The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes the Cisco NX-OS security commands that begin with P.
To create an ARP ACL rule that permits ARP traffic that matches its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit ip { any | host sender-IP | sender-IP sender-IP-mask } mac any
[ sequence-number ] permit ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
[ sequence-number ] permit request ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
[ sequence-number ] permit response ip { any | host sender-IP | sender-IP sender-IP-mask } { any | host target-IP | target-IP target-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ any | host target-MAC | target-MAC target-MAC-mask ] [ log ]
no permit ip { any | host sender-IP | sender-IP sender-IP-mask } mac any
no permit ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
no permit request ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
no permit response ip { any | host sender-IP | sender-IP sender-IP-mask } { any | host target-IP | target-IP target-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ any | host target-MAC | target-MAC target-MAC-mask ] [ log ]
Note An ARP access list is supported only for Control Plane Policing (CoPP). The permit command is ignored for CoPP ARP ACLs.
A newly created ARP ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the device applies an ARP ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
If you do not specify either the response or request keyword, the rule applies to packets that contain any ARP message.
This example shows how to enter ARP access list configuration mode for an ARP ACL named copp-arp-acl and add a rule that permits ARP request messages that contain a sender IP address that is within the 192.0.32.14/24 subnet and associate them with the copp-arp-acl class:
To create an access control list (ACL) rule that permits IPv4 ICMP traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit icmp source destination [ icmp-message ]
[ sequence-number ] permit icmp source destination [ icmp-message | dscp dscp | fragments | log | precedence precedence ]
no permit icmp source destination [ icmp-message | dscp dscp | fragments | log | precedence precedence ]
Note You can also specify the icmp keyword by its IP protocol number (ICMP is protocol 1). Valid protocol numbers are from 0 to 255.
| Syntax element | Description |
|---|---|
| sequence-number | (Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
| source | Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| destination | Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| icmp-message | (Optional) ICMP message number, which is an integer from 0 to 255, or a keyword. For a list of keywords, see the “ICMP Message Types” section in the “Usage Guidelines” section. |
| dscp dscp | (Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be a number from 0 to 63 or a DSCP keyword such as af11, cs1, default, or ef. |
| fragments | (Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule in which you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments. |
| log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the protocol, the source and destination addresses, and the source and destination port numbers, if applicable. |
| precedence precedence | (Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number from 0 to 7 or one of the keywords routine, priority, immediate, flash, flash-override, critical, internet, and network. |
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use one of the following methods to specify the source and destination arguments:

- An IPv4 address followed by a network wildcard, for example to match the 192.168.67.0 subnet.
- An IPv4 address followed by a VLSM prefix length (IPv4-address/length), for example to match the 192.168.67.0 subnet.
- The host keyword followed by a single IPv4 address, for example host 192.168.67.132. This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
- The any keyword, which matches every IPv4 address.
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the ICMP message-type keywords, such as echo, echo-reply, time-exceeded, and unreachable.
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all ICMP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
To create an access control list (ACL) rule that permits IPv4 IGMP traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit igmp source destination [ igmp-message | dscp dscp | fragments | log | precedence precedence ]
no permit igmp source destination [ igmp-message | dscp dscp | fragments | log | precedence precedence ]
Note You can also specify the igmp keyword by its IP protocol number (IGMP is protocol 2). Valid protocol numbers are from 0 to 255.
| Syntax element | Description |
|---|---|
| sequence-number | (Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
| igmp | Specifies that the rule applies to IGMP traffic only. When you use this keyword, the igmp-message argument is available. |
| source | Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| destination | Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| igmp-message | (Optional) Rule that matches only packets of the specified IGMP message type. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15, or one of the IGMP message-type keywords, such as host-query and host-report. |
| dscp dscp | (Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be a number from 0 to 63 or a DSCP keyword such as af11, cs1, default, or ef. |
| fragments | (Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule in which you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments. |
| log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the protocol, the source and destination addresses, and the source and destination port numbers, if applicable. |
| precedence precedence | (Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number from 0 to 7 or one of the keywords routine, priority, immediate, flash, flash-override, critical, internet, and network. |
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use one of the following methods to specify the source and destination arguments:

- An IPv4 address followed by a network wildcard, for example to match the 192.168.67.0 subnet.
- An IPv4 address followed by a VLSM prefix length (IPv4-address/length), for example to match the 192.168.67.0 subnet.
- The host keyword followed by a single IPv4 address, for example host 192.168.67.132. This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
- The any keyword, which matches every IPv4 address.
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all IGMP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
To create an access control list (ACL) rule that permits IPv4 traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit ip source destination [ dscp dscp | fragments | log | precedence precedence ]
no permit ip source destination [ dscp dscp | fragments | log | precedence precedence ]
| Syntax element | Description |
|---|---|
| sequence-number | (Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
| source | Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| destination | Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| dscp dscp | (Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be a number from 0 to 63 or a DSCP keyword such as af11, cs1, default, or ef. |
| fragments | (Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule in which you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments. |
| log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the protocol, the source and destination addresses, and the source and destination port numbers, if applicable. |
| precedence precedence | (Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number from 0 to 7 or one of the keywords routine, priority, immediate, flash, flash-override, critical, internet, and network. |
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use one of the following methods to specify the source and destination arguments:

- An IPv4 address followed by a network wildcard, for example to match the 192.168.67.0 subnet.
- An IPv4 address followed by a VLSM prefix length (IPv4-address/length), for example to match the 192.168.67.0 subnet.
- The host keyword followed by a single IPv4 address, for example host 192.168.67.132. This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
- The any keyword, which matches every IPv4 address.
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
To create an access control list (ACL) rule that permits IPv4 TCP traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | fragments | log | precedence precedence | flags | established ]
no permit tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | fragments | log | precedence precedence | flags | established ]
| Syntax element | Description |
|---|---|
| sequence-number | (Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
| source | Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| destination | Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| operator port [ port ] | (Optional) Rule that matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see the “TCP Port Names” section in the “Usage Guidelines” section. A second port argument is required only when the operator argument is range. The operator argument must be one of the keywords eq, gt, lt, neq, or range. |
| portgroup portgroup | (Optional) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects. |
| dscp dscp | (Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be a number from 0 to 63 or a DSCP keyword such as af11, cs1, default, or ef. |
| fragments | (Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule in which you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments. |
| log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the protocol, the source and destination addresses, and the source and destination port numbers, if applicable. |
| precedence precedence | (Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number from 0 to 7 or one of the keywords routine, priority, immediate, flash, flash-override, critical, internet, and network. |
| flags | (Optional) Rule that matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the keywords ack, fin, psh, rst, syn, and urg. |
| established | (Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The switch considers TCP packets with the ACK or RST bits set to belong to an established connection. This check is stateless: the switch inspects only the flag bits of each packet and keeps no connection state, so a packet with ACK or RST set matches whether or not a connection actually exists. |
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
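The following Python model applies the operator, flags, and established conditions described above to constructed TCP packets. It is an added illustration, not NX-OS code or Cisco documentation: the packets and port numbers are made up for the example, established is encoded exactly as the text states (the ACK or RST bit is set, nothing else is checked), and the rule that every keyword listed after flags must be set in the packet is this model's own assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# TCP control bits keyed by the keywords accepted after 'flags'
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def tcp_flags(*names: str) -> int:
    """Build a flag bitmask from keyword names, e.g. tcp_flags("syn", "ack")."""
    return sum(TCP_FLAG_BITS[n] for n in names)


@dataclass(frozen=True)
class TcpPacket:
    src_port: int
    dst_port: int
    flags: int            # bitmask built with tcp_flags()


@dataclass(frozen=True)
class PortMatch:
    """operator port [port]: eq, neq, gt, lt, or range (range needs the second port)."""
    op: str
    port: int
    port2: Optional[int] = None

    def matches(self, value: int) -> bool:
        if self.op == "eq":
            return value == self.port
        if self.op == "neq":
            return value != self.port
        if self.op == "gt":
            return value > self.port
        if self.op == "lt":
            return value < self.port
        if self.op == "range":
            if self.port2 is None:
                raise ValueError("range requires two port arguments")
            return self.port <= value <= self.port2
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class TcpRule:
    src: Optional[PortMatch] = None       # operator given after the source address
    dst: Optional[PortMatch] = None       # operator given after the destination address
    flags: FrozenSet[str] = frozenset()   # keywords given with 'flags'
    established: bool = False

    def matches(self, pkt: TcpPacket) -> bool:
        if self.src is not None and not self.src.matches(pkt.src_port):
            return False
        if self.dst is not None and not self.dst.matches(pkt.dst_port):
            return False
        # Assumption of this model: every keyword listed after 'flags' must be set.
        if any(not pkt.flags & TCP_FLAG_BITS[f] for f in self.flags):
            return False
        # 'established' as documented: the ACK or RST bit is set. No state is kept.
        if self.established and not pkt.flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]):
            return False
        return True


def established_probe_results() -> dict:
    """Which constructed packets a rule carrying only 'established' lets through."""
    rule = TcpRule(established=True)
    probes = {
        "syn (new connection)":   TcpPacket(40000, 22, tcp_flags("syn")),
        "syn-ack (reply)":        TcpPacket(22, 40000, tcp_flags("syn", "ack")),
        "ack-only (ACK scan)":    TcpPacket(40001, 22, tcp_flags("ack")),
        "rst (RST probe)":        TcpPacket(40002, 22, tcp_flags("rst")),
        "fin-only (FIN scan)":    TcpPacket(40003, 22, tcp_flags("fin")),
    }
    return {name: rule.matches(p) for name, p in probes.items()}


if __name__ == "__main__":
    for name, permitted in established_probe_results().items():
        print(f"{name:24} {'permit' if permitted else 'no match'}")
```

The probe results show why a rule such as permit tcp any any established is not a substitute for stateful inspection: an ACK-only or RST probe from a host that never completed a handshake satisfies the rule, while the SYN that opens a new connection does not.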
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use one of the following methods to specify the source and destination arguments:

- The addrgroup keyword followed by the name of an IPv4 address object group, for example the group named lab-gateway-svrs.
- An IPv4 address followed by a network wildcard, for example to match the 192.168.67.0 subnet.
- An IPv4 address followed by a VLSM prefix length (IPv4-address/length), for example to match the 192.168.67.0 subnet.
- The host keyword followed by a single IPv4 address, for example host 192.168.67.132. This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
- The any keyword, which matches every IPv4 address.
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the TCP port-name keywords, such as bgp, ftp, smtp, telnet, and www.
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all TCP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
To create an access control list (ACL) rule that permits IPv4 UDP traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | fragments | log | precedence precedence ]
no permit udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | fragments | log | precedence precedence ]
| Syntax element | Description |
|---|---|
| sequence-number | (Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
| source | Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| destination | Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| operator port [ port ] | (Optional) Rule that matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see the “UDP Port Names” section in the “Usage Guidelines” section. A second port argument is required only when the operator argument is range. The operator argument must be one of the keywords eq, gt, lt, neq, or range. |
| portgroup portgroup | (Optional) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects. |
| dscp dscp | (Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be a number from 0 to 63 or a DSCP keyword such as af11, cs1, default, or ef. |
| fragments | (Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule in which you specify Layer 4 options, such as a UDP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments. |
| log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the protocol, the source and destination addresses, and the source and destination port numbers, if applicable. |
| precedence precedence | (Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number from 0 to 7 or one of the keywords routine, priority, immediate, flash, flash-override, critical, internet, and network. |
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use one of the following methods to specify the source and destination arguments:

- The addrgroup keyword followed by the name of an IPv4 address object group, for example the group named lab-gateway-svrs.
- An IPv4 address followed by a network wildcard, for example to match the 192.168.67.0 subnet.
- An IPv4 address followed by a VLSM prefix length (IPv4-address/length), for example to match the 192.168.67.0 subnet.
- The host keyword followed by a single IPv4 address, for example host 192.168.67.132. This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
- The any keyword, which matches every IPv4 address.
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the UDP port-name keywords, such as domain, ntp, snmp, syslog, and tftp.
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
To create an access control list (ACL) rule that permits IPv6 ICMP traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit icmp source destination [ icmp-message | dscp dscp | flow-label flow-label-value | fragments | log ]
no permit icmp source destination [ icmp-message | dscp dscp | flow-label flow-label-value | fragments | log ]
| Syntax element | Description |
|---|---|
| sequence-number | (Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
| source | Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| destination | Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| icmp-message | (Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under the “ICMPv6 Message Types” section in the “Usage Guidelines” section. |
| dscp dscp | (Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be a number from 0 to 63 or a DSCP keyword such as af11, cs1, default, or ef. |
| flow-label flow-label-value | (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575. |
| fragments | (Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule in which you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments. |
| log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the protocol, the source and destination addresses, and the source and destination port numbers, if applicable. |
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use one of the following methods to specify the source and destination arguments:

- An IPv6 address followed by a VLSM prefix length (IPv6-address/length), for example to match the 2001:0db8:85a3:: network.
- The host keyword followed by a single IPv6 address, for example host 2001:0db8:85a3:08d3:1319:8a2e:0370:7344. This syntax is equivalent to IPv6-address/128.
- The any keyword, which matches every IPv6 address.
The icmp-message argument can be the ICMPv6 message number, which is an integer from 0 to 255. It can also be one of the ICMPv6 message-type keywords, such as echo-request, echo-reply, nd-ns, and nd-na.
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules permitting all ICMP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
To create an access control list (ACL) rule that permits IPv6 traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit ipv6 source destination [ dscp dscp | flow-label flow-label-value | fragments | log ]
no permit ipv6 source destination [ dscp dscp | flow-label flow-label-value | fragments | log ]
| Syntax element | Description |
|---|---|
| sequence-number | (Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
| source | Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| destination | Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. |
| dscp dscp | (Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be a number from 0 to 63 or a DSCP keyword such as af11, cs1, default, or ef. |
| flow-label flow-label-value | (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575. |
| fragments | (Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule in which you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments. |
| log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the protocol, the source and destination addresses, and the source and destination port numbers, if applicable. |
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet against the rules in the ACL in order of sequence number and enforces the first rule whose conditions the packet satisfies. When the conditions of more than one rule are satisfied, the rule with the lowest sequence number is the one enforced.
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
The host IPv6-address form is equivalent to IPv6-address /128.
This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules permitting all IPv6 traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that permits all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
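The following Python model is an added example, not code or output from the Cisco documentation. It makes the ordering rules stated above executable: the first rule gets sequence number 10, an unnumbered rule is appended with the previous sequence plus 10, an explicit sequence number places a rule anywhere in the list, host X is shorthand for X/128, and a packet is governed by the lowest-numbered rule it satisfies. The ACL name and the 2001:0db8: prefixes come from the acl-lab13-ipv6 example above; the /48 and /64 prefix lengths, the rendered CLI text, the ICMP protocol choice and the sample packets are assumptions for illustration.

```python
"""Model of NX-OS IPv6 ACL rule ordering and source/destination matching.

Added example, not code from the Cisco documentation. Prefix lengths, the
rendered CLI and the sample packets are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

MAX_SEQ = 4294967295


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str        # "permit" or "deny"
    protocol: str      # "ipv6" matches any IPv6 packet; "icmp", "tcp", ... match that protocol only
    source: str        # "any", "host <addr>", or "<prefix>/<len>"
    destination: str
    fragments: bool = False   # match noninitial fragments only


def address_matches(spec: str, addr: str) -> bool:
    """Match one packet address against a source or destination specification."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        spec = spec.split()[1] + "/128"      # host X is equivalent to X/128
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)


class IPv6ACL:
    def __init__(self, name: str):
        self.name = name
        self.rules: Dict[int, Rule] = {}    # a newly created ACL contains no rules

    def add(self, action, protocol, source, destination, seq=None, fragments=False) -> int:
        if seq is None:
            # first rule is 10; later unnumbered rules go to the end, 10 higher
            seq = max(self.rules) + 10 if self.rules else 10
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence number {seq} out of range")
        if seq in self.rules:
            raise ValueError(f"sequence number {seq} already in use")
        self.rules[seq] = Rule(seq, action, protocol, source, destination, fragments)
        return seq

    def lookup(self, src, dst, protocol="ipv6", noninitial_fragment=False) -> Optional[Rule]:
        """Return the lowest-numbered rule the packet satisfies, or None if no rule matches."""
        for seq in sorted(self.rules):
            r = self.rules[seq]
            if r.protocol != "ipv6" and r.protocol != protocol:
                continue
            if r.fragments and not noninitial_fragment:
                continue
            if address_matches(r.source, src) and address_matches(r.destination, dst):
                return r
        return None

    def render(self) -> str:
        """CLI view of the ACL in evaluation order (formatting is assumed)."""
        lines = [f"ipv6 access-list {self.name}"]
        for seq in sorted(self.rules):
            r = self.rules[seq]
            tail = " fragments" if r.fragments else ""
            lines.append(f"  {seq} {r.action} {r.protocol} {r.source} {r.destination}{tail}")
        return "\n".join(lines)


def lab13_acl() -> IPv6ACL:
    """acl-lab13-ipv6 from the example above, plus a deny inserted ahead of it by sequence number."""
    acl = IPv6ACL("acl-lab13-ipv6")
    acl.add("permit", "icmp", "2001:0db8:85a3::/48", "2001:0db8:be03:2112::/64")  # seq 10 (assumed /48, /64)
    acl.add("permit", "icmp", "2001:0db8:69f2::/48", "2001:0db8:be03:2112::/64")  # seq 20
    # An explicit sequence number places this rule before both permits, so the
    # host is denied even though it also falls inside the /48 that rule 10 permits.
    acl.add("deny", "ipv6", "host 2001:0db8:85a3::1", "any", seq=5)
    return acl


if __name__ == "__main__":
    acl = lab13_acl()
    print(acl.render())
    print(acl.lookup("2001:0db8:85a3::1", "2001:0db8:be03:2112::10", "icmp"))
```

The lookup stops at the first satisfied rule, which is why a narrow deny only takes effect if its sequence number is lower than the broader permit it is meant to override; appending it without a sequence number would place it after rule 20, where it is never reached.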
To create an access control list (ACL) rule that permits IPv6 SCTP traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit sctp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | flow-label flow-label-value | fragments | log ]
no permit sctp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | flow-label flow-label-value | fragments | log ]
Argument | Description
---|---
sequence-number | (Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules.
source | Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
destination | Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
operator port [ port ] | (Optional) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is range. The operator argument must be one of the port-comparison keywords.
portgroup portgroup | (Optional) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects.
dscp dscp | (Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be a number or a DSCP keyword.
flow-label flow-label-value | (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
fragments | (Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a port number, because the information that the device requires to evaluate those options is contained only in initial fragments.
log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes details of the matching packet.
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet against the rules in the ACL in order of sequence number and enforces the first rule whose conditions the packet satisfies. When the conditions of more than one rule are satisfied, the rule with the lowest sequence number is the one enforced.
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
This example shows how to use an IPv6 address object group named lab-svrs-1301 to specify the destination argument:
This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
The host IPv6-address form is equivalent to IPv6-address /128.
This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules permitting all SCTP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that permits all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
To create an access control list (ACL) rule that permits IPv6 TCP traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | flags | flow-label flow-label-value | fragments | log | established ]
no permit tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | flags | flow-label flow-label-value | fragments | log | established ]
Argument | Description
---|---
sequence-number | (Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules.
source | Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
destination | Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
operator port [ port ] | (Optional) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see the “TCP Port Names” section in the “Usage Guidelines” section. A second port argument is required only when the operator argument is range. The operator argument must be one of the port-comparison keywords.
portgroup portgroup | (Optional) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects.
dscp dscp | (Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be a number or a DSCP keyword.
established | (Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection; this is a check on the flag bits of each packet, not a record of an observed handshake.
flags | (Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more TCP flag keywords.
flow-label flow-label-value | (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
fragments | (Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments.
log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes details of the matching packet.
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet against the rules in the ACL in order of sequence number and enforces the first rule whose conditions the packet satisfies. When the conditions of more than one rule are satisfied, the rule with the lowest sequence number is the one enforced.
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
The host IPv6-address form is equivalent to IPv6-address /128.
This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535, or a TCP port name keyword.
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules permitting all TCP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that permits all IPv6 TCP traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
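The Layer 4 options shared by the permit sctp, permit tcp and permit udp forms are modelled below in an added Python example that is not code from the Cisco documentation. The operator keywords eq, neq, lt, gt and range are assumed from NX-OS ACL syntax; the established test (ACK or RST set), the flags test and the rule that fragments cannot be combined with Layer 4 options follow the text above. The flags test is modelled as "every listed bit is set", and all segments are constructed. The point a practitioner should take from it is that established is a per-packet flag check with no connection state behind it, so an unsolicited ACK-only segment satisfies a permit tcp any any established rule exactly as a reply in a real connection would.

```python
"""Model of the Layer 4 matching options of NX-OS permit tcp / sctp / udp rules.

Added example, not code from the Cisco documentation. The operator keywords
(eq, neq, lt, gt, range) are assumed from NX-OS ACL syntax; 'established'
(ACK or RST set), the flags test and the fragments/Layer 4 exclusion follow
the text. All segments below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TCP_FLAGS = frozenset({"ack", "fin", "psh", "rst", "syn", "urg"})
OPERATORS = ("eq", "neq", "lt", "gt", "range")


@dataclass(frozen=True)
class PortMatch:
    """'operator port [ port ]' given after the source or destination argument."""
    op: str
    ports: Tuple[int, ...]     # one port; two for range

    def __post_init__(self):
        if self.op not in OPERATORS:
            raise ValueError(f"unknown operator {self.op!r}")
        want = 2 if self.op == "range" else 1
        if len(self.ports) != want:
            raise ValueError(f"{self.op} takes {want} port argument(s)")
        if not all(0 <= p <= 65535 for p in self.ports):
            raise ValueError("port must be 0 .. 65535")

    def matches(self, port: int) -> bool:
        if self.op == "eq":
            return port == self.ports[0]
        if self.op == "neq":
            return port != self.ports[0]
        if self.op == "lt":
            return port < self.ports[0]
        if self.op == "gt":
            return port > self.ports[0]
        return self.ports[0] <= port <= self.ports[1]


@dataclass(frozen=True)
class L4Rule:
    protocol: str                         # tcp | udp | sctp
    src: Optional[PortMatch] = None       # None: any source port
    dst: Optional[PortMatch] = None       # None: any destination port
    established: bool = False             # tcp only
    flags: FrozenSet[str] = frozenset()   # tcp only; all listed bits must be set (modelling choice)
    fragments: bool = False

    def __post_init__(self):
        if self.fragments and (self.src or self.dst or self.established or self.flags):
            # Ports and flags are carried in the initial fragment only, so the device
            # cannot evaluate them on the noninitial fragments this keyword selects.
            raise ValueError("fragments cannot be combined with Layer 4 options")
        if (self.established or self.flags) and self.protocol != "tcp":
            raise ValueError("established and flags apply to tcp rules only")
        if not self.flags <= TCP_FLAGS:
            raise ValueError(f"unknown TCP flag in {sorted(self.flags)}")


@dataclass(frozen=True)
class Segment:
    protocol: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()


def rule_matches(rule: L4Rule, seg: Segment) -> bool:
    if rule.protocol != seg.protocol:
        return False
    if rule.src and not rule.src.matches(seg.sport):
        return False
    if rule.dst and not rule.dst.matches(seg.dport):
        return False
    # 'established' is a stateless flag test, not connection tracking: any segment
    # with ACK or RST set qualifies, whether or not a handshake preceded it.
    if rule.established and not (seg.flags & {"ack", "rst"}):
        return False
    if rule.flags and not rule.flags <= seg.flags:
        return False
    return True


def rule_is_valid(**kwargs) -> bool:
    """True if L4Rule accepts the option combination, False if it rejects it."""
    try:
        L4Rule(**kwargs)
        return True
    except ValueError:
        return False


# permit tcp any any established
ESTABLISHED_ANY = L4Rule("tcp", established=True)
# permit tcp any range 1024 65535 any eq 22
SSH_FROM_EPHEMERAL = L4Rule("tcp", src=PortMatch("range", (1024, 65535)),
                            dst=PortMatch("eq", (22,)))

SYN_TO_SSH = Segment("tcp", 40000, 22, frozenset({"syn"}))
ACK_ONLY_TO_SSH = Segment("tcp", 40000, 22, frozenset({"ack"}))   # no handshake preceded it
```

Because the ACL is stateless, a permit that relies on established should sit behind an explicit port-based rule set rather than stand alone, and the fragments keyword belongs in a separate rule with no port, flag or established options.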
To create an access control list (ACL) rule that permits IPv6 UDP traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | flow-label flow-label-value | fragments | log ]
no permit udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | flow-label flow-label-value | fragments | log ]
Argument | Description
---|---
sequence-number | (Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules.
source | Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
destination | Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
operator port [ port ] | (Optional) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see the “UDP Port Names” section in the “Usage Guidelines” section. A second port argument is required only when the operator argument is range. The operator argument must be one of the port-comparison keywords.
portgroup portgroup | (Optional) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects.
dscp dscp | (Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be a number or a DSCP keyword.
flow-label flow-label-value | (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
fragments | (Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a UDP port number, because the information that the device requires to evaluate those options is contained only in initial fragments.
log | (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes details of the matching packet.
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet against the rules in the ACL in order of sequence number and enforces the first rule whose conditions the packet satisfies. When the conditions of more than one rule are satisfied, the rule with the lowest sequence number is the one enforced.
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
The host IPv6-address form is equivalent to IPv6-address /128.
This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535, or a UDP port name keyword.
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules permitting all UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that permits all UDP traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
To create a MAC access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]
no permit source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the switch assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
MAC ACL configuration mode (config-mac-acl)
When the switch applies a MAC ACL to a packet, it evaluates the packet against the rules in the ACL in order of sequence number and enforces the first rule whose conditions the packet satisfies. When the conditions of more than one rule are satisfied, the rule with the lowest sequence number is the one enforced.
You can specify the source and destination arguments in one of two ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
This example specifies the source argument with the MAC address 00c0.4f03.0a72:
This example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
The protocol argument can be the MAC protocol (EtherType) number or a keyword. The protocol number is a hexadecimal number of up to four digits (two bytes) prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
This example shows how to configure a MAC ACL named mac-filter with a rule that permits traffic between two groups of MAC addresses:
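The address-and-mask matching that the two examples above rely on is shown below in an added Python example that is not code from the Cisco documentation. Addresses are written in the dotted form the page uses (00c0.4f03.0a72). The mask is treated as a wildcard in which a 1 bit means "ignore this bit", which is the reading under which the page's vendor-code example (address 0060.3e00.0000 with mask 0000.00ff.ffff) selects every host whose MAC begins with 00603e; that interpretation, the EtherType value 0x0806 (ARP) and the sample frames are assumptions for illustration.

```python
"""Model of NX-OS MAC ACL source/destination matching.

Added example, not code from the Cisco documentation. The mask is modelled as
a wildcard (1 bits ignored), an assumption that reproduces the page's vendor
code example. Frames and the protocol value are constructed.
"""
from dataclasses import dataclass
from typing import Optional

MAC_BITS = (1 << 48) - 1


def mac_to_int(dotted: str) -> int:
    """'00c0.4f03.0a72' -> 0x00c04f030a72 (colon form is accepted too)."""
    hexstr = dotted.replace(".", "").replace(":", "")
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC address {dotted!r}")
    return int(hexstr, 16)


@dataclass(frozen=True)
class MacSpec:
    """One source or destination: 'any', or an address plus wildcard mask."""
    address: Optional[int] = None     # None means 'any'
    mask: int = 0                     # 0 bits must match, 1 bits are ignored

    @classmethod
    def parse(cls, address: str, mask: str = "0000.0000.0000") -> "MacSpec":
        if address == "any":
            return cls()
        return cls(mac_to_int(address), mac_to_int(mask))

    def matches(self, mac: str) -> bool:
        if self.address is None:
            return True
        care = ~self.mask & MAC_BITS            # the bits the rule insists on
        return (mac_to_int(mac) & care) == (self.address & care)


@dataclass(frozen=True)
class MacRule:
    source: MacSpec
    destination: MacSpec
    protocol: Optional[int] = None    # EtherType 0x0 .. 0xffff; None = any protocol
    cos: Optional[int] = None
    vlan: Optional[int] = None

    def __post_init__(self):
        if self.protocol is not None and not 0 <= self.protocol <= 0xFFFF:
            raise ValueError("protocol must be in 0x0 .. 0xffff")

    def matches(self, src: str, dst: str, ethertype: int,
                cos: int = 0, vlan: Optional[int] = None) -> bool:
        return (self.source.matches(src)
                and self.destination.matches(dst)
                and (self.protocol is None or self.protocol == ethertype)
                and (self.cos is None or self.cos == cos)
                and (self.vlan is None or self.vlan == vlan))


# permit 00c0.4f03.0a72 0000.0000.0000 0060.3e00.0000 0000.00ff.ffff 0x0806
# one host sending ARP (0x0806, assumed) to any device with vendor code 00603e
HOST_TO_VENDOR_ARP = MacRule(
    MacSpec.parse("00c0.4f03.0a72"),
    MacSpec.parse("0060.3e00.0000", "0000.00ff.ffff"),
    protocol=0x0806,
)
```

The all-zero mask after a single address is what turns the first example above into an exact-host match; leaving the low three bytes of the mask at ff is what makes the second example match an entire vendor range.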
To add interfaces for a user role interface policy, use the permit interface command. To remove interfaces, use the no form of this command.
permit interface interface-list
Argument | Description
---|---
interface-list | List of interfaces that the user role has permission to access.
Interface policy configuration mode
For permit interface statements to work, you need to configure a command rule to allow interface access, as shown in the following example:
This example shows how to configure a range of interfaces for a user role interface policy:
This example shows how to configure a list of interfaces for a user role interface policy:
This example shows how to remove an interface from a user role interface policy:
Command | Description
---|---
role name | Creates or specifies a user role and enters user role configuration mode.
To add VLANs for a user role VLAN policy, use the permit vlan command. To remove VLANs, use the no form of this command.
VLAN policy configuration mode
For permit vlan statements to work, you need to configure a command rule to allow VLAN access, as shown in the following example:
This example shows how to configure a range of VLANs for a user role VLAN policy:
This example shows how to configure a list of VLANs for a user role VLAN policy:
This example shows how to remove a VLAN from a user role VLAN policy:
Command | Description
---|---
role name | Creates or specifies a user role and enters user role configuration mode.
To add virtual routing and forwarding instances (VRFs) for a user role VRF policy, use the permit vrf command. To remove VRFs, use the no form of this command.
This example shows how to configure a range of VRFs for a user role VRF policy:
Command | Description
---|---
role name | Creates or specifies a user role and enters user role configuration mode.
To permit access to a VSAN policy for a user role, use the permit vsan command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.
Range of VSANs accessible to a user role. The range is from 1 to 4093.
This command is enabled only after you deny a VSAN policy by using the vsan policy deny command.
This example shows how to permit access to a VSAN policy for a user role:
Command | Description
---|---
role name | Creates or specifies a user role and enters user role configuration mode.