ACL Commands
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list <acl-name> Creates an ACL table and enters its configuration mode. | ||
Syntax Description | ipv4 | ipv6 | mac | ipv4-udk | mac-udk | Type of access list to create: IPv4, IPv6, MAC, IPv4 UDK, or MAC UDK |
acl-name | User-defined string for the ACL | |
Default | No ACL available by default. | |
Configuration Mode | config | |
History | 3.1.1400 | |
3.6.5000 | Added ipv6, ipv4-udk, and mac-udk parameters | |
Example | switch (config)# mac access-list my-mac-list | |
Related Commands | ipv4/port access-group | |
Notes |
|
policer <policer_name> {bits|bytes|packets} rate <rate_value> [k|m|g] [burst <burst_value> [k|m|g]] Creates a new shared-policer that can be bound to rules on this table. | ||
Syntax Description | rate_value | Policer rate value, in the selected unit (bits, bytes, or packets). The default unit is bits. |
burst_value | Sets burst to policer. | |
k, m, g | Rate/burst value units: kilo, mega, or giga (optional). | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value: 100-1000000000000 | |
Default | Disabled | |
Configuration Mode | config mac access-list | |
History | 3.6.5000 | |
Example | switch (config mac access-list my-mac-list) # policer myPolicer packets rate 1000 | |
Related Commands | ipv4/ipv6/mac/ipv4-udk/mac-udk access-list | |
Notes |
|
bind-point rif Changes the ACL table bind point from L2 port mode to L3 port. | ||
Syntax Description | N/A | |
Default | L2 port | |
Configuration Mode | config mac access-list | |
History | 3.6.5000 | |
Example | switch (config mac access-list my-mac-list)# bind-point rif | |
Related Commands | ipv4/ipv6/mac/ipv4-udk/mac-udk access-list | |
Notes |
|
[<seq-number>] remark <string> Creates a remark rule from an ACL table. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config mac access-list | |
History | 3.6.5000 | |
Example | switch (config mac access-list my-mac-list)# remark "1st group" | |
Related Commands | ipv4/ipv6/mac/ipv4-udk/mac-udk access-list | |
Notes |
|
shared-counter <counter-name> Creates a shared counter. | ||
Syntax Description | counter-name | Shared counter name |
Default | N/A | |
Configuration Mode | config mac access-list | |
History | 3.6.5000 | |
Example | switch (config mac access-list my-mac-list)# shared-counter myCounter | |
Related Commands | ipv4/ipv6/mac/ipv4-udk/mac-udk access-list | |
Notes |
|
clear shared-counters [<counter-name>] Resets all shared counters in ACL table or a specific shared counter. | ||
Syntax Description | counter-name | Shared counter name |
Default | N/A | |
Configuration Mode | config mac access-list | |
History | 3.6.5000 | |
Example | switch (config mac access-list my-mac-list)# clear shared-counters | |
Related Commands | ipv4/ipv6/mac/ipv4-udk/mac-udk access-list | |
Notes |
clear counters [<seq-number>] Resets all counters (including shared counters) in ACL table or a specific counter. | ||
Syntax Description | seq-number | The sequence number of the rule whose counter to reset |
Default | N/A | |
Configuration Mode | config mac access-list | |
History | 3.6.5000 | |
Example | switch (config mac access-list my-mac-list)# clear counters 10 | |
Related Commands | ipv4/ipv6/mac/ipv4-udk/mac-udk access-list | |
Notes |
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list clear counters Resets all counters (including shared counters) on all ACL tables of the same type. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config mac access-list | |
History | 3.6.5000 | |
Example | switch (config)# ipv4 access-list clear counters | |
Related Commands | ipv4/ipv6/mac/ipv4-udk/mac-udk access-list | |
Notes |
{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} port access-group <acl-name> Binds an ACL to the interface. | ||
Syntax Description | ipv4 | ipv6 | mac | ipv4-udk | mac-udk | Type of access list to bind: IPv4, IPv6, MAC, IPv4 UDK, or MAC UDK |
acl-name | ACL name | |
Default | No ACL is bound by default. | |
Configuration Mode | config interface ethernet | |
History | 3.1.1400 | |
3.3.4500 | Added MPO configuration mode | |
3.6.5000 | Added new parameters | |
Example | switch (config interface ethernet 1/1) # mac port access-group my-list | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes | The access control list should be defined prior to the binding action |
[seq-number <sequence-number>] {permit | deny} ip {<source-mac> mask <mac_mask> | any} {<dest-mac> mask <mac_mask> | any} [protocol <protocol_num>] [cos <cos>] [vlan <vlan_id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter | shared-counter <name>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for MAC ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-mac> mask <mac_mask> | any | Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC. | |
<dest-mac> mask <mac_mask> | any | Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC. | |
protocol | Sets the Ethertype field value (from the Ethernet header) that the rule matches | |
cos | Sets the COS (priority bit) field | |
vlan <vlan_id> | Sets the VLAN ID field | |
vlan-mask <vlan-mask> | Sets VLAN group | |
action | Action name (free string) | |
log | Enable the log option | |
counter | Attach a unique counter to rule | |
shared-counter | Attach a predefined shared-counter to rule | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value: 100-1000000000000 | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config mac acl | |
History | 3.1.1400 | |
3.3.4500 | Added vlan-mask parameter | |
3.5.1000 | Updated seq-number parameter | |
3.6.5000 | Added log, counter, and shared-counter parameters | |
3.6.6000 | Added policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config mac access-list my-list) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80 | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes |
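The following configuration session, added here as an illustration and not taken from the original reference, strings the table-level commands above together into one MAC ACL: create the table, add a remark, a packet policer and a shared counter, add explicitly sequenced rules, and bind the result to a port. The names my-mac-list, vlan6-policer and drop-count, the MAC addresses and the port ethernet 1/1 are constructed for the example; the `exit` and `interface ethernet 1/1` commands used to reach interface configuration mode are assumed from the prompt shown in the port access-group example rather than documented on this page.

```console
switch (config)# mac access-list my-mac-list
switch (config mac access-list my-mac-list)# remark "VLAN 6 station filtering"
switch (config mac access-list my-mac-list)# policer vlan6-policer packets rate 1000 burst 200
switch (config mac access-list my-mac-list)# shared-counter drop-count
switch (config mac access-list my-mac-list)# seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 log shared-counter drop-count
switch (config mac access-list my-mac-list)# seq-number 20 permit aa:bb:cc:00:00:00 mask ff:ff:ff:00:00:00 any vlan 6 counter policer vlan6-policer
switch (config mac access-list my-mac-list)# seq-number 30 deny any any vlan 6 log shared-counter drop-count
switch (config mac access-list my-mac-list)# exit
switch (config)# interface ethernet 1/1
switch (config interface ethernet 1/1)# mac port access-group my-mac-list
```

Rule 10 pins one station with a full ff:ff:ff:ff:ff:ff mask, rule 20 admits a three-octet vendor prefix by masking only the first three octets and rate-limits it through the shared policer, and rule 30 catches everything else in VLAN 6. Rules 10 and 30 feed the same shared counter, so `clear shared-counters drop-count` in the list's configuration mode resets the drop total for both, while rule 20's `counter` keyword gives it a counter of its own. The example assumes rules are evaluated in sequence-number order with the first match deciding, which is why the catch-all deny carries the highest number; the binding comes last because, as the Notes for port access-group say, the list must exist before it is bound.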
|
[seq-number <sequence-number>] {permit | deny} ip {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for IPv4 ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
{any | <source-ip> mask <ip>} | Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255. | |
{any | <destination-ip> mask <ip>} | Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP. | |
action | Action needs to be defined before attaching to rule | |
log | Enable the log option | |
counter | Attach a unique counter to rule | |
shared-counter | Attach a predefined shared-counter to rule | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value: 100-1000000000000 | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv4 acl | |
History | 3.1.1400 | |
3.3.4302 | Updated syntax description of mask <ip> parameter | |
3.5.1000 | Updated seq-number parameter | |
3.6.5000 | Added log, counter, and shared-counter parameters | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority, and tc parameters | |
Example | switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes |
|
[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for IPv4 TCP ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ip> mask <ip> | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ip> mask <ip> | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
src-port | L4 source port | |
eq-source <src-port> | TCP source port number | |
src-port-range | Sets a range of L4 source ports to match | |
dest-port | L4 destination port | |
eq-destination <dest-port> | TCP destination port number | |
dest-port-range | Sets a range of L4 destination ports to match | |
action | Action needs to be defined before attaching to rule | |
established | Matches flows which are in established state (“ack” or “rst” flags are set) | |
ack; urg; rst; syn; fin; psh; ns; ece; cwr | Matches flows with specific flag | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv4 acl | |
History | 3.1.1400 | |
3.5.1000 | Updated seq-number parameter | |
3.6.5000 | Updated command syntax | |
3.6.6000 | Added ECN, TTL, DSCP, policer, and extra flag parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes |
|
[seq-number <sequence-number>] {deny | permit} {tcp-udp | udp} {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for IPv4 TCP-UDP/UDP ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ip> mask <ip> | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ip> mask <ip> | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
src-port | L4 source port | |
eq-source <src-port> | TCP-UDP/UDP source port number | |
src-port-range | Sets a range of L4 source ports to match | |
dest-port | L4 destination port | |
eq-destination <dest-port> | TCP-UDP/UDP destination port number | |
dest-port-range | Sets a range of L4 destination ports to match | |
action | Action needs to be defined before attaching to rule | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv4 acl | |
History | 3.1.1400 | |
3.5.1000 | Updated seq-number parameter | |
3.6.5000 | Updated command syntax | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300 | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes |
|
[seq-number <sequence-number>] {deny | permit} icmp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for IPv4 ICMP ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ip> mask <ip> | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ip> mask <ip> | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
eq-code | Matches ICMP code value. Range: 0-255. | |
eq-type | Matches ICMP type value. Range: 0-255. | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
ecn | ECN ACL filter. Value: 0-3. | |
ttl | Time to live ACL filter. Value: 0-225. | |
dscp | DSCP ACL filter. Value: 0-63. | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value: 100-1000000000000 | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority. Valid values: 0-7. | |
tc <tc_value> | Mapping of matched traffic to TC. Valid values: 0-7. | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv4 acl | |
History | 3.1.1400 | |
3.5.1000 | Updated seq-number parameter | |
3.6.2002 | Added ICMP parameters | |
3.6.5000 | Updated command syntax | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155 | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes |
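An IPv4 ACL built from the ip, tcp, tcp-udp/udp and icmp rule forms above, added as an illustration rather than taken from the original reference. It admits new HTTPS connections to a server subnet, return traffic for connections the servers opened themselves, DNS answers from one resolver and echo requests, and ends with an explicit deny that logs and counts everything else. The names server-in and denied, the addresses 10.1.2.0/24 and 10.1.0.53 and the port ethernet 1/2 are constructed; the masks are written as subnet masks (255.255.255.0 for a /24, 255.255.255.255 for a single host), which is inferred from the MAC rule example's use of ff:ff:ff:ff:ff:ff for an exact match and is not stated on this page; the `exit` and `interface ethernet 1/2` commands are likewise assumed from the prompt in the port access-group example.

```console
switch (config)# ipv4 access-list server-in
switch (config ipv4 access-list server-in)# shared-counter denied
switch (config ipv4 access-list server-in)# seq-number 10 permit tcp any 10.1.2.0 mask 255.255.255.0 eq-destination 443 counter
switch (config ipv4 access-list server-in)# seq-number 20 permit tcp any 10.1.2.0 mask 255.255.255.0 established
switch (config ipv4 access-list server-in)# seq-number 30 permit udp 10.1.0.53 mask 255.255.255.255 10.1.2.0 mask 255.255.255.0 eq-source 53
switch (config ipv4 access-list server-in)# seq-number 40 permit icmp any 10.1.2.0 mask 255.255.255.0 eq-code 0 eq-type 8
switch (config ipv4 access-list server-in)# seq-number 50 deny ip any any log shared-counter denied
switch (config ipv4 access-list server-in)# exit
switch (config)# interface ethernet 1/2
switch (config interface ethernet 1/2)# ipv4 port access-group server-in
```

Rule 20 relies on `established`, which the syntax description defines as ack or rst being set: replies to connections the servers initiated get through, but a bare SYN carries neither flag and so cannot open a new inbound session via that rule. Rule 30 uses eq-source rather than eq-destination because it is the resolver's reply that arrives on port 53. The closing deny ip any any is what turns the list into an allow-list, and attaching log plus a shared counter to it is the cheapest way to see what the ACL is dropping; `clear counters` in the list's configuration mode zeroes the per-rule and shared counters when a fresh baseline is needed.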
|
[seq-number <sequence-number>] {permit | deny} ip {<src-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates an IPv6 ACL rule with a specific protocol. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<src-ipv6>/<mask-len> | any | Sets source IP and optionally sets a mask for that IP address. The parameter “any” ignores the source IP. | |
<dest-ipv6>/<mask-len> | any | Sets destination IP and optionally sets a mask for that IP. The parameter “any” ignores the destination IP. | |
action | Action needs to be defined before attaching to rule | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv6 acl | |
History | 3.6.5000 | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv6 access-list my-list) # permit ip 2:2::/32 any | |
Related Commands | ||
Notes |
|
[seq-number <sequence-number>] {permit | deny} tcp {<source-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [src-port <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | dest-port-range <from> <to>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates an IPv6 ACL rule with a specific protocol. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ipv6> /<mask-len> | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ipv6> /<mask-len> | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
src-port | L4 source port | |
src-port-range | Sets a range of L4 source ports to match | |
dest-port | L4 destination port | |
dest-port-range | Sets a range of L4 destination ports to match | |
action | Action needs to be defined before attaching to rule | |
established | Matches flows which are in established state (“ack” or “rst” flags are set) | |
ack; urg; rst; syn; fin; psh; ns; ece; cwr | Matches flows with specific flag | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv6 acl | |
History | 3.6.5000 | |
3.6.6000 | Added ECN, TTL, DSCP, policer, and flag parameters | |
3.7.0000 | Added bits, switch-priority, and tc parameters | |
Example | switch (config ipv6 access-list my-list) # permit tcp any 10:10:12::/48 | |
Related Commands | ||
Notes |
|
[seq-number <sequence-number>] {permit | deny} {tcp-udp | udp} {<source-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [src-port <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | dest-port-range <from> <to>] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates an IPv6 ACL rule with a specific protocol. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ipv6> /<mask-len> | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ipv6> /<mask-len> | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
src-port | L4 source port | |
src-port-range | Sets a range of L4 source ports to match | |
dest-port | L4 destination port | |
dest-port-range | Sets a range of L4 destination ports to match | |
action | Action needs to be defined before attaching to rule | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv6 acl | |
History | 3.6.5000 | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv6 access-list my-list) # permit udp 2:2::/32 10:10:12::/48 | |
Related Commands | ||
Notes |
|
[seq-number <sequence-number>] {permit | deny} icmpv6 {<source-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates an IPv6 ACL rule with a specific protocol. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ipv6> /<mask-len> | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ipv6> /<mask-len> | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
eq-code | Matches ICMP code value | |
eq-type | Matches ICMP type value | |
action | Action needs to be defined before attaching to rule | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv6 acl | |
History | 3.6.5000 | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority, and tc parameters | |
Example | switch (config ipv6 access-list my-list) # permit icmpv6 any any eq-code 10 eq-type 155 | |
Related Commands | ||
Notes |
|
[seq-number <sequence-number>] {deny | permit} {<source-mac> mask <mac-mask> | any} {<dest-mac> mask <mac-mask> | any} [protocol <protocol-num>] [cos <cos>] [vlan <vlan-id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a MAC-UDK ACL rule. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-mac> mask <mac-mask> | any | Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC. | |
<dest-mac> mask <mac-mask> | any | Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC. | |
protocol | Sets the Ethertype field value (from the Ethernet header) that the rule matches | |
cos | Sets the COS (priority bit) field | |
vlan <vlan-id> | Sets the VLAN ID field | |
vlan-mask <vlan-mask> | Sets VLAN group | |
action | Action name (free string) | |
log | Enable the log option | |
counter | Attach a unique counter to rule | |
shared-counter | Attach a predefined shared-counter to rule | |
udk | UDK name must be set by user before the rule configuration | |
val | The value of the UDK (up to 4 bytes) | |
mask | Mask for the UDK value | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config mac-udk acl | |
History | 3.6.5000 | |
3.6.6000 | Added policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config mac-udk access-list mac_udk_acl) # permit any any udk myUdk 10 mask 0xff | |
Related Commands | ||
Notes |
|
[seq-number <sequence-number>] {permit | deny} ip {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [action <action-id>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for IPv4 ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
{any | <source-ip> mask <ip>} | Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255. | |
{any | <destination-ip> mask <ip>} | Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP. | |
action | Action needs to be defined before attaching to rule | |
log | Enable the log option | |
counter | Attach a unique counter to rule | |
shared-counter | Attach a predefined shared-counter to rule | |
udk | UDK name must be set by user before the rule configuration | |
val | The value of the UDK (up to 4 bytes) | |
mask | Mask for the UDK value | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv4 acl | |
History | 3.6.5000 | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes |
|
[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for IPv4 TCP ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ip> [mask <ip>] | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ip> [mask <ip>] | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
src-port | L4 source port | |
eq-source <src-port> | TCP source port number | |
src-port-range | Sets a range of L4 source ports to match | |
dest-port | L4 destination port | |
eq-destination <dest-port> | TCP destination port number | |
dest-port-range | Sets a range of L4 destination ports to match | |
action | Action needs to be defined before attaching to rule | |
established | Matches flows which are in established state (“ack” or “rst” flags are set) | |
ack; urg; rst; syn; fin; psh; ns; ece; cwr | Matches flows with specific flag | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
udk | UDK name must be set by user before the rule configuration | |
val | The value of the UDK (up to 4 bytes) | |
mask | Mask for the UDK value | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv4 acl | |
History | 3.6.5000 | |
3.6.6000 | Added ECN, TTL, DSCP, policer, and flag parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes | |
[seq-number <sequence-number>] {deny | permit} {tcp-udp | udp} {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for IPv4 TCP-UDP/UDP ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ip> mask <ip> | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ip> mask <ip> | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
src-port | L4 source port | |
eq-source <src-port> | TCP-UDP/UDP source port number | |
src-port-range | Sets a range of L4 source ports to match | |
dest-port | L4 destination port | |
eq-destination <dest-port> | TCP-UDP/UDP destination port number | |
dest-port-range | Sets a range of L4 destination ports to match. | |
action | Action needs to be defined before attaching to rule | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
udk | UDK name must be set by user before the rule configuration | |
val | The value of the UDK (up to 4 bytes) | |
mask | Mask for the UDK value | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv4 acl | |
History | 3.6.5000 | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300 | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes | |
[seq-number <sequence-number>] {deny | permit} icmp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] Creates a rule for IPv4 ICMP ACL. | ||
Syntax Description | sequence-number | Optional parameter to set a specific sequence number for the rule |
deny | Drop all matching traffic | |
permit | Allow matching traffic to pass | |
<source-ip> mask <ip> | any | Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP. | |
<dest-ip> mask <ip> | any | Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP. | |
eq-code | Matches ICMP code value | |
eq-type | Matches ICMP type value | |
log | Enables the log option | |
counter | Attaches a unique counter to rule | |
shared-counter | Attaches a predefined shared-counter to rule | |
udk | UDK name must be set by user before the rule configuration | |
val | The value of the UDK (up to 4 bytes) | |
mask | Mask for the UDK value | |
ecn | ECN ACL filter | |
ttl | Time to live ACL filter | |
dscp | DSCP ACL filter | |
policer | Attaches shared policer to a rule | |
bytes | Attaches bytes type policer | |
bits | Attaches bits type policer. Min value: 8000 bits. | |
packets | Attaches packets type policer | |
rate | Policer rate value | |
k | m | g | Specifies kilo, mega, giga | |
burst | Sets burst to policer. | |
switch-priority <switch-priority_value> | Mapping of matched traffic to switch-priority | |
tc <tc_value> | Mapping of matched traffic to TC | |
Default | No rule is added by default to access control list | |
Configuration Mode | config ipv4 acl | |
History | 3.6.5000 | |
3.6.6000 | Added ECN, TTL, DSCP, and policer parameters | |
3.7.0000 | Added bits, switch-priority and tc parameters | |
Example | switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155 | |
Related Commands | {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list | |
Notes | |
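The three rule forms above (tcp, tcp-udp/udp, icmp) share one matching model: rules are evaluated in sequence order, "any" skips the address check, "mask" supplies a dotted netmask, the port keywords match a single port or a range, and "established" is true whenever the ack or rst flag is set. The following Python is an added example, not NVIDIA/Mellanox switch code, that parses the rule lines shown in this reference (plus "ip" from the earlier deny example) and applies exactly those semantics to constructed packets. Two things are assumptions rather than statements from the page: rules entered without seq-number are auto-numbered in steps of 10, and traffic matching no rule is reported as "no-match" instead of being given a default action.

```python
"""First-match evaluation of the IPv4 ACL rule syntax in the reference above.

Added example, not switch firmware.  Assumptions not stated on the page:
rules without seq-number get the next multiple of 10, and traffic that
matches no rule is reported as 'no-match' (no default action is modelled).
"""
import ipaddress
import shlex

TCP_FLAGS = ("ack", "urg", "rst", "syn", "fin", "psh", "ns", "ece", "cwr")


def _addr_spec(tok, i):
    """Parse '<ip> [mask <netmask>]' or 'any' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return None, i + 1                      # 'any': do not check this address
    if i + 2 < len(tok) and tok[i + 1] == "mask":
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 2]}", strict=False), i + 3
    return ipaddress.ip_network(f"{tok[i]}/32"), i + 1


def parse_rule(line):
    """Turn one '[seq-number N] {deny|permit} <proto> ...' line into a dict."""
    tok = shlex.split(line)
    rule = {"seq": None, "sport": None, "dport": None, "flags": {},
            "established": False, "log": False}
    i = 0
    if tok[0] == "seq-number":
        rule["seq"], i = int(tok[1]), 2
    rule["action"], rule["proto"], i = tok[i], tok[i + 1], i + 2
    rule["src"], i = _addr_spec(tok, i)
    rule["dst"], i = _addr_spec(tok, i)
    while i < len(tok):
        k = tok[i]
        if k in ("src-port", "eq-source"):          # single port -> (p, p)
            rule["sport"], i = (int(tok[i + 1]),) * 2, i + 2
        elif k == "src-port-range":
            rule["sport"], i = (int(tok[i + 1]), int(tok[i + 2])), i + 3
        elif k in ("dest-port", "eq-destination"):
            rule["dport"], i = (int(tok[i + 1]),) * 2, i + 2
        elif k == "dest-port-range":
            rule["dport"], i = (int(tok[i + 1]), int(tok[i + 2])), i + 3
        elif k in ("eq-type", "eq-code"):           # ICMP type / code
            rule[k], i = int(tok[i + 1]), i + 2
        elif k in TCP_FLAGS:                        # e.g. 'syn 1', 'ack 0'
            rule["flags"][k], i = int(tok[i + 1]), i + 2
        elif k in ("established", "log"):
            rule[k], i = True, i + 1
        else:
            raise ValueError(f"keyword not modelled in this example: {k}")
    return rule


def matches(rule, pkt):
    """Apply one rule to a constructed packet dict."""
    proto_ok = {"ip": True, "tcp": pkt["proto"] == "tcp", "udp": pkt["proto"] == "udp",
                "tcp-udp": pkt["proto"] in ("tcp", "udp"), "icmp": pkt["proto"] == "icmp"}
    if not proto_ok[rule["proto"]]:
        return False
    for net, addr in ((rule["src"], pkt["src"]), (rule["dst"], pkt["dst"])):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    for key in ("sport", "dport"):
        rng = rule[key]
        if rng is not None and not rng[0] <= pkt.get(key, -1) <= rng[1]:
            return False
    for key in ("eq-type", "eq-code"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    flags = set(pkt.get("flags", ()))
    if rule["established"] and not flags & {"ack", "rst"}:
        return False            # stateless: only the flag bits are inspected
    return all((f in flags) == bool(v) for f, v in rule["flags"].items())


class AccessList:
    """An ACL table: rules kept in sequence order and evaluated first-match."""

    def __init__(self, name):
        self.name, self.rules = name, []

    def add(self, line):
        rule = parse_rule(line)
        if rule["seq"] is None:     # assumption: auto-number in steps of 10
            rule["seq"] = (max((r["seq"] for r in self.rules), default=0) // 10 + 1) * 10
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r["seq"])
        return rule["seq"]

    def evaluate(self, pkt):
        """Return (action, seq) of the first matching rule, or ('no-match', None)."""
        for rule in self.rules:
            if matches(rule, pkt):
                return rule["action"], rule["seq"]
        return "no-match", None


def demo_acl():
    """Constructed table built from the reference's own example rules plus a deny."""
    acl = AccessList("my-list")
    acl.add("seq-number 10 deny tcp 10.0.0.0 mask 255.255.255.0 any dest-port 22 log")
    acl.add("permit tcp any any src-port 200 dest-port-range 200 400 established")
    acl.add("permit tcp-udp any any eq-destination 100 eq-source 300")
    acl.add("permit icmp any any eq-code 10 eq-type 155")
    acl.add("deny ip any any")
    return acl
```

Running `demo_acl().evaluate(...)` on a SYN-only packet to port 300 with source port 200 shows the point of the "established" keyword as the reference defines it: the packet fails rule 20 and falls through to the final deny, while the same packet with only the ack bit set is permitted by rule 20. Because the check looks at flag bits and not at any connection table, a permit that relies on "established" should sit after the more specific deny rules it must not override.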
{ipv4 | ipv4-udk | ipv6 | mac | mac-udk} port access-group <acl-name> Attaches an ACL table with bind-point RIF to a VLAN interface. | ||
Syntax Description | acl-name | ACL table name |
Default | N/A | |
Configuration Mode | config interface vlan | |
History | 3.6.5000 | |
Example | switch (config interface vlan 10)# ipv4 port access-group ipv4_acl2 | |
Related Commands | show access list summary | |
Notes | |
access-list action <action-profile-name> Creates an access-list action profile and enters the action profile configuration mode. | ||
Syntax Description | action-profile-name | Given name for the profile |
Default | N/A | |
Configuration Mode | config | |
History | 3.2.0230 | |
Example | switch (config)# access-list action my-action | |
Related Commands | ||
Notes |
access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>] Configures the access-list logger. | ||
Syntax Description | interval | Logging interval length in minutes |
memory | Maximal number of packets to save in memory | |
syslog | Maximal number of packets to show in syslog | |
Default | N/A | |
Configuration Mode | config | |
History | 3.6.5000 | |
Example | switch (config)# access-list log interval 10 | |
Related Commands | ||
Notes | |
vlan-map <vid> Adds an action that maps matched packets to a new VLAN (on the ingress port or VLAN). | ||
Syntax Description | vid | VLAN ID |
Default | N/A | |
Configuration Mode | config acl action | |
History | 3.2.0230 | |
Example | switch (config access-list action my-action)# vlan-map 10 | |
Related Commands | ||
Notes |
vlan-pop Pops VLAN frames from traffic. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | config acl action | |
History | 3.4.3000 | |
Example | switch (config access-list action my-action)# vlan-pop | |
Related Commands | ||
Notes |
vlan-push <vid> Pushes (or adds) VLAN frames to traffic. | ||
Syntax Description | vid | VLAN ID |
Default | N/A | |
Configuration Mode | config acl action | |
History | 3.4.3000 | |
Example | switch (config access-list action my-action)# vlan-push 10 | |
Related Commands | ||
Notes |
monitor session <session_id> Mirrors matched traffic to a monitor session. | ||
Syntax Description | session_id | The monitor session. |
Default | N/A | |
Configuration Mode | config acl action | |
History | 3.9.3100 | |
Example | switch (config access-list action my-action)# monitor session 1 | |
Related Commands |
show ipv4 access-lists <access-list-name> Displays configuration of IPv4 rules in a specific table. | ||
Syntax Description | access-list-name | ACL name |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.1.1400 | |
3.3.4500 | Updated example | |
3.6.6000 | Updated example | |
Example | ||
| ||
Related Commands | deny/permit | |
Notes |
show ipv4-udk access-lists <access-list-name> Displays configuration of IPv4 UDK rules in a specific table. | ||
Syntax Description | access-list-name | ACL name |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.6.5000 | |
3.6.6000 | Updated example | |
Example | ||
switch (config) # show ipv4-udk access-lists my-list
| ||
Related Commands | deny/permit | |
Notes |
show ipv6 access-lists <access-list-name> Displays configuration of IPv6 rules in a specific table. | ||
Syntax Description | access-list-name | ACL name |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.6.5000 | |
3.6.6000 | Updated example | |
Example | ||
switch (config) # show ipv6 access-lists my-list
| ||
Related Commands | deny/permit | |
Notes |
show mac access-lists <access-list-name> Displays configuration of MAC rules in a specific table. | ||
Syntax Description | access-list-name | ACL name |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.1.1400 | |
3.3.4500 | Updated example | |
3.6.6000 | Updated example | |
Example | ||
switch (config) # show mac access-lists my-list
| ||
Related Commands | deny/permit {ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list {ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group | |
Notes |
show mac access-lists <access-list-name> Displays configuration of MAC rules in a specific table. | ||
Syntax Description | access-list-name | ACL name |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.6.8100 | |
Example | ||
switch (config) # show mac access-lists summary ---------------------------------------------------------------------------------------- | ||
Related Commands | deny/permit | |
Notes |
show mac-udk access-lists <access-list-name> Displays configuration of MAC UDK rules in a specific table. | ||
Syntax Description | access-list-name | ACL name |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.6.5000 | |
3.6.6000 | Updated example | |
Example | ||
switch (config) # show mac-udk access-lists my-list
| ||
Related Commands | deny/permit | |
Notes |
show access-lists action <action-profile-name> Displays the access-list action profiles summary. | ||
Syntax Description | action-profile-name | Filter the table according to the action profile name |
summary | Display summary of the action list | |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.2.0230 | |
3.7.1000 | Updated example | |
3.9.3100 | Updated example to reflect ACL-based monitoring | |
Example |
| |
Related Commands | ||
Notes |
show access-lists log config <action-profile-name> Displays the access-list log configuration information. | ||
Syntax Description | action-profile-name | Filter the table according to the action profile name |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.2.0230 | |
3.6.8008 | Updated example | |
Example |
| |
Related Commands | ||
Notes |
show {ipv4 | ipv4-udk | ipv6 | mac | mac-udk} access-lists <access-list-name> policers [name | seq-number] Displays all configured policers on a specific ACL table. | ||
Syntax Description | access-list-name | ACL name |
name | Policer name filter | |
seq-number | Filter by sequence number | |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.6.5000 | |
Example | ||
switch (config) # show ipv6 access-lists my-list policers ----------------------------------------------------------------- | ||
Related Commands | ||
Notes |
show {ipv4 | ipv4-udk | ipv6 | mac | mac-udk} access-lists <access-list-name> shared-counters Displays all configured shared-counters on a specific ACL table. | ||
Syntax Description | access-list-name | ACL name |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.6.5000 | |
Example | ||
switch (config mac access-list my-list) # show mac access-lists mac_acl shared-counters ------------------------------------------------- | ||
Related Commands | ||
Notes | |
show [ipv4 | mac | ipv6 | ipv4-udk | mac-udk] access-lists summary Displays a summary of the number of rules per ACL and the interfaces each ACL is attached to. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.1.1400 | |
3.6.5000 | Updated example | |
Example | ||
switch (config) # show access-lists summary ----------------------------------------------------------------------------------- | ||
Related Commands | ||
Notes |
show access-lists log [last <num>] Displays captured packets on all access list rules. | ||
Syntax Description | num | Number of packets to show |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.6.5000 | |
Example | ||
switch (config) # show access-lists log
| ||
Related Commands | ||
Notes |
show access-lists log config Displays configuration of access-list logger. | ||
Syntax Description | N/A | |
Default | N/A | |
Configuration Mode | Any command mode | |
History | 3.6.5000 | |
Example | switch (config) # show access-lists log config | |
Related Commands | ||
Notes |