Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
deny log 1.2.4.0 0.0.0.15
before permit 1.2.3.0 0.0.0.31
after deny log 1.2.4.0 0.0.0.15
no permit 1.2.3.0 0.0.0.31
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
Important: It is suggested that any rule which is added to be a catch all should also have the log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security. The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
after deny log host 1.2.3.5
{ deny | permit } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after { deny | permit } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
no { deny | permit } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny : indicates the rule, when matched, drops the corresponding packets.
permit : indicates the rule, when matched, allows the corresponding packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
permit icmp host 1.2.3.4 any 168
deny log icmp 1.2.3.0 0.0.0.31 host 1.2.4.16 168 11
after deny log icmp 1.2.3.0 0.0.0.31 host 1.2.4.16 168 11
{ deny | permit } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
after { deny | permit } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
before { deny | permit } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
no { deny | permit } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
num can be any integer ranging from 0 to 255.
Important: This keyword is not applicable to a SPIO interface. Instead, you must specify the type of protocol packets for which you want to deny/permit processing on a SPIO. For example, deny icmp, deny tcp, or deny udp.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
permit ip host 1.2.3.4 any fragment
deny log ip 1.2.3.0 0.0.0.31 host 1.2.4.16
before permit ip host 1.2.3.4 any fragment
after deny log ip 1.2.3.0 0.0.0.31 host 1.2.4.16
no permit ip host 1.2.3.4 any fragment
{ deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_port end_port ] }
after { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_port end_port ] }
before { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_port end_port ] }
no { deny | permit } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_port end_port ] }
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
deny: indicates the rule, when matched, drops the corresponding packets.
permit: indicates the rule, when matched, allows the corresponding packets.
tcp: filter applies to TCP packets.
udp: filter applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
range start_port end_port
start_port must be an integer from 0 to 65535, and must be less than the end_port value.
end_port must be an integer from 0 to 65535, and must be greater than the start_port value.
Important: This option is supported in PDIF Release 8.3.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
deny log udp 1.2.3.0 0.0.0.31 host 1.2.4.16
permit tcp host 1.2.3.64 gt 1023 any
deny log udp 1.2.3.0 0.0.0.31 1.2.4.127 0.0.0.127
after deny log udp 1.2.3.0 0.0.0.31 host 1.2.4.16
no permit tcp host 1.2.3.64 gt 1023 any
readdress server redirect_address [ port port_no ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
after readdress server redirect_address [ port port_no ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
before readdress server redirect_address [ port port_no ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
no readdress server redirect_address [ port port_no ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
tcp : redirect applies to TCP packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Prior to Release 8.3, for packets received from the packet data network destined for a subscriber's UE, the system applied logic to reset the source address of a packet to the original destination address of the input packet before applying the outbound access control list (ACL). In Release 8.3 and higher, the system reverses the order and applies the outbound ACL before resetting the source address. This change impacts all current readdress server rules in inbound IPv4 ACLs.
Important: After upgrading to Release 8.3, for every readdress server rule in an inbound IPv4 ACL, customers must now add a permit rule to an outbound ACL that explicitly permits packets from the readdress rule's redirect address and port number. If customers omit this permit rule, the system will reject all packets destined for the subscriber's UE from the readdress rule's redirect address and port number.
readdress server 192.168.10.4 udp any any
before readdress server 192.168.10.4 udp any any
after readdress server 192.168.10.4 udp any any
no readdress server 192.168.10.4 udp any any
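The Release 8.3 requirement above (every readdress server rule in an inbound ACL needs a matching permit rule in an outbound ACL) and the wildcard-mask rule can both be checked offline against exported rule text. The following Python sketch is an added example, not code from the product or its documentation; the function names and the sample ACL lines are constructed for illustration. It assumes that any permit rule whose protocol and source side match the redirect address and port counts as covering it, and it does not evaluate rule order or destination fields.

```python
import ipaddress

PROTOCOLS = ("icmp", "ip", "tcp", "udp")
PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
            "lt": lambda p, n: p < n, "neq": lambda p, n: p != n}


def wildcard_is_valid(text):
    """True if the one-bits form one contiguous run starting at the LSB."""
    value = int(ipaddress.IPv4Address(text))
    # Such a value has the form 2**k - 1, so adding 1 clears every set bit.
    return value & (value + 1) == 0


def take_addr(tokens):
    """Consume 'any' | 'host A' | 'A W'; return (address, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = tokens.pop(0)
    if not wildcard_is_valid(wildcard):
        raise ValueError(f"wildcard {wildcard}: one-bits not contiguous from LSB")
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(wildcard))


def take_port(tokens):
    """Consume an optional eq/gt/lt/neq qualifier; return (op, port) or None."""
    if tokens and tokens[0] in PORT_OPS:
        op, port = tokens.pop(0), int(tokens.pop(0))
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} is outside 0-65535")
        return op, port
    return None


def parse_readdress(line):
    """'readdress server A [port P] tcp|udp ...' -> (addr, port, proto) or None."""
    tokens = line.split()
    if tokens[:2] != ["readdress", "server"]:
        return None
    addr, rest, port = int(ipaddress.IPv4Address(tokens[2])), tokens[3:], None
    if rest and rest[0] == "port":
        port, rest = int(rest[1]), rest[2:]
    proto = rest.pop(0)
    # Walk the remaining match fields so that bad wildcards or ports are rejected.
    take_addr(rest), take_port(rest), take_addr(rest), take_port(rest)
    return addr, port, proto


def parse_permit(line):
    """Permit rule -> (proto or None, src_addr, src_wildcard, src_port) or None."""
    tokens = line.split()
    if not tokens or tokens[0] != "permit":
        return None
    tokens.pop(0)
    if tokens and tokens[0] == "log":
        tokens.pop(0)
    proto = tokens.pop(0) if tokens and tokens[0] in PROTOCOLS else None
    addr, wildcard = take_addr(tokens)
    sport = take_port(tokens) if proto in ("tcp", "udp") else None
    return proto, addr, wildcard, sport


def covers(permit, addr, port, proto):
    """Does this permit rule's source side admit packets from addr:port?"""
    p_proto, base, wildcard, sport = permit
    if p_proto not in (None, "ip", proto):
        return False
    if (addr ^ base) & ~wildcard & 0xFFFFFFFF:   # differs in a bit that must match
        return False
    if sport is None:
        return True
    # Assumption: a readdress rule without a port needs an unrestricted permit.
    return port is not None and PORT_OPS[sport[0]](port, sport[1])


def missing_outbound_permits(inbound, outbound):
    """Return the inbound readdress rules that no outbound permit rule covers."""
    permits = [p for p in map(parse_permit, outbound) if p]
    missing = []
    for line in inbound:
        rule = parse_readdress(line)
        if rule and not any(covers(p, *rule) for p in permits):
            missing.append(line)
    return missing


# Constructed sample ACLs (not taken from a real configuration).
INBOUND = ["readdress server 192.168.10.4 udp any any",
           "readdress server 192.168.10.9 port 8080 tcp any any eq 80"]
OUTBOUND = ["permit udp host 192.168.10.4 any",
            "permit tcp 192.168.10.8 0.0.0.3 eq 80 any",   # right host, wrong port
            "deny log any"]

if __name__ == "__main__":
    for rule in missing_outbound_permits(INBOUND, OUTBOUND):
        print("no outbound permit for:", rule)
```

Here the second readdress rule is reported: the outbound permit matches the redirect host through its wildcard but restricts the source port to 80, so replies from port 8080 would be rejected.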
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect context 23 198.162.22.0 0.0.0.31
before redirect context 23 198.162.22.0 0.0.0.31
after redirect context 23 198.162.22.0 0.0.0.31
no redirect context 23 198.162.22.0 0.0.0.31
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: It is suggested that any rule which is added to be a catch all should also have the log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect context 23 host 192.168.200.11
before redirect context 23 host 192.168.200.11
after redirect context 23 host 192.168.200.11
no redirect context 23 host 192.168.200.11
redirect context context_id [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after redirect context context_id [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
before redirect context context_id [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
no redirect context context_id [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect context 23 icmp host 192.168.100.25
before redirect context 23 icmp host 192.168.100.25
after redirect context 23 icmp host 192.168.100.25
no redirect context 23 icmp host 192.168.100.25
redirect context context_id [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
after redirect context context_id [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
before redirect context context_id [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
no redirect context context_id [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
num can be any integer ranging from 0 to 255.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect context 23 ip host 198.162.100.25 any fragment
before redirect context 23 ip host 198.162.100.25 any fragment
after redirect context 23 ip host 198.162.100.25 any fragment
no redirect context 23 ip host 198.162.100.25 any fragment
redirect context context_id [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
after redirect context context_id [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
before redirect context context_id [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
no redirect context context_id [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port ] }
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
tcp : redirect applies to TCP packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information. Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [ log ] any
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
Important: It is suggested that any rule definition which is added to be a catch all should also have the log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
Important: A maximum of 16 rule definitions can be configured per ACL.
Important: Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [ log ] host source_host_address
before redirect css service svc_name [ log ] host source_host_address
after redirect css service svc_name [ log ] host source_host_address
no redirect css service svc_name [ log ] host source_host_address
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service chgsvc1 host 192.168.200.11
before redirect css service chgsvc1 host 192.168.200.11
after redirect css service chgsvc1 host 192.168.200.11
no redirect css service chgsvc1 host 192.168.200.11
redirect css service svc_name [ log ] icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
before redirect css service svc_name [ log ] icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
after redirect css service svc_name [ log ] icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
no redirect css service svc_name [ log ] icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service chgsvc1 icmp host 192.168.200.11
before redirect css service chgsvc1 icmp host 192.168.200.11
after redirect css service chgsvc1 icmp host 192.168.200.11
no redirect css service chgsvc1 icmp host 192.168.200.11
redirect css service svc_name [ log ] ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
before redirect css service svc_name [ log ] ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after redirect css service svc_name [ log ] ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
no redirect css service svc_name [ log ] ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
The following command defines a rule definition that redirects packets to the charging service named chgsvc1, and IP packets coming from the host with the IP address 198.162.100.25, and fragmented packets for any destination are matched.
redirect css service chgsvc1 ip host 198.162.100.25 any fragment
before redirect css service chgsvc1 ip host 198.162.100.25 any fragment
after redirect css service chgsvc1 ip host 198.162.100.25 any fragment
no redirect css service chgsvc1 ip host 198.162.100.25 any fragment
redirect css service svc_name [ log ] source_address source_wildcard
before redirect css service svc_name [ log ] source_address source_wildcard
after redirect css service svc_name [ log ] source_address source_wildcard
no redirect css service svc_name [ log ] source_address source_wildcard
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL.
redirect css service chgsvc1 1.2.3.0 0.0.0.31
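The wildcard, port, svc_name and rule-count constraints stated in this reference can be checked offline before rule definitions are entered. The Python lint below is an added example, not part of the original reference or any vendor tooling; its function names and the sample rules marked as constructed are assumptions, and it tokenizes only the rule forms shown on this page.

```python
import ipaddress

MAX_RULES_PER_ACL = 16      # limit this page states for "redirect css" rule definitions
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}   # operator -> port count
SINGLE_ADDR = {"host", "nexthop"}     # keywords followed by one address, no wildcard
NOT_MATCH_TOKENS = {"redirect", "css", "service", "log", "uplink", "downlink"}


def ipv4_int(token):
    """Return a dotted quad as a 32-bit integer, or None if it is not one."""
    try:
        return int(ipaddress.IPv4Address(token))
    except ValueError:
        return None


def is_valid_wildcard(wildcard):
    """One-bits must be contiguous from the LSB, so the 32-bit value is 2**n - 1."""
    mask = ipv4_int(wildcard)
    return mask is not None and mask & (mask + 1) == 0


def matched_range(address, wildcard):
    """First and last address selected by an address/wildcard pair."""
    addr, mask = ipv4_int(address), ipv4_int(wildcard)
    if addr is None or not is_valid_wildcard(wildcard):
        raise ValueError(f"bad address/wildcard pair: {address} {wildcard}")
    first = addr & ~mask & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | mask))


def lint_rule(line):
    """Return the findings for one rule definition line (empty list when clean)."""
    findings, tokens = [], line.split()
    svc_idx = tokens.index("service") + 1 if "service" in tokens else -1
    if svc_idx > 0:
        name = tokens[svc_idx] if svc_idx < len(tokens) else ""
        if not 1 <= len(name) <= 15:
            findings.append(f"svc_name '{name}' is not 1 through 15 characters")
    i = max(svc_idx + 1, 0)              # start scanning after the service name
    while i < len(tokens):
        tok = tokens[i]
        if tok in SINGLE_ADDR:           # "host a.b.c.d" carries no wildcard
            i += 2
        elif tok in PORT_OPS:            # eq/gt/lt/neq take one port, range takes two
            count = PORT_OPS[tok]
            for port in tokens[i + 1:i + 1 + count]:
                if not (port.isdigit() and int(port) <= 65535):
                    findings.append(f"port '{port}' after '{tok}' is outside 0-65535")
            i += 1 + count
        elif ipv4_int(tok) is not None:  # an address must be followed by its wildcard
            wildcard = tokens[i + 1] if i + 1 < len(tokens) else ""
            if not is_valid_wildcard(wildcard):
                findings.append(f"wildcard '{wildcard}' after {tok} is not contiguous from the LSB")
            i += 2
        else:
            i += 1
    # A css rule whose only match criterion is "any" is a catch-all; the page
    # suggests such rule definitions also carry the log option.
    body = [t for n, t in enumerate(tokens) if n != svc_idx and t not in NOT_MATCH_TOKENS]
    has_log = any(t == "log" for n, t in enumerate(tokens) if n != svc_idx)
    if body == ["any"] and not has_log:
        findings.append("catch-all rule definition without the log option")
    return findings


def lint_acl(rules):
    """Map 1-based rule number -> findings; key 0 holds ACL-level findings."""
    report = {}
    for number, line in enumerate(rules, 1):
        found = lint_rule(line)
        if found:
            report[number] = found
    if len(rules) > MAX_RULES_PER_ACL:
        report[0] = [f"{len(rules)} rule definitions exceed the limit of {MAX_RULES_PER_ACL}"]
    return report


SAMPLE_ACL = [
    "redirect css service chgsvc1 1.2.3.0 0.0.0.31",                     # from this page
    "redirect css service chgsvc1 ip host 198.162.100.25 any fragment",  # from this page
    "redirect css service chgsvc1 downlink 10.20.0.0 0.0.7.15",          # constructed: bad wildcard
    "redirect css service chgsvc1 uplink udp any range 5000 70000 any",  # constructed: bad port
    "redirect css service a-service-name-too-long uplink any",           # constructed: name, no log
]

if __name__ == "__main__":
    print(matched_range("1.2.3.0", "0.0.0.31"))
    for number, found in lint_acl(SAMPLE_ACL).items():
        for finding in found:
            print(f"rule {number}: {finding}")
```

Treating the wildcard as one 32-bit value is what makes 0.0.15.255 pass and 0.0.7.15 fail, even though every octet of both is individually in the allowed list.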
redirect css service svc_name [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
before redirect css service svc_name [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after redirect css service svc_name [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
no redirect css service svc_name [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
tcp : redirect applies to TCP packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
range start_source_port end_source_port
start_source_port is the initial port in the range and end_source_port is the final port in the range. Both start_source_port and end_source_port can be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
range start_dest_port end_dest_port
start_dest_port is the initial port in the range and end_dest_port is the final port in the range. Both start_dest_port and end_dest_port can be configured to any integer value from 0 to 65535.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [ log ] downlink any
before redirect css service svc_name [ log ] downlink any
after redirect css service svc_name [ log ] downlink any
no redirect css service svc_name [ log ] downlink any
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
Important: It is suggested that any rule definition added as a catch-all should also have the log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
Important: A maximum of 16 rule definitions can be configured per ACL.
Important: Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service chgsvc1 downlink any
no redirect css service chgsvc1 downlink any
redirect css service svc_name [ log ] downlink host source_host_address
before redirect css service svc_name [ log ] downlink host source_host_address
after redirect css service svc_name [ log ] downlink host source_host_address
no redirect css service svc_name [ log ] downlink host source_host_address
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service chgsvc1 downlink host 192.168.200.11
before redirect css service chgsvc1 downlink host 192.168.200.11
after redirect css service chgsvc1 downlink host 192.168.200.11
no redirect css service chgsvc1 downlink host 192.168.200.11
redirect css service svc_name [ log ] downlink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
before redirect css service svc_name [ log ] downlink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
after redirect css service svc_name [ log ] downlink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
no redirect css service svc_name [ log ] downlink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
The following command defines a rule definition that redirects packets to the charging service named chgsvc1, and ICMP packets coming in the downlink (from the Mobile Node) direction from the host with the IP address 198.162.100.25.
redirect css service chgsvc1 downlink icmp host 192.168.100.25
before redirect css service chgsvc1 downlink icmp host 192.168.100.25
after redirect css service chgsvc1 downlink icmp host 192.168.100.25
no redirect css service chgsvc1 downlink icmp host 192.168.100.25
redirect css service svc_name [ log ] downlink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
before redirect css service svc_name [ log ] downlink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after redirect css service svc_name [ log ] downlink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
no redirect css service svc_name [ log ] downlink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
The following command defines a rule definition that redirects packets to the charging service named chgsvc1, and downlink IP packets coming from the host with the IP address 198.162.100.25, and fragmented packets for any destination are matched.
redirect css service chgsvc1 downlink ip host 198.162.100.25 any fragment
before redirect css service chgsvc1 downlink ip host 198.162.100.25 any fragment
after redirect css service chgsvc1 downlink ip host 198.162.100.25 any fragment
no redirect css service chgsvc1 downlink ip host 198.162.100.25 any fragment
redirect css service svc_name [ log ] downlink source_address source_wildcard
before redirect css service svc_name [ log ] downlink source_address source_wildcard
after redirect css service svc_name [ log ] downlink source_address source_wildcard
no redirect css service svc_name [ log ] downlink source_address source_wildcard
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL.
redirect css service chgsvc1 downlink 1.2.3.0 0.0.0.31
redirect css service svc_name [ log ] downlink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
before redirect css service svc_name [ log ] downlink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after redirect css service svc_name [ log ] downlink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
no redirect css service svc_name [ log ] downlink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
tcp : redirect applies to TCP packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
range start_source_port end_source_port
start_source_port is the initial port in the range and end_source_port is the final port in the range. Both start_source_port and end_source_port can be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
range start_dest_port end_dest_port
start_dest_port is the initial port in the range and end_dest_port is the final port in the range. Both start_dest_port and end_dest_port can be configured to any integer value from 0 to 65535.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service chgsvc1 downlink udp any
no redirect css service chgsvc1 downlink udp any
redirect css service svc_name [ log ] uplink any
before redirect css service svc_name [ log ] uplink any
after redirect css service svc_name [ log ] uplink any
no redirect css service svc_name [ log ] uplink any
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
Important: It is suggested that any rule definition added as a catch-all should also have the log option specified. The logged packets may be used to determine if the current list of rule definitions is adequate or needs modification to ensure proper security.
Important: A maximum of 16 rule definitions can be configured per ACL.
Important: Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service svc_name [ log ] uplink host source_host_address
before redirect css service svc_name [ log ] uplink host source_host_address
after redirect css service svc_name [ log ] uplink host source_host_address
no redirect css service svc_name [ log ] uplink host source_host_address
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect css service chgsvc1 uplink host 192.168.200.11
before redirect css service chgsvc1 uplink host 192.168.200.11
after redirect css service chgsvc1 uplink host 192.168.200.11
no redirect css service chgsvc1 uplink host 192.168.200.11
redirect css service svc_name [ log ] uplink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
before redirect css service svc_name [ log ] uplink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
after redirect css service svc_name [ log ] uplink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
no redirect css service svc_name [ log ] uplink icmp { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: A maximum of 16 rule definitions can be configured per ACL. Also note that “redirect” rule definitions are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
The following command defines a rule definition that redirects packets to the charging service named chgsvc1, and ICMP packets in the uplink (to the Mobile Node) direction from the host with the IP address 198.162.100.25.
redirect css service chgsvc1 uplink icmp host 192.168.100.25
before redirect css service chgsvc1 uplink icmp host 192.168.100.25
after redirect css service chgsvc1 uplink icmp host 192.168.100.25
no redirect css service chgsvc1 uplink icmp host 192.168.100.25
redirect css service svc_name [ log ] uplink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
before redirect css service svc_name [ log ] uplink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
after redirect css service svc_name [ log ] uplink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
no redirect css service svc_name [ log ] uplink ip { any | host source_host_address | source_address source_wildcard } { any | host dest_host_address | dest_address dest_wildcard } [ fragment ]
Important: If the options specified do not exactly match an existing rule definition, the insertion point does not change.
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
The following command defines a rule definition that redirects packets to the charging service named chgsvc1, and uplink IP packets going to the host with the IP address 198.162.100.25, and fragmented packets for any destination are matched.
redirect css service chgsvc1 uplink ip host 198.162.100.25 any fragment
before redirect css service chgsvc1 uplink ip host 198.162.100.25 any fragment
after redirect css service chgsvc1 uplink ip host 198.162.100.25 any fragment
no redirect css service chgsvc1 uplink ip host 198.162.100.25 any fragment
redirect css service svc_name [ log ] uplink source_address source_wildcard
before redirect css service svc_name [ log ] uplink source_address source_wildcard
after redirect css service svc_name [ log ] uplink source_address source_wildcard
no redirect css service svc_name [ log ] uplink source_address source_wildcard
svc_name must be a string from 1 through 15 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
redirect css service chgsvc1 uplink 1.2.3.0 0.0.0.31
redirect css service svc_name [ log ] uplink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
before redirect css service svc_name [ log ] uplink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
after redirect css service svc_name [ log ] uplink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
no redirect css service svc_name [ log ] uplink { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port | range start_source_port end_source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dest_port | range start_dest_port end_dest_port ] }
svc_name must be a string from 1 through 15 characters in length.
tcp : redirect applies to TCP packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
source_port must be configured to any integer value from 0 to 65535.
range start_source_port end_source_port
start_source_port is the initial port in the range and end_source_port is the final port in the range. Both start_source_port and end_source_port can be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
dest_port must be configured to any integer value from 0 to 65535.
range start_dest_port end_dest_port
start_dest_port is the initial port in the range and end_dest_port is the final port in the range. Both start_dest_port and end_dest_port can be configured to any integer value from 0 to 65535.
redirect css service chgsvc1 uplink udp any
before redirect css service chgsvc1 uplink udp any
after redirect css service chgsvc1 uplink udp any
no redirect css service chgsvc1 uplink udp any
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] source_address source_wildcard
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] source_address source_wildcard
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] source_address source_wildcard
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] source_address source_wildcard
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
before redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
after redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
no redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
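The contiguity rule for wildcards, and the group of addresses a pair such as 198.162.22.0 0.0.0.31 selects, can be checked offline before a rule is entered. The following Python is an added example, not part of the vendor documentation; it assumes the usual wildcard semantics, in which one-bits mark address bits that are ignored when matching, and the function names are illustrative.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def parse_wildcard(wildcard: str) -> int:
    """Return the wildcard as a 32-bit integer.

    Raises ValueError if the one-bits are not contiguous from the LSB.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    # A value of the form 2**k - 1 shares no set bit with its successor.
    if w & (w + 1):
        raise ValueError(f"one-bits not contiguous from the LSB: {wildcard}")
    return w


def is_valid_wildcard(wildcard: str) -> bool:
    try:
        parse_wildcard(wildcard)
    except ValueError:
        return False
    return True


def covered_range(address: str, wildcard: str):
    """First and last address selected by an address/wildcard pair."""
    w = parse_wildcard(wildcard)
    base = int(ipaddress.IPv4Address(address)) & ~w & MASK32
    return ipaddress.IPv4Address(base), ipaddress.IPv4Address(base | w)


def matches(packet_src: str, address: str, wildcard: str) -> bool:
    """True if packet_src equals address on every bit the wildcard leaves at zero."""
    care = ~parse_wildcard(wildcard) & MASK32
    src = int(ipaddress.IPv4Address(packet_src))
    return (src & care) == (int(ipaddress.IPv4Address(address)) & care)


if __name__ == "__main__":
    # Wildcards quoted in the note above, then the rule from the example lines.
    for wc in ("0.0.0.3", "0.0.0.255", "0.0.15.255", "0.0.7.15"):
        print(wc, "acceptable" if is_valid_wildcard(wc) else "rejected")
    first, last = covered_range("198.162.22.0", "0.0.0.31")
    print("rule covers", first, "through", last)
```

Because a valid wildcard is always one less than a power of two, every accepted address/wildcard pair corresponds to a single aligned block of addresses.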
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] any
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
Important: It is suggested that any rule which is added to be a catch all should also have the log option specified. The logged packets may be used to determine if the current list of rules is adequate or needs modification to ensure proper security.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthop 192.168.10.4 context 23 any
before redirect nexthop 192.168.10.4 context 23 any
after redirect nexthop 192.168.10.4 context 23 any
no redirect nexthop 192.168.10.4 context 23 any
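The suggestion that catch-all rules carry the log option can be enforced when reviewing a saved rule list. The following Python is an added example, not part of the vendor documentation; the sample rules are constructed, the function names are illustrative, and treating "ip any any" as a catch-all alongside the plain "any" form is an assumption of this sketch.

```python
import ipaddress

POSITION_KEYWORDS = {"before", "after", "no"}

# Constructed sample rules in the syntax shown above (not from a real device).
SAMPLE_ACL = """\
redirect nexthop 192.168.10.4 context 23 198.162.22.0 0.0.0.31
redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
redirect nexthop 192.168.10.4 context 23 log ip any any
redirect nexthop 192.168.10.4 context 23 any
"""


def parse_redirect(line):
    """Split one 'redirect nexthop ...' rule into its fields."""
    tokens = line.split()
    position = tokens.pop(0) if tokens and tokens[0] in POSITION_KEYWORDS else None
    if tokens[:2] != ["redirect", "nexthop"] or len(tokens) < 6:
        raise ValueError(f"not a redirect nexthop rule: {line!r}")
    ipaddress.IPv4Address(tokens[2])  # raises ValueError on a malformed next hop
    if tokens[3] not in ("context", "interface"):
        raise ValueError(f"expected 'context' or 'interface': {line!r}")
    rest = tokens[5:]
    log = rest[0] == "log"
    return {"position": position, "nexthop": tokens[2],
            "target": (tokens[3], tokens[4]), "log": log,
            "criteria": rest[1:] if log else rest}


def is_catch_all(criteria):
    # 'any' matches every source; 'ip any any' matches every IP packet.
    return criteria in (["any"], ["ip", "any", "any"])


def unlogged_catch_alls(config):
    """Return (line_number, rule) for each catch-all rule that lacks 'log'."""
    findings = []
    for number, line in enumerate(config.splitlines(), start=1):
        if not line.strip():
            continue
        rule = parse_redirect(line)
        if rule["position"] == "no":
            continue  # a 'no' line removes a rule rather than adding one
        if is_catch_all(rule["criteria"]) and not rule["log"]:
            findings.append((number, line.strip()))
    return findings


if __name__ == "__main__":
    for number, rule in unlogged_catch_alls(SAMPLE_ACL):
        print(f"line {number}: catch-all without log: {rule}")
```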
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] host source_ip_address
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] host source_ip_address
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] host source_ip_address
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
before redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
after redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
no redirect nexthop 192.168.10.4 context 23 host 192.168.200.11
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dst_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dst_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dst_host_address } [ icmp_type [ icmp_code ] ]
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] icmp { source_address source_wildcard | any | host source_host_address } { dest_address dst_wildcard | any | host dest_host_address } [ icmp_type [ icmp_code ] ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthop 192.168.10.4 context 23 icmp host 192.168.100.25
before redirect nexthop 192.168.10.4 context 23 icmp host 192.168.100.25
after redirect nexthop 192.168.10.4 context 23 icmp host 192.168.100.25
no redirect nexthop 192.168.10.4 context 23 icmp host 192.168.100.25
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] ip { source_address source_wildcard | any | host source_host_address } { dest_address dest_wildcard | any | host dest_host_address } [ fragment ] [ protocol num ]
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
num can be any integer ranging from 0 to 255.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthop 192.168.10.4 context 23 ip host 198.162.100.25 any fragment
before redirect nexthop 192.168.10.4 context 23 ip host 198.162.100.25 any fragment
after redirect nexthop 192.168.10.4 context 23 ip host 198.162.100.25 any fragment
no redirect nexthop 192.168.10.4 context 23 ip host 198.162.100.25 any fragment
redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dst_port ] }
after redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dst_port ] }
before redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dst_port ] }
no redirect nexthop nexthop_addr { context context_id | interface interface_name } [ log ] { tcp | udp } { { source_address source_wildcard | any | host source_host_address } [ eq source_port | gt source_port | lt source_port | neq source_port ] } { { dest_address dest_wildcard | any | host dest_host_address } [ eq dest_port | gt dest_port | lt dest_port | neq dst_port ] }
Important: If the options specified do not exactly match an existing rule, the insertion point does not change.
The name of the logical interface to which the packets should be redirected. interface_name must be an alpha and/or numeric string from 1 to 79 characters in length.
tcp : redirect applies to TCP packets.
udp : redirect applies to UDP packets.
This option is used in conjunction with the source_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
source_port must be configured to any integer value from 0 to 65535.
This option is used in conjunction with the dest_address option to specify a group of addresses for which packets are to be filtered.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
dest_port must be configured to any integer value from 0 to 65535.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. Refer to the Engineering Rules appendix located in the Administration and Configuration Guide for more information.
Important: Also note that “redirect” rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context.
redirect nexthop 192.168.10.4 context 23 udp any
before redirect nexthop 192.168.10.4 context 23 udp any
after redirect nexthop 192.168.10.4 context 23 udp any
no redirect nexthop 192.168.10.4 context 23 udp any