Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
Important: It is suggested that any rule which is added to be a catch all should also have the
log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security. The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
{ deny | permit } [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
after { deny | permit } [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
no { deny | permit } [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny : indicates the rule, when matched, drops the corresponding packets.
permit : indicates the rule, when matched, allows the corresponding packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
{ deny | permit } [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment ] [ protocol num ]
after { deny | permit } [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment ] [ protocol num ]
before { deny | permit } [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment ] [ protocol num ]
no { deny | permit } [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment ] [ protocol num ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
num can be any integer ranging from 0 to 255.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
{ deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ]}
after { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
before { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
no { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
tcp: filter applies to TPC packets.
udp: filter applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
tcp : redirect applies to TCP packets.
udp : redirect applies to UDP packets.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: It is suggested that any rule which is added to be a catch all should also have the log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security. The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
before redirect context
23 any
after redirect context
23 any
no redirect context
23 any
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect contextcontext_id [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
after redirect contextcontext_id [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
before redirect contextcontext_id [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
no redirect contextcontext_id [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect contextcontext_id [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment] [ protocol num ]
after redirect contextcontext_id [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment] [ protocol num ]
before redirect contextcontext_id [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment] [ protocol num ]
no redirect contextcontext_id [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdst_host_address } [ fragment] [ protocol num ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
num can be any integer ranging from 0 to 255.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect contextcontext_id [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
afterredirect contextcontext_id [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
before redirect contextcontext_id [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
noredirect contextcontext_id [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
tcp : redirect applies to TPC packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
before redirect context
23 udp any
after redirect context
23 udp any
no redirect context
23 udp any
redirect css service svc_name [
log ]
any
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
Important: It is suggested that any rule definition which is added to be a catch all should also have the
log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
Important: A maximum of 16 rule definitions can be configured per ACL.
Important: Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
host source_host_address
before redirect css service svc_name [
log ]
host source_host_address
after redirect css service svc_name [
log ]
host source_host_address
no redirect css service svc_name [
log ]
host source_host_address
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
before redirect css service svc_name [
log ]
icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
after redirect css service svc_name [
log ]
icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
no redirect css service svc_name [
log ]
icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
before redirect css service svc_name [
log ]
ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
after redirect css service svc_name [
log ]
ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
no redirect css service svc_name [
log ]
ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
source_address source_wildcard
before redirect css service svc_name [
log ]
source_address source_wildcard
after redirect css service svc_name [
log ]
source_address source_wildcard
no redirect css service svc_name [
log ]
source_address source_wildcard
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL.
redirect css service chgsvc1 1:1:1:1:1:1:1:1
redirect css service svc_name [
log ] {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
before redirect css service svc_name [
log ] {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
after redirect css service svc_name [
log ] {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
no redirect css service svc_name [
log ] {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
tcp : redirect applies to TPC packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
range start_source_port end_source_port
start_source_port is the initial port in the range and
end_source_port is the final port in the range.
Both start_source_port and
end_source_port can be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
range start_dest_port end_dest_port
start_dest_port is the initial port in the range and
end_dest_port is the final port in the range.
Both start_dest_port and
end_dest_port can be configured to any integer value from 0 to 65535.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
downlink any
before redirect css service svc_name [
log ]
downlink any
after redirect css service svc_name [
log ]
downlink any
no redirect css service svc_name [
log ]
downlink any
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
Important: It is suggested that any rule definition which is added to be a catch all should also have the
log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
Important: A maximum of 16 rule definitions can be configured per ACL.
Important: Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service chgsvc1 downlink any
no redirect service chgsvc1 downlink any
redirect css service svc_name [
log ]
downlink host source_host_address
before redirect css service svc_name [
log ]
downlink host source_host_address
after redirect css service svc_name [
log ]
downlink host source_host_address
no redirect css service svc_name [
log ]
downlink host source_host_address
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
downlink icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
before redirect css service svc_name [
log ]
downlink icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
after redirect css service svc_name [
log ]
downlink icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
no redirect css service svc_name [
log ]
downlink icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
downlink ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
before redirect css service svc_name [
log ]
downlink ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
after redirect css service svc_name [
log ]
downlink ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
no redirect css service svc_name [
log ]
downlink ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
downlink source_address source_wildcard
before redirect css service svc_name [
log ]
downlink source_address source_wildcard
after redirect css service svc_name [
log ]
downlink source_address source_wildcard
no redirect css service svc_name [
log ]
downlink source_address source_wildcard
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL.
redirect css service chgsvc1 downlink 1:1:1:1:1:1:1:1
redirect css service svc_name [
log ]
downlink {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
before redirect css service svc_name [
log ]
downlink {
tcp |
udp } {{ {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
after redirect css service svc_name [
log ]
downlink {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
no redirect css service svc_name [
log ]
downlink {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
tcp : redirect applies to TPC packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
range start_source_port end_source_port
start_source_port is the initial port in the range and
end_source_port is the final port in the range.
