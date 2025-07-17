
ACL Commands
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list <acl-name>
no {ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list <acl-name>
Creates an ACL table and enters its configuration mode.
The no form of the command deletes the ACL table.
Syntax Description
ipv4 | mac
IPv4 or MAC – access list
acl-name
User-defined string for the ACL
Default
No ACL available by default.
Configuration Mode
config
History
3.1.1400
3.6.5000
Added ipv6, ipv4-udk, and mac-udk parameters
Example
switch (config)# mac access-list my-mac-list
Related Commands
ipv4/port access-group
Notes
policer <policer_name> {bits|bytes|packets} rate <rate_value> [k|m|g] [burst <burst_value> [k|m|g]]
no policer <policer_name>
Creates a new shared-policer that can be bound to rules on this table.
The no form of the command removes the policer.
Syntax Description
rate_value
Policer rate value (of the bits, bytes, or packets)
Default is bits
burst_value
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
k, m, g
Rate/burst value units: kilo, mega, or giga—not mandatory.
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value: 100-1000000000000
Default
Disabled
Configuration Mode
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
History
3.6.5000
Example
switch (config mac access-list my-mac-list) # policer myPolicer packets rate 1000
Related Commands
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
Notes
bind-point rif
no bind-point rif
Changes the ACL table bind point from L2 port mode to L3 port.
The no form of the command resets this parameter to its default.
Syntax Description
N/A
Default
L2 port
Configuration Mode
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
History
3.6.5000
Example
switch (config mac access-list my-mac-list)# bind-point rif
Related Commands
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
Notes
[<seq-number>] remark <string>
no [<seq-number>] remark <string>
Creates a remark rule from an ACL table.
The no form of the command deletes a remark rule from an ACL table.
Syntax Description
N/A
Default
N/A
Configuration Mode
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
History
3.6.5000
Example
switch (config mac access-list my-mac-list)# remark "1st group"
Related Commands
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
Notes
shared-counter <counter-name>
no shared-counter <counter-name>
Creates a shared counter.
The no form of the command deletes a shared counter.
Syntax Description
counter-name
Shared counter name
Default
N/A
Configuration Mode
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
History
3.6.5000
Example
switch (config mac access-list my-mac-list)# shared-counter myCounter
Related Commands
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
Notes
clear shared-counters [<counter-name>]
Resets all shared counters in ACL table or a specific shared counter.
Syntax Description
counter-name
Shared counter name
Default
N/A
Configuration Mode
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
History
3.6.5000
Example
switch (config mac access-list my-mac-list)# clear shared-counters
Related Commands
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter
Notes
clear counters [<seq-number>]
Resets all counters (including shared counters) in ACL table or a specific counter.
Syntax Description
seq-number
The sequence number of the rule whose counter to reset
Default
N/A
Configuration Mode
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
History
3.6.5000
Example
switch (config mac access-list my-mac-list)# clear counters 10
Related Commands
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter
Notes
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list clear counters
Resets all counters (including shared counters) on all ACL tables of the same type.
Syntax Description
N/A
Default
N/A
Configuration Mode
config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list
History
3.6.5000
Example
switch (config)# ipv4 access-list clear counters
Related Commands
ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter
Notes
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} port access-group <acl-name>
no {ipv4 | ipv6 | mac | ipv4-udk | mac-udk} port access-group <acl-name>
Binds an ACL to the interface.
The no form of the command unbinds the ACL from the interface.
Syntax Description
ipv4 | mac
IPv4 or MAC – access list
acl-name
ACL name
Default
No ACL is bound by default.
Configuration Mode
config interface ethernet
config interface port-channel
config interface mlag-port-channel
config interface vlan
History
3.1.1400
3.3.4500
Added MPO configuration mode
3.6.5000
Added new parameters
Example
switch (config interface ethernet 1/1) # mac port access-group my-list
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
Notes
The access control list should be defined prior to the binding action.
[seq-number <sequence-number>] {permit | deny} ip {<source-mac> mask <mac_mask> | any} {<dest-mac> mask <mac_mask> | any} [protocol <protocol_num>] [cos <cos>] [vlan <vlan_id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter | shared-counter <name>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a rule for MAC ACL.
The no form of the command deletes a rule from the MAC ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-mac> mask <mac_mask> | any
Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.
<dest-mac> mask <mac_mask> | any
Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.
protocol
Sets the Ethertype field value from the MAC address
Range: 0x0000-0xffff
cos
Sets the COS (priority bit) field
Range: 0-7
vlan <vlan_id>
Sets the VLAN ID field
Range: 1-4094
vlan-mask <vlan-mask>
Sets VLAN group
Range: 0x0000-0x0FFF
action
Action name (free string)
log
Enable the log option
counter
Attach a unique counter to rule
shared-counter
Attach a predefined shared-counter to rule
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config mac acl
History
3.1.1400
3.3.4500
Added vlan-mask parameter
3.5.1000
Updated seq-number parameter
3.6.5000
Added log, counter, and shared-counter parameters
3.6.6000
Added policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config mac access-list my-list) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
[seq-number <sequence-number>] {permit | deny} ip {<source-ip> mask <ip> | [any]} {<dest-ip> mask <ip> | [any]} [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a rule for IPv4 ACL.
The no form of the command deletes a rule from the IPv4 ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
{any | <source-ip> mask <ip>}
Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255.
{any | <destination-ip> mask <ip>}
Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP.
action
Action needs to be defined before attaching to rule
log
Enable the log option
counter
Attach a unique counter to rule
shared-counter
Attach a predefined shared-counter to rule
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-3
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv4 acl
History
3.1.1400
3.3.4302
Updated syntax description of mask <ip> parameter
3.5.1000
Updated seq-number parameter
3.6.5000
Added log, counter, and shared-counter parameters
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority, and tc parameters
Example
switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a rule for IPv4 TCP ACL.
The no form of the command deletes a rule from the ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ip> mask <ip> | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ip> mask <ip> | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
src-port
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
eq-source <src-port>
TCP source port number
Range: 0-65535
src-port-range
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
dest-port
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
eq-destination <dest-port>
TCP destination port number
Range: 0-65535
dest-port-range
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
action
Action needs to be defined before attaching to rule
established
Matches flows which are in established state (“ack” or “rst” flags are set)
ack; urg; rst; syn; fin; psh; ns; ece; cwr
Matches flows with specific flag
Possible match: 0 or 1
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv4 acl
History
3.1.1400
3.5.1000
Updated seq-number parameter
3.6.5000
Updated command syntax
3.6.6000
Added ECN, TTL, DSCP, policer, and extra flag parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
[seq-number <sequence-number>] {deny | permit} {tcp-udp | udp} {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a rule for IPv4 TCP-UDP/UDP ACL.
The no form of the command deletes a rule from the ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ip> mask <ip> | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ip> mask <ip> | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
src-port
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
eq-source <src-port>
TCP-UDP/UDP source port number
Range: 0-65535
src-port-range
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
dest-port
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
eq-destination <dest-port>
TCP-UDP/UDP destination port number
Range: 0-65535
dest-port-range
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
action
Action needs to be defined before attaching to rule
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv4 acl
History
3.1.1400
3.5.1000
Updated seq-number parameter
3.6.5000
Updated command syntax
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
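Added example, not part of the vendor documentation: a Python pre-deployment check that applies the ranges and either/or constraints documented above for IPv4 TCP and TCP-UDP/UDP rules to a candidate rule line before it is entered on the switch. The name `lint_rule`, the use of the 0-65535 port range for every port form, and the from <= to check on port ranges are assumptions; `ttl` and `policer` arguments are not checked.

```python
import ipaddress

# Ranges copied from the syntax descriptions on this page.
RANGES = {"ecn": (0, 3), "dscp": (0, 63), "switch-priority": (0, 7), "tc": (0, 7)}
SEQ_RANGE = (1, 65535)
PORT_RANGE = (0, 65535)  # stated for eq-source/eq-destination; assumed for the other port forms
TCP_FLAGS = {"ack", "urg", "rst", "syn", "fin", "psh", "ns", "ece", "cwr"}
SRC_FORMS = {"src-port", "eq-source", "src-port-range"}
DST_FORMS = {"dest-port", "eq-destination", "dest-port-range"}


def _num(tok, lo, hi, what, findings):
    """Parse tok as an integer and record a finding if it is not in [lo, hi]."""
    try:
        val = int(tok)
    except (TypeError, ValueError):
        findings.append(f"{what}: expected a number, got {tok!r}")
        return None
    if not lo <= val <= hi:
        findings.append(f"{what}: {val} outside {lo}-{hi}")
    return val


def _address(toks, i, side, findings):
    """Consume 'any' or '<ip> mask <ip>' at toks[i]; return the next index."""
    if i < len(toks) and toks[i] == "any":
        return i + 1
    if i + 2 < len(toks) and toks[i + 1] == "mask":
        for tok in (toks[i], toks[i + 2]):
            try:
                ipaddress.IPv4Address(tok)
            except ValueError:
                findings.append(f"{side}: {tok!r} is not a dotted IPv4 value")
        return i + 3
    findings.append(f"{side}: expected 'any' or '<ip> mask <ip>'")
    return len(toks)


def lint_rule(line):
    """Return a list of findings for one IPv4 tcp / tcp-udp / udp rule line."""
    findings, toks, i = [], line.split(), 0
    if toks[:1] == ["seq-number"]:
        _num(toks[1] if len(toks) > 1 else None, *SEQ_RANGE, "seq-number", findings)
        i = 2
    if toks[i:i + 1] not in (["permit"], ["deny"]):
        return findings + ["expected 'permit' or 'deny'"]
    proto = toks[i + 1] if i + 1 < len(toks) else None
    if proto not in ("tcp", "tcp-udp", "udp"):
        return findings + [f"protocol {proto!r} is not covered by this check"]
    i = _address(toks, i + 2, "source", findings)
    i = _address(toks, i, "destination", findings)

    seen = []
    while i < len(toks):
        key = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        seen.append(key)
        if key in ("src-port", "eq-source", "dest-port", "eq-destination"):
            _num(arg, *PORT_RANGE, key, findings)
            i += 2
        elif key in ("src-port-range", "dest-port-range"):
            lo = _num(arg, *PORT_RANGE, key, findings)
            hi = _num(toks[i + 2] if i + 2 < len(toks) else None, *PORT_RANGE, key, findings)
            if lo is not None and hi is not None and lo > hi:  # assumed ordering
                findings.append(f"{key}: from {lo} is greater than to {hi}")
            i += 3
        elif key in RANGES:
            _num(arg, *RANGES[key], key, findings)
            i += 2
        elif key in TCP_FLAGS or key == "established":
            if proto != "tcp":
                findings.append(f"{key}: not in the tcp-udp/udp rule syntax")
            if key in TCP_FLAGS:
                _num(arg, 0, 1, key, findings)
                i += 2
            else:
                i += 1
        elif key in ("action", "shared-counter"):
            if arg is None:
                findings.append(f"{key}: missing name")
            i += 2
        elif key == "ttl":
            i += 2  # consumed only: the page lists different ttl ranges per section
        elif key in ("log", "counter"):
            i += 1
        elif key == "policer":
            break  # policer arguments are outside the scope of this example
        else:
            findings.append(f"unrecognised token {key!r}; parsing stopped")
            break

    for forms, label in ((SRC_FORMS, "source port"), (DST_FORMS, "destination port")):
        used = [k for k in seen if k in forms]
        if len(used) > 1:
            findings.append(f"{label}: only one of {', '.join(used)} may be used")
    if "counter" in seen and "shared-counter" in seen:
        findings.append("counter and shared-counter are alternatives")
    if "established" in seen and TCP_FLAGS & set(seen):
        findings.append("established cannot be combined with explicit flag matches")
    return findings
```

Both rule examples printed on this page pass the check with no findings; the tool reads rule text only and does not contact a switch.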
[seq-number <sequence-number>] {deny | permit} icmp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a rule for IPv4 ICMP ACL.
The no form of the command deletes a rule from the ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ip> mask <ip> | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ip> mask <ip> | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
eq-code
Matches ICMP code value. Range: 0-255.
eq-type
Matches ICMP type value. Range: 0-255.
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
ecn
ECN ACL filter. Value: 0-3.
ttl
Time to live ACL filter. Value: 0-225.
dscp
DSCP ACL filter. Value: 0-63.
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv4 acl
History
3.1.1400
3.5.1000
Updated seq-number parameter
3.6.2002
Added ICMP parameters
3.6.5000
Updated command syntax
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
[seq-number <sequence-number>] {permit | deny} ip {<src-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<src-ipv6>/<mask-len> | any
Sets source IP and optionally sets a mask for that IP address. The parameter “any” ignores the source IP.
<dest-ipv6>/<mask-len> | any
Sets destination IP and optionally sets a mask for that IP. The parameter “any” ignores the destination IP.
action
Action needs to be defined before attaching to rule
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv6 acl
History
3.6.5000
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv6 access-list my-list) # permit ip 2:2::/32 any
Related Commands
Notes
[seq-number <sequence-number>] {permit | deny} tcp {<source-ipv6> /<mask-len> | any} {<dest-ipv6> /<mask-len> | any} [src-port <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | dest-port-range <from> <to>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ipv6> /<mask-len> | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ipv6> /<mask-len> | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
src-port
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
src-port-range
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
dest-port
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
dest-port-range
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
action
Action needs to be defined before attaching to rule
established
Matches flows which are in established state (“ack” or “rst” flags are set)
ack; urg; rst; syn; fin; psh; ns; ece; cwr
Matches flows with specific flag
Possible match: 0 or 1
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv6 acl
History
3.6.5000
3.6.6000
Added ECN, TTL, DSCP, policer, and flag parameters
3.7.0000
Added bits, switch-priority, and tc parameters
Example
switch (config ipv6 access-list my-list) # permit tcp any 10:10:12::/48
Related Commands
Notes
[seq-number <sequence-number>] {permit | deny} {tcp-udp | udp} {<source-ipv6> /<mask-len> | any} {<dest-ipv6> /<mask-len> | any} [src-port <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | dest-port-range <from> <to>] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ipv6> /<mask-len> | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ipv6> /<mask-len> | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
src-port
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
src-port-range
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
dest-port
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
dest-port-range
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
action
Action needs to be defined before attaching to rule
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv6 acl
History
3.6.5000
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv6 access-list my-list) # permit udp 2:2::/32 10:10:12::/48
Related Commands
Notes
[seq-number <sequence-number>] {permit | deny} icmpv6 {<source-ipv6> /<mask-len> | any} {<dest-ipv6> /<mask-len> | any} [code <icmp-code>] [type <icmp-type>] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ipv6> /<mask-len> | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ipv6> /<mask-len> | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
eq-code
Matches ICMP code value
Range: 0-255
eq-type
Matches ICMP type value
Range: 0-255
action
Action needs to be defined before attaching to rule
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv6 acl
History
3.6.5000
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority, and tc parameters
Example
switch (config ipv6 access-list my-list) # permit icmpv6 any any eq-code 10 eq-type 155
Related Commands
Notes
[seq-number <sequence-number>] {deny | permit} {<source-mac> mask <mac-mask> | any} {<dest-mac> mask <mac-mask> | any} [protocol <protocol-num>] [cos <cos>] [vlan <vlan-id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a MAC-UDK ACL rule.
The no form of the command deletes a rule from MAC UDK ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-mac> mask <mac-mask> | any
Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.
<dest-mac> mask <mac-mask> | any
Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.
protocol
Sets the Ethertype field value from the MAC address
Range: 0x0000-0xffff
cos
Sets the COS (priority bit) field
Range: 0-7
vlan <vlan-id>
Sets the VLAN ID field
Range: 1-4094
vlan-mask <vlan-mask>
Sets VLAN group
Range: 0x0000-0x0FFF
action
Action name (free string)
log
Enable the log option
counter
Attach a unique counter to rule
shared-counter
Attach a predefined shared-counter to rule
udk
UDK name must be set by user before the rule configuration
val
The value of the UDK (up to 4 bytes)
mask
Mask for the UDK value
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config mac-udk acl
History
3.6.5000
3.6.6000
Added policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config mac-udk access-list mac_udk_acl) # permit any any udk myUdk 10 mask 0xff
Related Commands
Notes
[seq-number <sequence-number>] {permit | deny} ip {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>
Creates a rule for IPv4 ACL.
The no form of the command deletes a rule from the IPv4 ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
{any | <source-ip> mask <ip>}
Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255.
{any | <destination-ip> mask <ip>}
Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP.
action
Action needs to be defined before attaching to rule
log
Enable the log option
counter
Attach a unique counter to rule
shared-counter
Attach a predefined shared-counter to rule
udk
UDK name must be set by user before the rule configuration
val
The value of the UDK (up to 4 bytes)
mask
Mask for the UDK value
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv4 acl
History
3.6.5000
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a rule for IPv4 TCP ACL.
The no form of the command deletes a rule from the ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ip> [mask <ip>] | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ip> [mask <ip>] | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
src-port
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
eq-source <src-port>
TCP source port number
Range: 0-65535
src-port-range
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
dest-port
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
eq-destination <dest-port>
TCP destination port number
Range: 0-65535
dest-port-range
Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range
action
Action needs to be defined before attaching to rule
established
Matches flows which are in established state (“ack” or “rst” flags are set)
ack; urg; rst; syn; fin; psh; ns; ece; cwr
Matches flows with specific flag
Possible match: 0 or 1
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
udk
UDK name must be set by user before the rule configuration
val
The value of the UDK (up to 4 bytes)
mask
Mask for the UDK value
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv4 acl
History
3.6.5000
3.6.6000
Added ECN, TTL, DSCP, policer, and flag parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
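A pre-deployment check for the IPv4 TCP rule syntax above, as an added example that is not part of the vendor documentation or tooling. It flags values outside the documented ranges and keyword combinations the syntax marks as alternatives. The function name, the sample lines other than the page's own example, and the from <= to ordering for port ranges are assumptions.

```python
# Added example: lint IPv4 TCP ACL rule lines against the limits on this page.
RANGES = {  # keyword -> (min, max), from the Syntax Description above
    "seq-number": (1, 65535),
    "src-port": (0, 65535), "eq-source": (0, 65535),
    "dest-port": (0, 65535), "eq-destination": (0, 65535),
    "ecn": (0, 3), "dscp": (0, 63),
}
PORT_RANGES = ("src-port-range", "dest-port-range")
FLAGS = ("ack", "urg", "rst", "syn", "fin", "psh", "ns", "ece", "cwr")
TAKES_NAME = ("action", "shared-counter")  # next token is a user-chosen name
EXCLUSIVE = [  # at most one keyword from each group may appear in a rule
    ("src-port", "eq-source", "src-port-range"),
    ("dest-port", "eq-destination", "dest-port-range"),
    ("counter", "shared-counter"),
]


def _int(tok):
    return int(tok) if tok.isdigit() else None


def lint_tcp_rule(line):
    """Return a list of problems found in one 'permit|deny tcp ...' line."""
    tok = line.split()
    seen, problems = [], []
    i = 0
    while i < len(tok):
        kw, args = tok[i], tok[i + 1:i + 3]
        if kw in RANGES:
            lo, hi = RANGES[kw]
            val = _int(args[0]) if args else None
            if val is None or not lo <= val <= hi:
                problems.append(f"{kw}: expected {lo}-{hi}")
            step = 2
        elif kw in PORT_RANGES:
            ends = [_int(a) for a in args]
            # Assumption: <from> must not exceed <to>.
            if len(ends) < 2 or None in ends or not 0 <= ends[0] <= ends[1] <= 65535:
                problems.append(f"{kw}: expected <from> <to> in 0-65535, from <= to")
            step = 3
        elif kw in FLAGS:
            if not args or args[0] not in ("0", "1"):
                problems.append(f"{kw}: expected 0 or 1")
            step = 2
        elif kw in TAKES_NAME:
            step = 2
        elif kw in ("established", "counter"):
            step = 1
        else:
            i += 1  # addresses, masks and keywords not checked here
            continue
        seen.append(kw)
        i += step
    for group in EXCLUSIVE:
        used = [k for k in group if k in seen]
        if len(used) > 1:
            problems.append("mutually exclusive: " + ", ".join(used))
    if "established" in seen and any(f in seen for f in FLAGS):
        problems.append("established cannot be combined with explicit flags")
    return problems


# The first line is the page's own example; the rest are constructed samples.
SAMPLES = [
    "permit tcp any any src-port 200 dest-port-range 200 400 established",
    "seq-number 70000 deny tcp any any eq-destination 22 dscp 64",
    "permit tcp any any src-port 80 eq-source 80",
    "permit tcp any any established syn 1",
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "->", lint_tcp_rule(rule) or "ok")
```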
[seq-number <sequence-number>] {deny | permit} {tcp-udp | udp} {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a rule for IPv4 TCP-UDP/UDP ACL.
The no form of the command deletes a rule from the ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ip> mask <ip> | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ip> mask <ip> | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
src-port
L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source
eq-source <src-port>
TCP-UDP/UDP source port number
Range: 0-65535
src-port-range
Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range
dest-port
L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination
eq-destination <dest-port>
TCP-UDP/UDP destination port number
Range: 0-65535
dest-port-range
Sets a range of L4 destination ports to match.
Note: User may configure either a single destination port or a range.
action
Action needs to be defined before attaching to rule
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
udk
UDK name must be set by user before the rule configuration
val
The value of the UDK (up to 4 bytes)
mask
Mask for the UDK value
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv4 acl
History
3.6.5000
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
[seq-number <sequence-number>] {deny | permit} icmp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>
Creates a rule for IPv4 ICMP ACL.
The no form of the command deletes a rule from the ACL.
Syntax Description
sequence-number
Optional parameter to set a specific sequence number for the rule
Range: 1-65535
deny
Drop all matching traffic
permit
Allow matching traffic to pass
<source-ip> mask <ip> | any
Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.
<dest-ip> mask <ip> | any
Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.
eq-code
Matches ICMP code value
Range: 0-255
eq-type
Matches ICMP type value
Range: 0-255
log
Enables the log option
counter
Attaches a unique counter to rule
shared-counter
Attaches a predefined shared-counter to rule
udk
UDK name must be set by user before the rule configuration
val
The value of the UDK (up to 4 bytes)
mask
Mask for the UDK value
ecn
ECN ACL filter
Range: 0-3
ttl
Time to live ACL filter
Range: 0-225
dscp
DSCP ACL filter
Range: 0-63
policer
Attaches shared policer to a rule
bytes
Attaches bytes type policer
bits
Attaches bits type policer. Min value: 8000 bits.
packets
Attaches packets type policer
rate
Policer rate value
Range: 100-1000000000000
k | m | g
Specifies kilo, mega, giga
burst
Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.
switch-priority <switch-priority_value>
Mapping of matched traffic to switch-priority
Range: 0-7
tc <tc_value>
Mapping of matched traffic to TC
Range: 0-7
Default
No rule is added by default to access control list
Default sequence number is by increments of 10
Configuration Mode
config ipv4 acl
History
3.6.5000
3.6.6000
Added ECN, TTL, DSCP, and policer parameters
3.7.0000
Added bits, switch-priority and tc parameters
Example
switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155
Related Commands
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
{ipv4 | ipv4-udk | ipv6 | mac | mac-udk} port access-group <acl-name>
no {mac | ipv4 | ipv6 | mac-udk | ipv4-udk} port access-group
Attaches an ACL table with bind-point RIF to a VLAN interface.
The no form of the command unmaps the ACL table with bind-point RIF from a VLAN interface.
Syntax Description
acl-name
ACL table name
Default
N/A
Configuration Mode
config interface vlan
History
3.6.5000
Example
switch (config interface vlan 10)# ipv4 port access-group ipv4_acl2
Related Commands
show access list summary
Notes
access-list action <action-profile-name>
no access-list action <action-profile-name>
Creates an access-list action profile and enters the action profile configuration mode.
The no form of the command deletes the action profile.
Syntax Description
action-profile-name
Given name for the profile
Default
N/A
Configuration Mode
config
History
3.2.0230
Example
switch (config)# access-list action my-action
Related Commands
Notes
access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>]
no access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>]
Configures access list logger.
The no form of the command resets parameters for access list logger.
Syntax Description
interval
Logging interval length in minutes
Range: 1min-24hrs
memory
Maximal number of packets to save in memory
Range: 1-3600
syslog
Maximal number of packets to show in syslog
Range: 1-3600
Default
N/A
Configuration Mode
config
History
3.6.5000
Example
switch (config)# access-list log interval 10
Related Commands
Notes
vlan-map <vid>
no vlan-map
Adds action to map a new VLAN to the packet (in the ingress port or VLAN).
The no form of the command removes the action to map a new VLAN.
Syntax Description
vid
VLAN ID
Range: 1-4094
Default
N/A
Configuration Mode
config acl action
History
3.2.0230
Example
switch (config access-list action my-action)# vlan-map 10
Related Commands
Notes
vlan-pop
Pops VLAN frames from traffic.
Syntax Description
N/A
Default
N/A
Configuration Mode
config acl action
History
3.4.3000
Example
switch (config access-list action my-action)# vlan-pop
Related Commands
Notes
vlan-push <vid>
Pushes (or adds) VLAN frames to traffic.
Syntax Description
vid
VLAN ID
Range: 1-4094
Default
N/A
Configuration Mode
config acl action
History
3.4.3000
Example
switch (config access-list action my-action)# vlan-push 10
Related Commands
Notes
monitor session <session_id>
Mirrors traffic to monitor session.
Syntax Description
session_id
The monitor session.
Range: 1-3
Default
N/A
Configuration Mode
config acl action
History
3.9.3100
Example
switch (config access-list action my-action)# monitor session 1
Related Commands
show ipv4 access-lists <access-list-name>
Displays configuration of IPv4 rules in a specific table.
Syntax Description
access-list-name
ACL name
Default
N/A
Configuration Mode
Any command mode
History
3.1.1400
3.3.4500
Updated example
3.6.6000
Updated example
Example
switch (config) # show ipv4 access-lists my-list
Related Commands
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
show ipv4-udk access-lists <access-list-name>
Displays configuration of IPv4 UDK rules in a specific table.
Syntax Description
access-list-name
ACL name
Default
N/A
Configuration Mode
Any command mode
History
3.6.5000
3.6.6000
Updated example
Example
switch (config) # show ipv4-udk access-lists my-list
Table Type: ipv4-udk
Related Commands
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
show ipv6 access-lists <access-list-name>
Displays configuration of IPv6 rules in a specific table.
Syntax Description
access-list-name
ACL name
Default
N/A
Configuration Mode
Any command mode
History
3.6.5000
3.6.6000
Updated example
Example
switch (config) # show ipv6 access-lists my-list
Table Type: ipv6
Related Commands
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
show mac access-lists <access-list-name>
Displays configuration of MAC rules in a specific table.
Syntax Description
access-list-name
ACL name
Default
N/A
Configuration Mode
Any command mode
History
3.1.1400
3.3.4500
Updated example
3.6.6000
Updated example
Example
switch (config) # show mac access-lists my-list
Table Type: mac
Related Commands
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
show mac-udk access-lists <access-list-name>
Displays configuration of MAC UDK rules in a specific table.
Syntax Description
access-list-name
ACL name
Default
N/A
Configuration Mode
Any command mode
History
3.6.5000
3.6.6000
Updated example
Example
switch (config) # show mac-udk access-lists my-list
Table Type: mac
Related Commands
deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Notes
show access-lists action <action-profile-name>
Displays the access-list action profiles summary.
Syntax Description
action-profile-name
Filter the table according to the action profile name
summary
Display summary of the action list
Default
N/A
Configuration Mode
Any command mode
History
3.2.0230
3.7.1000
Updated example
3.9.3100
Updated example to reflect ACL-based monitoring
Example
switch (config)# show access-lists action test_action_1
Related Commands
Notes
show access-lists log config <action-profile-name>
Displays the access-list log configuration information.
Syntax Description
action-profile-name
Filter the table according to the action profile name
Default
N/A
Configuration Mode
Any command mode
History
3.2.0230
3.6.8008
Updated example
Example
switch (config)# show access-lists log config
Related Commands
Notes
show {ipv4 | ipv4-udk | ipv6 | mac | mac-udk} access-lists <access-list-name> policers [name | seq-number]
Displays all configured policers on a specific ACL table.
Syntax Description
access-list-name
ACL name
name
Policer name filter
seq-number
Filter by sequence number
Default
N/A
Configuration Mode
Any command mode
History
3.6.5000
Example
switch (config) # show ipv6 access-lists my-list policers
Related Commands
Notes
show {ipv4 | ipv4-udk | ipv6 | mac | mac-udk} access-lists <access-list-name> shared-counters
Displays all configured shared-counters on a specific ACL table.
Syntax Description
access-list-name
ACL name
Default
N/A
Configuration Mode
Any command mode
History
3.6.5000
Example
switch (config mac access-list my-list) # show mac access-lists mac_acl shared-counters
Related Commands
Notes
show [ipv4 | mac | ipv6 | ipv4-udk | mac-udk] access-lists summary
Displays a summary of the number of rules per ACL and the interfaces attached.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.1.1400
3.6.5000
Updated example
Example
switch (config) # show access-lists summary
Related Commands
Notes
show access-lists log [last <num>]
Displays captured packets on all access list rules.
Syntax Description
num
Number of packets to show
Default
N/A
Configuration Mode
Any command mode
History
3.6.5000
Example
switch (config) # show access-lists log
Log status: Normal
Related Commands
Notes
show access-lists log config
Displays configuration of access-list logger.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.6.5000
Example
switch (config) # show access-lists log config
Related Commands
Notes