SPECIAL-ACL Commands

arp_acl_rule (aclmgr)

{ [seqno] | no } permitdeny { [arp_request] req_ip { sender1_ip_any | { sender1_host sender1_ip | sender1_net_ip sender1_ip_mask } } mac { sender1_mac_any | { sender1_mac_host sender1_mac | sender1_net_mac sender1_mac_mask } } | arp_response resp_ip { sender2_ip_any | { sender2_host sender2_ip | sender2_net_ip sender2_ip_mask } } { target_ip_any | { target_host target_ip | target_net_ip target_ip_mask } } mac { sender2_mac_any | { sender2_mac_host sender2_mac | sender2_net_mac sender2_mac_mask } } [ target_mac_any | { target_mac_host target_mac | target_net_mac target_mac_mask } ] } [arp_log] [ capture session session-id ]

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject

req_ip

Any IP protocol

resp_ip

Any IP protocol

arp_request

ARP_Request

request  value: 1
ARP requests

arp_response

ARP_Response

response  value: 1
ARP Responses

sender1_ip_any

Any

any  value: 1
Any IP address

sender1_host

Host

host  value: 1
host IP address

sender1_ip

Type: ipaddr

IP address <a.b.c.d>

sender1_net_ip

Type: ipaddr

IP address <a.b.c.d>

sender1_ip_mask

Type: ipaddr

IP mask <a.b.c.d>

sender2_ip_any

Any

any  value: 1
Any IP address

sender2_host

Host

host  value: 1
host IP address

sender2_ip

Type: ipaddr

IP address <a.b.c.d>

sender2_net_ip

Type: ipaddr

IP address <a.b.c.d>

sender2_ip_mask

Type: ipaddr

IP mask <a.b.c.d>

target_ip_any

Any

any  value: 1
Any IP address

target_host

Host

host  value: 1
host IP address

target_ip

Type: ipaddr

IP address <a.b.c.d>

target_net_ip

Type: ipaddr

IP address <a.b.c.d>

target_ip_mask

Type: ipaddr

IP mask <a.b.c.d>

mac

MAC configuration commands

sender1_mac_any

Any

any  value: 1
Any MAC address

sender1_mac_host

Host

host  value: 1
host MAC address

sender1_mac

Type: ethernet

MAC address EEEE.EEEE.EEEE

sender1_net_mac

Type: ethernet

MAC address EEEE.EEEE.EEEE

sender1_mac_mask

Type: ethernet

MAC mask EEEE.EEEE.EEEE

sender2_mac_any

Any

any  value: 1
Any MAC address

sender2_mac_host

Host

host  value: 1
host MAC address

sender2_mac

Type: ethernet

MAC address EEEE.EEEE.EEEE

sender2_net_mac

Type: ethernet

MAC address EEEE.EEEE.EEEE

sender2_mac_mask

Type: ethernet

MAC mask EEEE.EEEE.EEEE

target_mac_any

Any

any  value: 1
Any MAC address

target_mac_host

Host

host  value: 1
host MAC address

target_mac

Type: ethernet

MAC address EEEE.EEEE.EEEE

target_net_mac

Type: ethernet

MAC address EEEE.EEEE.EEEE

target_mac_mask

Type: ethernet

MAC mask EEEE.EEEE.EEEE

arp_log

Log

log  value: 1
Log on match

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/arpacl

ip_acl_rule (aclmgr)

{ [seqno] | no } permitdeny proto_tcp { { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } [ src_port_op { src_port0 | src_port0_str } | src_port_range { src_port1 | src_port1_str } { src_port2 | src_port2_str } | src_portgroup src_port_group ] { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dst_port_op { dst_port0 | dst_port0_str } | dst_port_range { dst_port1 | dst_port1_str } { dst_port2 | dst_port2_str } | dst_portgroup dst_port_group ] { [ urg | ack | psh | rst | syn | fin | established | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ urg | ack | psh | rst | syn | fin | established | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } | { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } { [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } } [ capture session session-id ]