Both start_source_port and
end_source_port can be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
range start_dest_port end_dest_port
start_dest_port is the initial port in the range and
end_dest_port is the final port in the range.
Both start_dest_port and
end_dest_port can be configured to any integer value from 0 to 65535.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service chgsvc1 downlink udp any
no redirect
css service chgsvc1 downlink udp any
redirect css service svc_name [
log ]
uplink any
before redirect css service svc_name [
log ]
uplink any
after redirect css service svc_name [
log ]
uplink any
no redirect css service svc_name [
log ]
uplink any
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
Important: It is suggested that any rule definition which is added to be a catch all should also have the
log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
Important: A maximum of 16 rule definitions can be configured per ACL.
Important: Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
uplink host source_host_address
before redirect css service svc_name [
log ]
uplink host source_host_address
after redirect css service svc_name [
log ]
uplink host source_host_address
no redirect css service svc_name [
log ]
uplink host source_host_address
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
uplink icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
before redirect css service svc_name [
log ]
uplink icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
after redirect css service svc_name [
log ]
uplink icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
no redirect css service svc_name [
log ]
uplink icmp {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
icmp_type [
icmp_code ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [
log ]
uplink ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
before redirect css service svc_name [
log ]
uplink ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
after redirect css service svc_name [
log ]
uplink ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
no redirect css service svc_name [
log ]
uplink ip {
any |
host source_host_address |
source_address source_wildcard } {
any |
host dest_host_address |
dest_address dest_wildcard } [
fragment ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
redirect css service svc_name [
log ]
uplink source_address source_wildcard
before redirect css service svc_name [
log ]
uplink source_address source_wildcard
after redirect css service svc_name [
log ]
uplink source_address source_wildcard
no redirect css service svc_name [
log ]
uplink source_address source_wildcard
svc_name must be a string of 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
redirect css service chgsvc1 uplink 1:1:1:1:1:1:1:1
redirect css service svc_name [
log ]
uplink {
tcp |
udp } { {
source_address source_wildcard |
any |
source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
before redirect css service svc_name [
log ]
uplink {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
after redirect css service svc_name [
log ]
uplink {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
no redirect css service svc_name [
log ]
uplink {
tcp |
udp } { {
source_address source_wildcard |
any |
host source_host_address } [
eq source_port |
gt source_port |
lt source_port |
neq source_port | range
start_source_port end_source_port ] } { {
dest_address dest_wildcard |
any |
host dest_host_address } [
eq dest_port |
gt dest_port |
lt dest_port |
neq dst_port | range
start_dest_port end_dest_port ] }
svc_name must be a string of 1 through 15 characters in length.
tcp : redirect applies to TPC packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
range start_source_port end_source_port
start_source_port is the initial port in the range and
end_source_port is the final port in the range.
Both start_source_port and
end_source_port can be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
range start_dest_port end_dest_port
start_dest_port is the initial port in the range and
end_dest_port is the final port in the range.
Both start_dest_port and
end_dest_port can be configured to any integer value from 0 to 65535.
redirect css service chgsvc1 uplink udp any
before redirect
css service chgsvc1 uplink udp any
after redirect
css service chgsvc1 uplink udp any
no redirect
css service chgsvc1 uplink udp any
redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] source_address source_wildcard
afterredirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] source_address source_wildcard
beforeredirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] source_address source_wildcard
noredirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] source_address source_wildcard
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] any
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
Important: It is suggested that any rule which is added to be a catch all should also have the
log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security. The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] hostsource_ip_address
after redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] hostsource_ip_address
noredirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] hostsource_ip_address
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dst_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
after redirectinterface_namenexthop_addrnexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dst_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
before redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdst_host_address } [ icmp_type [ icmp_code ] ]
no redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] icmp { source_address source_wildcard | any | hostsource_host_address } { dest_address dst_wildcard | any | hostdest_host_address } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment] [ protocol num ]
after redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment ] [ protocol num ]
before redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment] [ protocol num ]
no redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] ip { source_address source_wildcard | any | hostsource_host_address } { dest_address dest_wildcard | any | hostdest_host_address } [ fragment ] [ protocol num ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
num can be any integer ranging from 0 to 255.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
afterredirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
beforeredirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
noredirect nexthopnexthop_addr { contextcontext_id | interfaceinterface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | hostsource_host_address } [ eqsource_port | gtsource_port | ltsource_port | neqsource_port ] } { { dest_address dest_wildcard | any | hostdest_host_address } [ eqdest_port | gtdest_port | ltdest_port | neqdst_port ] }
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
tcp : redirect applies to TPC packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
source_port must be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is
not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
dest_port must be configured to any integer value from 0 to 65535.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.