11.5. FLEX ACL Commands
11.5.1. sequence-num
Command Purpose
Use this command to remove a filter from a FLEX MAC ACL or FLEX IP ACL.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | - |
| AQ-N5000 | 7.0 | Base | - |
| AQ-N6000 | 7.0 | Base | - |
Command Syntax
no sequence-num SEQUENCE_NUM
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of an IP/MAC filter | 1-131071 |
Command Mode
FLEX MAC ACL Configuration
FLEX IP ACL Configuration
Default
None
Usage
The user can immediately delete an ACL that is already attached to a class-map and used by an interface.
Examples
This example shows how to remove a filter with the sequence-num 10 from FLEX MAC ACL:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# no sequence-num 10
This example shows how to remove a filter with the sequence-num 10 from FLEX IP ACL:
Switch# configure terminal
Switch(config)# ip access-list list_ip_1
Switch(config-ip-acl)# no sequence-num 10
11.5.2. deny src-mac
Command Purpose
Use this command to create a MAC filter for discarding ongoing packets matching the filter rule.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | - |
| AQ-N5000 | 7.0 | Base | - |
| AQ-N6000 | 7.0 | Base | - |
Command Syntax
(SEQUENCE_NUM| ) deny src-mac (any|MAC_ADDR MAC_ADDR_MASK|host MAC_ADDR) (dest-mac (any|MAC_ADDR MAC_ADDR_MASK|host MAC_ADDR)| ) (untag-vlan|vlan VLAN_ID| ) (cos COS| ) (inner-vlan INNER_VLAN| ) (inner-cos INNER_COS| ) (protocol (arp (arp-op-code)|rarp|ETH_TYPE mask ETH_TYPE_MASK)|packet-length OPERATOR LENGTH| ) (TIME_RANGE_NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of the filter in FLEX MAC ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| any | Any host | - |
| MAC_ADDR MAC_ADDR_MASK | The MAC address and its wildcard bits | MAC and wildcard in HHHH.HHHH.HHHH format |
| host MAC_ADDR | The host with a specified MAC address | MAC address in HHHH.HHHH.HHHH format |
| dest-mac | Destination MAC address | - |
| untag-vlan | Without VLAN tag | - |
| VLAN_ID | VLAN-ID | 1-4094 |
| COS | CoS Value | 0-7 |
| INNER_VLAN | Inner VLAN-ID | 1-4094 |
| INNER_COS | Inner CoS value | 0-7 |
| protocol | The protocol type, which includes ARP, RARP or Ether type | - |
| arp | ARP protocol | - |
| arp-op-code | arp-op-code | 0-65535 |
| rarp | RARP protocol | - |
| ETH_TYPE | Ether type | 0-0xFFFF |
| ETH_TYPE_MASK | Ether type mask | 0-0xFFFF |
| TIME_RANGE_NAME | The time-range used by the MAC filter | A string with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX MAC ACL Configuration
Default
None
Usage
An auto-generated sequence number is assigned to the filter if the sequence-num field is not specified. The auto-generated sequence number is the maximum existing sequence number in the FLEX MAC ACL plus 10. For example, when the maximum existing sequence number is 100, the sequence number of the next MAC filter created is 110. Eth-type is not supported in egress ACL.
Examples
This example shows how to create a filter in FLEX MAC ACL to deny the packets with source MAC address 0058.3f2C.A1DF:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 1 deny src-mac host 0058.3f2C.A1DF
This example shows how to create a filter in FLEX MAC ACL to deny all the packets:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 2 deny src-mac any
This example shows how to create a filter in FLEX MAC ACL to deny packets whose source MAC address is within the specified range:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 3 deny src-mac 0058.3f2C.A1DF 0058.3f2C.0000
Related Commands
no sequence-num
11.5.3. permit src-mac
Command Purpose
Use this command to create a MAC filter for allowing packets matching the filter rule to be delivered.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
(SEQUENCE_NUM| ) permit src-mac (any|MAC_ADDR MAC_ADDR_MASK|host MAC_ADDR) (dest-mac (any|MAC_ADDR MAC_ADDR_MASK|host MAC_ADDR)| ) (untag-vlan|(vlan VLAN| ) (cos COS| ) (inner-vlan INNER_VLAN| ) (inner-cos INNER_COS| ) ) (protocol (arp (arp-op-code)|rarp|ETH_TYPE mask ETH_TYPE_MASK)|packet-length OPERATOR LENGTH| ) (TIME_RANGE_NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of the filter in FLEX MAC ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| any | Any host | - |
| MAC_ADDR MAC_ADDR_MASK | The MAC address and its wildcard bits | MAC and wildcard in HHHH.HHHH.HHHH format |
| host MAC_ADDR | The host with a specified MAC address | MAC address in HHHH.HHHH.HHHH format |
| dest-mac | Destination MAC address | - |
| untag-vlan | Without VLAN tag | - |
| VLAN | VLAN-ID | 1-4094 |
| COS | CoS | 0-7 |
| INNER_VLAN | Inner VLAN-ID | 1-4094 |
| INNER_COS | Inner CoS | 0-7 |
| protocol | The protocol type, which includes ARP, RARP or Ether type | - |
| arp | ARP protocol | - |
| arp-op-code | arp op code | 0-65535 |
| rarp | RARP protocol | - |
| ETH_TYPE | Ether type | 0-0xFFFF |
| ETH_TYPE_MASK | Ether type mask | 0-0xFFFF |
| TIME_RANGE_NAME | Specify the name of time-range used by the MAC filter | String with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX MAC ACL Configuration
Default
None
Usage
An auto-generated sequence number is assigned to the filter if the sequence-num field is not specified. The auto-generated sequence number is the maximum existing sequence number in the FLEX MAC ACL plus 10. For example, when the maximum existing sequence number is 105, the sequence number of the next MAC filter created is 115. Eth-type is not supported in egress ACL.
Examples
This example shows how to create a filter in FLEX MAC ACL to permit the packets with source MAC address 0058.3f2C.A1DF:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 1 permit src-mac host 0058.3f2C.A1DF
This example shows how to create a filter in FLEX MAC ACL to permit all the packets:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 2 permit src-mac any
This example shows how to create a filter in FLEX MAC ACL to permit packets whose source MAC address is within the specified range:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# 3 permit src-mac 0058.3f2C.A1DF 0058.3f2C.0000
Related Commands
no sequence-num
11.5.4. remark
Command Purpose
Use this command to add remarks for the FLEX MAC ACL.
To remove remarks of the FLEX MAC ACL, use the no form of this command.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
remark REMARK
no remark
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| REMARK | The remarks of the FLEX MAC ACL | String with up to 100 characters |
Command Mode
FLEX MAC ACL Configuration
FLEX IP ACL Configuration
Default
None
Usage
Remarks can be up to 100 characters. Any characters beyond that limit are truncated and not stored.
Examples
This example shows how to add a remark to describe the FLEX MAC ACL:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# remark remark of List for mac
This example shows how to remove the remark of the FLEX MAC ACL:
Switch# configure terminal
Switch(config)# mac access-list list_mac_1
Switch(config-mac-acl)# no remark
Related Commands
11.5.5. ip access-list
Command Purpose
Use this command to create a FLEX IP ACL and then enter FLEX IP ACL configuration mode.
To remove this ACL, use the no form of this command.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
ip access-list ACL_NAME
no ip access-list ACL_NAME
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| ACL_NAME | The name of a FLEX IP ACL | String with up to 40 characters |
Command Mode
Global Config
Default
None
Usage
If the system already has a FLEX IP ACL with the same name, this command enters the FLEX IP ACL configuration mode. However, if the ACL name is used by another type of ACL, a prompt message is shown.
When the name is not used by any ACL, this command first creates the FLEX IP ACL and then enters the FLEX IP ACL configuration mode.
Examples
This example shows how to create a FLEX IP ACL named list_ipv4_1 and then enter the FLEX IP ACL configuration mode:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1
Switch(config-ip-acl)#
This example shows how to remove the FLEX IP ACL named list_ipv4_1:
Switch# configure terminal
Switch(config)# no ip access-list list_ipv4_1
Related Commands
match access-group
11.5.6. sequence-num
Command Purpose
Use this command to delete a filter from an extend FLEX IP ACL.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
no sequence-num SEQUENCE_NUM
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of an IP filter | 1-131071 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
None
Examples
This example shows how to delete an IP or MAC filter with sequence number 10 from an extend FLEX IP ACL:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# no sequence-num 10
Related Commands
deny
deny udp
deny icmp
deny igmp
permit
permit tcp
permit udp
permit icmp
permit igmp
deny src-mac
permit src-mac
11.5.7. deny src-mac
Command Purpose
Use this command to create a filter for discarding ongoing packets matching the filter rule.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | - |
| AQ-N5000 | 7.0 | Base | - |
| AQ-N6000 | 7.0 | Base | - |
Command Syntax
(SEQUENCE_NUM| ) deny src-mac (any|MAC_ADDR MAC_ADDR_MASK|host MAC_ADDR) (dest-mac (any|MAC_ADDR MAC_ADDR_MASK|host MAC_ADDR)| ) (vlan VLAN_ID| ) (cos COS| ) (inner-vlan INNER_VLAN_ID| ) (inner-cos INNER_COS| ) (arp-packet ((arp-op-code) (sender-ip (IP_ADDR IP_ADDR_MASK|any|host IP_ADDR)| ) (target-ip (IP_ADDR IP_ADDR_MASK|any|host IP_ADDR)| ))|packet-length OPERATOR LENGTH| ) (time-range TIME-RANGE-NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of the filter in FLEX MAC ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| any | Any host | - |
| MAC_ADDR MAC_ADDR_MASK | The MAC address and its wildcard bits | MAC and wildcard in HHHH.HHHH.HHHH format |
| host MAC_ADDR | The host with a specified MAC address | MAC address in HHHH.HHHH.HHHH format |
| dest-mac | Destination MAC address | - |
| VLAN_ID | VLAN-ID | 1-4094 |
| COS | CoS | 0-7 |
| INNER_VLAN_ID | Inner VLAN-ID | 1-4094 |
| INNER_COS | Inner CoS | 0-7 |
| arp | ARP protocol | - |
| arp-op-code | arp-op-code | 0-65535 |
| sender-ip | sender-ip | - |
| target-ip | target-ip | - |
| IP_ADDR IP_ADDR_MASK | The IP address and wildcard bits | IPv4 Address and Mask |
| host IP_ADDR | The host with a specified IP address | IPv4 Address |
| TIME-RANGE-NAME | The time-range used by the extend IP filter | A string with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
An auto-generated sequence number is assigned to the filter if the sequence-num field is not specified. The auto-generated sequence number is the maximum existing sequence number in the extend FLEX IP ACL plus 10. For example, when the maximum existing sequence number is 100, the sequence number of the next MAC filter created is 110.
Examples
This example shows how to create a filter in extend FLEX IP ACL to deny the packets with source MAC address 0058.3f2C.A1DF:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 deny src-mac host 0058.3f2C.A1DF
This example shows how to create a filter in extend FLEX IP ACL to deny all the packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 deny src-mac any
This example shows how to create a filter in extend FLEX IP ACL to deny packets whose source MAC address is within the specified range:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 3 deny src-mac 0058.3f2C.A1DF 0058.3f2C.0000
Related Commands
no sequence-num
11.5.8. permit src-mac
Command Purpose
Use this command to create a filter for allowing packets matching the filter rule to be delivered.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
(SEQUENCE_NUM| ) permit src-mac (any|MAC_ADDR MAC_ADDR_MASK|host MAC_ADDR) (dest-mac(any|MAC_ADDR MAC_ADDR_MASK|host MAC_ADDR)| ) (vlan VLAN_ID| ) (cos VALUE| ) (inner-vlan INNER_VLAN_ID| ) (inner-cos INNER_COS| ) (arp-packet ((arp-op-code) (sender-ip (IP_ADDR IP_ADDR_MASK|any|host IP_ADDR)| ) (target-ip (IP_ADDR IP_ADDR_MASK|any|host IP_ADDR)| ))|packet-length OPERATOR LENGTH| ) (time-range TIME-RANGE-NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of the filter in IP Extend ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| any | Any host | - |
| MAC_ADDR MAC_ADDR_MASK | The MAC address and its wildcard bits | MAC and wildcard in HHHH.HHHH.HHHH format |
| host MAC_ADDR | The host with a specified MAC address | MAC address in HHHH.HHHH.HHHH format |
| dest-mac | Destination MAC address | - |
| VLAN_ID | VLAN-ID | 1-4094 |
| COS | CoS | 0-7 |
| INNER_VLAN_ID | Inner VLAN-ID | 1-4094 |
| INNER_COS | Inner CoS | 0-7 |
| arp | ARP protocol | - |
| arp-op-code | arp-op-code | 0-65535 |
| sender-ip | sender-ip | - |
| target-ip | target-ip | - |
| IP_ADDR IP_ADDR_MASK | The IP address and wildcard bits | IPv4 Address and Mask |
| host IP_ADDR | The host with a specified IP address | IPv4 Address |
| TIME-RANGE-NAME | The time-range used by the extend IP filter | A string with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
An auto-generated sequence number is assigned to the filter if the sequence-num field is not specified. The auto-generated sequence number is the maximum existing sequence number in the extend FLEX IP ACL plus 10. For example, when the maximum existing sequence number is 105, the sequence number of the next MAC filter created is 115.
Examples
This example shows how to create a filter in extend FLEX IP ACL to permit the packets with source MAC address 0058.3f2C.A1DF:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 permit src-mac host 0058.3f2C.A1DF
This example shows how to create a filter in extend FLEX IP ACL to permit all the packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 permit src-mac any
This example shows how to create a filter in extend FLEX IP ACL to permit packets whose source MAC address is within the specified range:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 3 permit src-mac 0058.3f2C.A1DF 0058.3f2C.0000
Related Commands
no sequence-num
11.5.9. deny
Command Purpose
Use this command to discard ongoing IP packets matching the IP filter.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
(SEQUENCE_NUM| ) deny (PROTO_NUM|any) (SRC_IP SRC_IP_MASK|any|host SRC_IP) (DST_IP DST_IP_MASK|any|host DST_IP) (ip-precedence PRECEDENCE|dscp DSCP| ) (ecn <0-3>| ) (non-fragment|first-fragment|non-or-first-fragment|small-fragment|non-first-fragment) (routed-packet| ) (options| ) (packet-length OPERATOR LENGTH| ) (time-range TIME-RANGE-NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| PROTO_NUM | An IP protocol number, the range is 0 to 255 | 0-255 |
| any | Any protocol | - |
| SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
| host SRC_IP | The source IP address of a host | IPv4 Address |
| DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address and Mask |
| host DST_IP | The destination IP address of a host | IPv4 Address |
| PRECEDENCE | Match packets with given precedence value | 0-7 |
| DSCP | Match packets with given dscp value | 0-63 |
| ECN | ecn value | 0-3 |
| non-fragment | Match packets with non fragment | - |
| first-fragment | Match packets with first fragment | - |
| non-or-first-fragment | Match packets with non first fragment | - |
| small-fragment | Match packets with small fragment | - |
| non-first-fragment | Match packets with non first fragment | - |
| routed-packet | Match routed packet | - |
| options | Match packets with IP options | - |
| TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
If IP address wildcard bits are provided, the IP address is bitwise ANDed with the inverse of the wildcard bits. For example, 10.10.10.0 0.0.0.255 means the addresses from 10.10.10.0 to 10.10.10.255 are matched.
An auto-generated sequence number is assigned to the filter if the sequence-num field is not specified. The auto-generated sequence number is the maximum existing sequence number in the extend FLEX IP ACL plus 10. For example, when the maximum existing sequence number is 100, the sequence number of the next IP filter created is 110.
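The wildcard rule and the auto-generated sequence-number rule above, worked through in Python as an added example (not vendor code; all function names are hypothetical). Applying the IP wildcard rule to HHHH.HHHH.HHHH MAC wildcards is an assumption, since the page states the rule only for IP addresses, and the contiguity check is an added audit helper.

```python
"""Added example: FLEX ACL wildcard matching and auto sequence numbers."""
import ipaddress
import re

SEQ_MIN, SEQ_MAX = 1, 131071  # SEQUENCE_NUM range given in the parameter tables
MAC_RE = re.compile(r"[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2}")


def parse_ipv4(text):
    """Return (value, bit width) for a dotted-quad address or wildcard."""
    return int(ipaddress.IPv4Address(text)), 32


def parse_mac(text):
    """Return (value, bit width) for an HHHH.HHHH.HHHH address or wildcard."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not in HHHH.HHHH.HHHH format: {text!r}")
    return int(text.replace(".", ""), 16), 48


def _matches(parse, packet, filt, wildcard):
    addr, width = parse(packet)
    base, _ = parse(filt)
    wild, _ = parse(wildcard)
    # Only bits whose wildcard bit is 0 are compared (AND with inverted wildcard).
    care = ~wild & ((1 << width) - 1)
    return (addr & care) == (base & care)


def ip_filter_matches(packet_ip, filter_ip, wildcard):
    return _matches(parse_ipv4, packet_ip, filter_ip, wildcard)


def mac_filter_matches(packet_mac, filter_mac, wildcard):
    # Assumption: MAC wildcard bits behave like the IP wildcard bits.
    return _matches(parse_mac, packet_mac, filter_mac, wildcard)


def is_contiguous_wildcard(parse, wildcard):
    """True when the wildcard is a run of low-order 1 bits (or zero),
    so that address + wildcard describes one contiguous range."""
    wild, _ = parse(wildcard)
    return wild & (wild + 1) == 0


def ip_wildcard_range(filter_ip, wildcard):
    """First and last address matched by a contiguous IP wildcard."""
    if not is_contiguous_wildcard(parse_ipv4, wildcard):
        raise ValueError("non-contiguous wildcard is not a single range")
    base, _ = parse_ipv4(filter_ip)
    wild, _ = parse_ipv4(wildcard)
    low = base & ~wild & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wild))


def mac_compared_bits(wildcard):
    """Bits of a MAC address that are actually compared, as HHHH.HHHH.HHHH."""
    wild, width = parse_mac(wildcard)
    text = f"{~wild & ((1 << width) - 1):012x}"
    return ".".join(text[i:i + 4] for i in (0, 4, 8))


def next_sequence_num(existing):
    """Sequence number assigned when SEQUENCE_NUM is omitted: max + 10."""
    if not existing:
        raise ValueError("the page does not define the number for an empty ACL")
    candidate = max(existing) + 10
    if not SEQ_MIN <= candidate <= SEQ_MAX:
        raise ValueError(f"{candidate} is outside {SEQ_MIN}-{SEQ_MAX}")
    return candidate


if __name__ == "__main__":
    # The page's IP example: 10.10.10.0 0.0.0.255
    print(ip_wildcard_range("10.10.10.0", "0.0.0.255"))
    print(ip_filter_matches("10.10.10.77", "10.10.10.0", "0.0.0.255"))
    # The wildcard used in the page's MAC "range" examples
    print(mac_compared_bits("0058.3f2C.0000"))
    print(is_contiguous_wildcard(parse_mac, "0058.3f2C.0000"))
    # Auto-generated numbers from the Usage text: 100 -> 110, 105 -> 115
    print(next_sequence_num([10, 100, 40]), next_sequence_num([105]))
```

Running the contiguity check over the address/wildcard pairs in a configuration before applying it flags filters that would not cover the single range the operator intended.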
Examples
This example shows how to create a filter in extend FLEX IP ACL to deny any IP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 deny any any any
This example shows how to create a filter in extend FLEX IP ACL to deny the fragment packets with the source IP address 1.1.1.1:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 deny any host 1.1.1.1 any fragments
This example shows how to create a filter in extend FLEX IP ACL to deny any routed packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 3 deny any any any routed-packet
Related Commands
no sequence-num
11.5.10. deny tcp
Command Purpose
Use this command to reject TCP packets matching the IP filter.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
(SEQUENCE_NUM| ) deny tcp (SRC_IP SRC_IP_MASK|any|host SRC_IP) (src-port OPERATOR SRC_PORT| ) (DST_IP DST_IP_MASK|any|host DST_IP) (dst-port OPERATOR DST_PORT| ) (ip-precedence PRECEDENCE|dscp DSCP| ) (ecn <0-3>| ) (established| (match-any|match-all FLAG-NAME| )| ) (non-fragment|first-fragment|non-or-first-fragment|small-fragment|non-first-fragment) (routed-packet| ) (options| ) (packet-length OPERATOR LENGTH| ) (time-range TIME-RANGE-NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of the filter in IP Extend ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
| any | Any source host | - |
| host SRC_IP | The source IP address of a host | IPv4 Address |
| OPERATOR SRC_PORT | Source port operator and value | Source port in the range 0-65535. Operators include eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range |
| DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address and Mask |
| host DST_IP | The destination IP address of a host | IPv4 Address |
| OPERATOR DST_PORT | Destination port operator and value | Destination port in the range 0-65535. Operators include eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range |
| PRECEDENCE | Match packets with given precedence value | 0-7 |
| DSCP | Match packets with given dscp value | 0-63 |
| ECN | ecn value | 0-3 |
| established | Match established connections | - |
| match-any | Match any of the flag-name | - |
| FLAG-NAME | Match all the flag-name, including ack, fin, psh, rst, syn and urg | ack, fin, psh, rst, syn and urg |
| non-fragment | Match packets with non fragment | - |
| first-fragment | Match packets with first fragment | - |
| non-or-first-fragment | Match packets with non first fragment | - |
| small-fragment | Match packets with small fragment | - |
| non-first-fragment | Match packets with non first fragment | - |
| routed-packet | Match routed packet | - |
| options | Match packets with IP options | - |
| TIME-RANGE-NAME | The time-range used by the IP filter | A string with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
The fragment match options are invalid when layer 4 information (e.g. src-port) is specified.
Examples
This example shows how to create a filter in extend FLEX IP ACL to deny any TCP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 deny tcp any any
This example shows how to create a filter in extend FLEX IP ACL to deny the TCP packets with the source IP address 1.1.1.1, source port 0-100:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 deny tcp host 1.1.1.1 src-port range 0 100 any
This example shows how to create a filter in extend FLEX IP ACL to deny any TCP packets in established TCP streams:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 3 deny tcp any any established
This example shows how to create a filter in extend FLEX IP ACL to deny the TCP ACK packets with the source IP address 10.10.10.10:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 4 deny tcp 10.10.10.10 0.0.0.0 any match-any ack
Related Commands
no sequence-num
11.5.11. deny udp
Command Purpose
Use this command to reject UDP packets matching the IP filter.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
(SEQUENCE_NUM| ) deny udp (SRC_IP SRC_IP_MASK|any|host SRC_IP) (src-port OPERATOR SRC_PORT| ) (DST_IP DST_IP_MASK|any|host DST_IP) (dst-port OPERATOR DST_PORT| ) (ip-precedence PRECEDENCE|dscp DSCP| ) (ecn <0-3>| ) (non-fragment|first-fragment|non-or-first-fragment|small-fragment|non-first-fragment) (routed-packet| ) (options| ) (packet-length OPERATOR LENGTH| ) (time-range TIME-RANGE-NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| SEQUENCE_NUM | The sequence number of the filter in IP Extend ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
| any | Any source host | - |
| host SRC_IP | The source IP address of a host | IPv4 Address |
| OPERATOR SRC_PORT | Source port operator and value | Source port in the range 0-65535. Operators include eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range |
| DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address and Mask |
| host DST_IP | The destination IP address of a host | IPv4 Address |
| OPERATOR DST_PORT | Destination port operator and value | Destination port in the range 0-65535. Operators include eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range |
| PRECEDENCE | Match packets with given precedence value | 0-7 |
| DSCP | Match packets with given dscp value | 0-63 |
| ECN | ecn value | 0-3 |
| non-fragment | Match packets with non fragment | - |
| first-fragment | Match packets with first fragment | - |
| non-or-first-fragment | Match packets with non first fragment | - |
| small-fragment | Match packets with small fragment | - |
| non-first-fragment | Match packets with non first fragment | - |
| routed-packet | Match routed packet | - |
| options | Match packets with IP options | - |
| TIME-RANGE-NAME | The time-range used by the IP filter | A string with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
The fragment match options are invalid when layer 4 information (e.g. src-port) is specified.
Examples
This example shows how to create a filter in FLEX IP ACL to deny any UDP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 deny udp any any
This example shows how to create a filter in FLEX IP ACL to deny the UDP packets with the source IP 1.1.1.1, source port 10, and destination port less than 2000:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 deny udp host 1.1.1.1 src-port eq 10 any dst-port lt 2000
Related Commands
no sequence-num
11.5.12. deny icmp
Command Purpose
Use this command to reject ICMP packets matching the IP filter.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | |
| AQ-N5000 | 7.0 | Base | |
| AQ-N6000 | 7.0 | Base | |
Command Syntax
(SEQUENCE_NUM| ) deny icmp (SRC_IP SRC_IP_MASK|any|host SRC_IP) (DST_IP DST_IP_MASK|any|host DST_IP) (icmp-type TYPE-NUM (icmp-code CODE-NUM| )| ) (ip-precedence PRECEDENCE|dscp DSCP| ) (ecn <0-3>| ) (non-fragment|first-fragment|non-or-first-fragment|small-fragment|non-first-fragment) (routed-packet| ) (options| ) (packet-length OPERATOR LENGTH| ) (time-range TIME-RANGE-NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| TYPE-NUM | ICMP message type | 0-255 |
| CODE-NUM | ICMP message code | 0-255 |
| SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
| any | Any source IP address | - |
| host SRC_IP | The source IP address of a host | IPv4 Address |
| DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address and Mask |
| host DST_IP | The destination IP address of a host | IPv4 Address |
| PRECEDENCE | Match packets with given precedence value | 0-7 |
| DSCP | Match packets with given dscp value | 0-63 |
| ECN | ecn value | 0-3 |
| non-fragment | Match packets with non fragment | - |
| first-fragment | Match packets with first fragment | - |
| non-or-first-fragment | Match packets with non first fragment | - |
| small-fragment | Match packets with small fragment | - |
| non-first-fragment | Match packets with non first fragment | - |
| routed-packet | Match routed packet | - |
| options | Match packets with IP options | - |
| TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in extend FLEX IP ACL to deny any UDP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 deny udp any any
This example shows how to create a filter in extend FLEX IP ACL to deny the UDP packets with the source IP 1.1.1.1, source port 10, and destination port less than 2000:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 deny udp host 1.1.1.1 src-port eq 10 any dst-port lt 2000
Related Commands
no sequence-num
11.5.13. deny igmp
Command Purpose
Use this command to reject IGMP packets matching the IP filter.
Prerequisites
| Platform | Software | License | Comments |
|---|---|---|---|
| AQ-N3000 | 7.0 | Base | - |
| AQ-N5000 | 7.0 | Base | - |
| AQ-N6000 | 7.0 | Base | - |
Command Syntax
(SEQUENCE_NUM| ) deny igmp (SRC_IP SRC_IP_MASK|any|host SRC_IP) (DST_IP DST_IP_MASK|any|host DST_IP) (IGMP-TYPE| ) (ip-precedence PRECEDENCE|dscp DSCP| ) (ecn <0-3>| ) (non-fragment|first-fragment|non-or-first-fragment|small-fragment|non-first-fragment) (routed-packet| ) (options| ) (packet-length OPERATOR LENGTH| ) (time-range TIME-RANGE-NAME| )
| Parameter | Parameter Description | Parameter Value |
|---|---|---|
| IGMP-TYPE | IGMP type | including dvmrp, host-query, host-report, mtrace, mtrace-response, pim, precedence, trace, v2-leave, v2-report, v3-report |
| SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not specified. | 1-131071 |
| SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
| any | Any source IP address | - |
| host SRC_IP | The source IP address of a host | IPv4 Address |
| DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address and Mask |
| host DST_IP | The destination IP address of a host | IPv4 Address |
| PRECEDENCE | Match packets with given precedence value | 0-7 |
| DSCP | Match packets with given dscp value | 0-63 |
| ECN | ecn value | 0-3 |
| non-fragment | Match packets with non fragment | - |
| first-fragment | Match packets with first fragment | - |
| non-or-first-fragment | Match packets with non first fragment | - |
| small-fragment | Match packets with small fragment | - |
| non-first-fragment | Match packets with non first fragment | - |
| routed-packet | Match routed packet | - |
| options | Match packets with IP options | - |
| TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
| OPERATOR | Packet length operator, including eq (equal to), lt (less than), gt (greater than), and range | eq (equal to), lt (less than), gt (greater than), and range |
| LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in extend FLEX IP ACL to deny any IGMP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 1 deny igmp any any
This example shows how to create a filter in extend FLEX IP ACL to deny the IGMP packets with the source IP address 1.1.1.1, any destination IP address and the igmp-type pim:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 2 deny igmp host 1.1.1.1 any pim
Related Commands
no sequence-num
11.5.14. deny gre
Command Purpose
Use this command to reject GRE packets matching the IP filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | - |
AQ-N5000 | 7.0 | Base | - |
AQ-N6000 | 7.0 | Base | - |
Command Syntax
(SEQUENCE_NUM| ) deny gre (SRC_IP SRC_IP_MASK|any|host SRC_IP) (DST_IP DST_IP_MASK|any|host DST_IP) (key KEY mask KEY-MASK) (ip-precedence PRECEDENCE|dscp DSCP| ) (ecn <0-3>| ) (non-fragment|first-fragment|non-or-first-fragment|small-fragment|non-first-fragment| ) (routed-packet| ) (options| ) (packet-length OPERATOR LENGTH| ) (time-range TIME-RANGE-NAME| )
Parameter | Parameter Description | Parameter Value |
---|---|---|
KEY | GRE key | 0-4294967295 |
KEY-MASK | GRE key mask | 0-0xFFFFFFFF |
SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
any | Any source IP address | - |
host SRC_IP | The source IP address of a host | - |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address |
host DST_IP | The destination IP address of a host | IPv4 Address |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
This type of filter is mostly used to reject GRE packets.
Examples
This example shows how to create a filter in extend FLEX IP ACL to deny any GRE packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 deny gre any any key 0 mask 0
This example shows how to create a filter in extend FLEX IP ACL to deny the GRE packets with the source IP address 1.1.1.1, any destination IP address and the GRE key 10:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 deny gre host 1.1.1.1 any key 10 mask 0xffffffff
Related Commands
no sequence-num
11.5.15. deny nvgre
Command Purpose
Use this command to reject NVGRE packets matching the IP filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) deny nvgre ( SRC_IP SRC_IP_MASK | any | host SRC_IP ) ( DST_IP DST_IP_MASK | any | host DST_IP ) ( vsid VSID mask VSID-MASK ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
VSID | NVGRE VSID | 0-16777215 |
VSID-MASK | NVGRE VSID mask | 0-0xFFFFFF |
SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
any | Any source IP address | - |
host SRC_IP | The source IP address of a host | - |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address |
host DST_IP | The destination IP address of a host | IPv4 Address |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
This type of filter is mostly used to reject NVGRE packets.
Examples
This example shows how to create a filter in extend FLEX IP ACL to deny any NVGRE packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 deny nvgre any any vsid 0 mask 0
This example shows how to create a filter in extend FLEX IP ACL to deny the NVGRE packets with the source IP address 1.1.1.1, any destination IP address and the NVGRE VSID 10:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 deny nvgre host 1.1.1.1 any vsid 10 mask 0xffffff
Related Commands
no sequence-num
11.5.16. permit
Command Purpose
Use this command to permit packets matching the IP filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) permit ( PROTO_NUM | any ) ( SRC_IP SRC_IP_MASK | any | host SRC_IP ) ( DST_IP DST_IP_MASK | any | host DST_IP ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
PROTO_NUM | An IP protocol number, the range is 0 to 255 | 0-255 |
any | Any protocol | - |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
host SRC_IP | The source IP address of a host | - |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address |
host DST_IP | The destination IP address of a host | IPv4 Address |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
If IP address wildcard bits are provided, the IP address is bitwise ANDed with the inverse of the wildcard bits. For example, 10.10.10.0 0.0.0.255 means the addresses from 10.10.10.0 to 10.10.10.255 are matched.
An auto-generated sequence number will be assigned to the filter if the sequence-num field is not present. The auto-generated sequence number is the maximum existing sequence number in the extend FLEX IP ACL incremented by 10. For example, when the maximum existing sequence number is 105, the sequence number of the next IP filter created is 115.
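The wildcard-bit and auto-numbering rules above, worked through in Python as an added example (not vendor code) for reviewing how many addresses a filter line really covers. The helper names are hypothetical, and `key_match` assumes, from the page's `key 0 mask 0` and `key 10 mask 0xffffffff` examples, that set bits in a GRE key or NVGRE VSID mask are compared, the opposite sense to address wildcard bits.

```python
"""Added example: address wildcard bits, key/VSID masks, auto sequence numbers."""
from ipaddress import IPv4Address

ALL = 0xFFFFFFFF
MAX_SEQ = 131071  # upper bound of SEQUENCE_NUM in the parameter tables


def wildcard_match(addr, base, wildcard):
    """True if addr matches 'base wildcard'; bits set in the wildcard are ignored."""
    care = ~int(IPv4Address(wildcard)) & ALL
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def wildcard_span(base, wildcard):
    """Return (lowest, highest, count) of the addresses matched by 'base wildcard'.

    With a non-contiguous wildcard the matched set is not one contiguous block;
    lowest and highest are still its bounds and count is exact.
    """
    w = int(IPv4Address(wildcard))
    low = int(IPv4Address(base)) & ~w & ALL
    return str(IPv4Address(low)), str(IPv4Address(low | w)), 1 << bin(w).count("1")


def key_match(value, key, mask, width=32):
    """GRE key (width=32) or NVGRE VSID (width=24) test.

    ASSUMPTION read off the page's examples: mask bits set to 1 are compared,
    so 'key 0 mask 0' matches every key and 'key 10 mask 0xffffffff' only 10.
    """
    m = mask & ((1 << width) - 1)
    return (value & m) == (key & m)


def next_sequence_num(existing):
    """Auto-generated number: maximum existing sequence number plus 10."""
    nxt = max(existing, default=0) + 10  # assumption: an empty ACL starts at 10
    if nxt > MAX_SEQ:  # assumption: the page does not say what the switch does here
        raise ValueError("auto-generated sequence number exceeds 131071")
    return nxt


def _addr_spec(tokens):
    """Consume (IP WILDCARD | any | host IP); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def rule_scope(line):
    """Summarise how many source/destination addresses one filter line covers."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src_base, src_wc, rest = _addr_spec(rest)
    if rest and rest[0] == "src-port":  # tcp/udp: src-port OPERATOR SRC_PORT
        rest = rest[4:] if rest[1] == "range" else rest[3:]
    dst_base, dst_wc, rest = _addr_spec(rest)
    return {"seq": seq, "action": action, "proto": proto,
            "src_count": wildcard_span(src_base, src_wc)[2],
            "dst_count": wildcard_span(dst_base, dst_wc)[2]}


if __name__ == "__main__":
    # Constructed inputs written in the page's syntax.
    print(wildcard_span("10.10.10.0", "0.0.0.255"))      # the page's /24 example
    print(wildcard_span("10.10.10.0", "255.255.255.0"))  # subnet mask typed by mistake
    print(rule_scope("20 permit tcp host 1.1.1.1 src-port range 0 100 any"))
    print(next_sequence_num([10, 20, 105]))
```

Typing a subnet mask (255.255.255.0) where wildcard bits are expected makes the filter match every address whose last octet is 0, about 16.7 million addresses instead of 256, which is worth checking before attaching a permit filter.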
Examples
This example shows how to create a filter in extend FLEX IP ACL to permit any routed packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 30 permit any any any routed-packet
Related Commands
no sequence-num
11.5.17. permit tcp
Command Purpose
Use this command to permit TCP packets matching the IP filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) permit tcp ( SRC_IP SRC_IP_MASK | any | host SRC_IP ) ( src-port OPERATOR SRC_PORT | ) ( DST_IP DST_IP_MASK | any | host DST_IP ) ( dst-port OPERATOR DST_PORT | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( established | ( match-any | match-all FLAG-NAME | ) | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options |) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
SEQUENCE_NUM | The sequence number of the filter in IP Extend ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
any | Any source host | - |
host SRC_IP | The source IP address of a host | IPv4 Address |
OPERATOR SRC_PORT | Source port operator and value | Source port, the range is 0-65535. Operators are eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address and Mask |
host DST_IP | The destination IP address of a host | IPv4 Address |
OPERATOR DST_PORT | Destination port operator and value | Destination port, the range is 0-65535. Operators are eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
established | Match established connections | - |
match-any | Match any of the flag-name | - |
FLAG-NAME | Match all the flag-name, including ack, fin, psh, rst, syn and urg | ack, fin, psh, rst, syn and urg |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the IP filter | - |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
The fragments will be invalid when the layer 4 information is specified (i.e. src-port).
Examples
This example shows how to create a filter in extend FLEX IP ACL to permit any TCP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 10 permit tcp any any
This example shows how to create a filter in extend FLEX IP ACL to permit the TCP packets with the source IP address 1.1.1.1, and source port ranges from 0 to 100:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 20 permit tcp host 1.1.1.1 src-port range 0 100 any
This example shows how to create a filter in extend FLEX IP ACL to permit any TCP packets in established TCP streams:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 30 permit tcp any any established
This example shows how to create a filter in extend FLEX IP ACL to permit the TCP ACK packets with the source IP address 10.10.10.0:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 4 permit tcp 10.10.10.0 0.0.0.0 any match-any ack
Related Commands
no sequence-num
11.5.18. permit udp
Command Purpose
Use this command to permit UDP packets when the packets match this access-list.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) permit udp ( SRC_IP SRC_IP_MASK | any | host SRC_IP ) ( src-port OPERATOR SRC_PORT | ) ( DST_IP DST_IP_MASK | any | host DST_IP ) ( dst-port OPERATOR DST_PORT | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
SEQUENCE_NUM | The sequence number of the filter in IP Extend ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
any | Any source host | - |
host SRC_IP | The source IP address of a host | IPv4 Address |
OPERATOR SRC_PORT | Source port operator and value | Source port, the range is 0-65535. Operators are eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address and Mask |
host DST_IP | The destination IP address of a host | IPv4 Address |
OPERATOR DST_PORT | Destination port operator and value | Destination port, the range is 0-65535. Operators are eq (equal to), lt (less than), gt (greater than), neq (not equal to) and range |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the IP filter | - |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
The fragments will be invalid when the layer 4 information is specified (i.e. src-port).
Examples
This example shows how to create a filter in extend FLEX IP ACL to permit any UDP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 1 permit udp any any
This example shows how to create a filter in extend FLEX IP ACL to permit the UDP packets with the source IP address 1.1.1.1, source port 10, and destination port less than 2000:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 2 permit udp host 1.1.1.1 src-port eq 10 any dst-port lt 2000
Related Commands
no sequence-num
11.5.19. permit icmp
Command Purpose
Use this command to permit ICMP packets when the packets match this access-list.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) permit icmp ( SRC_IP SRC_IP_MASK | any | host SRC_IP ) ( DST_IP DST_IP_MASK | any | host DST_IP ) ( icmp-type TYPE-NUM ( icmp-code CODE-NUM | ) | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
icmp-type TYPE-NUM | ICMP message type | 0-255 |
icmp-code CODE-NUM | ICMP message code | 0-255 |
SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
any | Any source IP address | - |
host SRC_IP | The source IP address of a host | - |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address |
host DST_IP | The destination IP address of a host | IPv4 Address |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in extend FLEX IP ACL to permit any ICMP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 1 permit icmp any any
This example shows how to create a filter in extend FLEX IP ACL to permit the ICMP packets with the icmp-type 3 and icmp-code 3:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 2 permit icmp any any icmp-type 3 icmp-code 3
Related Commands
None
11.5.20. permit igmp
Command Purpose
Use this command to permit IGMP packets matching the IP filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) permit igmp ( SRC_IP SRC_IP_MASK | any | host SRC_IP ) ( DST_IP DST_IP_MASK | any | host DST_IP ) ( IGMP-TYPE | ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
IGMP-TYPE | IGMP type | dvmrp, host-query, host-report, mtrace, mtrace-response, pim, precedence, trace, v2-leave, v2-report, v3-report |
SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
PROTO_NUM | An IP protocol number, the range is 0 to 255 | 0-255 |
any | Any protocol | - |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address |
host DST_IP | The destination IP address of a host | IPv4 Address |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
None
Examples
This example shows how to create a filter in extend FLEX IP ACL to permit any IGMP packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 1 permit igmp any any
This example shows how to create a filter in extend FLEX IP ACL to permit the IGMP packets with the source IP address 1.1.1.1, any destination IP address and the igmp-type pim:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# 2 permit igmp host 1.1.1.1 any pim
Related Commands
no sequence-num
11.5.21. permit gre
Command Purpose
Use this command to permit GRE packets matching the IP filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) permit gre ( SRC_IP SRC_IP_MASK | any | host SRC_IP ) ( DST_IP DST_IP_MASK | any | host DST_IP ) ( key KEY mask KEY-MASK ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
KEY | GRE key | 0-4294967295 |
KEY-MASK | GRE key mask | 0-0xFFFFFFFF |
SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
any | Any source IP address | - |
host SRC_IP | The source IP address of a host | IPv4 Address |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address |
host DST_IP | The destination IP address of a host | IPv4 Address |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
This type of filter is mostly used to permit GRE packets.
Examples
This example shows how to create a filter in extend FLEX IP ACL to permit any GRE packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 permit gre any any key 0 mask 0
This example shows how to create a filter in extend FLEX IP ACL to permit the GRE packets with the source IP address 1.1.1.1, any destination IP address and the gre key is 10:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 permit gre host 1.1.1.1 any key 10 mask 0xffffffff
Related Commands
no sequence-num
11.5.22. permit nvgre
Command Purpose
Use this command to permit NVGRE packets matching the IP filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) permit nvgre ( SRC_IP SRC_IP_MASK | any | host SRC_IP ) ( DST_IP DST_IP_MASK | any | host DST_IP ) ( vsid VSID mask VSID-MASK ) ( ip-precedence PRECEDENCE | dscp DSCP | ) ( ecn <0-3> | ) ( non-fragment | first-fragment | non-or-first-fragment | small-fragment | non-first-fragment | ) ( routed-packet | ) ( options | ) ( packet-length OPERATOR LENGTH | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
VSID | NVGRE VSID | 0-16777215 |
VSID-MASK | NVGRE VSID mask | 0-0xFFFFFF |
SEQUENCE_NUM | The sequence number of the filter in FLEX IP ACL. An auto-generated sequence number will be assigned to the filter if this field is not present. | 1-131071 |
SRC_IP SRC_IP_MASK | The source IP address and its wildcard bits | IPv4 Address and Mask |
any | Any source IP address | - |
host SRC_IP | The source IP address of a host | - |
DST_IP DST_IP_MASK | The destination IP address and its wildcard bits | IPv4 Address |
host DST_IP | The destination IP address of a host | IPv4 Address |
PRECEDENCE | Match packets with the given precedence value | 0-7 |
DSCP | Match packets with the given DSCP value | 0-63 |
ECN | ECN value | 0-3 |
non-fragment | Match non-fragmented packets | - |
first-fragment | Match first fragments | - |
non-or-first-fragment | Match non-fragmented packets or first fragments | - |
small-fragment | Match small fragments | - |
non-first-fragment | Match non-first fragments | - |
routed-packet | Match routed packets | - |
options | Match packets with IP options | - |
TIME-RANGE-NAME | The time-range used by the filter | A string with up to 40 characters |
OPERATOR | Packet length operator | eq (equal to), lt (less than), gt (greater than), and range |
LENGTH | The length value | 64-16382 |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
This type of filter is mostly used to permit NVGRE packets.
Examples
This example shows how to create a filter in extend FLEX IP ACL to permit any NVGRE packets:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 1 permit nvgre any any vsid 0 mask 0
This example shows how to create a filter in extend FLEX IP ACL to permit the NVGRE packets with the source IP address 1.1.1.1, any destination IP address and the nvgre vsid is 10:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acl)# 2 permit nvgre host 1.1.1.1 any vsid 10 mask 0xffffff
Related Commands
no sequence-num
11.5.23. remark
Command Purpose
Use this command to add remarks for the extend FLEX IP ACL.
To remove remarks from the extend FLEX IP ACL, use the no form of this command.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
remark REMARK
no remark
Parameter | Parameter Description | Parameter Value |
---|---|---|
REMARK | The remarks of the extend FLEX IP ACL | A string with up to 100 characters |
Command Mode
FLEX IP ACL Configuration
Default
None
Usage
The remark is up to 100 characters.
Examples
This example shows how to add a remark to describe the extend FLEX IP ACL:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# remark remard0flist1
This example shows how to remove the remark from the extend FLEX IP ACL:
Switch# configure terminal
Switch(config)# ip access-list list_ipv4_1 extend
Switch(config-ex-ip-acll)# no remark
Related Commands
None
11.5.24. sequence-num
Command Purpose
Use this command to remove a filter from MPLS ACL.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
no sequence-num SEQUENCE_NUM
Parameter | Parameter Description | Parameter Value |
---|---|---|
SEQUENCE_NUM | The sequence number of an MPLS filter | 1-131071 |
Command Mode
MPLS ACL Configuration
Default
None
Usage
None
Examples
This example shows how to remove a filter with the sequence-num 10 from MPLS ACL:
Switch# configure terminal
Switch(config)# mpls access-list list_mpls_1
Switch(config-mpls-acl)# no sequence-num 10
Related Commands
deny
permit
11.5.25. remark
Command Purpose
Use this command to add remarks for the MPLS ACL.
To remove remarks of the MPLS ACL, use the no form of this command.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
remark REMARK
no remark
Parameter | Parameter Description | Parameter Value |
---|---|---|
REMARK | The remarks of the MPLS ACL | String with up to 100 characters |
Command Mode
MPLS ACL Configuration
Default
None
Usage
The remarks are up to 100 characters. Any characters beyond this limit are truncated and not stored.
Examples
This example shows how to add a remark to describe the MPLS ACL:
Switch# configure terminal
Switch(config)# mpls access-list list_mpls_1
Switch(config-mpls-acl)# remark remark of list for mpls
This example shows how to remove the remark of the MPLS ACL:
Switch# configure terminal
Switch(config)# mpls access-list list_mpls_1
Switch(config-mpls-acl)# no remark
Related Commands
mpls access-list
11.5.26. show access-list mpls
Command Purpose
Use this command to show the MPLS ACL information.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
show access-list mpls ( ACL_NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
ACL_NAME | The name of the MPLS ACL | A string with up to 40 characters |
Command Mode
Privileged EXEC
Default
None
Usage
If no MPLS ACL is specified, all MPLS access-lists in the system are shown.
Examples
This example shows how to show the MPLS ACL information:
Switch# show access-list mpls
mpls access-list list_mpls_1
10 permit topmost-label 1 next-label 2
20 deny topmost-label any
Related Commands
mpls access-list
11.5.27. deny
Command Purpose
Use this command to discard ongoing MPLS packets matching the MPLS filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) deny topmost-label ( ( MPLS-LABEL ( mask MPLS-LABEL-MASK | ) | any ) ( exp EXP-VALUE | ) ( ttl TTL-VALUE | ) next-label | ) ( ( MPLS-LABEL ( mask MPLS-LABEL-MASK | ) | any ) ( exp EXP-VALUE | ) ( ttl TTL-VALUE | ) next-label | ) ( ( MPLS-LABEL ( mask MPLS-LABEL-MASK | ) | any ) ( exp EXP-VALUE | ) ( ttl TTL-VALUE | ) ( stack-bottom | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
SEQUENCE_NUM | The sequence number of the filter in the MPLS ACL. If this field is omitted, an auto-generated sequence number is assigned to the filter. | 1-131071 |
topmost-label | MPLS topmost label | - |
next-label | MPLS next label | - |
MPLS-LABEL | MPLS label value | 0-1048575 |
MPLS-LABEL-MASK | MPLS label mask | 0-0xFFFFF |
EXP-VALUE | EXP value | 0-7 |
TTL-VALUE | TTL value | 0-255 |
TIME-RANGE-NAME | The time range used by the MPLS filter | A string with up to 40 characters |
Command Mode
MPLS ACL Configuration
Default
None
Usage
If the sequence-num field is omitted, an auto-generated sequence number is assigned to the filter. The auto-generated number is the maximum existing sequence number in the MPLS ACL plus 10. For example, when the maximum existing sequence number is 100, the next MPLS filter created is assigned sequence number 110.
Examples
This example shows how to create a filter in MPLS ACL to deny any MPLS packets:
Switch# configure terminal
Switch(config)# mpls access-list list_mpls_1
Switch(config-mpls-acl)# 1 deny topmost-label any
This example shows how to create a filter in MPLS ACL to deny MPLS packets whose first label is 1 and second label is 2:
Switch# configure terminal
Switch(config)# mpls access-list list_mpls_1
Switch(config-mpls-acl)# 2 deny topmost-label 1 next-label 2
Related Commands
no sequence-num
11.5.28. permit
Command Purpose
Use this command to permit ongoing MPLS packets matching the MPLS filter.
Prerequisites
Platform | Software | License | Comments |
---|---|---|---|
AQ-N3000 | 7.0 | Base | |
AQ-N5000 | 7.0 | Base | |
AQ-N6000 | 7.0 | Base | |
Command Syntax
( SEQUENCE_NUM | ) permit topmost-label ( ( MPLS-LABEL ( mask MPLS-LABEL-MASK | ) | any ) ( exp EXP-VALUE | ) ( ttl TTL-VALUE | ) next-label | ) ( ( MPLS-LABEL ( mask MPLS-LABEL-MASK | ) | any ) ( exp EXP-VALUE | ) ( ttl TTL-VALUE | ) next-label | ) ( ( MPLS-LABEL ( mask MPLS-LABEL-MASK | ) | any ) ( exp EXP-VALUE | ) ( ttl TTL-VALUE | ) ( stack-bottom | ) ( time-range TIME-RANGE-NAME | )
Parameter | Parameter Description | Parameter Value |
---|---|---|
SEQUENCE_NUM | The sequence number of the filter in the MPLS ACL. If this field is omitted, an auto-generated sequence number is assigned to the filter. | 1-131071 |
topmost-label | MPLS topmost label | - |
next-label | MPLS next label | - |
MPLS-LABEL | MPLS label value | 0-1048575 |
MPLS-LABEL-MASK | MPLS label mask | 0-0xFFFFF |
EXP-VALUE | EXP value | 0-7 |
TTL-VALUE | TTL value | 0-255 |
TIME-RANGE-NAME | The time range used by the MPLS filter | A string with up to 40 characters |
Command Mode
MPLS ACL Configuration
Default
None
Usage
If the sequence-num field is omitted, an auto-generated sequence number is assigned to the filter. The auto-generated number is the maximum existing sequence number in the MPLS ACL plus 10. For example, when the maximum existing sequence number is 100, the next MPLS filter created is assigned sequence number 110.
Examples
This example shows how to create a filter in MPLS ACL to permit any MPLS packets:
Switch# configure terminal
Switch(config)# mpls access-list list_mpls_1
Switch(config-mpls-acl)# 1 permit topmost-label any
This example shows how to create a filter in MPLS ACL to permit MPLS packets whose first label is 1 and second label is 2:
Switch# configure terminal
Switch(config)# mpls access-list list_mpls_1
Switch(config-mpls-acl)# 2 permit topmost-label 1 next-label 2
Related Commands
no sequence-num
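The following is an added example, not part of the vendor documentation: a small Python audit script that parses text in the `show access-list mpls` layout shown above, computes the sequence number the deny/permit Usage text says would be auto-assigned (maximum existing + 10), and lists filters placed after an unconditional `topmost-label any` filter. It assumes that filters are evaluated in ascending sequence order with the first match winning and that an empty ACL counts as maximum 0; neither is stated on this page, and the function names and `list_mpls_2` are hypothetical.

```python
import re

SEQ_MAX = 131071  # upper bound of SEQUENCE_NUM in the parameter tables
RULE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+topmost-label\s+(.+?)\s*$")

# Constructed sample in the 'show access-list mpls' layout; list_mpls_2 is a made-up name.
SAMPLE = """\
mpls access-list list_mpls_1
1 deny topmost-label any
2 deny topmost-label 1 next-label 2
mpls access-list list_mpls_2
10 permit topmost-label 1 next-label 2
20 deny topmost-label any
"""

def parse_mpls_acl(text):
    """Return {acl_name: [(seq, action, match), ...]} sorted by sequence number."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.strip().startswith("mpls access-list "):
            current = acls.setdefault(line.split()[2], [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            current.append((int(m.group(1)), m.group(2), m.group(3)))
    return {name: sorted(rules) for name, rules in acls.items()}

def next_auto_sequence(rules):
    """Maximum existing sequence number + 10, as the Usage text describes.
    Assumption: an empty ACL counts as maximum 0."""
    nxt = max((seq for seq, _, _ in rules), default=0) + 10
    if nxt > SEQ_MAX:
        # The audit flags this case; the page does not say what the switch does.
        raise ValueError(f"auto sequence {nxt} exceeds {SEQ_MAX}")
    return nxt

def shadowed_rules(rules):
    """Filters that follow an unconditional 'topmost-label any' filter.
    Assumption: ascending sequence order, first match wins."""
    for i, (seq, _, match) in enumerate(rules):
        if match == "any":
            return [(s, a, m, seq) for s, a, m in rules[i + 1:]]
    return []

if __name__ == "__main__":
    for name, rules in parse_mpls_acl(SAMPLE).items():
        print(name, "next auto seq:", next_auto_sequence(rules))
        for s, a, m, by in shadowed_rules(rules):
            print(f"  {s} {a} topmost-label {m}: never reached, shadowed by {by}")
```

Under the stated evaluation-order assumption, the two deny examples above entered into the same ACL (sequence 1 `deny topmost-label any`, then sequence 2) leave filter 2 unreachable, which is the case the script reports for `list_mpls_1`.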