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject

proto_tcp

Protocol

tcp  value: 6
Transmission Control Protocol

src_any

Any

src_addr

Type: ipaddr

Source network address

src_wild

Type: ipaddr

Source wildcard bits

src_prefix

Type: ipprefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipaddr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

src_port_op

Port operator

src_port_range

Port range

src_port0

Type: integer

min: 0  max: 65535  

Port number

src_port0_str

TCP port

src_port1

Type: integer

min: 0  max: 65535  

Port number

src_port1_str

TCP port

src_port2

Type: integer

min: 0  max: 65535  

Port number

src_port2_str

TCP port

src_portgroup

Source port group. Not available in this release.

src_port_group

Type: string

Port group name

dst_any

Any

dst_addr

Type: ipaddr

Destination network address

dst_wild

Type: ipaddr

Destination wildcard bits

dst_prefix

Type: ipprefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipaddr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dst_port_op

Port operator

dst_port_range

Port range

dst_port0

Type: integer

min: 0  max: 65535  

Port number

dst_port0_str

TCP port

dst_port1

Type: integer

min: 0  max: 65535  

Port number

dst_port1_str

TCP port

dst_port2

Type: integer

min: 0  max: 65535  

Port number

dst_port2_str

TCP port

dst_portgroup

Destination port group. Not available in this release.

dst_port_group

Type: string

Port group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)

tos

Match packets with given TOS value

tos_num

Type: integer

min: 0  max: 15  

Type of service value

tos_str

Type of service label

precedence

Match packets with given precedence value

prec_num

Type: integer

min: 0  max: 7  

Precedence value

prec_str

Precedence label

routine  value: 0
Match packets with routine precedence (0)
priority  value: 1
Match packets with priority precedence (1)
immediate  value: 2
Match packets with immediate precedence (2)
flash  value: 3
Match packets with flash precedence (3)
flash-override  value: 4
Match packets with flash override precedence (4)
critical  value: 5
Match packets with critical precedence (5)
internet  value: 6
Match packets with internetwork control precedence (6)
network  value: 7
Match packets with network control precedence (7)

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

urg

Match on the URG bit

ack

Match on the ACK bit

psh

Match on the PSH bit

rst

Match on the RST bit

syn

Match on the SYN bit

fin

Match on the FIN bit

established

Match established connections

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipacl

ip_acl_rule (aclmgr)

{ [seqno] | no } permitdeny proto_udp { { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } [ src_port_op { src_port0 | src_port0_str } | src_port_range { src_port1 | src_port1_str } { src_port2 | src_port2_str } | src_portgroup src_port_group ] { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dst_port_op { dst_port0 | dst_port0_str } | dst_port_range { dst_port1 | dst_port1_str } { dst_port2 | dst_port2_str } | dst_portgroup dst_port_group ] { [ [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } | { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } { [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } } [ capture session session-id ]

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject

proto_udp

Protocol

udp  value: 17
User Datagram Protocol

src_any

Any

src_addr

Type: ipaddr

Source network address

src_wild

Type: ipaddr

Source wildcard bits

src_prefix

Type: ipprefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipaddr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

src_port_op

Port operator

src_port_range

Port range

src_port0

Type: integer

min: 0  max: 65535  

Port number

src_port0_str

UDP port

src_port1

Type: integer

min: 0  max: 65535  

Port number

src_port1_str

UDP port

src_port2

Type: integer

min: 0  max: 65535  

Port number

src_port2_str

UDP port

src_portgroup

Source port group. Not available in this release.

src_port_group

Type: string

Port group name

dst_any

Any

dst_addr

Type: ipaddr

Destination network address

dst_wild

Type: ipaddr

Destination wildcard bits

dst_prefix

Type: ipprefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipaddr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dst_port_op

Port operator

dst_port_range

Port range

dst_port0

Type: integer

min: 0  max: 65535  

Port number

dst_port0_str

UDP port

dst_port1

Type: integer

min: 0  max: 65535  

Port number

dst_port1_str

UDP port

dst_port2

Type: integer

min: 0  max: 65535  

Port number

dst_port2_str

UDP port

dst_portgroup

Destination port group. Not available in this release.

dst_port_group

Type: string

Port group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)

tos

Match packets with given TOS value

tos_num

Type: integer

min: 0  max: 15  

Type of service value

tos_str

Type of service label

precedence

Match packets with given precedence value

prec_num

Type: integer

min: 0  max: 7  

Precedence value

prec_str

Precedence label

routine  value: 0
Match packets with routine precedence (0)
priority  value: 1
Match packets with priority precedence (1)
immediate  value: 2
Match packets with immediate precedence (2)
flash  value: 3
Match packets with flash precedence (3)
flash-override  value: 4
Match packets with flash override precedence (4)
critical  value: 5
Match packets with critical precedence (5)
internet  value: 6
Match packets with internetwork control precedence (6)
network  value: 7
Match packets with network control precedence (7)

