <from> <to>] [established \| [ack {0 \| 1}] [urg {0 \| 1}] [rst {0 \| 1}] [syn {0 \| 1}] [fin {0 \| 1}] [psh {0 \| 1}] [ns {0 \| 1}] [ece {0 \| 1}] [cwr {0 \| 1}]] [log] [counter \| shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates an IPv6 ACL rule with a specific protocol. The no form of the command deletes a rule from the IPv6 ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ipv6> /<mask-len> \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ipv6> /<mask-len> \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	src-port	L4 source port Note: User may only choose one of the following options to configure source port: src-port; eq-source
	src-port-range	Sets a range of L4 source ports to match Note: User may configure either a single source port or a range
	dest-port	L4 destination port Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
	dest-port-range	Sets a range of L4 destination ports to match Note: User may configure either a single destination port or a range
	action	Action needs to be defined before attaching to rule
	established	Matches flows which are in established state (“ack” or “rst” flags are set)
	ack; urg; rst; syn; fin; psh; ns; ece; cwr	Matches flows with specific flag Possible match: 0 or 1
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63.
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv6 acl
History	3.6.5000
	3.6.6000	Added ECN, TTL, DSCP, policer, and flag parameters
	3.7.0000	Added bits, switch-priority, and tc parameters
Example	switch (config ipv6 access-list my-list) # permit tcp any 10:10:12::/48
Related Commands
Notes	IPv6 address format is as follows: <A:B:C:D:E:F:G:H>/mask_len It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv6 TCP-UDP/UDP ACL rule)

	[seq-number <sequence-number>] {permit \| deny} {tcp-udp \| udp} {<source-ipv6> /<mask-len> \| any} {<dest-ipv6> /<mask-len> \| any} [src-port <src-port> \| src-port-range <from> <to>] [dest-port <dest-port> \| dest-port-range <from> <to>] [log] [counter \| shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates an IPv6 ACL rule with a specific protocol. The no form of the command deletes a rule from the IPv6 ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ipv6> /<mask-len> \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ipv6> /<mask-len> \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	src-port	L4 source port Note: User may only choose one of the following options to configure source port: src-port; eq-source
	src-port-range	Sets a range of L4 source ports to match Note: User may configure either a single source port or a range
	dest-port	L4 destination port Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
	dest-port-range	Sets a range of L4 destination ports to match Note: User may configure either a single destination port or a range
	action	Action needs to be defined before attaching to rule
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63.
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv6 acl
History	3.6.5000
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv6 access-list my-list) # permit udp 2:2::/32 10:10:12::/48
Related Commands
Notes	IPv6 address format is as follows: <A:B:C:D:E:F:G:H>/mask_len It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv6 ICMPv6 ACL rule)

	[seq-number <sequence-number>] {permit \| deny} icmpv6 {<source-ipv6> /<mask-len> \| any} {<dest-ipv6> /<mask-len> \| any} [code <icmp-code>] [type <icmp-type>] [log] [counter \| shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates an IPv6 ACL rule with a specific protocol. The no form of the command deletes a rule from the IPv6 ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ipv6> /<mask-len> \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ipv6> /<mask-len> \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	eq-code	Matches ICMP code value Range: 0-255
	eq-type	Matches ICMP type value Range: 0-255
	action	Action needs to be defined before attaching to rule
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv6 acl
History	3.6.5000
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority, and tc parameters
Example	switch (config ipv6 access-list my-list) # permit icmpv6 any any eq-code 10 eq-type 155
Related Commands
Notes	IPv6 address format is as follows: <A:B:C:D:E:F:G:H>/mask_len It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (MAC UDK ACL rule)

