11.4. ACL Commands

11.4.1. mac access-list

Command Purpose

Use this command to create a MAC ACL and enter MAC ACL configuration mode from global configuration mode. Use the no mac access-list command to delete the MAC ACL.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

mac access-list ACL_NAME

no mac access-list ACL_NAME

Parameter | Parameter Description | Parameter Value
ACL_NAME | The name of the MAC ACL | A string with up to 40 characters

Command Mode

Global Config

Default

None

Usage

If the system already has a MAC ACL with the same name, this command enters the MAC ACL configuration mode for it. If the name is already used by an ACL of another type, an error prompt is shown.

When the name is not used by any ACL, this command first creates the MAC ACL and then enters the MAC ACL configuration mode.

Examples

This example shows how to create a MAC ACL named list_mac_1 and then enter the MAC ACL configuration mode:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)#

This example shows how to remove the MAC ACL named list_mac_1:

Switch# configure terminal
Switch(config)# no mac access-list list_mac_1

11.4.2. sequence-num

Command Purpose

Use this command to remove a filter from a MAC ACL or an IP ACL.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

no sequence-num SEQUENCE_NUM

Parameter | Parameter Description | Parameter Value
SEQUENCE_NUM | The sequence number of an IP or MAC filter | 1-131071

Command Mode

MAC ACL Configuration

IP ACL Configuration

Default

None

Usage

An ACL entry can be deleted immediately, even when the ACL is already attached to a class-map and in use on an interface.

Examples

This example shows how to remove a filter with the sequence-num 10 from MAC ACL:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# no sequence-num 10

This example shows how to remove a filter with the sequence-num 10 from IP ACL:

Switch# configure terminal
Switch(config)# ip access-list list_ip_1
Switch(config-ip-acl)# no sequence-num 10

Related Commands

deny

deny tcp

deny udp

deny icmp

deny igmp

permit

permit tcp

permit udp

permit icmp

permit igmp

11.4.3. deny src-mac

Command Purpose

Use this command to create a MAC filter that discards packets matching the filter rule.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) deny src-mac ( any | MAC_ADDR MAC_ADDR_MASK | host MAC_ADDR ) ( dest-mac ( any | MAC_ADDR MAC_ADDR_MASK | host MAC_ADDR ) | ) ( untag-vlan | ( vlan VLAN_ID | ) ( cos COS | ) ( inner-vlan INNER_VLAN | ) ( inner-cos INNER_COS | ) ) ( protocol ( arp ( arp-op-code ) | rarp | ETH_TYPE mask ETH_TYPE_MASK ) | packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter | Parameter Description | Parameter Value
SEQUENCE_NUM | The sequence number of the filter in the MAC ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
any | Any host | -
MAC_ADDR MAC_ADDR_MASK | The MAC address and its wildcard bits | MAC address and wildcard in HHHH.HHHH.HHHH format
host MAC_ADDR | The host with the specified MAC address | MAC address in HHHH.HHHH.HHHH format
dest-mac | Destination MAC address | -
untag-vlan | Packets without a VLAN tag | -
VLAN_ID | VLAN ID | 1-4094
COS | CoS value | 0-7
INNER_VLAN | Inner VLAN ID | 1-4094
INNER_COS | Inner CoS value | 0-7
protocol | The protocol type: ARP, RARP, or an Ethertype value | -
arp | ARP protocol | -
arp-op-code | ARP opcode | 0-65535
rarp | RARP protocol | -
ETH_TYPE | Ethertype | 0-0xFFFF
ETH_TYPE_MASK | Ethertype mask | 0-0xFFFF
TIME_RANGE_NAME | The time-range used by the MAC filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

MAC ACL Configuration

Default

None

Usage

An auto-generated sequence number is assigned to the filter if the sequence-num field is not present. The auto-generated number is the maximum existing sequence number in the MAC ACL plus 10: for example, when the maximum existing sequence number is 100, the next MAC filter created receives sequence number 110. Ethertype matching is not supported in egress ACLs.

Examples

This example shows how to create a filter in MAC ACL to deny the packets with source MAC address 0058.3f2C.A1DF:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 1 deny src-mac host 0058.3f2C.A1DF

This example shows how to create a filter in MAC ACL to deny all the packets:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 2 deny src-mac any

This example shows how to create a filter in the MAC ACL to deny packets whose source MAC address falls within the specified address/wildcard range:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 3 deny src-mac 0058.3f2C.A1DF 0058.3f2C.0000

Related Commands

no sequence-num

11.4.4. permit src-mac

Command Purpose

Use this command to create a MAC filter for allowing packets matching the filter rule to be delivered.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) permit src-mac ( any | MAC_ADDR MAC_ADDR_MASK | host MAC_ADDR ) ( dest-mac ( any | MAC_ADDR MAC_ADDR_MASK | host MAC_ADDR ) | ) ( untag-vlan | ( vlan VLAN | ) ( cos COS | ) ( inner-vlan INNER_VLAN | ) ( inner-cos INNER_COS | ) ) ( protocol ( arp ( arp-op-code ) | rarp | ETH_TYPE mask ETH_TYPE_MASK ) | packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter | Parameter Description | Parameter Value
SEQUENCE_NUM | The sequence number of the filter in the MAC ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
any | Any host | -
MAC_ADDR MAC_ADDR_MASK | The MAC address and its wildcard bits | MAC address and wildcard in HHHH.HHHH.HHHH format
host MAC_ADDR | The host with the specified MAC address | MAC address in HHHH.HHHH.HHHH format
dest-mac | Destination MAC address | -
untag-vlan | Packets without a VLAN tag | -
VLAN | VLAN ID | 1-4094
COS | CoS value | 0-7
INNER_VLAN | Inner VLAN ID | 1-4094
INNER_COS | Inner CoS value | 0-7
protocol | The protocol type: ARP, RARP, or an Ethertype value | -
arp | ARP protocol | -
arp-op-code | ARP opcode | 0-65535
rarp | RARP protocol | -
ETH_TYPE | Ethertype | 0-0xFFFF
ETH_TYPE_MASK | Ethertype mask | 0-0xFFFF
TIME_RANGE_NAME | The name of the time-range used by the MAC filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

MAC ACL Configuration

Default

None

Usage

An auto-generated sequence number is assigned to the filter if the sequence-num field is not present. The auto-generated number is the maximum existing sequence number in the MAC ACL plus 10: for example, when the maximum existing sequence number is 105, the next MAC filter created receives sequence number 115. Ethertype matching is not supported in egress ACLs.

Examples

This example shows how to create a filter in MAC ACL to permit the packets with source MAC address 0058.3f2C.A1DF:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 1 permit src-mac host 0058.3f2C.A1DF

This example shows how to create a filter in MAC ACL to permit all the packets:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 2 permit src-mac any

This example shows how to create a filter in the MAC ACL to permit packets whose source MAC address falls within the specified address/wildcard range:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 3 permit src-mac 0058.3f2C.A1DF 0058.3f2C.0000

Related Commands

no sequence-num

11.4.5. remark

Command Purpose

Use this command to add remarks for the MAC ACL.

To remove remarks of the MAC ACL, use the no form of this command.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

remark REMARK

no remark

Parameter | Parameter Description | Parameter Value
REMARK | The remarks of the MAC ACL | A string with up to 100 characters

Command Mode

MAC ACL Configuration

IP ACL Configuration

Default

None

Usage

Remarks are limited to 100 characters; any characters beyond that are truncated and not stored.

Examples

This example shows how to add a remark to describe the MAC ACL:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# remark remark of List for mac

This example shows how to remove the remark of the MAC ACL:

Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# no remark

Related Commands

mac access-list

11.4.6. show access-list mac

Command Purpose

Use this command to show the MAC ACL information.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

show access-list mac ( ACL_NAME | )

Parameter | Parameter Description | Parameter Value
ACL_NAME | The name of the MAC ACL | A string with up to 40 characters

Command Mode

Privileged EXEC

Default

None

Usage

If no MAC ACL name is specified, all MAC access-lists in the system are shown.

Examples

This example shows how to show the MAC ACL information:

Switch# show access-list mac

mac access-list list_mac_1
 10 deny src-mac host 0000.0001.0002
 20 permit src-mac any

Related Commands

mac access-list

11.4.7. ip access-list

Command Purpose

Use this command to create IP ACL and then enter IP ACL configuration mode.

To remove this ACL, use the no form of this command.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

ip access-list ACL_NAME

no ip access-list ACL_NAME

Parameter | Parameter Description | Parameter Value
ACL_NAME | The name of the IP ACL | A string with up to 40 characters

Command Mode

Global Config

Default

None

Usage

If the system already has an IP ACL with the same name, this command enters the IP ACL configuration mode for it. If the name is already used by an ACL of another type, an error prompt is shown.

When the name is not used by any ACL, this command first creates the IP ACL and then enters the IP ACL configuration mode.

Examples

This example shows how to create an IP ACL named list_ipv4_1 and then enter the IP ACL configuration mode:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)#

This example shows how to remove the IP ACL named list_ipv4_1:

Switch# configure terminal
Switch(config)# no ip access-list list_ipv4_1

Related Commands

match access-group

11.4.8. deny

Command Purpose

Use this command to create an IP filter that discards IP packets matching the filter rule.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) deny ( PROTO_NUM | any ) ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn ECN | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter | Parameter Description | Parameter Value
SEQUENCE_NUM | The sequence number of the filter in the IP ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
PROTO_NUM | An IP protocol number | 0-255
any | Any IP protocol | -
SRC_MAC SRC_MAC_MASK | The source IP address and its wildcard bits | IPv4 address and wildcard mask
host SRC_MAC | The source IP address of a host | IPv4 address
DST_MAC DST_MAC_MASK | The destination IP address and its wildcard bits | IPv4 address and wildcard mask
host DST_MAC | The destination IP address of a host | IPv4 address
PRECEDENCE | Match packets with the given IP precedence value | 0-7
DSCP | Match packets with the given DSCP value | 0-63
ECN | Match packets with the given ECN value | 0-3
non-fragment | Match non-fragmented packets | -
first-fragment | Match first fragments | -
non-or-first-fragment | Match non-fragmented packets or first fragments | -
small-fragment | Match small fragments | -
non-first-fragment | Match non-first (subsequent) fragments | -
routed-packet | Match routed packets | -
options | Match packets carrying IP options | -
TIME_RANGE_NAME | The time-range used by the filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

If an IP address wildcard is provided, the packet address is compared with the configured address only in the bit positions where the wildcard bit is 0; in other words, both addresses are ANDed with the inverted wildcard bits before comparison. For example, 10.10.10.0 0.0.0.255 matches the addresses from 10.10.10.0 to 10.10.10.255.

An auto-generated sequence number is assigned to the filter if the sequence-num field is not present. The auto-generated number is the maximum existing sequence number in the IP ACL plus 10: for example, when the maximum existing sequence number is 100, the next IP filter created receives sequence number 110.
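The wildcard rule and the sequence-number rule above (and the same sequence-number rule given for MAC ACLs under deny src-mac and permit src-mac), as an added Python model. This is example code written for this page, not the switch vendor's software. The class and function names are hypothetical; the first auto-generated sequence number in an empty ACL is assumed to be 10 (consistent with the 10/20 numbering in the show access-list mac output), MAC wildcards are assumed to follow the same don't-care rule as IPv4 wildcards, and an implicit deny for unmatched traffic is assumed because this section does not state the default action.

```python
import ipaddress

# Added example, not the switch vendor's code: a small model of the ACL
# semantics the manual describes (wildcard matching, auto-generated sequence
# numbers, removal with "no sequence-num", first-match evaluation).
# Class and function names are hypothetical.

SEQ_MIN, SEQ_MAX, SEQ_STEP = 1, 131071, 10   # range and increment from the manual


def parse_mac(text):
    """Parse a MAC in HHHH.HHHH.HHHH format into a 48-bit integer."""
    parts = text.split(".")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError("MAC must be in HHHH.HHHH.HHHH format: %r" % text)
    return int("".join(parts), 16)


def parse_ipv4(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(value, pattern, wildcard):
    """True when value equals pattern in every bit whose wildcard bit is 0.
    A 1 bit in the wildcard means "don't care", the rule the manual states for
    IPv4 (10.10.10.0 0.0.0.255 matches 10.10.10.0-10.10.10.255). The same rule
    is assumed here for MAC wildcards."""
    return (value & ~wildcard) == (pattern & ~wildcard)


def address_spec(spec, kind):
    """Turn the CLI forms "any", "host ADDR" and "ADDR WILDCARD" into
    (pattern, wildcard) integers for an "ip" or "mac" ACL."""
    parse = parse_ipv4 if kind == "ip" else parse_mac
    width = 32 if kind == "ip" else 48
    tokens = spec.split()
    if tokens == ["any"]:
        return 0, (1 << width) - 1            # every bit is don't-care
    if len(tokens) == 2 and tokens[0] == "host":
        return parse(tokens[1]), 0            # every bit must match
    if len(tokens) == 2:
        return parse(tokens[0]), parse(tokens[1])
    raise ValueError("bad address spec: %r" % spec)


class AccessList:
    """One MAC or IP ACL: permit/deny filters ordered by sequence number."""

    def __init__(self, name, kind):
        if kind not in ("ip", "mac"):
            raise ValueError("kind must be 'ip' or 'mac'")
        self.name, self.kind = name, kind
        self.filters = {}     # sequence number -> (action, src_pattern, src_wildcard)

    def next_sequence(self):
        """Auto-generated number: maximum existing + 10 (manual). For an empty
        ACL, 10 is assumed, matching the 10/20 numbering in the show output."""
        return max(self.filters) + SEQ_STEP if self.filters else SEQ_STEP

    def add(self, action, src_spec, seq=None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if seq is None:
            seq = self.next_sequence()
        if not SEQ_MIN <= seq <= SEQ_MAX:
            raise ValueError("sequence number out of range 1-131071")
        pattern, wildcard = address_spec(src_spec, self.kind)
        self.filters[seq] = (action, pattern, wildcard)
        return seq

    def remove(self, seq):
        """Equivalent of "no sequence-num SEQ"."""
        if seq not in self.filters:
            raise KeyError("no filter with sequence number %d" % seq)
        del self.filters[seq]

    def evaluate(self, src):
        """First match in sequence-number order wins; returns (action, seq).
        Implicit deny for unmatched packets is an assumption of this model."""
        value = parse_ipv4(src) if self.kind == "ip" else parse_mac(src)
        for seq in sorted(self.filters):
            action, pattern, wildcard = self.filters[seq]
            if wildcard_match(value, pattern, wildcard):
                return action, seq
        return "deny", None


def demo():
    """Rebuilds the manual's show access-list mac output (sequence 10 and 20)
    and an IP ACL using the 10.10.10.0 0.0.0.255 wildcard from the usage note."""
    mac_acl = AccessList("list_mac_1", "mac")
    mac_acl.add("deny", "host 0000.0001.0002")        # auto sequence 10
    mac_acl.add("permit", "any")                       # auto sequence 20
    ip_acl = AccessList("list_ipv4_1", "ip")
    ip_acl.add("deny", "10.10.10.0 0.0.0.255", seq=100)
    ip_acl.add("permit", "any")                        # auto sequence 110 (100 + 10)
    return mac_acl, ip_acl


if __name__ == "__main__":
    mac_acl, ip_acl = demo()
    print(sorted(mac_acl.filters))        # [10, 20]
    print(ip_acl.evaluate("10.10.10.77"))  # ('deny', 100)
    print(ip_acl.evaluate("10.10.11.1"))   # ('permit', 110)
```

Because each filter is keyed by its sequence number, re-adding with an explicit existing number replaces that entry, while removing the last permit leaves the model falling through to the assumed implicit deny; a real switch's default action should be confirmed against its own documentation.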

Examples

This example shows how to create a filter in IP ACL to deny any IP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 deny any any

This example shows how to create a filter in the IP ACL to deny fragment packets with the source IP address 1.1.1.1:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 deny any host 1.1.1.1 any fragments

This example shows how to create a filter in IP ACL to deny any routed packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 3 deny any any any routed-packet

Related Commands

no sequence-num

11.4.9. deny tcp

Command Purpose

Use this command to reject TCP packets matching the IP filter.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) deny tcp ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( src-port OPERATOR SRC_PORT | ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( dst-port OPERATOR DST_PORT | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn ECN | ) ( established | ( match-any | match-all ) FLAG-NAME | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter | Parameter Description | Parameter Value
SEQUENCE_NUM | The sequence number of the filter in the IP ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
SRC_MAC SRC_MAC_MASK | The source IP address and its wildcard bits | IPv4 address and wildcard mask
any | Any source host | -
host SRC_MAC | The source IP address of a host | IPv4 address
OPERATOR SRC_PORT | Source port operator and value | Port 0-65535; operator eq (equal to), lt (less than), gt (greater than), neq (not equal to), or range
DST_MAC DST_MAC_MASK | The destination IP address and its wildcard bits | IPv4 address and wildcard mask
host DST_MAC | The destination IP address of a host | IPv4 address
OPERATOR DST_PORT | Destination port operator and value | Port 0-65535; operator eq (equal to), lt (less than), gt (greater than), neq (not equal to), or range
PRECEDENCE | Match packets with the given IP precedence value | 0-7
DSCP | Match packets with the given DSCP value | 0-63
ECN | Match packets with the given ECN value | 0-3
established | Match packets belonging to established connections | -
match-any | Match packets carrying any of the given TCP flags | -
match-all | Match packets carrying all of the given TCP flags | -
FLAG-NAME | TCP flag name | ack, fin, psh, rst, syn, or urg
non-fragment | Match non-fragmented packets | -
first-fragment | Match first fragments | -
non-or-first-fragment | Match non-fragmented packets or first fragments | -
small-fragment | Match small fragments | -
non-first-fragment | Match non-first (subsequent) fragments | -
routed-packet | Match routed packets | -
options | Match packets carrying IP options | -
TIME_RANGE_NAME | The time-range used by the IP filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

The fragment options are invalid when layer 4 information (e.g. src-port) is specified.

Examples

This example shows how to create a filter in IP ACL to deny any TCP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 deny tcp any any

This example shows how to create a filter in IP ACL to deny the TCP packets with the source IP address 1.1.1.1, source port 0-100:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 deny tcp host 1.1.1.1 src-port range 0 100 any

This example shows how to create a filter in IP ACL to deny any TCP packets in established TCP streams:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 3 deny tcp any any established

This example shows how to create a filter in the IP ACL to deny TCP ACK packets from the source IP address 10.10.10.0 (wildcard 0.0.0.0, i.e. that exact host):

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 4 deny tcp 10.10.10.0 0.0.0.0 any match-any ack
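The deny tcp examples above, run through an added parser that checks a filter line against the documented syntax and the usage note on fragments. This is example code written for this page, not the vendor's CLI. Function names are hypothetical; keyword order after the address and port fields is not enforced, more than one flag name after match-any or match-all is accepted, and TCP flag options are treated as layer 4 information alongside src-port and dst-port.

```python
import re

# Added example, not the vendor's code: a parser and validator for the
# "deny tcp" / "permit tcp" filter syntax documented above. It enforces the
# usage note that fragment keywords are invalid together with layer-4
# information. All function names here are hypothetical.

SEQ_RANGE, PORT_RANGE, LENGTH_RANGE = (1, 131071), (0, 65535), (64, 16382)
PORT_OPERATORS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}   # values taken
LENGTH_OPERATORS = {"eq": 1, "lt": 1, "gt": 1, "range": 2}
FRAGMENT_KEYWORDS = {"non-fragment", "first-fragment", "non-or-first-fragment",
                     "small-fragment", "non-first-fragment"}
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}
QOS_KEYWORDS = {"ip-precedence": (0, 7), "dscp": (0, 63), "ecn": (0, 3)}
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class RuleError(ValueError):
    """Raised for a line the documented grammar or usage rules reject."""


def _take_address(tokens, i):
    """Consume ( ADDR WILDCARD | any | host ADDR ) starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "any":
        return {"any": True}, i + 1
    if i + 1 < len(tokens) and tokens[i] == "host" and IPV4_RE.match(tokens[i + 1]):
        return {"host": tokens[i + 1]}, i + 2
    if i + 1 < len(tokens) and IPV4_RE.match(tokens[i]) and IPV4_RE.match(tokens[i + 1]):
        return {"address": tokens[i], "wildcard": tokens[i + 1]}, i + 2
    raise RuleError("expected any | host ADDR | ADDR WILDCARD at token %d" % i)


def _take_operator(tokens, i, operators, bounds):
    """Consume OPERATOR VALUE [VALUE] (range takes two) and bounds-check."""
    if i >= len(tokens) or tokens[i] not in operators:
        raise RuleError("expected one of %s at token %d" % (sorted(operators), i))
    op, count = tokens[i], operators[tokens[i]]
    raw = tokens[i + 1:i + 1 + count]
    if len(raw) != count or not all(v.isdigit() for v in raw):
        raise RuleError("operator %s needs %d numeric value(s)" % (op, count))
    values = [int(v) for v in raw]
    lo, hi = bounds
    if any(not lo <= v <= hi for v in values) or (op == "range" and values[0] > values[1]):
        raise RuleError("value out of range %d-%d for %s" % (lo, hi, op))
    return {"op": op, "values": values}, i + 1 + count


def parse_tcp_rule(line):
    """Parse one filter line into a dict, or raise RuleError."""
    tokens, i, rule = line.split(), 0, {}
    if tokens and tokens[0].isdigit():                  # optional SEQUENCE_NUM
        rule["seq"] = int(tokens[0])
        if not SEQ_RANGE[0] <= rule["seq"] <= SEQ_RANGE[1]:
            raise RuleError("sequence number must be 1-131071")
        i = 1
    if tokens[i:i + 2] not in (["deny", "tcp"], ["permit", "tcp"]):
        raise RuleError("expected 'deny tcp' or 'permit tcp'")
    rule["action"], i = tokens[i], i + 2
    rule["src"], i = _take_address(tokens, i)
    if i < len(tokens) and tokens[i] == "src-port":
        rule["src_port"], i = _take_operator(tokens, i + 1, PORT_OPERATORS, PORT_RANGE)
    rule["dst"], i = _take_address(tokens, i)
    if i < len(tokens) and tokens[i] == "dst-port":
        rule["dst_port"], i = _take_operator(tokens, i + 1, PORT_OPERATORS, PORT_RANGE)
    while i < len(tokens):                              # remaining optional keywords
        t = tokens[i]
        if t in QOS_KEYWORDS:
            lo, hi = QOS_KEYWORDS[t]
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit() or not lo <= int(tokens[i + 1]) <= hi:
                raise RuleError("%s needs a value %d-%d" % (t, lo, hi))
            rule[t], i = int(tokens[i + 1]), i + 2
        elif t == "established":
            rule["established"], i = True, i + 1
        elif t in ("match-any", "match-all"):
            j = i + 1                                   # one or more flag names accepted here
            while j < len(tokens) and tokens[j] in TCP_FLAGS:
                j += 1
            if j == i + 1:
                raise RuleError("%s needs at least one of %s" % (t, sorted(TCP_FLAGS)))
            rule["flags"], i = (t, tokens[i + 1:j]), j
        elif t in FRAGMENT_KEYWORDS:
            rule["fragment"], i = t, i + 1
        elif t in ("routed-packet", "options"):
            rule[t], i = True, i + 1
        elif t == "packet-length":
            rule["packet_length"], i = _take_operator(tokens, i + 1, LENGTH_OPERATORS, LENGTH_RANGE)
        elif i == len(tokens) - 1:                      # trailing TIME_RANGE_NAME
            if len(t) > 40:
                raise RuleError("time-range name is limited to 40 characters")
            rule["time_range"], i = t, i + 1
        else:
            raise RuleError("unknown or misplaced token %r" % t)
    # Usage rule from the manual: fragment matching is invalid once layer-4
    # information is present. Ports are the manual's example; TCP flags are
    # treated as layer-4 information here as well.
    layer4 = {"src_port", "dst_port", "established", "flags"} & rule.keys()
    if "fragment" in rule and layer4:
        raise RuleError("%s cannot be combined with layer-4 match %s"
                        % (rule["fragment"], sorted(layer4)))
    return rule


def check_lines(lines):
    """Validate several lines; returns {line: parsed rule or 'error: ...'}."""
    result = {}
    for line in lines:
        try:
            result[line] = parse_tcp_rule(line)
        except RuleError as exc:
            result[line] = "error: " + str(exc)
    return result
```

Running check_lines over a candidate configuration before it is pushed catches the fragment/layer-4 conflict and out-of-range ports offline, which is cheaper than discovering them from the switch's error prompt during a change window.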

Related Commands

no sequence-num

11.4.10. deny udp

Command Purpose

Use this command to reject UDP packets matching the IP filter.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) deny udp ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( src-port OPERATOR SRC_PORT | ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( dst-port OPERATOR DST_PORT | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn ECN | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter | Parameter Description | Parameter Value
SEQUENCE_NUM | The sequence number of the filter in the IP ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
SRC_MAC SRC_MAC_MASK | The source IP address and its wildcard bits | IPv4 address and wildcard mask
any | Any source host | -
host SRC_MAC | The source IP address of a host | IPv4 address
OPERATOR SRC_PORT | Source port operator and value | Port 0-65535; operator eq (equal to), lt (less than), gt (greater than), neq (not equal to), or range
DST_MAC DST_MAC_MASK | The destination IP address and its wildcard bits | IPv4 address and wildcard mask
host DST_MAC | The destination IP address of a host | IPv4 address
OPERATOR DST_PORT | Destination port operator and value | Port 0-65535; operator eq (equal to), lt (less than), gt (greater than), neq (not equal to), or range
PRECEDENCE | Match packets with the given IP precedence value | 0-7
DSCP | Match packets with the given DSCP value | 0-63
ECN | Match packets with the given ECN value | 0-3
non-fragment | Match non-fragmented packets | -
first-fragment | Match first fragments | -
non-or-first-fragment | Match non-fragmented packets or first fragments | -
small-fragment | Match small fragments | -
non-first-fragment | Match non-first (subsequent) fragments | -
routed-packet | Match routed packets | -
options | Match packets carrying IP options | -
TIME_RANGE_NAME | The time-range used by the IP filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

The fragment options are invalid when layer 4 information (e.g. src-port) is specified.

Examples

This example shows how to create a filter in IP ACL to deny any UDP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 deny udp any any

This example shows how to create a filter in IP ACL to deny the UDP packets with the source IP 1.1.1.1, source port 10, and destination port less than 2000:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 deny udp host 1.1.1.1 src-port eq 10 any dst-port lt 2000

Related Commands

no sequence-num

11.4.11. deny icmp

Command Purpose

Use this command to reject ICMP packets matching the IP filter.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) deny icmp ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( icmp-type TYPE-NUM ( icmp-code CODE-NUM | ) | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn ECN | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter | Parameter Description | Parameter Value
TYPE-NUM | ICMP message type | 0-255
CODE-NUM | ICMP message code | 0-255
SEQUENCE_NUM | The sequence number of the filter in the IP ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
SRC_MAC SRC_MAC_MASK | The source IP address and its wildcard bits | IPv4 address and wildcard mask
any | Any source host | -
host SRC_MAC | The source IP address of a host | IPv4 address
DST_MAC DST_MAC_MASK | The destination IP address and its wildcard bits | IPv4 address and wildcard mask
host DST_MAC | The destination IP address of a host | IPv4 address
PRECEDENCE | Match packets with the given IP precedence value | 0-7
DSCP | Match packets with the given DSCP value | 0-63
ECN | Match packets with the given ECN value | 0-3
non-fragment | Match non-fragmented packets | -
first-fragment | Match first fragments | -
non-or-first-fragment | Match non-fragmented packets or first fragments | -
small-fragment | Match small fragments | -
non-first-fragment | Match non-first (subsequent) fragments | -
routed-packet | Match routed packets | -
options | Match packets carrying IP options | -
TIME_RANGE_NAME | The time-range used by the IP filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

This type of filter is mostly used to reject ICMP packets.

Examples

This example shows how to create a filter in IP ACL to deny any ICMP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 deny icmp any any

This example shows how to create a filter in IP ACL to deny the ICMP packets with the icmp-type 3 and icmp-code 3:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 deny icmp any any icmp-type 3 icmp-code 3

Related Commands

no sequence-num

11.4.12. deny igmp

Command Purpose

Use this command to reject IGMP packets matching the IP filter.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) deny igmp ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( IGMP-TYPE | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn ECN | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter | Parameter Description | Parameter Value
IGMP-TYPE | IGMP message type | dvmrp, host-query, host-report, mtrace, mtrace-response, pim, precedence, trace, v2-leave, v2-report, or v3-report
SEQUENCE_NUM | The sequence number of the filter in the IP ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
SRC_MAC SRC_MAC_MASK | The source IP address and its wildcard bits | IPv4 address and wildcard mask
any | Any source host | -
host SRC_MAC | The source IP address of a host | IPv4 address
DST_MAC DST_MAC_MASK | The destination IP address and its wildcard bits | IPv4 address and wildcard mask
host DST_MAC | The destination IP address of a host | IPv4 address
PRECEDENCE | Match packets with the given IP precedence value | 0-7
DSCP | Match packets with the given DSCP value | 0-63
ECN | Match packets with the given ECN value | 0-3
non-fragment | Match non-fragmented packets | -
first-fragment | Match first fragments | -
non-or-first-fragment | Match non-fragmented packets or first fragments | -
small-fragment | Match small fragments | -
non-first-fragment | Match non-first (subsequent) fragments | -
routed-packet | Match routed packets | -
options | Match packets carrying IP options | -
TIME_RANGE_NAME | The time-range used by the IP filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

This type of filter is mostly used to reject IGMP packets.

Examples

This example shows how to create a filter in IP ACL to deny any IGMP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 deny igmp any any

This example shows how to create a filter in IP ACL to deny the IGMP packets with the source IP address 1.1.1.1, any destination IP address and the igmp-type pim:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 deny igmp host 1.1.1.1 any pim

Related Commands

no sequence-num

11.4.13. deny gre

Command Purpose

Use this command to reject GRE packets matching the IP filter.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) deny gre ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( key KEY mask KEY-MASK ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn ECN | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter | Parameter Description | Parameter Value
KEY | GRE key | 0-4294967295
KEY-MASK | GRE key mask | 0-0xFFFFFFFF
SEQUENCE_NUM | The sequence number of the filter in the IP ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
SRC_MAC SRC_MAC_MASK | The source IP address and its wildcard bits | IPv4 address and wildcard mask
any | Any source host | -
host SRC_MAC | The source IP address of a host | IPv4 address
DST_MAC DST_MAC_MASK | The destination IP address and its wildcard bits | IPv4 address and wildcard mask
host DST_MAC | The destination IP address of a host | IPv4 address
PRECEDENCE | Match packets with the given IP precedence value | 0-7
DSCP | Match packets with the given DSCP value | 0-63
ECN | Match packets with the given ECN value | 0-3
non-fragment | Match non-fragmented packets | -
first-fragment | Match first fragments | -
non-or-first-fragment | Match non-fragmented packets or first fragments | -
small-fragment | Match small fragments | -
non-first-fragment | Match non-first (subsequent) fragments | -
routed-packet | Match routed packets | -
options | Match packets carrying IP options | -
TIME_RANGE_NAME | The time-range used by the IP filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

This type of filter is mostly used to reject GRE packets.

Refer to the deny command for the other parameters.

Examples

This example shows how to create a filter in IP ACL to deny any GRE packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 deny gre any any key 0 mask 0

This example shows how to create a filter in IP ACL to deny the GRE packets with the source IP address 1.1.1.1, any destination IP address and the gre key is 10:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 deny gre host 1.1.1.1 any key 10 mask 0xffffffff

Related Commands

no sequence-num

11.4.14. deny nvgre

Command Purpose

Use this command to reject NVGRE packets matching the IP filter.

Prerequisites

Platform | Software | License | Comments
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |

Command Syntax

( SEQUENCE_NUM | ) deny nvgre ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( vsid VSID mask VSID-MASK ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn ECN | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Refer to the deny command for the other parameters.

Parameter | Parameter Description | Parameter Value
VSID | NVGRE virtual subnet ID (VSID) | 0-16777215
VSID-MASK | NVGRE VSID mask | 0-0xFFFFFF
SEQUENCE_NUM | The sequence number of the filter in the IP ACL. An auto-generated sequence number is assigned if this field is not present. | 1-131071
any | Any source or destination host | -
SRC_MAC SRC_MAC_MASK | The source IP address and its wildcard bits | IPv4 address and wildcard mask
host SRC_MAC | The source IP address of a host | IPv4 address
DST_MAC DST_MAC_MASK | The destination IP address and its wildcard bits | IPv4 address and wildcard mask
host DST_MAC | The destination IP address of a host | IPv4 address
PRECEDENCE | Match packets with the given IP precedence value | 0-7
DSCP | Match packets with the given DSCP value | 0-63
ECN | Match packets with the given ECN value | 0-3
non-fragment | Match non-fragmented packets | -
first-fragment | Match first fragments | -
non-or-first-fragment | Match non-fragmented packets or first fragments | -
small-fragment | Match small fragments | -
non-first-fragment | Match non-first (subsequent) fragments | -
routed-packet | Match routed packets | -
options | Match packets carrying IP options | -
TIME_RANGE_NAME | The time-range used by the IP filter | A string with up to 40 characters
OPERATOR | Packet-length operator | eq (equal to), lt (less than), gt (greater than), or range
LENGTH | The packet-length value | 64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

This type of filter is mostly used to reject NVGRE packets.

Examples

This example shows how to create a filter in IP ACL to deny any NVGRE packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 deny nvgre any any vsid 0 mask 0

This example shows how to create a filter in IP ACL to deny NVGRE packets with the source IP address 1.1.1.1, any destination IP address and VSID 10:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 deny nvgre host 1.1.1.1 any vsid 10 mask 0xffffff

Related Commands

no sequence-num

11.4.15. permit

Command Purpose

Use this command to permit packets matching the IP filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) permit ( PROTO_NUM | any ) ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter

Parameter Description

Parameter Value

SEQUENCE_NUM

The sequence number of the filter in the IP ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

PROTO_NUM

An IP protocol number

0-255

any

Any IP protocol

-

SRC_MAC SRC_MAC_MASK

The source IP address and its wildcard bits

IPv4 Address and Mask

host SRC_MAC

The source IP address of a host

IPv4 Address

DST_MAC DST_MAC_MASK

The destination IP address and its wildcard bits

IPv4 Address and Mask

host DST_MAC

The destination IP address of a host

IPv4 Address

PRECEDENCE

Match packets with given precedence value

0-7

DSCP

Match packets with given dscp value

0-63

ECN

ecn value

0-3

non-fragment

Match non-fragmented packets

-

first-fragment

Match the first fragment of a fragmented packet

-

non-or-first-fragment

Match non-fragmented packets or first fragments

-

small-fragment

Match small fragments

-

non-first-fragment

Match non-first fragments

-

routed-packet

Match routed packet

-

options

Match packets with IP options

-

TIME_RANGE_NAME

The time-range used by the IP filter

A string with up to 40 characters

OPERATOR

Packet length comparison operator

eq (equal to), lt (less than), gt (greater than), range

LENGTH

The length value

64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

If wildcard bits are given, a wildcard bit of 1 means the corresponding address bit is ignored and a 0 bit means it must match; both addresses are ANDed with the inverse of the wildcard before comparison. For example, 10.10.10.0 0.0.0.255 matches the addresses 10.10.10.0 through 10.10.10.255, and host A.B.C.D is equivalent to A.B.C.D 0.0.0.0.

If the sequence-num field is omitted, a sequence number is generated automatically: the highest existing sequence number in the IP ACL plus 10. For example, when the highest existing sequence number is 105, the next filter created is assigned 115.

Examples

This example shows how to create a filter in IP ACL to permit any IP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 10 permit any any any
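The following Python model, added here as an illustration and not part of the switch software, works through the wildcard comparison and the automatic sequence numbering described in the Usage section above, including removal with no sequence-num and first-match evaluation in sequence order. The names wildcard_match, host, ANY, Filter and IpAcl are the example's own; that an empty ACL starts at sequence 10 and that unmatched traffic is reported as None are assumptions the page does not state.

```python
"""Model of IPv4 ACL wildcard matching and sequence numbering (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# "any" as an address: base 0.0.0.0 with every bit wildcarded.
ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")


def host(addr: str) -> Tuple[str, str]:
    """'host A.B.C.D' is address A.B.C.D with wildcard 0.0.0.0 (every bit must match)."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits whose wildcard bit is 0.

    A wildcard bit of 1 means 'ignore this bit', so both addresses are ANDed
    with the inverse of the wildcard before comparison:
    10.10.10.0 0.0.0.255 therefore covers 10.10.10.0 through 10.10.10.255.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Filter:
    seq: int
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # IP protocol number, None for "any"
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]

    def matches(self, proto: int, src: str, dst: str) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        return wildcard_match(src, *self.src) and wildcard_match(dst, *self.dst)


class IpAcl:
    """An IP ACL: filters keyed by sequence number, evaluated lowest first."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.filters: Dict[int, Filter] = {}

    def add(self, action: str, proto: Optional[int], src: Tuple[str, str],
            dst: Tuple[str, str], seq: Optional[int] = None) -> int:
        if seq is None:
            # Page rule: auto sequence = highest existing sequence + 10
            # (105 -> 115). Assumption: an empty ACL starts at 10.
            seq = max(self.filters, default=0) + 10
        if not 1 <= seq <= 131071:
            raise ValueError("sequence number must be 1-131071")
        self.filters[seq] = Filter(seq, action, proto, src, dst)
        return seq

    def remove(self, seq: int) -> None:
        """Counterpart of 'no sequence-num SEQ'."""
        del self.filters[seq]

    def evaluate(self, proto: int, src: str, dst: str) -> Optional[Tuple[int, str]]:
        """Return (sequence, action) of the first matching filter.

        Returns None when nothing matches; what the switch does with such
        traffic is not stated on this page, so the model does not guess.
        """
        for seq in sorted(self.filters):
            f = self.filters[seq]
            if f.matches(proto, src, dst):
                return (seq, f.action)
        return None


if __name__ == "__main__":
    acl = IpAcl("list_ipv4_1")
    acl.add("deny", 6, host("1.1.1.1"), ANY)                   # gets sequence 10
    acl.add("permit", None, ANY, ANY, seq=105)
    acl.add("permit", 17, ("10.10.10.0", "0.0.0.255"), ANY)    # gets sequence 115
    print(acl.evaluate(6, "1.1.1.1", "8.8.8.8"))                # (10, 'deny')
    print(acl.evaluate(6, "1.1.1.2", "8.8.8.8"))                # (105, 'permit')
```

Because evaluation stops at the first match, a filter's position matters more than its action: the deny at sequence 10 shadows the permit-everything at 105 for 1.1.1.1 only, and deleting it with remove(10) makes that host fall through to 105.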

Related Commands

no sequence-num

11.4.16. permit tcp

Command Purpose

Use this command to permit TCP packets matching the IP filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) permit tcp ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( src-port OPERATOR SRC_PORT | ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( dst-port OPERATOR DST_PORT | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( established | ( match-any | match-all ) FLAG-NAME | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter

Parameter Description

Parameter Value

SEQUENCE_NUM

The sequence number of the filter in the IP ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

SRC_MAC SRC_MAC_MASK

The source IP address and its wildcard bits

IPv4 Address and Mask

any

Any source host

-

host SRC_MAC

The source IP address of a host

IPv4 Address

OPERATOR SRC_PORT

Source port operator and value

Source port, the range is 0-65535. Operator including eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range

DST_MAC DST_MAC_MASK

The destination IP address and its wildcard bits

IPv4 Address and Mask

host DST_MAC

The destination IP address of a host

IPv4 Address

OPERATOR DST_PORT

Destination port operator and value

Destination port, the range is 0-65535. Operator including eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range

PRECEDENCE

Match packets with given precedence value

0-7

DSCP

Match packets with given dscp value

0-63

ECN

ecn value

0-3

established

Match established connections

-

match-any

Match packets with any one of the listed TCP flags set

-

match-all

Match packets with all of the listed TCP flags set

-

FLAG-NAME

TCP flag name

ack, fin, psh, rst, syn and urg

non-fragment

Match non-fragmented packets

-

first-fragment

Match the first fragment of a fragmented packet

-

non-or-first-fragment

Match non-fragmented packets or first fragments

-

small-fragment

Match small fragments

-

non-first-fragment

Match non-first fragments

-

routed-packet

Match routed packet

-

options

Match packets with IP options

-

TIME_RANGE_NAME

The time-range used by the IP filter

A string with up to 40 characters

OPERATOR

Packet length comparison operator

eq (equal to), lt (less than), gt (greater than), range

LENGTH

The length value

64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

The fragment keywords are invalid when Layer 4 information (for example src-port or dst-port) is specified, because only the first fragment carries the TCP header that the port match needs.

Examples

This example shows how to create a filter in IP ACL to permit any TCP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 10 permit tcp any any

This example shows how to create a filter in IP ACL to permit TCP packets with the source IP address 1.1.1.1 and a source port in the range 0 to 100:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 20 permit tcp host 1.1.1.1 src-port range 0 100 any

This example shows how to create a filter in IP ACL to permit TCP packets that belong to established TCP connections:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 30 permit tcp any any established

This example shows how to create a filter in IP ACL to permit TCP packets with the ACK flag set and the source IP address 10.10.10.0 (wildcard 0.0.0.0, so exactly that address):

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 4 permit tcp 10.10.10.0 0.0.0.0 any match-any ack
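The Python example below, added here and not taken from the switch software, decodes the flag byte and ports of a constructed TCP header and applies the match-any, match-all, established and port-operator tests from the syntax above. It also shows why the fragment keywords and Layer 4 criteria do not mix: a non-first fragment carries no TCP header. The function names are the example's own, and modeling established as ACK or RST set is an assumption; the page only says "match established connections".

```python
"""TCP flag and port matching for 'permit tcp' filters (added example)."""
import struct
from typing import FrozenSet, Iterable, Optional, Tuple

# Bit positions in the TCP flags byte (offset 13 of the TCP header).
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def build_tcp_header(sport: int, dport: int, flags: Iterable[str]) -> bytes:
    """Constructed 20-byte TCP header with the given flags (no options)."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAG_BITS[name]
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg ptr
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, bits, 65535, 0, 0)


def tcp_ports(tcp: bytes) -> Tuple[int, int]:
    """(source port, destination port) from the first four header bytes."""
    return struct.unpack("!HH", tcp[:4])


def tcp_flags(tcp: bytes) -> FrozenSet[str]:
    """Names of the flags set in the header's flag byte."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    bits = tcp[13]
    return frozenset(n for n, b in TCP_FLAG_BITS.items() if bits & b)


def match_any(flags: FrozenSet[str], wanted: Iterable[str]) -> bool:
    """match-any: at least one of the named flags is set."""
    return bool(flags & frozenset(wanted))


def match_all(flags: FrozenSet[str], wanted: Iterable[str]) -> bool:
    """match-all: every named flag is set (other flags may be set as well)."""
    return frozenset(wanted) <= flags


def established(flags: FrozenSet[str]) -> bool:
    """'established': modeled as ACK or RST set, the common ACL convention.
    Assumption: the page only says 'match established connections'."""
    return bool(flags & {"ack", "rst"})


def port_match(op: str, port: int, value: int, upper: Optional[int] = None) -> bool:
    """Operators listed on the page: eq, lt, gt, neq and range."""
    if op == "eq":
        return port == value
    if op == "lt":
        return port < value
    if op == "gt":
        return port > value
    if op == "neq":
        return port != value
    if op == "range":
        if upper is None:
            raise ValueError("range needs two port values")
        return value <= port <= upper
    raise ValueError(f"unknown operator {op!r}")


def src_port_match(frag_offset: int, tcp: Optional[bytes], op: str, value: int,
                   upper: Optional[int] = None) -> bool:
    """A src-port test as seen by a fragment-aware filter.

    Only the first fragment (IP fragment offset 0) carries the TCP header;
    a non-first fragment has no ports to compare, so the test cannot match.
    This is why the page rejects fragment keywords together with src-port.
    """
    if frag_offset != 0 or tcp is None:
        return False
    sport, _ = tcp_ports(tcp)
    return port_match(op, sport, value, upper)
```

A SYN-only segment fails the established test while the SYN/ACK reply passes it, so a permit tcp ... established filter lets a response flow back without opening the inbound path to new connections; match-all with syn and ack would instead pin down exactly the handshake's second segment.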

Related Commands

no sequence-num

11.4.17. permit udp

Command Purpose

Use this command to permit UDP packets matching the IP filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) permit udp ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( src-port OPERATOR SRC_PORT | ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( dst-port OPERATOR DST_PORT | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter

Parameter Description

Parameter Value

SEQUENCE_NUM

The sequence number of the filter in the IP ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

SRC_MAC SRC_MAC_MASK

The source IP address and its wildcard bits

IPv4 Address and Mask

any

Any source host

-

host SRC_MAC

The source IP address of a host

IPv4 Address

OPERATOR SRC_PORT

Source port operator and value

Source port, the range is 0-65535. Operator including eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range

DST_MAC DST_MAC_MASK

The destination IP address and its wildcard bits

IPv4 Address and Mask

host DST_MAC

The destination IP address of a host

IPv4 Address

OPERATOR DST_PORT

Destination port operator and value

Destination port, the range is 0-65535. Operator including eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range

PRECEDENCE

Match packets with given precedence value

0-7

DSCP

Match packets with given dscp value

0-63

ECN

ecn value

0-3

non-fragment

Match non-fragmented packets

-

first-fragment

Match the first fragment of a fragmented packet

-

non-or-first-fragment

Match non-fragmented packets or first fragments

-

small-fragment

Match small fragments

-

non-first-fragment

Match non-first fragments

-

routed-packet

Match routed packet

-

options

Match packets with IP options

-

TIME_RANGE_NAME

The time-range used by the IP filter

A string with up to 40 characters

OPERATOR

Packet length comparison operator

eq (equal to), lt (less than), gt (greater than), range

LENGTH

The length value

64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

The fragment keywords are invalid when Layer 4 information (for example src-port or dst-port) is specified, because only the first fragment carries the UDP header that the port match needs.

Examples

This example shows how to create a filter in IP ACL to permit any UDP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 permit udp any any

This example shows how to create a filter in IP ACL to permit UDP packets with the source IP address 1.1.1.1, source port 10, and a destination port less than 2000:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 permit udp host 1.1.1.1 src-port eq 10 any dst-port lt 2000

Related Commands

no sequence-num

11.4.18. permit icmp

Command Purpose

Use this command to permit ICMP packets matching the IP filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) permit icmp ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( icmp-type TYPE-NUM ( icmp-code CODE-NUM | ) | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter

Parameter Description

Parameter Value

icmp-type TYPE-NUM

ICMP message type

0-255

icmp-code CODE-NUM

ICMP message code

0-255

SEQUENCE_NUM

The sequence number of the filter in the IP ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

SRC_MAC SRC_MAC_MASK

The source IP address and its wildcard bits

IPv4 Address and Mask

any

Any source host

-

host SRC_MAC

The source IP address of a host

IPv4 Address

DST_MAC DST_MAC_MASK

The destination IP address and its wildcard bits

IPv4 Address and Mask

host DST_MAC

The destination IP address of a host

IPv4 Address

PRECEDENCE

Match packets with given precedence value

0-7

DSCP

Match packets with given dscp value

0-63

ECN

ecn value

0-3

non-fragment

Match non-fragmented packets

-

first-fragment

Match the first fragment of a fragmented packet

-

non-or-first-fragment

Match non-fragmented packets or first fragments

-

small-fragment

Match small fragments

-

non-first-fragment

Match non-first fragments

-

routed-packet

Match routed packet

-

options

Match packets with IP options

-

TIME_RANGE_NAME

The time-range used by the IP filter

A string with up to 40 characters

OPERATOR

Packet length comparison operator

eq (equal to), lt (less than), gt (greater than), range

LENGTH

The length value

64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

Without icmp-type and icmp-code, every ICMP message matches. Use them to permit only specific messages; for example, icmp-type 3 icmp-code 3 matches Destination Unreachable / Port Unreachable.

Examples

This example shows how to create a filter in IP ACL to permit any ICMP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 permit icmp any any

This example shows how to create a filter in IP ACL to permit the ICMP packets with the icmp-type 3 and icmp-code 3:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 permit icmp any any icmp-type 3 icmp-code 3

Related Commands

deny icmp

no sequence-num

11.4.19. permit igmp

Command Purpose

Use this command to permit IGMP packets matching the IP filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) permit igmp ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( IGMP-TYPE | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter

Parameter Description

Parameter Value

IGMP-TYPE

IGMP type

IGMP type, including dvmrp, host-query, host-report, mtrace, mtrace-response, pim, precedence, trace, v2-leave, v2-report, v3-report

SEQUENCE_NUM

The sequence number of the filter in the IP ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

SRC_MAC SRC_MAC_MASK

The source IP address and its wildcard bits

IPv4 Address and Mask

any

Any source host

-

host SRC_MAC

The source IP address of a host

IPv4 Address

DST_MAC DST_MAC_MASK

The destination IP address and its wildcard bits

IPv4 Address and Mask

host DST_MAC

The destination IP address of a host

IPv4 Address

PRECEDENCE

Match packets with given precedence value

0-7

DSCP

Match packets with given dscp value

0-63

ECN

ecn value

0-3

non-fragment

Match non-fragmented packets

-

first-fragment

Match the first fragment of a fragmented packet

-

non-or-first-fragment

Match non-fragmented packets or first fragments

-

small-fragment

Match small fragments

-

non-first-fragment

Match non-first fragments

-

routed-packet

Match routed packet

-

options

Match packets with IP options

-

TIME_RANGE_NAME

The time-range used by the IP filter

A string with up to 40 characters

OPERATOR

Packet length comparison operator

eq (equal to), lt (less than), gt (greater than), range

LENGTH

The length value

64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

Without IGMP-TYPE, every IGMP message matches; specify a type to permit only that message type.

Examples

This example shows how to create a filter in IP ACL to permit any IGMP packets:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 permit igmp any any

This example shows how to create a filter in IP ACL to permit the IGMP packets with the source IP address 1.1.1.1, any destination IP address and the igmp-type pim:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 permit igmp host 1.1.1.1 any pim

Related Commands

no sequence-num

11.4.20. permit gre

Command Purpose

Use this command to permit GRE packets matching the IP filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) permit gre ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( key KEY mask KEY-MASK ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Parameter

Parameter Description

Parameter Value

KEY

GRE key

0-4294967295

KEY-MASK

GRE key mask

0-0xFFFFFFFF

SEQUENCE_NUM

The sequence number of the filter in the IP ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

SRC_MAC SRC_MAC_MASK

The source IP address and its wildcard bits

IPv4 Address and Mask

any

Any source host

-

host SRC_MAC

The source IP address of a host

IPv4 Address

DST_MAC DST_MAC_MASK

The destination IP address and its wildcard bits

IPv4 Address and Mask

host DST_MAC

The destination IP address of a host

IPv4 Address

PRECEDENCE

Match packets with given precedence value

0-7

DSCP

Match packets with given dscp value

0-63

ECN

ecn value

0-3

non-fragment

Match non-fragmented packets

-

first-fragment

Match the first fragment of a fragmented packet

-

non-or-first-fragment

Match non-fragmented packets or first fragments

-

small-fragment

Match small fragments

-

non-first-fragment

Match non-first fragments

-

routed-packet

Match routed packet

-

options

Match packets with IP options

-

TIME_RANGE_NAME

The time-range used by the IP filter

A string with up to 40 characters

OPERATOR

Packet length comparison operator

eq (equal to), lt (less than), gt (greater than), range

LENGTH

The length value

64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

The key mask selects which bits of the 32-bit GRE key are compared: mask 0 matches any key, mask 0xFFFFFFFF requires an exact match.

Examples

This example shows how to create a filter in IP ACL to permit any GRE packets (mask 0 matches any key):

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 permit gre any any key 0 mask 0

This example shows how to create a filter in IP ACL to permit the GRE packets with the source IP address 1.1.1.1, any destination IP address and the gre key is 10:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 permit gre host 1.1.1.1 any key 10 mask 0xffffffff

Related Commands

no sequence-num

11.4.21. permit nvgre

Command Purpose

Use this command to permit NVGRE packets matching the IP filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) permit nvgre ( SRC_MAC SRC_MAC_MASK | any | host SRC_MAC ) ( DST_MAC DST_MAC_MASK | any | host DST_MAC ) ( vsid VSID mask VSID-MASK ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( TIME_RANGE_NAME | )

Refer to the deny nvgre command for the other parameters.

Parameter

Parameter Description

Parameter Value

VSID

NVGRE vsid

0-16777215

VSID-MASK

NVGRE vsid mask

0-0xFFFFFF

SEQUENCE_NUM

The sequence number of the filter in the IP ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

SRC_MAC SRC_MAC_MASK

The source IP address and its wildcard bits

IPv4 Address and Mask

any

Any source host

-

host SRC_MAC

The source IP address of a host

IPv4 Address

DST_MAC DST_MAC_MASK

The destination IP address and its wildcard bits

IPv4 Address and Mask

host DST_MAC

The destination IP address of a host

IPv4 Address

PRECEDENCE

Match packets with given precedence value

0-7

DSCP

Match packets with given dscp value

0-63

ECN

ecn value

0-3

non-fragment

Match non-fragmented packets

-

first-fragment

Match the first fragment of a fragmented packet

-

non-or-first-fragment

Match non-fragmented packets or first fragments

-

small-fragment

Match small fragments

-

non-first-fragment

Match non-first fragments

-

routed-packet

Match routed packet

-

options

Match packets with IP options

-

TIME_RANGE_NAME

The time-range used by the IP filter

A string with up to 40 characters

OPERATOR

Packet length comparison operator

eq (equal to), lt (less than), gt (greater than), range

LENGTH

The length value

64-16382

Command Mode

IP ACL Configuration

Default

None

Usage

The VSID mask selects which bits of the 24-bit VSID are compared: mask 0 matches any VSID, mask 0xFFFFFF requires an exact match.

Examples

This example shows how to create a filter in IP ACL to permit any NVGRE packets (mask 0 matches any VSID):

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 1 permit nvgre any any vsid 0 mask 0

This example shows how to create a filter in IP ACL to permit NVGRE packets with the source IP address 1.1.1.1, any destination IP address and VSID 10:

Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)# 2 permit nvgre host 1.1.1.1 any vsid 10 mask 0xffffff
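The Python example below, added here and not part of the switch software, builds GRE and NVGRE headers and applies the key/mask and vsid/mask comparisons used by permit gre, permit nvgre and their deny counterparts. It shows why a gre filter with key 10 cannot stand in for an nvgre filter with vsid 10: NVGRE (RFC 7637) carries the 24-bit VSID in the upper bits of the GRE key field, so the raw key of VSID 10 is 0xA00 plus the FlowID. Function names are the example's own; treating a header without the Key Present bit as never matching a key filter is an assumption.

```python
"""GRE key and NVGRE VSID matching under a bit mask (added example)."""
import struct
from typing import Optional, Tuple

GRE_KEY_PRESENT = 0x2000   # K bit in the GRE flags/version word (RFC 2890)
ETHERTYPE_TEB = 0x6558     # Transparent Ethernet Bridging, the NVGRE payload type


def build_gre(key: int, proto: int = ETHERTYPE_TEB) -> bytes:
    """Constructed 8-byte GRE header with the Key Present bit set."""
    return struct.pack("!HHI", GRE_KEY_PRESENT, proto, key & 0xFFFFFFFF)


def build_nvgre(vsid: int, flow_id: int = 0) -> bytes:
    """NVGRE (RFC 7637) puts a 24-bit VSID and an 8-bit FlowID in the key field."""
    if not 0 <= vsid <= 0xFFFFFF:
        raise ValueError("VSID is 24 bits (0-16777215)")
    return build_gre((vsid << 8) | (flow_id & 0xFF))


def parse_gre(hdr: bytes) -> Tuple[int, int, Optional[int]]:
    """Return (flags/version word, protocol type, key or None if no K bit)."""
    flags, proto = struct.unpack("!HH", hdr[:4])
    key = struct.unpack("!I", hdr[4:8])[0] if flags & GRE_KEY_PRESENT else None
    return flags, proto, key


def nvgre_vsid(hdr: bytes) -> Optional[int]:
    """VSID of an NVGRE header, or None for plain GRE or a header without a key."""
    _, proto, key = parse_gre(hdr)
    if key is None or proto != ETHERTYPE_TEB:
        return None
    return key >> 8


def masked_match(value: int, rule: int, mask: int) -> bool:
    """'key KEY mask KEY-MASK' and 'vsid VSID mask VSID-MASK' semantics:
    only bits set in the mask are compared, so mask 0 matches every value
    and an all-ones mask requires exact equality."""
    return (value & mask) == (rule & mask)


def gre_filter_matches(hdr: bytes, key: int, key_mask: int) -> bool:
    """permit/deny gre ... key KEY mask KEY-MASK against a GRE header.
    Assumption: a header without the K bit has no key and never matches."""
    _, _, k = parse_gre(hdr)
    return k is not None and masked_match(k, key, key_mask)


def nvgre_filter_matches(hdr: bytes, vsid: int, vsid_mask: int) -> bool:
    """permit/deny nvgre ... vsid VSID mask VSID-MASK against a GRE header."""
    v = nvgre_vsid(hdr)
    return v is not None and masked_match(v, vsid, vsid_mask)


if __name__ == "__main__":
    frame = build_nvgre(10, flow_id=7)
    print(hex(parse_gre(frame)[2]))                    # 0xa07: VSID 10, FlowID 7
    print(nvgre_filter_matches(frame, 10, 0xFFFFFF))   # True
    print(gre_filter_matches(frame, 10, 0xFFFFFFFF))   # False: raw key is 0xa07, not 10
```

The mask also lets one filter cover a block of tenants: vsid 0x100 mask 0xFFFF00 matches VSIDs 0x100 through 0x1FF, which is the NVGRE analogue of an IPv4 wildcard.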

Related Commands

no sequence-num

11.4.22. show access-list ip

Command Purpose

Use this command to show the information of IP ACL.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

show access-list ip ( ACL_NAME | )

Parameter

Parameter Description

Parameter Value

ACL_NAME

The name of the IP ACL

A string with up to 40 characters

Command Mode

Privileged EXEC

Default

None

Usage

None

Examples

This example shows how to display the configured IP ACLs:

Switch# show access-list ip

ip access-list list_ipv4_1
 2 permit tcp host 1.1.1.1 any
 3 deny icmp any any
 12 permit tcp any any

Related Commands

ip access-list

11.4.23. udf access-list

Command Purpose

Use this command to create a user-defined (UDF) ACL and enter UDF ACL configuration mode; the CLI keyword is user-define. Use the no user-define access-list command to delete the UDF ACL.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

user-define access-list ACL_NAME

no user-define access-list ACL_NAME

Parameter

Parameter Description

Parameter Value

ACL_NAME

The name of the UDF ACL

A string with up to 40 characters

Command Mode

Global Config

Default

None

Usage

If the system already has a UDF ACL with the same name, this command enters the UDF ACL configuration mode. If the name is used by another type of ACL, a prompt message is shown.

When the name is not used by any ACL, this command creates the UDF ACL and then enters the UDF ACL configuration mode.

Examples

This example shows how to create a UDF ACL named list_udf_1 and then enter the UDF ACL configuration mode:

Switch# configure terminal
Switch(config)# user-define access-list list_udf_1
Switch(config-udf-acl)#

This example shows how to remove the UDF ACL named list_udf_1:

Switch# configure terminal
Switch(config)# no user-define access-list list_udf_1

Related Commands

permit udf

deny udf

11.4.24. permit udf

Command Purpose

Use this command to permit packets matching the user-defined filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) permit ipv4-head HEX_RULE HEX_MASK OFFSET ( time-range TIME_RANGE_NAME | )

( SEQUENCE_NUM | ) permit ipv6-head HEX_RULE HEX_MASK OFFSET ( time-range TIME_RANGE_NAME | )

( SEQUENCE_NUM | ) permit l2-head HEX_RULE HEX_MASK OFFSET ( time-range TIME_RANGE_NAME | )

( SEQUENCE_NUM | ) permit l4-head HEX_RULE HEX_MASK OFFSET ( time-range TIME_RANGE_NAME | )

Parameter

Parameter Description

Parameter Value

SEQUENCE_NUM

The sequence number of the filter in the UDF ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

HEX_RULE

Rule string

A hexadecimal string starting with 0x, at most 10 characters including the 0x prefix (up to 32 bits)

HEX_MASK

Mask to the rule string

A hexadecimal string starting with 0x, at most 10 characters including the 0x prefix (up to 32 bits); only bits set in the mask are compared

OFFSET

Byte offset in the packet at which the rule and mask are applied

A multiple of 4 (0, 4, 8, ...)

TIME_RANGE_NAME

The time-range used by the UDF filter

A string with up to 40 characters

Command Mode

UDF ACL Configuration

Default

None

Usage

None

Examples

This example shows how to create a filter in UDF ACL that permits packets whose Layer 4 header bytes at offset 20 match rule 0x10 under mask 0x01:

Switch# configure terminal
Switch(config)# user-define access-list list_udf_1
Switch(config-udf-acl)# 1 permit l4-head 0x10 0x01 20

Related Commands

None

11.4.25. deny udf

Command Purpose

Use this command to deny packets matching the UDF filter.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

( SEQUENCE_NUM | ) deny ipv4-head HEX_RULE HEX_MASK OFFSET ( time-range TIME_RANGE_NAME | )

( SEQUENCE_NUM | ) deny ipv6-head HEX_RULE HEX_MASK OFFSET ( time-range TIME_RANGE_NAME | )

( SEQUENCE_NUM | ) deny l2-head HEX_RULE HEX_MASK OFFSET ( time-range TIME_RANGE_NAME | )

( SEQUENCE_NUM | ) deny l4-head HEX_RULE HEX_MASK OFFSET ( time-range TIME_RANGE_NAME | )

Parameter

Parameter Description

Parameter Value

SEQUENCE_NUM

The sequence number of the filter in the UDF ACL. If this field is omitted, a sequence number is generated automatically.

1-131071

HEX_RULE

Rule string

A hexadecimal string starting with 0x, at most 10 characters including the 0x prefix (up to 32 bits)

HEX_MASK

Mask to the rule string

A hexadecimal string starting with 0x, at most 10 characters including the 0x prefix (up to 32 bits); only bits set in the mask are compared

OFFSET

Byte offset in the packet at which the rule and mask are applied

A multiple of 4 (0, 4, 8, ...)

TIME_RANGE_NAME

The time-range used by the UDF filter

A string with up to 40 characters

Command Mode

UDF ACL Configuration

Default

None

Usage

None

Examples

This example shows how to create a filter in UDF ACL that denies packets whose Layer 4 header bytes at offset 20 match rule 0x10 under mask 0x01:

Switch# configure terminal
Switch(config)# user-define access-list list_udf_1
Switch(config-udf-acl)# 1 deny l4-head 0x10 0x01 20
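The Python example below, added here and not part of the switch software, models how a UDF filter is evaluated: the hexadecimal rule and mask are checked against the length limit above, the offset against the 4n rule, and the masked 32-bit word at that offset in the selected header is compared with the rule. It runs three constructed filters (permit udf and deny udf) against constructed Ethernet/IPv4/TCP frames and shows how UDF filters can express a destination-port, source-subnet or EtherType match. Names are the example's own; counting the offset from the start of the selected header, the fixed header positions for an untagged IPv4/TCP frame, and the 4-byte comparison width are assumptions drawn from the 8-digit display in show access-list user-define.

```python
"""User-defined (UDF) filter matching: rule, mask and offset (added example)."""
import re
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# Page constraint: hex string with 0x prefix, at most 10 characters in total.
_HEX = re.compile(r"^0x[0-9a-fA-F]{1,8}$")

# Assumption: each keyword selects the header the offset is counted from.
# Positions are for an untagged Ethernet frame carrying IPv4 (no options) + TCP.
HEAD_BASE = {"l2-head": 0, "ipv4-head": 14, "l4-head": 34}


def parse_hex(s: str) -> int:
    if not _HEX.match(s):
        raise ValueError(f"{s!r}: must be 0x-prefixed hex, at most 10 characters")
    return int(s, 16)


def check_offset(offset: int) -> int:
    if offset < 0 or offset % 4:
        raise ValueError("offset must be 4n (0, 4, 8, ...)")
    return offset


@dataclass(frozen=True)
class UdfFilter:
    seq: int
    action: str        # "permit" or "deny"
    head: str          # l2-head | ipv4-head | l4-head (ipv6-head not modeled here)
    rule: int
    mask: int
    offset: int

    @classmethod
    def from_cli(cls, seq: int, action: str, head: str,
                 rule: str, mask: str, offset: int) -> "UdfFilter":
        """Build from CLI tokens, e.g. (10, "permit", "l4-head", "0x10", "0x01", 20)."""
        if head not in HEAD_BASE:
            raise ValueError(f"unsupported header keyword {head!r}")
        return cls(seq, action, head, parse_hex(rule), parse_hex(mask), check_offset(offset))

    def matches(self, frame: bytes) -> bool:
        """Compare the 32-bit word at header base + offset under the mask.
        Assumption: the compared unit is 4 bytes. Frames too short to hold
        the word never match."""
        pos = HEAD_BASE[self.head] + self.offset
        if len(frame) < pos + 4:
            return False
        word = struct.unpack_from("!I", frame, pos)[0]
        return (word & self.mask) == (self.rule & self.mask)


def build_frame(src_ip: bytes, dst_ip: bytes, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (MACs and checksums are dummies)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"     # EtherType IPv4 at bytes 12-13
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def evaluate(filters: Iterable[UdfFilter], frame: bytes) -> Optional[str]:
    """First matching filter (lowest sequence) decides; None if none matched."""
    for f in sorted(filters, key=lambda x: x.seq):
        if f.matches(frame):
            return f.action
    return None


if __name__ == "__main__":
    # TCP word 0 = sport<<16 | dport, so mask 0x0000ffff isolates the destination port.
    deny_telnet = UdfFilter.from_cli(10, "deny", "l4-head", "0x00000017", "0x0000ffff", 0)
    # IPv4 header bytes 12-15 are the source address; mask the host byte to get a /24.
    permit_lan = UdfFilter.from_cli(20, "permit", "ipv4-head", "0x0a0a0a00", "0xffffff00", 12)
    frame = build_frame(bytes([10, 10, 10, 5]), bytes([192, 168, 1, 1]), 40000, 23)
    print(evaluate([deny_telnet, permit_lan], frame))   # deny
```

Because a UDF filter only sees bytes, the same rule applies to anything at that position: the l2-head filter on EtherType works on any frame, while the l4-head port filter silently matches nothing useful on a non-first fragment or a non-TCP packet, so UDF entries are best paired with an IP ACL that pins down the protocol.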

Related Commands

None

11.4.26. show access-list udf

Command Purpose

Use this command to show the information of UDF ACL.

Prerequisites

Platform

Software

License

Comments

AQ-N3000

7.0

Base

AQ-N5000

7.0

Base

AQ-N6000

7.0

Base

Command Syntax

show access-list user-define ( ACL_NAME | )

Parameter

Parameter Description

Parameter Value

ACL_NAME

The name of the UDF ACL

A string with up to 40 characters

Command Mode

Privileged EXEC

Default

None

Usage

None

Examples

This example shows how to display the configured UDF ACLs:

Switch# show access-list user-define

user-define access-list list_udf_1
  10 permit l2-head 0x00000010 0x00000001 20

Related Commands

udf access-list