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipacl

ip_acl_rule (aclmgr)

{ [seqno] | no } permitdeny proto_igmp { { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } { [ [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } | { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } { [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } [ capture session session-id ] }

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject

proto_igmp

Protocol

igmp  value: 2
Internet Group Management Protocol

src_any

Any

src_addr

Type: ipaddr

Source network address

src_wild

Type: ipaddr

Source wildcard bits

src_prefix

Type: ipprefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipaddr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

dst_any

Any

dst_addr

Type: ipaddr

Destination network address

dst_wild

Type: ipaddr

Destination wildcard bits

dst_prefix

Type: ipprefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipaddr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)

tos

Match packets with given TOS value

tos_num

Type: integer

min: 0  max: 15  

Type of service value

tos_str

Type of service label

precedence

Match packets with given precedence value

prec_num

Type: integer

min: 0  max: 7  

Precedence value

prec_str

Precedence label

routine  value: 0
Match packets with routine precedence (0)
priority  value: 1
Match packets with priority precedence (1)
immediate  value: 2
Match packets with immediate precedence (2)
flash  value: 3
Match packets with flash precedence (3)
flash-override  value: 4
Match packets with flash override precedence (4)
critical  value: 5
Match packets with critical precedence (5)
internet  value: 6
Match packets with internetwork control precedence (6)
network  value: 7
Match packets with network control precedence (7)

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipacl

ip_acl_rule (aclmgr)

{ [seqno] | no } permitdeny proto_icmp { { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } { [ [log] [ time-range time_range_name ] | icmp_type [icmp_code] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [log] [ time-range time_range_name ] | icmp_str | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [log] [ time-range time_range_name ] | icmp_type [icmp_code] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + | [ [log] [ time-range time_range_name ] | icmp_str | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } | { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } { [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } [ capture session session-id ] }

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject

proto_icmp

Protocol

icmp  value: 1
Internet Control Message Protocol

src_any

Any

src_addr

Type: ipaddr

Source network address

src_wild

Type: ipaddr

Source wildcard bits

src_prefix

Type: ipprefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipaddr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

dst_any

Any

dst_addr

Type: ipaddr

Destination network address

dst_wild

Type: ipaddr

Destination wildcard bits

dst_prefix

Type: ipprefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipaddr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)

tos

Match packets with given TOS value

tos_num

Type: integer

min: 0  max: 15  

Type of service value

tos_str

Type of service label

precedence

Match packets with given precedence value

prec_num

Type: integer

min: 0  max: 7  

Precedence value

prec_str

Precedence label

routine  value: 0
Match packets with routine precedence (0)
priority  value: 1
Match packets with priority precedence (1)
immediate  value: 2
Match packets with immediate precedence (2)
flash  value: 3
Match packets with flash precedence (3)
flash-override  value: 4
Match packets with flash override precedence (4)
critical  value: 5
Match packets with critical precedence (5)
internet  value: 6
Match packets with internetwork control precedence (6)
network  value: 7
Match packets with network control precedence (7)