	[seq-number <sequence-number>] {deny \| permit} {<source-mac> mask <mac-mask> \| any} {<dest-mac> mask <mac-mask> \| any} [protocol <protocol-num>] [cos <cos>] [vlan <vlan-id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter \| shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a MAC-UDK ACL rule. The no form of the command deletes a rule from MAC UDK ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-mac> mask <mac-mask> \| any	Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.
	<dest-mac> mask <mac-mask> \| any	Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.
	protocol	Sets the Ethertype filed value from the MAC address Range: 0x0000-0xffff
	cos	Sets the COS (priority bit) field Range: 0-7
	vlan <vlan-id>	Sets the VLAN ID field Range: 1-4094
	vlan-mask <vlan-mask>	Sets VLAN group Range: 0x0000-0x0FFF
	action	Action name (free string)
	log	Enable the log option
	counter	Attach a unique counter to rule
	shared-counter	Attach a predefined shared-counter to rule
	udk	UDK name must be set by user before the rule configuration
	val	The value of the UDK (up to 4 bytes)
	mask	Mask for the UDK value
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config mac-udk acl
History	3.6.5000
	3.6.6000	Added policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config mac-udk access-list mac_udk_acl) # permit any any udk myUdk 10 mask 0xff
Related Commands
Notes	User cannot attach a shared counter defined on a different ACL table The parameter shared-counter must be defined before attaching it to the scope of the ACL table UDK fields must come at the end of the rule configuration The default mask is 0xff-0xffffffff (depends on value length) UDK cannot be deleted while it is attached to a rule 1-4 UDKs per rule may be configured Values and masks of the UDK can be decimal or hexadecimal It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv4 UDK ACL rule)

	[seq-number <sequence-number>] {permit \| deny} ip {<source-ip> mask <ip> \| any} {<dest-ip> mask <ip> \| any} [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for IPv4 ACL. The no form of the command deletes a rule from the IPv4 ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	{any \| <source-ip> mask <ip>}	Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255.
	{any \| <destination-ip> mask <ip>}	Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP.
	action	Action needs to be defined before attaching to rule
	log	Enable the log option
	counter	Attach a unique counter to rule
	shared-counter	Attach a predefined shared-counter to rule
	udk	UDK name must be set by user before the rule configuration
	val	The value of the UDK (up to 4 bytes)
	mask	Mask for the UDK value
	ecn	ECN ACL filter\| Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv4 acl
History	3.6.5000
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	User cannot attach a shared counter defined on a different ACL table The parameter shared-counter must be defined before attaching it to the scope of the ACL table UDK fields must come at the end of the rule configuration The default mask is 0xff-0xffffffff (depends on value length) UDK cannot be deleted while it is attached to a rule 1-4 UDKs per rule may be configured Values and masks of the UDK can be decimal or hexadecimal It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv4 TCP UDK ACL rule)

	[seq-number <sequence-number>] {deny \| permit} tcp {<source-ip> mask <ip> \| any} {<dest-ip> mask <ip> \| any} [src-port <src-port> \| eq-source <src-port> \| src-port-range <from> <to>] [dest-port <dest-port> \| eq-destination <dest-port> \| dest-port-range <from> <to>] [action <action-id>] [established \| [ack {0 \| 1}] [urg {0 \| 1}] [rst {0 \| 1}] [syn {0 \| 1}] [fin {0 \| 1}] [psh {0 \| 1}] [ns {0 \| 1}] [ece {0 \| 1}] [cwr {0 \| 1}]] [log] [counter \| shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for IPv4 TCP ACL. The no form of the command deletes a rule from the ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ip> [mask <ip>] \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ip> [mask <ip>] \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	src-port	L4 source port Note: User may only choose one of the following options to configure source port: src-port; eq-source
	eq-source <src-port>	TCP source port number Range: 0-65535
	src-port-range	Sets a range of L4 source ports to match Note: User may configure either a single source port or a range
	dest-port	L4 destination port Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
	eq-destination <dest-port>	TCP destination port number Range: 0-65535
	dest-port-range	Sets a range of L4 destination ports to match Note: User may configure either a single destination port or a range
	action	Action needs to be defined before attaching to rule
	established	Matches flows which are in established state (“ack” or “rst” flags are set)
	ack; urg; rst; syn; fin; psh; ns; ece; cwr	Matches flows with specific flag Possible match: 0 or 1
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	udk	UDK name must be set by user before the rule configuration
	val	The value of the UDK (up to 4 bytes)
	mask	Mask for the UDK value
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv4 acl
History	3.6.5000
	3.6.6000	Added ECN, TTL, DSCP, policer, and flag parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	UDK fields must come at the end of the rule configuration The default mask is 0xff-0xffffffff (depends on value length) UDK cannot be deleted while it is attached to a rule 1-4 UDKs per rule may be configured It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv4 TCP-UDP/UDP UDK ACL rule)

