NVIDIA Onyx User Manual v3.10.3100
NVIDIA MLNX-GW User Manual for NVIDIA Skyway Appliance v8.2.2200

ACL Commands

{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list <acl-name>
no {ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list <acl-name>

Creates an ACL table and enters its configuration mode.
The no form of the command deletes the ACL table.

Syntax Description

ipv4 | ipv6 | mac | ipv4-udk | mac-udk

Access-list type: IPv4, IPv6, MAC, IPv4 UDK, or MAC UDK

acl-name

User-defined string for the ACL

Default

No ACL available by default.

Configuration Mode

config

History

3.1.1400

3.6.5000

Added ipv6, ipv4-udk, and mac-udk parameters

Example

switch (config)# mac access-list my-mac-list
switch (config mac access-list my-mac-list)#

Related Commands

ipv4/ipv6/mac/ipv4-udk/mac-udk port access-group

Notes

  • Each table has its own set of predefined keys

  • The mac-udk and ipv4-udk options add an extra UDK to the standard MAC and IPv4 tables

  • When a new access-list is created, its default bind point is L2 port

policer <policer_name> {bits|bytes|packets} rate <rate_value> [k|m|g] [burst <burst_value> [k|m|g]]
no policer <policer_name>

Creates a new shared policer that can be bound to rules on this table.
The no form of the command removes the policer.

Syntax Description

rate_value

Policer rate value (of the bits, bytes, or packets)

Default is bits

burst_value

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

k, m, g

Rate/burst value units: kilo, mega, or giga (optional).

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value: 100-1000000000000

Default

Disabled

Configuration Mode

config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list

History

3.6.5000

Example

switch (config mac access-list my-mac-list) # policer myPolicer packets rate 1000

Related Commands

ipv4/ipv6/mac/ipv4-udk/mac-udk access-list

Notes

  • This ACL policer is shared when this table is bound to two or more ports.

  • The policer configuration will always be displayed in bytes

bind-point rif
no bind-point rif

Changes the ACL table bind point from L2 port to L3 (RIF) port.
The no form of the command resets this parameter to its default.

Syntax Description

N/A

Default

L2 port

Configuration Mode

config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list

History

3.6.5000

Example

switch (config mac access-list my-mac-list)# bind-point rif

Related Commands

ipv4/ipv6/mac/ipv4-udk/mac-udk access-list

Notes

  • The bind point may only be changed when an ACL table is empty (no rules) and unbound

  • This command is used to attach ACLs to interface VLANs only

[<seq-number>] remark <string>
no [<seq-number>] remark <string>

Creates a remark rule in an ACL table.
The no form of the command deletes a remark rule from an ACL table.

Syntax Description

N/A

Default

N/A

Configuration Mode

config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list

History

3.6.5000

Example

switch (config mac access-list my-mac-list)# remark "1st group"

Related Commands

ipv4/ipv6/mac/ipv4-udk/mac-udk access-list

Notes

  • The remark rule has a sequence number like standard rules and it can be displayed when showing all rules of ACL table

  • This rule has no effect on traffic and it is only for management purposes

shared-counter <counter-name>
no shared-counter <counter-name>

Creates a shared counter.
The no form of the command deletes a shared counter.

Syntax Description

counter-name

Shared counter name

Default

N/A

Configuration Mode

config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list

History

3.6.5000

Example

switch (config mac access-list my-mac-list)# shared-counter myCounter

Related Commands

ipv4/ipv6/mac/ipv4-udk/mac-udk access-list

Notes

  • When creating a new shared counter, it is created only in the scope of the ACL table it has been initially created on and cannot be shared across multiple ACL tables

  • A shared counter cannot be deleted when attached to rules

clear shared-counters [<counter-name>]

Resets all shared counters in the ACL table, or a specific shared counter.

Syntax Description

counter-name

Shared counter name

Default

N/A

Configuration Mode

config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list

History

3.6.5000

Example

switch (config mac access-list my-mac-list)# clear shared-counters

Related Commands

ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter

Notes

clear counters [<seq-number>]

Resets all counters (including shared counters) in the ACL table, or the counter of a specific rule.

Syntax Description

seq-number

The sequence number of the rule whose counter to reset

Default

N/A

Configuration Mode

config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list

History

3.6.5000

Example

switch (config mac access-list my-mac-list)# clear counters 10

Related Commands

ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter

Notes

{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} access-list clear counters

Resets all counters (including shared counters) on all ACL tables of the same type.

Syntax Description

N/A

Default

N/A

Configuration Mode

config mac access-list
config ipv4 access-list
config ipv6 access-list
config ipv4-udk access-list
config mac-udk access-list

History

3.6.5000

Example

switch (config)# ipv4 access-list clear counters

Related Commands

ipv4/ipv6/mac/ipv4-udk/mac-udk access-list
shared-counter

Notes

{ipv4 | ipv6 | mac | ipv4-udk | mac-udk} port access-group <acl-name>
no {ipv4 | ipv6 | mac | ipv4-udk | mac-udk} port access-group <acl-name>

Binds an ACL to the interface.
The no form of the command unbinds the ACL from the interface.

Syntax Description

ipv4 | ipv6 | mac | ipv4-udk | mac-udk

Access-list type: IPv4, IPv6, MAC, IPv4 UDK, or MAC UDK

acl-name

ACL name

Default

No ACL is bound by default.

Configuration Mode

config interface ethernet
config interface port-channel
config interface mlag-port-channel
config interface vlan

History

3.1.1400

3.3.4500

Added MPO configuration mode

3.6.5000

Added new parameters

Example

switch (config interface ethernet 1/1) # mac port access-group my-list

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list

Notes

The access control list must be defined before it can be bound.

[seq-number <sequence-number>] {permit | deny} ip {<source-mac> mask <mac_mask> | any} {<dest-mac> mask <mac_mask> | any} [protocol <protocol_num>] [cos <cos>] [vlan <vlan_id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter | shared-counter <name>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>

Creates a rule for MAC ACL.
The no form of the command deletes a rule from the MAC ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-mac> mask <mac_mask> | any

Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.

<dest-mac> mask <mac_mask> | any

Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.

protocol

Sets the Ethertype field value to match
Range: 0x0000-0xffff

cos

Sets the COS (priority bit) field
Range: 0-7

vlan <vlan_id>

Sets the VLAN ID field
Range: 1-4094

vlan-mask <vlan-mask>

Sets VLAN group
Range: 0x0000-0x0FFF

action

Action name (free string)

log

Enable the log option

counter

Attach a unique counter to rule

shared-counter

Attach a predefined shared-counter to rule

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config mac acl

History

3.1.1400

3.3.4500

Added vlan-mask parameter

3.5.1000

Updated seq-number parameter

3.6.5000

Added log, counter, and shared-counter parameters

3.6.6000

Added policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config mac access-list my-list) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • VLAN and VLAN group cannot be used in the same command

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {permit | deny} ip {<source-ip> mask <ip> | [any]} {<dest-ip> mask <ip> | [any]} [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>

Creates a rule for IPv4 ACL.
The no form of the command deletes a rule from the IPv4 ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

{any | <source-ip> mask <ip>}

Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255.

{any | <destination-ip> mask <ip>}

Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP.

action

Action needs to be defined before attaching to rule

log

Enable the log option

counter

Attach a unique counter to rule

shared-counter

Attach a predefined shared-counter to rule

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-3

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv4 acl

History

3.1.1400

3.3.4302

Updated syntax description of mask <ip> parameter

3.5.1000

Updated seq-number parameter

3.6.5000

Added log, counter, and shared-counter parameters

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority, and tc parameters

Example

switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • User cannot attach a shared counter defined on a different ACL table

  • The parameter shared-counter must be defined before attaching it to the scope of the ACL table

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>

Creates a rule for IPv4 TCP ACL.
The no form of the command deletes a rule from the ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ip> mask <ip> | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ip> mask <ip> | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

src-port

L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source

eq-source <src-port>

TCP source port number
Range: 0-65535

src-port-range

Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range

dest-port

L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination

eq-destination <dest-port>

TCP destination port number
Range: 0-65535

dest-port-range

Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range

action

Action needs to be defined before attaching to rule

established

Matches flows which are in established state (“ack” or “rst” flags are set)

ack; urg; rst; syn; fin; psh; ns; ece; cwr

Matches flows with specific flag
Possible match: 0 or 1

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv4 acl

History

3.1.1400

3.5.1000

Updated seq-number parameter

3.6.5000

Updated command syntax

3.6.6000

Added ECN, TTL, DSCP, policer, and extra flag parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established
switch (config ipv4 access-list my-list)# permit tcp any any ns 0 policer packets rate 1 k burst 2050

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • L4 ports are valid

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {deny | permit} {tcp-udp | udp} {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>

Creates a rule for IPv4 TCP-UDP/UDP ACL.
The no form of the command deletes a rule from the ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ip> mask <ip> | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ip> mask <ip> | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

src-port

L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source

eq-source <src-port>

TCP-UDP/UDP source port number
Range: 0-65535

src-port-range

Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range

dest-port

L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination

eq-destination <dest-port>

TCP-UDP/UDP destination port number
Range: 0-65535

dest-port-range

Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range

action

Action needs to be defined before attaching to rule

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv4 acl

History

3.1.1400

3.5.1000

Updated seq-number parameter

3.6.5000

Updated command syntax

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300
switch (config ipv4 access-list my-list)# permit udp any any eq-destination 100 eq-source 300

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {deny | permit} icmp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>

Creates a rule for IPv4 ICMP ACL.
The no form of the command deletes a rule from the ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ip> mask <ip> | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ip> mask <ip> | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

eq-code

Matches ICMP code value. Range: 0-255.

eq-type

Matches ICMP type value. Range: 0-255.

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv4 acl

History

3.1.1400

3.5.1000

Updated seq-number parameter

3.6.2002

Added ICMP parameters

3.6.5000

Updated command syntax

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • ICMP code must be specified in conjunction with an ICMP type. If ICMP type is specified but no ICMP code is specified, the rule matches all ICMP packets of the given type

  • If no ICMP type or code are specified, the rule matches all ICMP packets from the specified source/destination address

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.
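The following is a constructed Python model (added here; not NVIDIA code) of the IPv4 rule semantics documented in the ip, tcp, tcp-udp/udp and icmp rule entries above: rules are evaluated first-match in sequence-number order, an omitted sequence number is auto-assigned, "established" matches when the ack or rst flag is set, and an ICMP code is accepted only together with an ICMP type. Two assumptions are labelled in the code: an omitted sequence number becomes the highest existing one plus 10, and a packet matching no rule returns None because the reference does not state the table's behaviour in that case.

```python
"""Constructed model (not NVIDIA code) of the IPv4 ACL rule semantics in this
reference: first-match evaluation in sequence-number order, default sequence
numbers in increments of 10, "established" meaning ACK or RST set, and an
ICMP code being valid only together with an ICMP type."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()  # TCP flag names that are set, e.g. {"ack"}
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "tcp-udp" or "icmp"
    src: Optional[tuple] = None     # (ip, mask); None means "any"
    dst: Optional[tuple] = None
    src_ports: Optional[tuple] = None   # (from, to); a single port is (p, p)
    dst_ports: Optional[tuple] = None
    established: bool = False       # "ack" or "rst" flag set
    flags: dict = field(default_factory=dict)  # explicit flag match, {"syn": 1}
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    hits: int = 0                   # the per-rule "counter"


def ip_matches(spec, addr):
    """<ip> mask <mask> semantics: only the bits set in the mask are compared."""
    if spec is None:                # "any": the field is not checked
        return True
    ip, mask = (int(ipaddress.IPv4Address(x)) for x in spec)
    return int(ipaddress.IPv4Address(addr)) & mask == ip & mask


def in_range(ports, port):
    return ports is None or ports[0] <= port <= ports[1]


class AclTable:
    def __init__(self, name):
        self.name = name
        self.rules = {}             # sequence number -> Rule

    def add_rule(self, seq=None, **kw):
        # Assumption: an omitted sequence number becomes the highest one in
        # the table plus 10 (the reference only says "increments of 10").
        if seq is None:
            seq = (max(self.rules) if self.rules else 0) + 10
        if not 1 <= seq <= 65535:
            raise ValueError("sequence number out of range 1-65535")
        if kw.get("icmp_code") is not None and kw.get("icmp_type") is None:
            raise ValueError("ICMP code must be specified with an ICMP type")
        self.rules[seq] = Rule(seq=seq, **kw)
        return seq

    @staticmethod
    def _matches(rule, pkt):
        if rule.proto == "tcp-udp":
            if pkt.proto not in ("tcp", "udp"):
                return False
        elif rule.proto != "ip" and rule.proto != pkt.proto:
            return False
        if not (ip_matches(rule.src, pkt.src) and ip_matches(rule.dst, pkt.dst)):
            return False
        if not (in_range(rule.src_ports, pkt.src_port)
                and in_range(rule.dst_ports, pkt.dst_port)):
            return False
        if rule.established and not (pkt.flags & {"ack", "rst"}):
            return False
        for name, want in rule.flags.items():
            if (name in pkt.flags) != bool(want):
                return False
        if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
            return False
        # a type without a code matches every code of that type
        if rule.icmp_code is not None and pkt.icmp_code != rule.icmp_code:
            return False
        return True

    def evaluate(self, pkt):
        """Action of the first matching rule by sequence number, or None when
        nothing matches (assumption: the reference does not state the table's
        behaviour then, so the caller decides)."""
        for seq in sorted(self.rules):
            if self._matches(self.rules[seq], pkt):
                self.rules[seq].hits += 1
                return self.rules[seq].action
        return None
```

The rules mirror the page's own examples (the established TCP rule with src-port 200 and dest-port-range 200 400, and the ICMP rule with eq-type 155 eq-code 10), so a SYN-only packet falls past the established rule to a later deny while an ACK packet is permitted.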

[seq-number <sequence-number>] {permit | deny} ip {<src-ipv6>/<mask-len> | any} {<dest-ipv6>/<mask-len> | any} [action <action-id>] [log] [counter | shared-counter <name>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>

Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<src-ipv6>/<mask-len> | any

Sets source IP and optionally sets a mask for that IP address. The parameter “any” ignores the source IP.

<dest-ipv6>/<mask-len> | any

Sets destination IP and optionally sets a mask for that IP. The parameter “any” ignores the destination IP.

action

Action needs to be defined before attaching to rule

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv6 acl

History

3.6.5000

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv6 access-list my-list) # permit ip 2:2::/32 any
switch (config ipv6 access-list my-list) # permit ip any any policer name

Related Commands

Notes

  • IPv6 address format is as follows: <A:B:C:D:E:F:G:H>/mask_len

  • The fields eq-code (ICMP code) and eq-type (ICMP type) are valid only for ICMP rules

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {permit | deny} tcp {<source-ipv6> /<mask-len> | any} {<dest-ipv6> /<mask-len> | any} [src-port <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | dest-port-range <from> <to>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>

Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ipv6> /<mask-len> | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ipv6> /<mask-len> | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

src-port

L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source

src-port-range

Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range

dest-port

L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination

dest-port-range

Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range

action

Action needs to be defined before attaching to rule

established

Matches flows which are in established state (“ack” or “rst” flags are set)

ack; urg; rst; syn; fin; psh; ns; ece; cwr

Matches flows with specific flag
Possible match: 0 or 1

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63.

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv6 acl

History

3.6.5000

3.6.6000

Added ECN, TTL, DSCP, policer, and flag parameters

3.7.0000

Added bits, switch-priority, and tc parameters

Example

switch (config ipv6 access-list my-list) # permit tcp any 10:10:12::/48

Related Commands

Notes

  • IPv6 address format is as follows: <A:B:C:D:E:F:G:H>/mask_len

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {permit | deny} {tcp-udp | udp} {<source-ipv6> /<mask-len> | any} {<dest-ipv6> /<mask-len> | any} [src-port <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | dest-port-range <from> <to>] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}
no <sequence-number>

Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ipv6> /<mask-len> | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ipv6> /<mask-len> | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

src-port

L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source

src-port-range

Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range

dest-port

L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination

dest-port-range

Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range

action

Action needs to be defined before attaching to rule

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63.

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv6 acl

History

3.6.5000

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv6 access-list my-list) # permit udp 2:2::/32 10:10:12::/48

Related Commands

Notes

  • IPv6 address format is as follows: <A:B:C:D:E:F:G:H>/mask_len

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.
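
The following token-bucket model is an added example, not Onyx code or output from the switch. It applies the policer parameters documented for the rules on this page (burst defaults of 100 for packets and 10000 for bytes, no default burst for bits, the 8000-bit and 2000-byte minimums, the 100-1000000000000 rate range, the k/m/g unit suffixes and the display in bytes) and then shows what "shared when this table is bound to two or more ports" means in practice: both ports draw on one allowance, so a limit sized for one port is consumed by whichever port bursts first. The refill rule is the standard token-bucket model, assumed here; the page does not describe the hardware's exact policing algorithm.

```python
"""Token-bucket model of the ACL policer parameters (added example, not Onyx code).

Documented defaults and limits are enforced in __init__; the refill rule in
offer() is the textbook token bucket, an assumption about the hardware.
"""
from typing import Dict, Optional, Tuple

UNITS = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
DEFAULT_BURST = {"packets": 100, "bytes": 10_000}      # "bits" has no default


class Policer:
    def __init__(self, kind: str, rate: int, rate_unit: str = "",
                 burst: Optional[int] = None, burst_unit: str = "") -> None:
        if kind not in ("bits", "bytes", "packets"):
            raise ValueError("policer type must be bits, bytes or packets")
        self.kind = kind
        self.rate = rate * UNITS[rate_unit]
        if not 100 <= self.rate <= 1_000_000_000_000:
            raise ValueError("rate range is 100-1000000000000")
        if kind == "bits" and self.rate < 8000:
            raise ValueError("bits policer rate: min value 8000 bits")
        if burst is None:
            if kind == "bits":
                raise ValueError("bits policer has no default burst; configure one")
            self.burst = DEFAULT_BURST[kind]
        else:
            self.burst = burst * UNITS[burst_unit]
        # "Min value: 2000 bytes" applies to bytes and (converted) bits bursts.
        if kind != "packets" and self.burst // (8 if kind == "bits" else 1) < 2000:
            raise ValueError("burst: min value 2000 bytes")
        self.tokens = float(self.burst)     # bucket starts full
        self.last = 0.0                     # time of the last offer, seconds

    def displayed(self) -> Dict[str, int]:
        """Rate and burst as the page says they are shown: in bytes.  A packets
        policer has no byte equivalent and is left in packets (assumption)."""
        div = 8 if self.kind == "bits" else 1
        return {"rate": self.rate // div, "burst": self.burst // div}

    def offer(self, now: float, amount: int) -> bool:
        """True if `amount` (bits, bytes or packets) conforms at time `now`."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if amount <= self.tokens:
            self.tokens -= amount
            return True
        return False


def shared_policer_demo(port_a: int, port_b: int, rate_pps: int = 100) -> Tuple[int, int, int, int]:
    """One packets policer (default burst 100) shared by two bound ports.  Each
    port sends `port_a`/`port_b` packets at t=0 and again at t=0.5 s.  Returns
    the conforming counts (A, B) for the first burst and (A, B) for the second."""
    pol = Policer("packets", rate_pps)
    first_a = sum(pol.offer(0.0, 1) for _ in range(port_a))
    first_b = sum(pol.offer(0.0, 1) for _ in range(port_b))
    second_a = sum(pol.offer(0.5, 1) for _ in range(port_a))
    second_b = sum(pol.offer(0.5, 1) for _ in range(port_b))
    return first_a, first_b, second_a, second_b
```

With two ports each sending 80 packets at once, the first port gets its 80 through and the second only the 20 left in the shared bucket; half a second later only 50 tokens have refilled and the first port takes them all. A per-port limit therefore needs a per-port table or policer.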

[seq-number <sequence-number>] {permit | deny} icmpv6 {<source-ipv6> /<mask-len> | any} {<dest-ipv6> /<mask-len> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [action <action-id>] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>

Creates an IPv6 ACL rule with a specific protocol.
The no form of the command deletes a rule from the IPv6 ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ipv6> /<mask-len> | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ipv6> /<mask-len> | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

eq-code

Matches ICMP code value
Range: 0-255

eq-type

Matches ICMP type value
Range: 0-255

action

Action needs to be defined before attaching to rule

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv6 acl

History

3.6.5000

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority, and tc parameters

Example

switch (config ipv6 access-list my-list) # permit icmpv6 any any eq-code 10 eq-type 155

Related Commands

Notes

  • IPv6 address format is as follows: <A:B:C:D:E:F:G:H>/mask_len

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {deny | permit} {<source-mac> mask <mac-mask> | any} {<dest-mac> mask <mac-mask> | any} [protocol <protocol-num>] [cos <cos>] [vlan <vlan-id>] [vlan-mask <vlan_mask>] [action <action-name>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>

Creates a MAC-UDK ACL rule.
The no form of the command deletes a rule from MAC UDK ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-mac> mask <mac-mask> | any

Sets source MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the source MAC.

<dest-mac> mask <mac-mask> | any

Sets destination MAC and optionally sets a mask for that MAC. The “any” option will cause the rule not to check the destination MAC.

protocol

Sets the Ethertype field value of the MAC header
Range: 0x0000-0xffff

cos

Sets the COS (priority bit) field
Range: 0-7

vlan <vlan-id>

Sets the VLAN ID field
Range: 1-4094

vlan-mask <vlan-mask>

Sets VLAN group
Range: 0x0000-0x0FFF

action

Action name (free string)

log

Enable the log option

counter

Attach a unique counter to rule

shared-counter

Attach a predefined shared-counter to rule

udk

UDK name must be set by user before the rule configuration

val

The value of the UDK (up to 4 bytes)

mask

Mask for the UDK value

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config mac-udk acl

History

3.6.5000

3.6.6000

Added policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config mac-udk access-list mac_udk_acl) # permit any any udk myUdk 10 mask 0xff

Related Commands

Notes

  • User cannot attach a shared counter defined on a different ACL table

  • The parameter shared-counter must be defined before attaching it to the scope of the ACL table

  • UDK fields must come at the end of the rule configuration

  • The default mask is 0xff-0xffffffff (depends on value length)

  • UDK cannot be deleted while it is attached to a rule

  • 1-4 UDKs per rule may be configured

  • Values and masks of the UDK can be decimal or hexadecimal

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.
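
The builder below is an added example, not Onyx code; it assembles the UDK part of a rule under the notes above so that a rule can be checked before it is typed in. It enforces 1-4 UDKs per rule, values of up to 4 bytes, decimal or hexadecimal input, the default mask of 0xff to 0xffffffff chosen by value length, and placement of the UDK fields at the end of the rule. The UDK names it is given are assumed to have been created on the table already, and the value-outside-mask check is a sanity check of this example, not a rule stated on the page.

```python
"""UDK clause builder for MAC-UDK / IPv4-UDK rules (added example, not Onyx code)."""
from typing import List, Optional, Tuple

UdkSpec = Tuple[str, str, Optional[str]]   # (udk name, value text, mask text or None)


def parse_udk_number(text: str) -> int:
    """Decimal or hexadecimal ("0x...") input, as the notes allow for values and masks."""
    value = int(text, 0)          # base 0: "10" is decimal, "0x10" is hexadecimal
    if value < 0:
        raise ValueError("UDK values and masks are unsigned")
    return value


def default_mask(value: int) -> int:
    """Whole-byte mask sized to the value: 1 byte -> 0xff ... 4 bytes -> 0xffffffff."""
    nbytes = max(1, (value.bit_length() + 7) // 8)
    if nbytes > 4:
        raise ValueError("UDK value exceeds 4 bytes")
    return (1 << (8 * nbytes)) - 1


def udk_clause(udks: List[UdkSpec]) -> str:
    """Render 'udk <name> <val> mask <mask> <name> <val> mask <mask> ...'.
    Only the first entry carries the 'udk' keyword, as in the syntax line."""
    if not 1 <= len(udks) <= 4:
        raise ValueError("1-4 UDKs per rule may be configured")
    parts = []
    for i, (name, value_text, mask_text) in enumerate(udks):
        value = parse_udk_number(value_text)
        mask = default_mask(value) if mask_text is None else parse_udk_number(mask_text)
        if mask > 0xffffffff:
            raise ValueError("UDK mask exceeds 4 bytes")
        if value & ~mask:
            # Bits set in the value but cleared in the mask can never match,
            # so the rule would silently not do what was intended (example check).
            raise ValueError("UDK %s: value %#x has bits outside mask %#x" % (name, value, mask))
        keyword = "udk " if i == 0 else ""
        parts.append("%s%s %d mask %#x" % (keyword, name, value, mask))
    return " ".join(parts)


def build_rule(action: str, src: str, dst: str, udks: List[UdkSpec], options: str = "") -> str:
    """Full rule text with the UDK fields last, as the notes require."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    head = "%s %s %s" % (action, src, dst)
    if options:
        head += " " + options           # e.g. "protocol 0x0800 cos 3", placed before UDKs
    return head + " " + udk_clause(udks)
```

The mask is always emitted explicitly, even when it is the default, so that the line entered and the line later shown by the switch can be compared without remembering the length rule.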

[seq-number <sequence-number>] {permit | deny} ip {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [action <action-id>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>

Creates a rule for IPv4 ACL.
The no form of the command deletes a rule from the IPv4 ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

{any | <source-ip> mask <ip>}

Sets source IP and optionally sets a mask for that IP address. The “any” option causes the rule to not check the source IP. Range: 0-255.

{any | <destination-ip> mask <ip>}

Sets destination IP and optionally sets a mask for that IP. The “any” option causes the rule to not check the destination IP.

action

Action needs to be defined before attaching to rule

log

Enable the log option

counter

Attach a unique counter to rule

shared-counter

Attach a predefined shared-counter to rule

udk

UDK name must be set by user before the rule configuration

val

The value of the UDK (up to 4 bytes)

mask

Mask for the UDK value

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv4 acl

History

3.6.5000

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv4 access-list my-list) # deny ip any any action act shared-counter

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • User cannot attach a shared counter defined on a different ACL table

  • The parameter shared-counter must be defined before attaching it to the scope of the ACL table

  • UDK fields must come at the end of the rule configuration

  • The default mask is 0xff-0xffffffff (depends on value length)

  • UDK cannot be deleted while it is attached to a rule

  • 1-4 UDKs per rule may be configured

  • Values and masks of the UDK can be decimal or hexadecimal

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>

Creates a rule for IPv4 TCP ACL.
The no form of the command deletes a rule from the ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ip> [mask <ip>] | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ip> [mask <ip>] | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

src-port

L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source

eq-source <src-port>

TCP source port number
Range: 0-65535

src-port-range

Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range

dest-port

L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination

eq-destination <dest-port>

TCP destination port number
Range: 0-65535

dest-port-range

Sets a range of L4 destination ports to match
Note: User may configure either a single destination port or a range

action

Action needs to be defined before attaching to rule

established

Matches flows which are in established state (“ack” or “rst” flags are set)

ack; urg; rst; syn; fin; psh; ns; ece; cwr

Matches flows with specific flag
Possible match: 0 or 1

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

udk

UDK name must be set by user before the rule configuration

val

The value of the UDK (up to 4 bytes)

mask

Mask for the UDK value

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv4 acl

History

3.6.5000

3.6.6000

Added ECN, TTL, DSCP, policer, and flag parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • UDK fields must come at the end of the rule configuration

  • The default mask is 0xff-0xffffffff (depends on value length)

  • UDK cannot be deleted while it is attached to a rule

  • 1-4 UDKs per rule may be configured

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {deny | permit} {tcp-udp | udp} {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>

Creates a rule for IPv4 TCP-UDP/UDP ACL.
The no form of the command deletes a rule from the ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ip> mask <ip> | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ip> mask <ip> | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

src-port

L4 source port
Note: User may only choose one of the following options to configure source port: src-port; eq-source

eq-source <src-port>

TCP-UDP/UDP source port number
Range: 0-65535

src-port-range

Sets a range of L4 source ports to match
Note: User may configure either a single source port or a range

dest-port

L4 destination port
Note: User may only choose one of the following options to configure destination port: dest-port; eq-destination

eq-destination <dest-port>

TCP-UDP/UDP destination port number
Range: 0-65535

dest-port-range

Sets a range of L4 destination ports to match.
Note: User may configure either a single destination port or a range.

action

Action needs to be defined before attaching to rule

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

udk

UDK name must be set by user before the rule configuration

val

The value of the UDK (up to 4 bytes)

mask

Mask for the UDK value

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv4 acl

History

3.6.5000

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv4 access-list my-list)# permit tcp-udp any any eq-destination 100 eq-source 300
switch (config ipv4 access-list my-list)# permit udp any any eq-destination 100 eq-source 300

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • UDK fields must come at the end of the rule configuration

  • The default mask is 0xff-0xffffffff (depends on value length)

  • UDK cannot be deleted while it is attached to a rule

  • 1-4 UDKs per rule may be configured

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.

[seq-number <sequence-number>] {deny | permit} icmp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [eq-code <icmp-code>] [eq-type <icmp-type>] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>]] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}]
no <sequence-number>

Creates a rule for IPv4 ICMP ACL.
The no form of the command deletes a rule from the ACL.

Syntax Description

sequence-number

Optional parameter to set a specific sequence number for the rule
Range: 1-65535

deny

Drop all matching traffic

permit

Allow matching traffic to pass

<source-ip> mask <ip> | any

Sets source IP and optionally sets a mask for that IP address. The “any” option will cause the rule not to check the source IP.

<dest-ip> mask <ip> | any

Sets destination IP and optionally sets a mask for that IP. The “any” option will cause the rule not to check the destination IP.

eq-code

Matches ICMP code value
Range: 0-255

eq-type

Matches ICMP type value
Range: 0-255

log

Enables the log option

counter

Attaches a unique counter to rule

shared-counter

Attaches a predefined shared-counter to rule

udk

UDK name must be set by user before the rule configuration

val

The value of the UDK (up to 4 bytes)

mask

Mask for the UDK value

ecn

ECN ACL filter
Range: 0-3

ttl

Time to live ACL filter
Range: 0-225

dscp

DSCP ACL filter
Range: 0-63

policer

Attaches shared policer to a rule

bytes

Attaches bytes type policer

bits

Attaches bits type policer. Min value: 8000 bits.

packets

Attaches packets type policer

rate

Policer rate value
Range: 100-1000000000000

k | m | g

Specifies kilo, mega, giga

burst

Sets burst to policer.
If no burst is configured, the default value for type “packets” is 100 and for “bytes” is 10000.
For bits there is no default burst. Min value: 2000 bytes.

switch-priority <switch-priority_value>

Mapping of matched traffic to switch-priority
Range: 0-7

tc <tc_value>

Mapping of matched traffic to TC
Range: 0-7

Default

No rule is added by default to access control list
Default sequence number is by increments of 10

Configuration Mode

config ipv4 acl

History

3.6.5000

3.6.6000

Added ECN, TTL, DSCP, and policer parameters

3.7.0000

Added bits, switch-priority and tc parameters

Example

switch (config ipv4 access-list my-list)# permit icmp any any eq-code 10 eq-type 155

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

  • ICMP code must be specified in conjunction with an ICMP type. If ICMP type is specified but no ICMP code is specified, the rule matches all ICMP packets of the given type.

  • If no ICMP type or code are specified, the rule matches all ICMP packets from the specified source/destination address.

  • UDK fields must come at the end of the rule configuration

  • The default mask is 0xff-0xffffffff (depends on value length)

  • UDK cannot be deleted while it is attached to a rule

  • 1-4 UDKs per rule may be configured

  • It is possible to attach the rule to a unique policer, or to create a policer only for the rule

  • The policer configuration will always be displayed in bytes

  • This ACL policer is shared when this table is bound to two or more ports.
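
The evaluator below is an added example, not Onyx code; it lets a rule set for the IPv4 tcp, tcp-udp/udp and icmp rules above be checked offline against sample packets before it is bound to a port. It models first-match evaluation in ascending seq-number order, the "increments of 10" default (assumed here to mean the next multiple of 10 above the highest existing number), the `established` match ("ack" or "rst" set), the 0/1 flag matches, and the ICMP notes (eq-code only together with eq-type; eq-type alone matches every code). The page does not state what happens to traffic that matches no rule, so the evaluator reports that case as no match rather than assuming a verdict. The packets and rules are constructed for illustration.

```python
"""First-match evaluator for IPv4 tcp/udp/icmp ACL rules (added example, not Onyx code).

Sequence assignment and the no-match result are assumptions noted in the lead-in.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str                                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: Dict[str, int] = field(default_factory=dict)   # {"ack": 1, "syn": 0, ...}
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip", "tcp", "udp" or "icmp"
    src: str = "any"                             # "any" or "a.b.c.d/len"
    dst: str = "any"
    sport: Optional[Tuple[int, int]] = None      # (lo, hi); eq-source p is (p, p)
    dport: Optional[Tuple[int, int]] = None
    flags: Dict[str, int] = field(default_factory=dict)   # flag name -> 0 or 1
    established: bool = False
    icmp_type: Optional[int] = None              # eq-type
    icmp_code: Optional[int] = None              # eq-code
    seq: Optional[int] = None

    def __post_init__(self) -> None:
        if self.icmp_code is not None and self.icmp_type is None:
            raise ValueError("eq-code must be specified together with eq-type")

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and IPv4Address(have) not in IPv4Network(want, strict=False):
                return False
        for rng, port in ((self.sport, p.sport), (self.dport, p.dport)):
            if rng is not None and not rng[0] <= port <= rng[1]:
                return False
        if self.proto == "tcp":
            # established: "ack" or "rst" set; other flags must equal the given 0/1
            if self.established and not (p.flags.get("ack") or p.flags.get("rst")):
                return False
            if any(p.flags.get(n, 0) != v for n, v in self.flags.items()):
                return False
        if self.proto == "icmp":
            if self.icmp_type is not None and p.icmp_type != self.icmp_type:
                return False
            if self.icmp_code is not None and p.icmp_code != self.icmp_code:
                return False
        return True


class Acl:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> int:
        if rule.seq is None:                     # default: next multiple of 10 (assumption)
            highest = max((r.seq for r in self.rules), default=0)
            rule.seq = (highest // 10 + 1) * 10
        if not 1 <= rule.seq <= 65535:
            raise ValueError("seq-number range is 1-65535")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return rule.seq

    def evaluate(self, p: Packet) -> Tuple[Optional[int], Optional[str]]:
        """(seq, action) of the first rule that matches, or (None, None)."""
        for r in self.rules:
            if r.matches(p):
                return r.seq, r.action
        return None, None


def demo_acl() -> Acl:
    """Constructed rule set: drop new SSH connections into 10/8, allow replies."""
    acl = Acl()
    acl.add(Rule("deny", "tcp", dst="10.0.0.0/8", dport=(22, 22), flags={"syn": 1, "ack": 0}))
    acl.add(Rule("permit", "tcp", established=True, seq=15))
    acl.add(Rule("permit", "icmp", icmp_type=8))                # any echo-request code
    acl.add(Rule("permit", "icmp", icmp_type=3, icmp_code=4))   # one type/code pair
    return acl
```

Running sample packets through demo_acl() shows the ordering effect: a SYN to port 22 inside 10/8 hits rule 10 and is denied even though rule 15 would permit any established flow, while the ACK of an existing session skips rule 10 (its syn flag is 0) and is permitted by rule 15; an ICMP type 3 packet with a code other than 4 matches nothing.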

{ipv4 | ipv4-udk | ipv6 | mac | mac-udk} port access-group <acl-name>
no {mac | ipv4 | ipv6 | mac-udk | ipv4-udk} port access-group

Attaches an ACL table with bind-point RIF to a VLAN interface.
The no form of the command unmaps the ACL table with bind-point RIF from the VLAN interface.

Syntax Description

acl-name

ACL table name

Default

N/A

Configuration Mode

config interface vlan

History

3.6.5000

Example

switch (config interface vlan 10)# ipv4 port access-group ipv4_acl2

Related Commands

show access list summary

Notes

  • Only ACL tables with bind-point set to RIF can be attached to a VLAN interface

  • Interface VLAN must be configured before binding operation

access-list action <action-profile-name>
no access-list action <action-profile-name>

Creates an access-list action profile and enters the action profile configuration mode.
The no form of the command deletes the action profile.

Syntax Description

action-profile-name

Given name for the profile

Default

N/A

Configuration Mode

config

History

3.2.0230

Example

switch (config)# access-list action my-action
switch (config access-list action my-action)#

Related Commands

Notes

access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>]
no access-list log [interval <int_num>] [memory <packet_num>] [syslog <packet_num>]

Configures access list logger.
The no form of the command resets parameters for access list logger.

Syntax Description

interval

Logging interval length in minutes
Range: 1min-24hrs

memory

Maximal number of packets to save in memory
Range: 1-3600

syslog

Maximal number of packets to show in syslog
Range: 1-3600

Default

N/A

Configuration Mode

config

History

3.6.5000

Example

switch (config)# access-list log interval 10
switch (config)# access-list log memory 300
switch (config)# access-list log syslog 200

Related Commands

Notes

  • The packet number in syslog configuration must not be greater than the maximal packets number in memory

  • When the interval is configured, the interval restarts, resulting in a log dump to syslog and a memory clear

vlan-map <vid>
no vlan-map

Adds action to map a new VLAN to the packet (in the ingress port or VLAN).
The no form of the command removes the action to map a new VLAN.

Syntax Description

vid

VLAN ID
Range: 1-4094

Default

N/A

Configuration Mode

config acl action

History

3.2.0230

Example

switch (config access-list action my-action)# vlan-map 10

Related Commands

Notes

vlan-pop

Pops VLAN frames from traffic.

Syntax Description

N/A

Default

N/A

Configuration Mode

config acl action

History

3.4.3000

Example

switch (config access-list action my-action)# vlan-pop

Related Commands

Notes

vlan-push <vid>

Pushes (or adds) VLAN frames to traffic.

Syntax Description

vid

VLAN ID
Range: 1-4094

Default

N/A

Configuration Mode

config acl action

History

3.4.3000

Example

switch (config access-list action my-action)# vlan-push 10

Related Commands

Notes

monitor session <session_id>

Mirrors traffic to monitor session.

Syntax Description

session_id

The monitor session.
Range: 1-3

Default

N/A

Configuration Mode

config acl action

History

3.9.3100

Example

switch (config access-list action my-action)# monitor session 1

Related Commands

show ipv4 access-lists <access-list-name>

Displays configuration of IPv4 rules in a specific table.

Syntax Description

access-list-name

ACL name

Default

N/A

Configuration Mode

Any command mode

History

3.1.1400

3.3.4500

Updated example

3.6.6000

Updated example

Example

switch (config) # show ipv4 access-lists my-list

Table Type: ipv4
Table Name: my-list
Bind-point: port

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
seq-number p/d protocol s-ipv4 d-ipv4 sport/type end-sport dport/code end-dport tcp-control action counter Packets ttl ecn dscp policer log
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10 permit ip any any any none any none N/A none N/A N/A none none none none NO
20 permit ip any any any none any none N/A none N/A N/A none none none YES NO

Related Commands

deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

show ipv4-udk access-lists <access-list-name>

Displays configuration of IPv4 UDK rules in a specific table.

Syntax Description

access-list-name

ACL name

Default

N/A

Configuration Mode

Any command mode

History

3.6.5000

3.6.6000

Updated example

Example

switch (config) # show ipv4-udk access-lists my-list

Table Type: ipv4-udk
Table Name: my-list
Bind-point: port

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
seq-number p/d protocol s-ipv4 d-ipv4 sport/type end-sport dport/code end-dport tcp-control action counter Packets udk ttl ecn dscp policer log
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
7 permit tcp any any any none any none any none N/A N/A none none none none NO
8 deny tcp 1.1.1.1/32 any any none any none -U +F none N/A N/A aaa value 5 none none none none NO
10 permit tcp 1.1.1.1/32 2.2.2.2/32 any none any none +P-R none N/A N/A bbb value 6 mask 0x8 none none none none NO

Related Commands

deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

show ipv6 access-lists <access-list-name>

Displays configuration of IPv6 rules in a specific table.

Syntax Description

access-list-name

ACL name

Default

N/A

Configuration Mode

Any command mode

History

3.6.5000

3.6.6000

Updated example

Example

switch (config) # show ipv6 access-lists my-list

Table Type: ipv6
Table Name: my-list
Bind-point: port

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
seq-number p/d protocol s-ipv6 d-ipv6 sport/type end-sport dport/code end-dport tcp-control action counter Packets ttl ecn dscp policer log
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10 permit ip any any any none any none N/A none N/A N/A 33 none none none YES
20 permit ip any any any none any none N/A none N/A N/A none none none none NO
30 permit ip any any any none any none N/A none N/A N/A none none none none NO

Related Commands

deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

show mac access-lists <access-list-name>

Displays configuration of MAC rules in a specific table.

Syntax Description

access-list-name

ACL name

Default

N/A

Configuration Mode

Any command mode

History

3.1.1400

3.3.4500

Updated example

3.6.6000

Updated example

Example

switch (config) # show mac access-lists my-list

Table Type: mac
Table Name: my-list
Bind-point: port

--------------------------------------------------------------------------------------------------------------------------------------------------
seq-number p/d smac dmac protocol cos vlan vlan-mask action counter Packets policer log
--------------------------------------------------------------------------------------------------------------------------------------------------
10 permit any any any any any N/A none N/A N/A roe NO

Related Commands

deny/permit

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list

{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

show mac access-lists <access-list-name>

Displays configuration of MAC rules in a specific table.

Syntax Description

access-list-name

ACL name

Default

N/A

Configuration Mode

Any command mode

History

3.6.8100

Example

switch (config) # show mac access-lists summary 
----------------------------------------------------------------------------------------
Table type Table Name Bind Point Total entries Bound to interfaces
----------------------------------------------------------------------------------------
mac mac1 port 1 Eth1/16

Related Commands

deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

show mac-udk access-lists <access-list-name>

Displays configuration of MAC UDK rules in a specific table.

Syntax Description

access-list-name

ACL name

Default

N/A

Configuration Mode

Any command mode

History

3.6.5000

3.6.6000

Updated example

Example

switch (config) # show mac-udk access-lists my-list

Table Type: mac
Table Name: my-list
Bind-point: port

----------------------------------------------------------------------------------------------------------------------------------
seq-number p/d smac dmac protocol cos vlan vlan-mask action counter Packets udk policer log
---------------------------------------------------------------------------------------------------------------------------------
10 permit any any any any any N/A none N/A 0 YES NO
20 permit any any any any any N/A none N/A N/A none NO

Related Commands

deny/permit
{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

Notes

show access-lists action <action-profile-name>

Displays the access-list action profiles summary.

Syntax Description

action-profile-name

Filter the table according to the action profile name

summary

Display summary of the action list

Default

N/A

Configuration Mode

Any command mode

History

3.2.0230

3.7.1000

Updated example

3.9.3100

Updated example to reflect ACL-based monitoring

Example

switch (config)# show access-lists action test_action_1

Access-list Action test_action:
----------------------------------------------------------------------------------
Type       Mapped_Vlan_ID   Mapped_port   Counter_set   Policer_ID
----------------------------------------------------------------------------------
vlan-map   1                N/A           N/A           N/A

switch (config)# show access-lists action test_action_2
Access-list Action test_action:
---------------------------------------------------------------------------------
Type       Monitor_Sesion   Mapped_port   Counter_set   Policer_ID
---------------------------------------------------------------------------------
monitor    1                N/A           N/A           N/A

Related Commands

Notes

show access-lists log config <action-profile-name>

Displays the access-list log configuration information.

Syntax Description

action-profile-name

Filter the table according to the action profile name

Default

N/A

Configuration Mode

Any command mode

History

3.2.0230

3.6.8008

Updated example

Example

switch (config)# show access-lists log config

access-list log configuration:
Memory packets : 1000
Syslog packets : 10
Interval (minutes): 1

Related Commands

Notes

show {ipv4 | ipv4-udk | ipv6 | mac | mac-udk} access-lists <access-list-name> policers [name | seq-number]

Displays all configured policers on a specific ACL table.

Syntax Description

access-list-name

ACL name

name

Policer name filter

seq-number

Filter by sequence number

Default

N/A

Configuration Mode

Any command mode

History

3.6.5000

Example

switch (config) # show ipv6 access-lists my-list policers
-----------------------------------------------------------------
Name   Type      Rate    Burst   Sequence Number
-----------------------------------------------------------------
pol    packets   1000    200     50,60,70
rom    packets   1000    200     80
N/A    bytes     12345   20000   40

Related Commands

Notes

show {ipv4 | ipv4-udk | ipv6 | mac | mac-udk} access-lists <access-list-name> shared-counters

Displays all configured shared-counters on a specific ACL table.

Syntax Description

access-list-name

ACL name

Default

N/A

Configuration Mode

Any command mode

History

3.6.5000

Example

switch (config mac access-list my-list) # show mac access-lists mac_acl shared-counters
-------------------------------------------------
counter   packets   total Rules   rule IDs
-------------------------------------------------
cnt1      0         3             20 30 40
cnt2      0         2             50 60
cnt3      0         1             70

Related Commands

Notes

  • For each configured shared counter, the command also displays the counter value (packets), the number of rules attached to the counter, and the rule IDs

  • Up to 5 rule IDs are displayed even though there is no limitation on how many rules can be attached to a counter

show [ipv4 | mac | ipv6 | ipv4-udk | mac-udk] access-lists summary

Displays a summary of the number of rules in each ACL table and the interfaces each table is bound to.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

3.1.1400

3.6.5000

Updated example

Example

switch (config) # show access-lists summary
-----------------------------------------------------------------------------------
Table type   Table Name   Bind type   Total entries   Bound to interfaces
-----------------------------------------------------------------------------------
mac          aaa          port        0               Mpo55
ipv4         ddd          port        1               Eth1/3, Po1
ipv4         ggg          rif         0               VlanIf555
ipv6         table1       port        9               Eth1/9

Related Commands

Notes

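The summary output is the quickest inventory of which ACL tables actually enforce anything. The following added example (not NVIDIA's code, and not part of this manual) parses that output and reports tables that are bound to an interface but contain no rules, or contain rules but are bound nowhere, so an operator can confirm each is intentional. It assumes the columns are whitespace-aligned with the interface list as the trailing field; the sample text is constructed from the manual's example plus one extra "stale" row.

```python
"""Parse `show access-lists summary` output and flag tables worth review.

Added example, not NVIDIA's code. The column layout (whitespace-aligned,
interfaces last) and the trailing `stale` row are assumptions/constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample based on the manual's example output; the last row is
# added to illustrate a table that has rules but is bound to no interface.
SAMPLE_SUMMARY = """\
switch (config) # show access-lists summary
-----------------------------------------------------------------------------------
Table type   Table Name   Bind type   Total entries   Bound to interfaces
-----------------------------------------------------------------------------------
mac          aaa          port        0               Mpo55
ipv4         ddd          port        1               Eth1/3, Po1
ipv4         ggg          rif         0               VlanIf555
ipv6         table1       port        9               Eth1/9
ipv6         stale        port        4
"""


@dataclass
class AclSummary:
    table_type: str
    name: str
    bind_type: str
    entries: int
    interfaces: List[str] = field(default_factory=list)


_SEPARATOR = re.compile(r"^-{5,}\s*$")


def parse_summary(text: str) -> List[AclSummary]:
    """Return one AclSummary per data row; the prompt and header are skipped."""
    rows: List[AclSummary] = []
    separators_seen = 0
    for line in text.splitlines():
        if _SEPARATOR.match(line):
            separators_seen += 1
            continue
        if separators_seen < 2:  # still inside prompt/header
            continue
        # First four columns are single tokens; everything after is the
        # comma-separated interface list (may be empty).
        parts = line.split(None, 4)
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        ifaces = [i.strip() for i in parts[4].split(",")] if len(parts) == 5 else []
        rows.append(AclSummary(parts[0], parts[1], parts[2], int(parts[3]), ifaces))
    return rows


def review_acls(rows: List[AclSummary]) -> List[Tuple[str, str]]:
    """Return (table name, reason) pairs for tables an operator should confirm:
    bound but empty (enforces nothing yet) and populated but unbound (drift)."""
    findings: List[Tuple[str, str]] = []
    for r in rows:
        if r.entries == 0 and r.interfaces:
            findings.append((r.name, "bound to %s but has no rules" % ", ".join(r.interfaces)))
        if r.entries > 0 and not r.interfaces:
            findings.append((r.name, "has %d rules but is not bound to any interface" % r.entries))
    return findings


if __name__ == "__main__":
    for name, reason in review_acls(parse_summary(SAMPLE_SUMMARY)):
        print("%-8s %s" % (name, reason))
```

Feed the script the captured output of the command (for example from a scheduled SSH collection) and diff the findings between runs; a table that newly appears as unbound is a configuration change worth correlating with the change log.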
show access-lists log [last <num>]

Displays the packets captured by the access-list logger for all access-list rules.

Syntax Description

num

Number of packets to show

Default

N/A

Configuration Mode

Any command mode

History

3.6.5000

Example

switch (config) # show access-lists log

Log status: Normal

Log MAC rules:
----------------------------------------------------------------------------------
IF    Table(rule)      Source MAC          Dest MAC            Ethertype   VLAN   Hits
----------------------------------------------------------------------------------
1/2   mac_al_log(10)   44:44:44:44:44:44   22:22:22:22:22:22   IPv4        N/A    5

Log IPv4 rules:
-------------------------------------------------------------------------------------
IF    Table(rule)      Source IPv4   Dest IPv4   Protocol   Source   Dest   Hits
                                                            port     port
-------------------------------------------------------------------------------------
1/3   ipv4_al_lo(10)   1.1.1.1       2.2.2.2     UDP        44       33     11

Related Commands

Notes

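The logger output above is what a security team polls to see which logged rules are being hit and by what traffic. The following added example (not NVIDIA's code, and not part of this manual) turns that text into structured records and aggregates hits per rule so the result can be shipped to a SIEM or compared against a threshold. It assumes the MAC and IPv4 sections are whitespace-aligned as in the manual's example, with the interface first and the hit count last; the sample text is constructed from that example with one extra IPv4 row.

```python
"""Parse `show access-lists log` into hit records and per-rule totals.

Added example, not NVIDIA's code. Column layout is assumed from the manual's
example; the sample below is constructed, with a second IPv4 row added.
"""
import re
from typing import Dict, List, Optional

# Constructed sample based on the manual's example output.
SAMPLE_LOG = """\
switch (config) # show access-lists log

Log status: Normal

Log MAC rules:
----------------------------------------------------------------------------------
IF    Table(rule)      Source MAC          Dest MAC            Ethertype   VLAN   Hits
----------------------------------------------------------------------------------
1/2   mac_al_log(10)   44:44:44:44:44:44   22:22:22:22:22:22   IPv4        N/A    5

Log IPv4 rules:
-------------------------------------------------------------------------------------
IF    Table(rule)      Source IPv4   Dest IPv4   Protocol   Source   Dest   Hits
                                                            port     port
-------------------------------------------------------------------------------------
1/3   ipv4_al_lo(10)   1.1.1.1       2.2.2.2     UDP        44       33     11
1/3   ipv4_al_lo(20)   1.1.1.1       2.2.2.2     TCP        1025     22     7
"""

_RULE_REF = re.compile(r"^(?P<table>[^\s(]+)\((?P<seq>\d+)\)$")
_STATUS = re.compile(r"^Log status:\s*(\S+)")


def parse_acl_log(text: str) -> Dict[str, object]:
    """Return {'status': str|None, 'records': [dict, ...]} for both sections."""
    status: Optional[str] = None
    section: Optional[str] = None
    records: List[dict] = []
    for line in text.splitlines():
        m = _STATUS.match(line)
        if m:
            status = m.group(1)
            continue
        if line.startswith("Log MAC rules"):
            section = "mac"
            continue
        if line.startswith("Log IPv4 rules"):
            section = "ipv4"
            continue
        parts = line.split()
        # A data row has an interface, a table(seq) reference and a numeric
        # hit count; header, separator and continuation lines fail this test.
        if section is None or len(parts) < 3:
            continue
        ref = _RULE_REF.match(parts[1])
        if not ref or not parts[-1].isdigit():
            continue
        rec = {
            "section": section,
            "interface": parts[0],
            "table": ref.group("table"),
            "seq": int(ref.group("seq")),
            "hits": int(parts[-1]),
        }
        if section == "mac":
            rec.update(src=parts[2], dst=parts[3], ethertype=parts[4], vlan=parts[5])
        else:
            rec.update(src=parts[2], dst=parts[3], protocol=parts[4],
                       sport=parts[5], dport=parts[6])
        records.append(rec)
    return {"status": status, "records": records}


def hits_per_rule(parsed: Dict[str, object]) -> Dict[str, int]:
    """Aggregate hit counts by 'table(seq)' so a threshold alert can be raised."""
    totals: Dict[str, int] = {}
    for r in parsed["records"]:  # type: ignore[union-attr]
        key = "%s(%d)" % (r["table"], r["seq"])
        totals[key] = totals.get(key, 0) + r["hits"]
    return totals


if __name__ == "__main__":
    parsed = parse_acl_log(SAMPLE_LOG)
    print("status:", parsed["status"])
    for rule, hits in sorted(hits_per_rule(parsed).items()):
        print("%-20s %d" % (rule, hits))
```

Because the hit counts are cumulative, store the previous totals and alert on the delta between polls rather than on the absolute value; a logged deny rule whose delta suddenly climbs is the signal worth paging on.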
show access-lists log config

Displays the configuration of the access-list logger.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

3.6.5000

Example

switch (config) # show access-lists log config
access-list log configuration:
Memory packets: 1000
Syslog packets: 10
Interval (minutes): 60

Related Commands

Notes

© Copyright 2023, NVIDIA. Last updated on May 23, 2023.