[seq-number <sequence-number>] {deny | permit} tcp {<source-ip> mask <ip> | any} {<dest-ip> mask <ip> | any} [src-port <src-port> | eq-source <src-port> | src-port-range <from> <to>] [dest-port <dest-port> | eq-destination <dest-port> | dest-port-range <from> <to>] [action <action-id>] [established | [ack {0 | 1}] [urg {0 | 1}] [rst {0 | 1}] [syn {0 | 1}] [fin {0 | 1}] [psh {0 | 1}] [ns {0 | 1}] [ece {0 | 1}] [cwr {0 | 1}]] [log] [counter | shared-counter <name>] [udk <udk1> <val> [mask <mask>] [<udk2> <val> [mask <mask>]] [<udk3> <val> [mask <mask>]] [<udk4> <val> [mask <mask>]]] [ecn <val>] [ttl <val>] [dscp <val>] [policer {<name> | [bits | bytes | packets] rate <rate_value> [k | m | g] [burst <burst_value> [k | m | g]]}] [switch-priority <switch-priority_value>] [tc <tc_value>]

no <sequence-number>

Creates a rule in an IPv4 TCP ACL. The no form of the command deletes the rule with the given sequence number from the ACL.

Syntax Description

sequence-number    Optional. Sets a specific sequence number for the rule. Range: 1-65535.

deny    Drops all matching traffic.

permit    Allows matching traffic to pass.

<source-ip> mask <ip> | any    Sets the source IP and the mask applied to it. "any" skips the source IP check entirely.

<dest-ip> mask <ip> | any    Sets the destination IP and the mask applied to it. "any" skips the destination IP check entirely.

src-port    L4 (TCP) source port. Note: only one of src-port, eq-source or src-port-range may be given for the source port.

eq-source <src-port>    TCP source port number. Range: 0-65535.

src-port-range <from> <to>    Matches a range of L4 source ports. Note: a rule may carry either a single source port or a range, not both.

dest-port    L4 (TCP) destination port. Note: only one of dest-port, eq-destination or dest-port-range may be given for the destination port.

eq-destination <dest-port>    TCP destination port number. Range: 0-65535.

dest-port-range <from> <to>    Matches a range of L4 destination ports. Note: a rule may carry either a single destination port or a range, not both.

action <action-id>    Applies a predefined action to matching traffic. The action must be created before it is referenced by a rule.

established    Matches packets with the "ack" or "rst" flag set. This is a per-packet flag check, not connection tracking: any packet carrying ACK or RST matches, whether or not a connection actually exists. Cannot be combined with the individual flag matches below.

ack; urg; rst; syn; fin; psh; ns; ece; cwr    Matches on a specific TCP flag: 1 requires the flag to be set, 0 requires it to be clear. Several flags may be combined in one rule.

log    Enables logging for the rule.

counter    Attaches a unique counter to the rule.

shared-counter <name>    Attaches a predefined shared counter to the rule.

udk <udk1>..<udk4>    User-defined key name. The UDK must be defined before it is referenced in a rule.

val    The value to match in the UDK (up to 4 bytes).

mask <mask>    Mask applied to the UDK value.

ecn <val>    ECN ACL filter. Range: 0-3.

ttl <val>    Time-to-live ACL filter. Range: 0-255.

dscp <val>    DSCP ACL filter. Range: 0-63.

policer    Attaches a shared policer (by name) to the rule, or defines a policer inline with the parameters below.

bytes    Attaches a bytes-type policer.

bits    Attaches a bits-type policer. Minimum value: 8000 bits.

packets    Attaches a packets-type policer.

rate <rate_value>    Policer rate. Range: 100-1000000000000.

k | m | g    Unit multiplier for the rate or burst value: kilo, mega or giga.

burst <burst_value>    Sets the policer burst. If no burst is configured, the default is 100 for type "packets" and 10000 for type "bytes"; a bits-type policer has no default burst. Minimum value: 2000 bytes.

switch-priority <switch-priority_value>    Maps matched traffic to a switch priority. Range: 0-7.

tc <tc_value>    Maps matched traffic to a traffic class (TC). Range: 0-7.

Default

No rule is added to an access control list by default. When no sequence number is given, rules are numbered in increments of 10.

Configuration Mode

config ipv4 acl

History

3.6.5000

3.6.6000    Added ECN, TTL, DSCP, policer and TCP flag parameters

3.7.0000    Added bits, switch-priority and tc parameters

Example

switch (config ipv4 access-list my-list)# permit tcp any any src-port 200 dest-port-range 200 400 established

Related Commands

{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list
{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
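The following is an added example and not code from the switch or its vendor. It models the rule syntax documented above: it enforces the documented ranges and exclusivity rules (one port form per direction, established versus individual flags, TTL 0-255, DSCP 0-63, ECN 0-3), renders the CLI text, and evaluates packets against a rule list the way a stateless ACL does, so that the "established" keyword is just a check of the ACK/RST bits as the parameter table states. Assumptions not taken from the page: source and destination are written as CIDR and rendered as "<network> mask <netmask>", the packet dictionary layout and sample packets are constructed for this example, and no implicit default action is assumed when nothing matches.

```python
# Added example (not the switch's own code): model of the IPv4 TCP ACL rule above.
# Assumed, not on the page: CIDR input rendered as "<network> mask <netmask>";
# packet dicts and the sample packets are constructed for this demonstration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

FLAGS = ("ack", "urg", "rst", "syn", "fin", "psh", "ns", "ece", "cwr")


def _check(val: int, lo: int, hi: int, name: str) -> None:
    if not lo <= val <= hi:
        raise ValueError(f"{name} {val} out of range {lo}-{hi}")


def _addr(spec: str) -> str:
    """'any' stays 'any'; a CIDR becomes '<network> mask <netmask>' (assumed rendering)."""
    if spec == "any":
        return "any"
    net = ip_network(spec, strict=False)
    return f"{net.network_address} mask {net.netmask}"


@dataclass
class TcpAclRule:
    action: str                                        # permit | deny
    src: str = "any"                                   # "any" or CIDR
    dst: str = "any"
    src_port: Optional[int] = None                     # src-port <n>
    src_port_range: Optional[Tuple[int, int]] = None   # src-port-range <from> <to>
    dest_port: Optional[int] = None                    # dest-port <n>
    dest_port_range: Optional[Tuple[int, int]] = None  # dest-port-range <from> <to>
    established: bool = False                          # ack or rst set (stateless)
    flags: Dict[str, int] = field(default_factory=dict)  # e.g. {"syn": 1, "ack": 0}
    ttl: Optional[int] = None
    dscp: Optional[int] = None
    ecn: Optional[int] = None
    seq: Optional[int] = None

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.src_port is not None and self.src_port_range is not None:
            raise ValueError("src-port and src-port-range are mutually exclusive")
        if self.dest_port is not None and self.dest_port_range is not None:
            raise ValueError("dest-port and dest-port-range are mutually exclusive")
        if self.established and self.flags:
            raise ValueError("established cannot be combined with individual flag matches")
        for p in (self.src_port, self.dest_port, *(self.src_port_range or ()), *(self.dest_port_range or ())):
            if p is not None:
                _check(p, 0, 65535, "port")
        for name, val in self.flags.items():
            if name not in FLAGS or val not in (0, 1):
                raise ValueError(f"bad flag match {name} {val}")
        for val, lo, hi, name in ((self.ttl, 0, 255, "ttl"), (self.dscp, 0, 63, "dscp"),
                                  (self.ecn, 0, 3, "ecn"), (self.seq, 1, 65535, "seq-number")):
            if val is not None:
                _check(val, lo, hi, name)

    def to_cli(self) -> str:
        """Render the rule in the command syntax shown at the top of the page."""
        parts = [] if self.seq is None else [f"seq-number {self.seq}"]
        parts += [self.action, "tcp", _addr(self.src), _addr(self.dst)]
        if self.src_port is not None:
            parts.append(f"src-port {self.src_port}")
        if self.src_port_range:
            parts.append("src-port-range %d %d" % self.src_port_range)
        if self.dest_port is not None:
            parts.append(f"dest-port {self.dest_port}")
        if self.dest_port_range:
            parts.append("dest-port-range %d %d" % self.dest_port_range)
        if self.established:
            parts.append("established")
        parts += [f"{f} {self.flags[f]}" for f in FLAGS if f in self.flags]
        for name in ("ecn", "ttl", "dscp"):
            if getattr(self, name) is not None:
                parts.append(f"{name} {getattr(self, name)}")
        return " ".join(parts)

    def matches(self, pkt: dict) -> bool:
        """Stateless per-packet match. pkt keys: src, dst, sport, dport, flags (set), ttl, dscp, ecn."""
        def in_net(spec: str, ip: str) -> bool:
            return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)

        def port_ok(single, rng, value) -> bool:
            if single is not None:
                return value == single
            return rng is None or rng[0] <= value <= rng[1]

        if not (in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"])):
            return False
        if not (port_ok(self.src_port, self.src_port_range, pkt["sport"])
                and port_ok(self.dest_port, self.dest_port_range, pkt["dport"])):
            return False
        if self.established and not ({"ack", "rst"} & pkt["flags"]):
            return False
        if any((f in pkt["flags"]) != bool(want) for f, want in self.flags.items()):
            return False
        return all(getattr(self, n) is None or pkt.get(n) == getattr(self, n) for n in ("ttl", "dscp", "ecn"))


def first_match(rules, pkt) -> Optional[str]:
    """Action of the first matching rule, or None (the page states no implicit default)."""
    return next((r.action for r in rules if r.matches(pkt)), None)


# Constructed demo: the usual "only allow return traffic" pair.
ACL = [TcpAclRule("permit", established=True), TcpAclRule("deny")]
SYN_IN = {"src": "198.51.100.7", "dst": "10.0.0.5", "sport": 40000, "dport": 22, "flags": {"syn"}}
SYNACK_BACK = {"src": "203.0.113.9", "dst": "10.0.0.5", "sport": 443, "dport": 51000, "flags": {"syn", "ack"}}
ACK_SCAN = {"src": "198.51.100.7", "dst": "10.0.0.5", "sport": 40000, "dport": 22, "flags": {"ack"}}

if __name__ == "__main__":
    for r in ACL:
        print(r.to_cli())
    for label, pkt in (("inbound SYN", SYN_IN), ("SYN-ACK reply", SYNACK_BACK), ("bare ACK (ACK scan)", ACK_SCAN)):
        print(f"{label:>20}: {first_match(ACL, pkt)}")
```

The third sample packet is the point worth checking before relying on an "established"-only permit: a bare ACK from an untrusted host, the shape used by TCP ACK scans, carries the ACK bit and is therefore permitted by the first rule even though no connection exists. The keyword filters on flags, not on connection state, so hosts that must not be reachable need an explicit deny ahead of the established permit.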