	[seq-number <sequence-number>] {deny \| permit} {tcp-udp \| udp} {<source-ip> mask <ip> \| any} {<dest-ip> mask <ip> \| any} [src-port <src-port> \| eq-source <src-port> \| src-port-range <from> <to>] [dest-port <dest-port> \| eq-destination <dest-port> \| dest-port-range <from> <to>] [action <action-id>] [log] [counter \| shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for IPv4 TCP-UDP/UDP ACL. The no form of the command deletes a rule from the ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ip> mask <ip> \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ip> mask <ip> \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	src-port	L4 source port Note: User may only choose one of the following options to configure source port: src-port; eq-source
	eq-source <src-port>	TCP-UDP/UDP source port number Range: 0-65535
	src-port-range	Sets a range of L4 source ports to match Note: User may configure either a single source port or a range
	dest-port	L4 destination port Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
	eq-destination <dest-port>	TCP-UDP/UDP destination port number Range: 0-65535
	dest-port-range	Sets a range of L4 destination ports to match. Note: User may configure either a single destination port or a range.
	action	Action needs to be defined before attaching to rule
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	udk	UDK name must be set by user before the rule configuration
	val	The value of the UDK (up to 4 bytes)
	mask	Mask for the UDK value
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv4 acl
History	3.6.5000
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300 switch (config ipv4 access-list my-list)# permit udp any any eq-destination 100 eq-source 300
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	UDK fields must come at the end of the rule configuration The default mask is 0xff-0xffffffff (depends on value length) UDK cannot be deleted while it is attached to a rule 1-4 UDKs per rule may be configured It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

deny/permit (IPv4 ICMP UDK ACL rule)

	[seq-number <sequence-number>] {deny \| permit} icmp {<source-ip> mask <ip> \| any} {<dest-ip> mask <ip> \| any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter \| shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> \| [bytes \| packets] rate <rate_value> [k \| m \| g] [burst <burst_value> [k \| m \| g]]} no <sequence-number> Creates a rule for IPv4 ICMP ACL. The no form of the command deletes a rule from the ACL.
Syntax Description	sequence-number	Optional parameter to set a specific sequence number for the rule Range: 1-65535
	deny	Drop all matching traffic
	permit	Allow matching traffic to pass
	<source-ip> mask <ip> \| any	Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
	<dest-ip> mask <ip> \| any	Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
	eq-code	Matches ICMP code value Range: 0-255
	eq-type	Matches ICMP type value Range: 0-255
	log	Enables the log option
	counter	Attaches a unique counter to rule
	shared-counter	Attaches a predefined shared-counter to rule
	udk	UDK name must be set by user before the rule configuration
	val	The value of the UDK (up to 4 bytes)
	mask	Mask for the UDK value
	ecn	ECN ACL filter Range: 0-3
	ttl	Time to live ACL filter Range: 0-225
	dscp	DSCP ACL filter Range: 0-63
	policer	Attaches shared policer to a rule
	bytes	Attaches bytes type policer
	bits	Attaches bits type policer. Min value: 8000 bits.
	packets	Attaches packets type policer
	rate	Policer rate value Range: 100-1000000000000
	k \| m \| g	Specifies kilo, mega, giga
	burst	Sets burst to policer. If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000. For bits there is no default burst. Min value: 2000 bytes.
	switch-priority <switch-priority_value>	Mapping of matched traffic to switch-priority Range: 0-7
	tc <tc_value>	Mapping of matched traffic to TC Range: 0-7
Default	No rule is added by default to access control list Default sequence number is by increments of 10
Configuration Mode	config ipv4 acl
History	3.6.5000
	3.6.6000	Added ECN, TTL, DSCP, and policer parameters
	3.7.0000	Added bits, switch-priority and tc parameters
Example	switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155
Related Commands	{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes	ICMP code must be specified in conjunction with an ICMP type. If ICMP type is specified but no ICMP code is specified, the rule matches all ICMP packets of the given type. If no ICMP type or code are specified, the rule matches all ICMP packets from the specified source/destination address. UDK fields must come at the end of the rule configuration The default mask is 0xff-0xffffffff (depends on value length) UDK cannot be deleted while it is attached to a rule 1-4 UDKs per rule may be configured It is possible to attach the rule to a unique policer, or to create a policer only for the rule The policer configuration will always be displayed in bytes This ACL policer is shared when this table is bound to two or more ports.

port access-group (IPv4/IPv4 UDK/IPv6/MAC/MAC UDK)

