2024-03-27
On This Page
- {ipv4/ipv6/mac/ipv4-udk/mac-udk} access-list
- policer
- bind-point rif
- remark
- shared-counter
- clear shared-counters
- clear counters
- {ipv4/ipv6/mac/ipv4-udk/mac-udk} access-list clear counters
- {ipv4/ipv6/mac/ipv4-udk/mac-udk} port access-group
- deny/permit (MAC ACL rule)
- deny/permit (IPv4 ACL rule)
- deny/permit (IPv4 TCP ACL rule)
- deny/permit (IPv4 TCP-UDP/UDP ACL rule)
- deny/permit (IPv4 ICMP ACL rule)
- deny/permit (IPv6 ACL rule)
- deny/permit (IPv6 TCP ACL rule)
- deny/permit (IPv6 TCP-UDP/UDP ACL rule)
- deny/permit (IPv6 ICMPv6 ACL rule)
- deny/permit (MAC UDK ACL rule)
- deny/permit (IPv4 UDK ACL rule)
- deny/permit (IPv4 TCP UDK ACL rule)
- deny/permit (IPv4 TCP-UDP/UDP UDK ACL rule)
- deny/permit (IPv4 ICMP UDK ACL rule)
- port access-group (IPv4/IPv4 UDK/IPv6/MAC/MAC UDK)
- access-list action
- access-list log
- vlan-map
- vlan-pop
- vlan-push
- monitor session
- show ipv4 access-lists
- show ipv4-udk access-lists
- show ipv6 access-lists
- show mac access-lists
- show mac access-lists summary
- show mac-udk access-lists
- show access-lists action
- show access-lists log config
- show access-lists policers (ipv4/ipv4-udk/ipv6/mac/mac-udk)
- show access-lists shared-counters (ipv4/ipv4-udk/ipv6/mac/mac-udk)
- show access-lists summary
- show access-lists log
ACL Commands
|
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list <acl-name>
no {ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list <acl-name>
Creates an ACL table and enters its configuration mode.
The no form of the command deletes the ACL table.
|
Syntax Description
|
ipv4 | ipv6 | mac | ipv4-udk | mac-udk
|
Type of access list: IPv4, IPv6, MAC, IPv4-UDK, or MAC-UDK
|
acl-name
|
User-defined string for the ACL
|
Default
|
No ACL available by default.
|
Configuration Mode
|
config
|
History
|
3.1.1400
|
3.6.5000
|
Added ipv6, ipv4-udk, and mac-udk parameters
|
Example
|
switch (config)# mac access-list my-mac-list
|
Related Commands
|
{ipv4/ipv6/mac/ipv4-udk/mac-udk} port access-group
|
Notes
|
|
policer <policer_name> {bits|bytes|packets} rate <rate_value> [k|m|g] [burst <burst_value> [k|m|g]]
no policer <policer_name>
Creates a shared policer that can be bound to rules in this ACL table.
The no form of the command removes the policer.
|
Syntax Description
|
rate_value
|
Policer rate value (of the bits, bytes, or packets)
Default is bits
|
burst_value
|
Sets the burst size of the policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
k, m, g
|
Rate/burst value units: kilo, mega, or giga (optional).
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value: 100-1000000000000
|
Default
|
Disabled
|
Configuration Mode
|
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
|
History
|
3.6.5000
|
Example
|
switch (config mac access-list my-mac-list) # policer myPolicer packets rate 1000
|
Related Commands
|
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
|
Notes
|
|
bind-point rif
no bind-point rif
Changes the ACL table bind point from L2 port mode to L3 port (router interface) mode.
The no form of the command resets this parameter to its default.
|
Syntax Description
|
N/A
|
Default
|
L2 port
|
Configuration Mode
|
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
|
History
|
3.6.5000
|
Example
|
switch (config mac access-list my-mac-list)# bind-point rif
|
Related Commands
|
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
|
Notes
|
|
[<seq-number>] remark <string>
no [<seq-number>] remark <string>
Creates a remark (comment) rule in an ACL table.
The no form of the command deletes a remark rule from an ACL table.
|
Syntax Description
|
N/A
|
Default
|
N/A
|
Configuration Mode
|
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
|
History
|
3.6.5000
|
Example
|
switch (config mac access-list my-mac-list)# remark "1st group"
|
Related Commands
|
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
|
Notes
|
|
shared-counter <counter-name>
no shared-counter <counter-name>
Creates a shared counter.
The no form of the command deletes a shared counter.
|
Syntax Description
|
counter-name
|
Shared counter name
|
Default
|
N/A
|
Configuration Mode
|
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
|
History
|
3.6.5000
|
Example
|
switch (config mac access-list my-mac-list)# shared-counter myCounter
|
Related Commands
|
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
|
Notes
|
|
clear shared-counters [<counter-name>]
Resets all shared counters in the ACL table, or a specific shared counter.
|
Syntax Description
|
counter-name
|
Shared counter name
|
Default
|
N/A
|
Configuration Mode
|
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
|
History
|
3.6.5000
|
Example
|
switch (config mac access-list my-mac-list)# clear shared-counters
|
Related Commands
|
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter
|
Notes
|
clear counters [<seq-number>]
Resets all counters (including shared counters) in the ACL table, or the counter of a specific rule.
|
Syntax Description
|
seq-number
|
The sequence number of the rule whose counter to reset
|
Default
|
N/A
|
Configuration Mode
|
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
|
History
|
3.6.5000
|
Example
|
switch (config mac access-list my-mac-list)# clear counters 10
|
Related Commands
|
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter
|
Notes
|
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list clear counters
Resets all counters (including shared counters) on all ACL tables of the same type.
|
Syntax Description
|
N/A
|
Default
|
N/A
|
Configuration Mode
|
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
|
History
|
3.6.5000
|
Example
|
switch (config)# ipv4 access-list clear counters
|
Related Commands
|
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter
|
Notes
|
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} port access-group <acl-name>
no {ipv4 | ipv6 | mac | ipv4-udk | mac-udk} port access-group <acl-name>
Binds an ACL to the interface.
The no form of the command unbinds the ACL from the interface.
|
Syntax Description
|
ipv4 | ipv6 | mac | ipv4-udk | mac-udk
|
Type of access list: IPv4, IPv6, MAC, IPv4-UDK, or MAC-UDK
|
acl-name
|
ACL name
|
Default
|
No ACL is bound by default.
|
Configuration Mode
|
config interface ethernet
config interface port-channel
config interface mlag-port-channel
config interface vlan
|
History
|
3.1.1400
|
3.3.4500
|
Added MLAG port-channel (MPO) configuration mode
|
3.6.5000
|
Added new parameters
|
Example
|
switch (config interface ethernet 1/1) # mac port access-group my-list
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
|
Notes
|
The access control list must be defined before it is bound to an interface.
|
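The following added example (not part of the original reference) puts the commands above together in the order their dependencies require: the shared counter and policer are created inside the ACL table before the rules that reference them, the table is complete before it is bound, and the bind happens from interface configuration mode. The ACL name (web-in), the counter and policer names, the source prefix 10.1.0.0 mask 255.255.0.0 and interface ethernet 1/1 are constructed values; lines beginning with # are annotations, not CLI input.

```text
# Added example; all names, addresses and the interface number are constructed.
# 1. Create the table and the objects that rules will reference.
switch (config)# ipv4 access-list web-in
switch (config ipv4 access-list web-in)# remark "front-end web ingress"
switch (config ipv4 access-list web-in)# shared-counter webHits
switch (config ipv4 access-list web-in)# policer webPolicer packets rate 10000 burst 1000
# 2. Rules, explicit sequence numbers so later inserts (e.g. 15) land where intended.
switch (config ipv4 access-list web-in)# seq-number 10 permit tcp 10.1.0.0 mask 255.255.0.0 any dest-port 443 shared-counter webHits policer webPolicer
switch (config ipv4 access-list web-in)# seq-number 20 permit tcp any any established counter
switch (config ipv4 access-list web-in)# seq-number 30 permit icmp any any eq-type 8 counter
switch (config ipv4 access-list web-in)# seq-number 40 deny ip any any log counter
switch (config ipv4 access-list web-in)# exit
# 3. Bind only after the table is complete.
switch (config)# interface ethernet 1/1
switch (config interface ethernet 1/1)# ipv4 port access-group web-in
switch (config interface ethernet 1/1)# exit
# 4. Verify, then reset the hit counters once the baseline is recorded.
switch (config)# show ipv4 access-lists
switch (config)# ipv4 access-list web-in
switch (config ipv4 access-list web-in)# clear counters
```

Rule 20 (established) admits only return traffic that carries the ack or rst flag, so it does not open the port to new inbound connections; the final deny carries both log and counter so that unexpected traffic is visible rather than silently dropped, and the policer on rule 10 caps the packet rate that the 443 rule can admit.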
[seq-number <sequence-number>] {permit | deny} {<source-mac> mask <mac_mask> | any} {<dest-mac> mask <mac_mask> | any} [protocol <protocol_num>] [cos <cos>] [vlan <vlan_id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter | shared-counter <name>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates a rule for MAC ACL.
The no form of the command deletes a rule from the MAC ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-mac> mask <mac_mask> | any
|
Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.
|
<dest-mac> mask <mac_mask> | any
|
Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.
|
protocol
|
Sets the EtherType field value to match
Range: 0x0000-0xffff
|
cos
|
Sets the COS (priority bit) field
Range: 0-7
|
vlan <vlan_id>
|
Sets the VLAN ID field
Range: 1-4094
|
vlan-mask <vlan-mask>
|
Sets a VLAN mask, so that the rule matches a group of VLAN IDs
Range: 0x0000-0x0FFF
|
action
|
Action name (free string)
|
log
|
Enable the log option
|
counter
|
Attach a unique counter to rule
|
shared-counter
|
Attach a predefined shared-counter to rule
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rules are added to an access control list by default
Sequence numbers are assigned automatically in increments of 10
|
Configuration Mode
|
config mac acl
|
History
|
3.1.1400
|
3.3.4500
|
Added vlan-mask parameter
|
3.5.1000
|
Updated seq-number parameter
|
3.6.5000
|
Added log, counter, and shared-counter parameters
|
3.6.6000
|
Added policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config mac access-list my-list) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
[seq-number <sequence-number>] {permit | deny} ip {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates a rule for IPv4 ACL.
The no form of the command deletes a rule from the IPv4 ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
{any | <source-ip> mask <ip>}
|
Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255.
|
{any | <destination-ip> mask <ip>}
|
Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP.
|
action
|
Action needs to be defined before attaching to rule
|
log
|
Enable the log option
|
counter
|
Attach a unique counter to rule
|
shared-counter
|
Attach a predefined shared-counter to rule
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-3
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rules are added to an access control list by default
Sequence numbers are assigned automatically in increments of 10
|
Configuration Mode
|
config ipv4 acl
|
History
|
3.1.1400
|
3.3.4302
|
Updated syntax description of mask <ip> parameter
|
3.5.1000
|
Updated seq-number parameter
|
3.6.5000
|
Added log, counter, and shared-counter parameters
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority, and tc parameters
|
Example
|
switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates a rule for IPv4 TCP ACL.
The no form of the command deletes a rule from the ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ip> mask <ip> | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ip> mask <ip> | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
src-port
|
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
|
eq-source <src-port>
|
TCP source port number
Range: 0-65535
|
src-port-range
|
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
|
dest-port
|
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
|
eq-destination <dest-port>
|
TCP destination port number
Range: 0-65535
|
dest-port-range
|
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
|
action
|
Action needs to be defined before attaching to rule
|
established
|
Matches flows which are in established state (“ack” or “rst” flags are set)
|
ack; urg; rst; syn; fin; psh; ns; ece; cwr
|
Matches flows with specific flag
Possible match: 0 or 1
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rules are added to an access control list by default
Sequence numbers are assigned automatically in increments of 10
|
Configuration Mode
|
config ipv4 acl
|
History
|
3.1.1400
|
3.5.1000
|
Updated seq-number parameter
|
3.6.5000
|
Updated command syntax
|
3.6.6000
|
Added ECN, TTL, DSCP, policer, and extra flag parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
[seq-number <sequence-number>] {deny | permit} {tcp-udp | udp} {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates a rule for IPv4 TCP-UDP/UDP ACL.
The no form of the command deletes a rule from the ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ip> mask <ip> | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ip> mask <ip> | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
src-port
|
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
|
eq-source <src-port>
|
TCP-UDP/UDP source port number
Range: 0-65535
|
src-port-range
|
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
|
dest-port
|
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
|
eq-destination <dest-port>
|
TCP-UDP/UDP destination port number
Range: 0-65535
|
dest-port-range
|
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
|
action
|
Action needs to be defined before attaching to rule
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rules are added to an access control list by default
Sequence numbers are assigned automatically in increments of 10
|
Configuration Mode
|
config ipv4 acl
|
History
|
3.1.1400
|
3.5.1000
|
Updated seq-number parameter
|
3.6.5000
|
Updated command syntax
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
[seq-number <sequence-number>] {deny | permit} icmp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates a rule for IPv4 ICMP ACL.
The no form of the command deletes a rule from the ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ip> mask <ip> | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ip> mask <ip> | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
eq-code
|
Matches ICMP code value. Range: 0-255.
|
eq-type
|
Matches ICMP type value. Range: 0-255.
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rules are added to an access control list by default
Sequence numbers are assigned automatically in increments of 10
|
Configuration Mode
|
config ipv4 acl
|
History
|
3.1.1400
|
3.5.1000
|
Updated seq-number parameter
|
3.6.2002
|
Added ICMP parameters
|
3.6.5000
|
Updated command syntax
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
[seq-number <sequence-number>] {permit | deny} ip {<src-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<src-ipv6>/<mask-len> | any
|
Sets source IP and optionally sets a mask for that IP address. The parameter “any” ignores the source IP.
|
<dest-ipv6>/<mask-len> | any
|
Sets destination IP and optionally sets a mask for that IP. The parameter “any” ignores the destination IP.
|
action
|
Action needs to be defined before attaching to rule
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rules are added to an access control list by default
Sequence numbers are assigned automatically in increments of 10
|
Configuration Mode
|
config ipv6 acl
|
History
|
3.6.5000
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv6 access-list my-list) # permit ip 2:2::/32 any
|
Related Commands
|
Notes
|
|
[seq-number <sequence-number>] {permit | deny} tcp {<source-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [src-port <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | dest-port-range <from> <to>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ipv6> /<mask-len> | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ipv6> /<mask-len> | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
src-port
|
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
|
src-port-range
|
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
|
dest-port
|
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
|
dest-port-range
|
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
|
action
|
Action needs to be defined before attaching to rule
|
established
|
Matches flows which are in established state (“ack” or “rst” flags are set)
|
ack; urg; rst; syn; fin; psh; ns; ece; cwr
|
Matches flows with specific flag
Possible match: 0 or 1
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63.
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rules are added to an access control list by default
Sequence numbers are assigned automatically in increments of 10
|
Configuration Mode
|
config ipv6 acl
|
History
|
3.6.5000
|
3.6.6000
|
Added ECN, TTL, DSCP, policer, and flag parameters
|
3.7.0000
|
Added bits, switch-priority, and tc parameters
|
Example
|
switch (config ipv6 access-list my-list) # permit tcp any 10:10:12::/48
|
Related Commands
|
Notes
|
|
[seq-number <sequence-number>] {permit | deny} {tcp-udp | udp} {<source-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [src-port <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | dest-port-range <from> <to>] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ipv6> /<mask-len> | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ipv6> /<mask-len> | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
src-port
|
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
|
src-port-range
|
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
|
dest-port
|
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
|
dest-port-range
|
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
|
action
|
Action needs to be defined before attaching to rule
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63.
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rules are added to an access control list by default
Sequence numbers are assigned automatically in increments of 10
|
Configuration Mode
|
config ipv6 acl
|
History
|
3.6.5000
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv6 access-list my-list) # permit udp 2:2::/32 10:10:12::/48
|
Related Commands
|
Notes
|
|
[seq-number <sequence-number>] {permit | deny} icmpv6 {<source-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]
no <sequence-number>
Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ipv6> /<mask-len> | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ipv6> /<mask-len> | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
eq-code
|
Matches ICMP code value
Range: 0-255
|
eq-type
|
Matches ICMP type value
Range: 0-255
|
action
|
Action needs to be defined before attaching to rule
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets the policer burst.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rule is added by default to access control list
Default sequence number is by increments of 10
|
Configuration Mode
|
config ipv6 acl
|
History
|
3.6.5000
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority, and tc parameters
|
Example
|
switch (config ipv6 access-list my-list) # permit icmpv6 any any eq-code 10 eq-type 155
|
Related Commands
|
Notes
|
|
[seq-number <sequence-number>] {deny | permit} {<source-mac> mask <mac-mask> | any} {<dest-mac> mask <mac-mask> | any} [protocol <protocol-num>] [cos <cos>] [vlan <vlan-id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>
Creates a MAC-UDK ACL rule.
The no form of the command deletes a rule from MAC UDK ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-mac> mask <mac-mask> | any
|
Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.
|
<dest-mac> mask <mac-mask> | any
|
Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.
|
protocol
|
Sets the Ethertype field value (taken from the Ethernet header)
Range: 0x0000-0xffff
|
cos
|
Sets the COS (priority bit) field
Range: 0-7
|
vlan <vlan-id>
|
Sets the VLAN ID field
Range: 1-4094
|
vlan-mask <vlan-mask>
|
Sets VLAN group
Range: 0x0000-0x0FFF
|
action
|
Action name (free string)
|
log
|
Enable the log option
|
counter
|
Attach a unique counter to rule
|
shared-counter
|
Attach a predefined shared-counter to rule
|
udk
|
UDK name must be set by user before the rule configuration
|
val
|
The value of the UDK (up to 4 bytes)
|
mask
|
Mask for the UDK value
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets the policer burst.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rule is added by default to access control list
Default sequence number is by increments of 10
|
Configuration Mode
|
config mac-udk acl
|
History
|
3.6.5000
|
3.6.6000
|
Added policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config mac-udk access-list mac_udk_acl) # permit any any udk myUdk 10 mask 0xff
|
Related Commands
|
Notes
|
|
[seq-number <sequence-number>] {permit | deny} ip {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>
Creates a rule for IPv4 ACL.
The no form of the command deletes a rule from the IPv4 ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
{any | <source-ip> mask <ip>}
|
Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255.
|
{any | <destination-ip> mask <ip>}
|
Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP.
|
action
|
Action needs to be defined before attaching to rule
|
log
|
Enable the log option
|
counter
|
Attach a unique counter to rule
|
shared-counter
|
Attach a predefined shared-counter to rule
|
udk
|
UDK name must be set by user before the rule configuration
|
val
|
The value of the UDK (up to 4 bytes)
|
mask
|
Mask for the UDK value
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets the policer burst.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rule is added by default to access control list
Default sequence number is by increments of 10
|
Configuration Mode
|
config ipv4 acl
|
History
|
3.6.5000
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>
Creates a rule for IPv4 TCP ACL.
The no form of the command deletes a rule from the ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ip> [mask <ip>] | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ip> [mask <ip>] | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
src-port
|
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
|
eq-source <src-port>
|
TCP source port number
Range: 0-65535
|
src-port-range
|
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
|
dest-port
|
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
|
eq-destination <dest-port>
|
TCP destination port number
Range: 0-65535
|
dest-port-range
|
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
|
action
|
Action needs to be defined before attaching to rule
|
established
|
Matches flows which are in established state (“ack” or “rst” flags are set)
|
ack; urg; rst; syn; fin; psh; ns; ece; cwr
|
Matches flows with specific flag
Possible match: 0 or 1
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
udk
|
UDK name must be set by user before the rule configuration
|
val
|
The value of the UDK (up to 4 bytes)
|
mask
|
Mask for the UDK value
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets the policer burst.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rule is added by default to access control list
Default sequence number is by increments of 10
|
Configuration Mode
|
config ipv4 acl
|
History
|
3.6.5000
|
3.6.6000
|
Added ECN, TTL, DSCP, policer, and flag parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
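As an added example (not the vendor's code or documentation), the following Python builds IPv4 TCP rule lines in the form this page documents and enforces the constraints stated above: one port selector per side, "established" versus explicit flag matches, policer rate bounds and burst defaults, and sequence numbers in 1-65535 defaulting to increments of 10. Unit suffixes, UDK, ECN/TTL/DSCP and action profiles are left out, and the names `Policer`, `TcpRule` and `render_acl` belong to this example only.

```python
"""Build and validate IPv4 TCP ACL rule lines in the CLI form shown on this page.
Added example, not vendor code. It emits the rule text and refuses rules that break
the page's stated constraints; k/m/g unit suffixes are deliberately left out."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP_FLAGS = ("ack", "urg", "rst", "syn", "fin", "psh", "ns", "ece", "cwr")
DEFAULT_BURST = {"packets": 100, "bytes": 10000}  # page: the bits type has no default


def _check(ok: bool, msg: str) -> None:
    if not ok:
        raise ValueError(msg)


@dataclass
class Policer:
    kind: str                    # "bytes" | "packets" | "bits"
    rate: int                    # in the type's own unit (no k/m/g suffix)
    burst: Optional[int] = None  # None: the page's default for the type

    def cli(self) -> str:
        _check(self.kind in ("bytes", "packets", "bits"), "policer type must be bytes, packets or bits")
        _check(100 <= self.rate <= 10**12, "rate must be in 100-1000000000000")
        _check(self.kind != "bits" or self.rate >= 8000, "bits policer rate minimum is 8000 bits")
        burst = self.burst if self.burst is not None else DEFAULT_BURST.get(self.kind)
        _check(burst is not None, "a bits policer has no default burst; set one")
        # The page's "Min value: 2000 bytes" sits beside the bits case; applied to the bits burst (assumption).
        _check(self.kind != "bits" or burst >= 2000, "burst minimum is 2000")
        # The effective burst is always written so the saved config is explicit.
        return f"policer {self.kind} rate {self.rate} burst {burst}"


def _ports(key: str, single: Optional[int], rng: Optional[Tuple[int, int]]) -> List[str]:
    # Page rule: a single L4 port or a range per side, never both.
    _check(single is None or rng is None, f"{key}: choose a single port or a range, not both")
    if single is not None:
        _check(0 <= single <= 65535, f"{key} out of range 0-65535")
        return [key, str(single)]
    if rng is not None:
        _check(0 <= rng[0] <= rng[1] <= 65535, f"{key}-range needs 0 <= from <= to <= 65535")
        return [f"{key}-range", str(rng[0]), str(rng[1])]
    return []


@dataclass
class TcpRule:
    action: str                    # "permit" | "deny"
    src: str = "any"               # "any" or "<source-ip> mask <ip>"
    dst: str = "any"               # "any" or "<dest-ip> mask <ip>"
    src_port: Optional[int] = None
    src_port_range: Optional[Tuple[int, int]] = None
    dst_port: Optional[int] = None
    dst_port_range: Optional[Tuple[int, int]] = None
    established: bool = False      # ack or rst set; excludes explicit flag matches
    flags: Dict[str, int] = field(default_factory=dict)  # e.g. {"syn": 1, "ack": 0}
    policer: Optional[Policer] = None
    seq: Optional[int] = None      # None: numbered by render_acl

    def cli(self, seq: int) -> str:
        _check(self.action in ("permit", "deny"), "action must be permit or deny")
        _check(1 <= seq <= 65535, "sequence number must be in 1-65535")
        _check(not (self.established and self.flags), "'established' excludes explicit flags")
        parts = [f"seq-number {seq}", self.action, "tcp", self.src, self.dst]
        parts += _ports("src-port", self.src_port, self.src_port_range)
        parts += _ports("dest-port", self.dst_port, self.dst_port_range)
        if self.established:
            parts.append("established")
        for name, bit in self.flags.items():
            _check(name in TCP_FLAGS and bit in (0, 1), f"bad TCP flag match {name}={bit}")
            parts += [name, str(bit)]
        if self.policer:
            parts.append(self.policer.cli())
        return " ".join(parts)


def render_acl(name: str, rules: List[TcpRule]) -> List[str]:
    # Unnumbered rules get the previous number plus 10, the page's default increment
    # (that it continues from the last explicit number is an assumption).
    lines, last = [f"ipv4 access-list {name}"], 0
    for rule in rules:
        last = rule.seq if rule.seq is not None else last + 10
        lines.append("  " + rule.cli(last))
    return lines
```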
[seq-number <sequence-number>] {deny | permit} {tcp-udp | udp} {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>
Creates a rule for IPv4 TCP-UDP/UDP ACL.
The no form of the command deletes a rule from the ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ip> mask <ip> | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ip> mask <ip> | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
src-port
|
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
|
eq-source <src-port>
|
TCP-UDP/UDP source port number
Range: 0-65535
|
src-port-range
|
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
|
dest-port
|
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
|
eq-destination <dest-port>
|
TCP-UDP/UDP destination port number
Range: 0-65535
|
dest-port-range
|
Sets a range of L4 destination ports to match.
Note: User may configure either a single destination port or a range.
|
action
|
Action needs to be defined before attaching to rule
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
udk
|
UDK name must be set by user before the rule configuration
|
val
|
The value of the UDK (up to 4 bytes)
|
mask
|
Mask for the UDK value
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets the policer burst.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rule is added by default to access control list
Default sequence number is by increments of 10
|
Configuration Mode
|
config ipv4 acl
|
History
|
3.6.5000
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
[seq-number <sequence-number>] {deny | permit} icmp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>
Creates a rule for IPv4 ICMP ACL.
The no form of the command deletes a rule from the ACL.
|
Syntax Description
|
sequence-number
|
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
|
deny
|
Drop all matching traffic
|
permit
|
Allow matching traffic to pass
|
<source-ip> mask <ip> | any
|
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
|
<dest-ip> mask <ip> | any
|
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
|
eq-code
|
Matches ICMP code value
Range: 0-255
|
eq-type
|
Matches ICMP type value
Range: 0-255
|
log
|
Enables the log option
|
counter
|
Attaches a unique counter to rule
|
shared-counter
|
Attaches a predefined shared-counter to rule
|
udk
|
UDK name must be set by user before the rule configuration
|
val
|
The value of the UDK (up to 4 bytes)
|
mask
|
Mask for the UDK value
|
ecn
|
ECN ACL filter
Range: 0-3
|
ttl
|
Time to live ACL filter
Range: 0-225
|
dscp
|
DSCP ACL filter
Range: 0-63
|
policer
|
Attaches shared policer to a rule
|
bytes
|
Attaches bytes type policer
|
bits
|
Attaches bits type policer. Min value: 8000 bits.
|
packets
|
Attaches packets type policer
|
rate
|
Policer rate value
Range: 100-1000000000000
|
k | m | g
|
Specifies kilo, mega, giga
|
burst
|
Sets the policer burst.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
|
switch-priority <switch-priority_value>
|
Mapping of matched traffic to switch-priority
Range: 0-7
|
tc <tc_value>
|
Mapping of matched traffic to TC
Range: 0-7
|
Default
|
No rule is added by default to access control list
Default sequence number is by increments of 10
|
Configuration Mode
|
config ipv4 acl
|
History
|
3.6.5000
|
3.6.6000
|
Added ECN, TTL, DSCP, and policer parameters
|
3.7.0000
|
Added bits, switch-priority and tc parameters
|
Example
|
switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155
|
Related Commands
|
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
|
{ipv4 | ipv4-udk | ipv6 | mac | mac-udk} port access-group <acl-name>
no {mac | ipv4 | ipv6 | mac-udk | ipv4-udk} port access-group
Attaches an ACL table with bind-point RIF to a VLAN interface.
The no form of the command unmaps the ACL table with bind-point RIF from the VLAN interface.
|
Syntax Description
|
acl-name
|
ACL table name
|
Default
|
N/A
|
Configuration Mode
|
config interface vlan
|
History
|
3.6.5000
|
Example
|
switch (config interface vlan 10)# ipv4 port access-group ipv4_acl2
|
Related Commands
|
show access list summary
|
Notes
|
|
access-list action <action-profile-name>
no access-list action <action-profile-name>
Creates an access-list action profile and enters the action profile configuration mode.
The no form of the command deletes the action profile.
|
Syntax Description
|
action-profile-name
|
Given name for the profile
|
Default
|
N/A
|
Configuration Mode
|
config
|
History
|
3.2.0230
|
Example
|
switch (config)# access-list action my-action
|
Related Commands
|
Notes
|
access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>]
no access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>]
Configures access list logger.
The no form of the command resets the access list logger parameters.
|
Syntax Description
|
interval
|
Logging interval length in minutes
Range: 1min-24hrs
|
memory
|
Maximal number of packets to save in memory
Range: 1-3600
|
syslog
|
Maximal number of packets to show in syslog
Range: 1-3600
|
Default
|
N/A
|
Configuration Mode
|
config
|
History
|
3.6.5000
|
Example
|
switch (config)# access-list log interval 10
|
Related Commands
|
Notes
|
|
vlan-map <vid>
no vlan-map
Adds an action that maps the packet to a new VLAN (on the ingress port or VLAN).
The no form of the command removes the action to map a new VLAN.
|
Syntax Description
|
vid
|
VLAN ID
Range: 1-4094
|
Default
|
N/A
|
Configuration Mode
|
config acl action
|
History
|
3.2.0230
|
Example
|
switch (config access-list action my-action)# vlan-map 10
|
Related Commands
|
Notes
|
vlan-pop
Pops (removes) the VLAN tag from matched traffic.
|
Syntax Description
|
N/A
|
Default
|
N/A
|
Configuration Mode
|
config acl action
|
History
|
3.4.3000
|
Example
|
switch (config access-list action my-action)# vlan-pop
|
Related Commands
|
Notes
|
vlan-push <vid>
Pushes (adds) a VLAN tag onto matched traffic.
|
Syntax Description
|
vid
|
VLAN ID
Range: 1-4094
|
Default
|
N/A
|
Configuration Mode
|
config acl action
|
History
|
3.4.3000
|
Example
|
switch (config access-list action my-action)# vlan-push 10
|
Related Commands
|
Notes
|
monitor session <session_id>
Mirrors matched traffic to a monitor session.
|
Syntax Description
|
session_id
|
The monitor session.
Range: 1-3
|
Default
|
N/A
|
Configuration Mode
|
config acl action
|
History
|
3.9.3100
|
Example
|
switch (config access-list action my-action)# monitor session 1
|
Related Commands
|
show ipv4 access-lists <access-list-name>
Displays configuration of IPv4 rules in a specific table.
|
Syntax Description
|
access-list-name
|
ACL name
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.1.1400
|
3.3.4500
|
Updated example
|
3.6.6000
|
Updated example
|
Example
|
switch (config) # show ipv4 access-lists my-list
|
Related Commands
|
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
show ipv4-udk access-lists <access-list-name>
Displays configuration of IPv4 UDK rules in a specific table.
|
Syntax Description
|
access-list-name
|
ACL name
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.6.5000
|
3.6.6000
|
Updated example
|
Example
|
switch (config) # show ipv4-udk access-lists my-list
Table Type: ipv4-udk
|
Related Commands
|
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
show ipv6 access-lists <access-list-name>
Displays configuration of IPv6 rules in a specific table.
|
Syntax Description
|
access-list-name
|
ACL name
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.6.5000
|
3.6.6000
|
Updated example
|
Example
|
switch (config) # show ipv6 access-lists my-list
Table Type: ipv6
|
Related Commands
|
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
show mac access-lists <access-list-name>
Displays configuration of MAC rules in a specific table.
|
Syntax Description
|
access-list-name
|
ACL name
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.1.1400
|
3.3.4500
|
Updated example
|
3.6.6000
|
Updated example
|
Example
|
switch (config) # show mac access-lists my-list
Table Type: mac
|
Related Commands
|
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
show mac access-lists <access-list-name>
Displays configuration of MAC rules in a specific table.
|
Syntax Description
|
access-list-name
|
ACL name
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.6.8100
|
Example
|
switch (config) # show mac access-lists summary
|
Related Commands
|
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
show mac-udk access-lists <access-list-name>
Displays configuration of MAC UDK rules in a specific table.
|
Syntax Description
|
access-list-name
|
ACL name
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.6.5000
|
3.6.6000
|
Updated example
|
Example
|
switch (config) # show mac-udk access-lists my-list
Table Type: mac
|
Related Commands
|
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
|
Notes
|
show access-lists action <action-profile-name>
Displays the access-list action profiles summary.
|
Syntax Description
|
action-profile-name
|
Filter the table according to the action profile name
|
summary
|
Display summary of the action list
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.2.0230
|
3.7.1000
|
Updated example
|
3.9.3100
|
Updated example to reflect ACL-based monitoring
|
Example
|
switch (config)# show access-lists action test_action_1
|
Related Commands
|
Notes
|
show access-lists log config <action-profile-name>
Displays the access-list log configuration information.
|
Syntax Description
|
action-profile-name
|
Filter the table according to the action profile name
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.2.0230
|
3.6.8008
|
Updated example
|
Example
|
switch (config)# show access-lists log config
|
Related Commands
|
Notes
|
show {ipv4 | ipv4-udk | ipv6 | mac | mac-udk} access-lists <access-list-name> policers [name | seq-number]
Displays all configured policers on a specific ACL table.
|
Syntax Description
|
access-list-name
|
ACL name
|
name
|
Policer name filter
|
seq-number
|
Filter by sequence number
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.6.5000
|
Example
|
switch (config) # show ipv6 access-lists my-list policers
|
Related Commands
|
Notes
|
show {ipv4 | ipv4-udk | ipv6 | mac | mac-udk} access-lists <access-list-name> shared-counters
Displays all configured shared-counters on a specific ACL table.
|
Syntax Description
|
access-list-name
|
ACL name
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.6.5000
|
Example
|
switch (config mac access-list my-list) # show mac access-lists mac_acl shared-counters
|
Related Commands
|
Notes
|
|
show [ipv4 | mac | ipv6 | ipv4-udk | mac-udk] access-lists summary
Displays a summary of the number of rules per ACL and the interfaces to which each ACL is attached.
|
Syntax Description
|
N/A
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.1.1400
|
3.6.5000
|
Updated example
|
Example
|
switch (config) # show access-lists summary
|
Related Commands
|
Notes
|
show access-lists log [last <num>]
Displays the packets captured by all access list rules.
|
Syntax Description
|
num
|
Number of packets to show
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.6.5000
|
Example
|
switch (config) # show access-lists log
Log status: Normal
|
Related Commands
|
Notes
|
show access-lists log config
Displays configuration of access-list logger.
|
Syntax Description
|
N/A
|
Default
|
N/A
|
Configuration Mode
|
Any command mode
|
History
|
3.6.5000
|
Example
|
switch (config) # show access-lists log config
|
Related Commands
|
Notes