	{ipv4 \| ipv4-udk \| ipv6 \| mac \| mac-udk} port access-group <acl-name> no {mac \| ipv4 \| ipv6 \| mac-udk \| ipv4-udk} port access-group Attaches an ACL table with bind-point RIF to a VLAN interface. The no form of the command unmaps ACL table with bind-point RIF from a VLAN interface.
Syntax Description	acl-name	ACL table name
Default	N/A
Configuration Mode	config interface vlan
History	3.6.5000
Example	switch (config interface vlan 10)# ipv4 port access-group ipv4_acl2
Related Commands	show access list summary
Notes	Only ACL tables with bind-point set to RIF can be attached to a VLAN interface Interface VLAN must be configured before binding operation

access-list action

	access-list action <action-profile-name> no access-list action <action-profile-name> Creates access-list action profile and entering the action profile configuration mode. The no form of the command deletes the action profile.
Syntax Description	action-profile-name	Given name for the profile
Default	N/A
Configuration Mode	config
History	3.2.0230
Example	switch (config)# access-list action my-action switch (config access-list action my-action)#
Related Commands
Notes

access-list log

	access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>] no access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>] Configures access list logger. The no form of the command resets parameters for access list logger.
Syntax Description	interval	Logging interval length in minutes Range: 1min-24hrs
	memory	Maximal number of packets to save in memory Range: 1-3600
	syslog	Maximal number of packets to show in syslog Range: 1-3600
Default	N/A
Configuration Mode	config
History	3.6.5000
Example	switch (config)# access-list log interval 10 switch (config)# access-list log memory 300 switch (config)# access-list log syslog 200
Related Commands
Notes	The packet number in syslog configuration must not be greater than the maximal packets number in memory When configuring interval, the interval will restart resulting in a log dump to syslog and memory clear

vlan-map

	vlan-map <vid> no vlan-map Adds action to map a new VLAN to the packet (in the ingress port or VLAN). The no form of the command removes the action to map a new VLAN.
Syntax Description	vid	VLAN ID Range: 1-4094
Default	N/A
Configuration Mode	config acl action
History	3.2.0230
Example	switch (config access-list action my-action)# vlan-map 10
Related Commands
Notes

vlan-pop

	vlan-pop Pops VLAN frames from traffic.
Syntax Description	N/A
Default	N/A
Configuration Mode	config acl action
History	3.4.3000
Example	switch (config access-list action my-action)# vlan-pop
Related Commands
Notes

vlan-push

	vlan-push <vid> Pushes (or adds) VLAN frames to traffic.
Syntax Description	vid	VLAN ID Range: 1-4094
Default	N/A
Configuration Mode	config acl action
History	3.4.3000
Example	switch (config access-list action my-action)# vlan-push 10
Related Commands
Notes

monitor session

	monitor session <session_id> Mirrors traffic to monitor session.
Syntax Description	session_id	The monitor session. Range: 1-3
Default	N/A
Configuration Mode	config acl action
History	3.9.3100
Example	switch (config access-list action my-action)# monitor session 1
Related Commands

show ipv4 access-lists

	show ipv4 access-lists <access-list-name> Displays configuration of IPv4 rules in a specific table.
Syntax Description	access-list-name	ACL name
Default	N/A
Configuration Mode	Any command mode
History	3.1.1400
	3.3.4500	Updated example
	3.6.6000	Updated example
Example
switch (config) # show ipv4 access-lists my-list Table Type: ipv4 Table Name: my-list Bind-point: port ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- seq-number p/d protocol s-ipv4 d-ipv4 sport/type end-sport dport/code end-dport tcp-control action counter Packets ttl ecn dscp policer log ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10 permit ip any any any none any none N/A none N/A N/A none none none none NO 20 permit ip any any any none any none N/A none N/A N/A none none none YES NO
Related Commands	deny/permit {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes

show ipv4-udk access-lists

	show ipv4-udk access-lists <access-list-name> Displays configuration of IPv4 UDK rules in a specific table.
Syntax Description	access-list-name	ACL name
Default	N/A
Configuration Mode	Any command mode
History	3.6.5000
History	3.6.6000	Updated example
Example
switch (config) # show ipv4-udk access-lists my-list Table Type: ipv4-udk Table Name: my-list Bind-point: port ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ seq-number p/d protocol s-ipv4 d-ipv4 sport/type end-sport dport/code end-dport tcp-control action counter Packets udk ttl ecn dscp policer log ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 7 permit tcp any any any none any none any none N/A N/A none none none none NO 8 deny tcp 1.1.1.1/32 any any none any none -U +F none N/A N/A aaa value 5 none none none none NO 10 permit tcp 1.1.1.1/32 2.2.2.2/32 any none any none +P-R none N/A N/A bbb value 6 mask 0x8 none none none none NO
Related Commands	deny/permit {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes

show ipv6 access-lists

	show ipv6 access-lists <access-list-name> Displays configuration of IPv6 rules in a specific table.
Syntax Description	access-list-name	ACL name
Default	N/A
Configuration Mode	Any command mode
History	3.6.5000
History	3.6.6000	Updated example
Example
switch (config) # show ipv6 access-lists my-list Table Type: ipv6 Table Name: my-list Bind-point: port ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- seq-number p/d protocol s-ipv6 d-ipv6 sport/type end-sport dport/code end-dport tcp-control action counter Packets ttl ecn dscp policer log ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10 permit ip any any any none any none N/A none N/A N/A 33 none none none YES 20 permit ip any any any none any none N/A none N/A N/A none none none none NO 30 permit ip any any any none any none N/A none N/A N/A none none none none NO
Related Commands	deny/permit {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes

show mac access-lists

	show mac access-lists <access-list-name> Displays configuration of MAC rules in a specific table.
Syntax Description	access-list-name	ACL name
Default	N/A
Configuration Mode	Any command mode
History	3.1.1400
	3.3.4500	Updated example
	3.6.6000	Updated example
Example
switch (config) # show mac access-lists my-list Table Type: mac Table Name: my-list Bind-point: port -------------------------------------------------------------------------------------------------------------------------------------------------- seq-number p/d smac dmac protocol cos vlan vlan-mask action counter Packets policer log -------------------------------------------------------------------------------------------------------------------------------------------------- 10 permit any any any any any N/A none N/A N/A roe NO
Related Commands	deny/permit {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes

show mac access-lists summary

	show mac access-lists <access-list-name> Displays configuration of MAC rules in a specific table.
Syntax Description	access-list-name	ACL name
Default	N/A
Configuration Mode	Any command mode
History	3.6.8100
Example
switch (config) # show mac access-lists summary ---------------------------------------------------------------------------------------- Table type Table Name Bind Point Total entries Bound to interfaces ---------------------------------------------------------------------------------------- mac mac1 port 1 Eth1/16
Related Commands	deny/permit {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes

show mac-udk access-lists

	show mac-udk access-lists <access-list-name> Displays configuration of MAC UDK rules in a specific table.
Syntax Description	access-list-name	ACL name
Default	N/A
Configuration Mode	Any command mode
History	3.6.5000
History	3.6.6000	Updated example
Example
switch (config) # show mac-udk access-lists my-list Table Type: mac Table Name: my-list Bind-point: port ---------------------------------------------------------------------------------------------------------------------------------- seq-number p/d smac dmac protocol cos vlan vlan-mask action counter Packets udk policer log --------------------------------------------------------------------------------------------------------------------------------- 10 permit any any any any any N/A none N/A 0 YES NO 20 permit any any any any any N/A none N/A N/A none NO
Related Commands	deny/permit {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes

show access-lists action

	show access-lists action <action-profile-name> Displays the access-list action profiles summary.
Syntax Description	action-profile-name	Filter the table according to the action profile name
Syntax Description	summary	Display summary of the action list
Default	N/A
Configuration Mode	Any command mode
History	3.2.0230
	3.7.1000	Updated example
	3.9.3100	Updated example to reflect ACL-based monitoring
Example	switch (config)# show access-lists action test_action_1 Access-list Action test_action: ---------------------------------------------------------------------------------- Type Mapped_Vlan_ID Mapped_port Counter_set Policer_ID ---------------------------------------------------------------------------------- vlan-map 1 N/A N/A N/A switch (config)# show access-lists action test_action_2 Access-list Action test_action: --------------------------------------------------------------------------------- Type Monitor_Sesion Mapped_port Counter_set Policer_ID --------------------------------------------------------------------------------- monitor 1 N/A N/A N/A
Related Commands
Notes

show mac-udk access-lists

	show mac-udk access-lists <access-list-name> Displays configuration of MAC UDK rules in a specific table.
Syntax Description	access-list-name	ACL name
Default	N/A
Configuration Mode	Any command mode
History	3.6.5000
History	3.6.6000	Updated example
Example
switch (config) # show mac-udk access-lists my-list Table Type: mac Table Name: my-list Bind-point: port -------------------------------------------------------------------------------------------------------------------------------- seq-number p/d smac dmac protocol cos vlan vlan-mask action counter Packets udk policer log -------------------------------------------------------------------------------------------------------------------------------- 10 permit any any any any any N/A none N/A 0 YES NO 20 permit any any any any any N/A none N/A N/A none NO
Related Commands	deny/permit {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes

show access-lists log config

	show access-lists log config <action-profile-name> Displays the access-list log configuration information.
Syntax Description	action-profile-name	Filter the table according to the action profile name
Default	N/A
Configuration Mode	Any command mode
History	3.2.0230
History	3.6.8008	Updated example
Example	switch (config)# show access-lists log config access-list log configuration: Memory packets : 1000 Syslog packets : 10 Interval (minutes): 1
Related Commands
Notes

show access-lists policers (ipv4/ipv4-udk/ipv6/mac/mac-udk)

	show {ipv4 \| ipv4-udk \| ipv6 \| mac \| mac-udk} access-lists <access-list-name> policers [name \| seq-number] Displays all configured policers on a specific ACL table.
Syntax Description	access-list-name	ACL name
	name	Policer name filter
	seq-number	Filter by sequence number
Default	N/A
Configuration Mode	Any command mode
History	3.6.5000
Example
switch (config) # show ipv6 access-lists my-list policers ----------------------------------------------------------------- Name Type Rate Burst Sequence Number ----------------------------------------------------------------- pol packets 1000 200 50,60,70 rom packets 1000 200 80 N/A bytes 12345 20000 40
Related Commands
Notes

show access-lists shared-counters (ipv4/ipv4-udk/ipv6/mac/mac-udk)

	show {ipv4 \| ipv4-udk \| ipv6 \| mac \| mac-udk} access-lists <access-list-name> shared-counters Displays all configured shared-counters on a specific ACL table.
Syntax Description	access-list-name	ACL name
Default	N/A
Configuration Mode	Any command mode
History	3.6.5000
Example
switch (config mac access-list my-list) # show mac access-lists mac_acl shared-counters ------------------------------------------------- counter packets total Rules rule IDs ------------------------------------------------- cnt1 0 3 20 30 40 cnt2 0 2 50 60 cnt3 0 1 70
Related Commands
Notes	For each configured shared counter it also displays the counter value (packets), the number of rules attached to this counter and the rule IDs Up to 5 rule IDs are displayed even though there is no limitation on how many rules can be attached to a counter

show access-lists summary

	show [ipv4 \| mac \| ipv6 \| ipv4-udk \| mac-udk] access-lists summary Displays the summary of number of rules per ACL, and the interfaces attached.
Syntax Description	N/A
Default	N/A
Configuration Mode	Any command mode
History	3.1.1400
History	3.6.5000	Updated example
Example
switch (config) # show access-lists summary ----------------------------------------------------------------------------------- Table type Table Name Bind type Total entries Bound to interfaces ----------------------------------------------------------------------------------- mac aaa port 0 Mpo55 ipv4 ddd port 1 Eth1/3, Po1 ipv4 ggg rif 0 VlanIf555 ipv6 table1 port 9 Eth1/9
Related Commands
Notes

show access-lists log

	show access-lists log [last <num>] Displays captured packets on all access list rules.
Syntax Description	num	Number of packets to show
Default	N/A
Configuration Mode	Any command mode
History	3.6.5000
Example
switch (config) # show access-lists log Log status: Normal Log MAC rules: ---------------------------------------------------------------------------------- IF Table(rule) Source MAC Dest MAC Ethertype VLAN Hits ---------------------------------------------------------------------------------- 1/2 mac_al_log(10) 44:44:44:44:44:44 22:22:22:22:22:22 IPv4 N/A 5 Log IPv4 rules: ------------------------------------------------------------------------------------- IF Table(rule) Source IPv4 Dest IPv4 Protocol Source Dest Hits port port ------------------------------------------------------------------------------------- 1/3 ipv4_al_lo(10) 1.1.1.1 2.2.2.2 UDP 44 33 11
Related Commands
Notes

show access-lists log config

	show access-lists log config Displays configuration of access-list logger.
Syntax Description	N/A
Default	N/A
Configuration Mode	Any command mode
History	3.6.5000
Example	switch (config) # show access-lists log config access-list log configuration: Memory packets: 1000 Syslog packets: 10 Interval (minutes): 60
Related Commands
Notes

On This Page