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

icmp_type

Type: integer

min: 0  max: 255  

ICMP message type

icmp_code

Type: integer

min: 0  max: 255  

ICMP message code

icmp_str

ICMP label

echo-reply  value: 0
Echo reply
unreachable  value: 1
All unreachables
net-unreachable  value: 2
Net unreachable
host-unreachable  value: 3
Host unreachable
dod-host-prohibited  value: 4
Host prohibited
net-tos-unreachable  value: 5
Network unreachable for TOS
host-tos-unreachable  value: 6
Host unreachable for TOS
administratively-prohibited  value: 7
Administratively prohibited
host-precedence-unreachable  value: 8
Host unreachable for precedence
precedence-unreachable  value: 9
Precedence cutoff
protocol-unreachable  value: 10
Protocol unreachable
port-unreachable  value: 11
Port unreachable
packet-too-big  value: 12
Fragmentation needed and DF set
source-route-failed  value: 13
Source route failed
network-unknown  value: 14
Network unknown
host-unknown  value: 15
Host unknown
host-isolated  value: 16
Host isolated
dod-net-prohibited  value: 17
Net prohibited
source-quench  value: 18
Source quenches
redirect  value: 19
All redirects
net-redirect  value: 20
Network redirect
host-redirect  value: 21
Host redirect
net-tos-redirect  value: 22
Net redirect for TOS
host-tos-redirect  value: 23
Host redirect for TOS
alternate-address  value: 24
Alternate address
echo  value: 25
Echo (ping)
router-advertisement  value: 26
Router discovery advertisements
router-solicitation  value: 27
Router discovery solicitations
time-exceeded  value: 28
All time exceededs
ttl-exceeded  value: 29
TTL exceeded
reassembly-timeout  value: 30
Reassembly timeout
parameter-problem  value: 31
All parameter problems
general-parameter-problem  value: 32
Parameter problem
option-missing  value: 33
Parameter required but not present
no-room-for-option  value: 34
Parameter required but no room
timestamp-request  value: 35
Timestamp requests
timestamp-reply  value: 36
Timestamp replies
information-request  value: 37
Information requests
information-reply  value: 38
Information replies
mask-request  value: 39
Mask requests
mask-reply  value: 40
Mask replies
traceroute  value: 41
Traceroute
conversion-error  value: 42
Datagram conversion
mobile-redirect  value: 43
Mobile host redirect

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipacl

ip_acl_rule (aclmgr)

{ [seqno] | no } permitdeny { ip | proto | ip_other_proto } { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } { [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | dscp { dscp_num | dscp_str } ] | + | [ [fragments] | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } | tos { tos_num | tos_str } | precedence { prec_num | prec_str } ] | + } [ capture session session-id ]

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject

ip

Any IP protocol

proto

Type: uinteger

min: 0  max: 255  

A protocol number

ip_other_proto

ip_other_proto

ahp  value: 51
Authentication header protocol
eigrp  value: 88
Cisco's EIGRP routing protocol
esp  value: 50
Encapsulation security payload
gre  value: 47
Cisco's GRE tunneling
ospf  value: 89
OSPF routing protocol
nos  value: 94
KA9Q NOS compatible IP over IP tunneling
pim  value: 103
Protocol independent multicast
pcp  value: 108
Payload compression protocol

src_any

Any

src_addr

Type: ipaddr

Source network address

src_wild

Type: ipaddr

Source wildcard bits

src_prefix

Type: ipprefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipaddr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

dst_any

Any

dst_addr

Type: ipaddr

Destination network address

dst_wild

Type: ipaddr

Destination wildcard bits

dst_prefix

Type: ipprefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipaddr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)
tos

Match packets with given TOS value

tos_num

Type: integer

min: 0  max: 15  

Type of service value

tos_str

Type of service label

precedence

Match packets with given precedence value

prec_num

Type: integer

min: 0  max: 7  

Precedence value

prec_str

Precedence label

routine  value: 0
Match packets with routine precedence (0)
priority  value: 1
Match packets with priority precedence (1)
immediate  value: 2
Match packets with immediate precedence (2)
flash  value: 3
Match packets with flash precedence (3)
flash-override  value: 4
Match packets with flash override precedence (4)
critical  value: 5
Match packets with critical precedence (5)
internet  value: 6
Match packets with internetwork control precedence (6)
network  value: 7
Match packets with network control precedence (7)
fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipacl

ipv6_acl_rule (aclmgr)

{ [seqno] | no } permitdeny proto_tcp { { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } [ src_port_op { src_port0 | src_port0_str } | src_port_range { src_port1 | src_port1_str } { src_port2 | src_port2_str } | src_portgroup src_port_group ] { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dst_port_op { dst_port0 | dst_port0_str } | dst_port_range { dst_port1 | dst_port1_str } { dst_port2 | dst_port2_str } | dst_portgroup dst_port_group ] { [ dscp { dscp_num | dscp_str } ] | [ flow-label flow_num ] | [log] [ time-range time_range_name ] | [ urg | ack | psh | rst | syn | fin | established ] | [ packet-length { plen_op plen0 | plen_range plen1 plen2 } ] } + | { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dscp { dscp_num | dscp_str } ] [ flow-label flow_num ] [fragments] [log] [ time-range time_range_name ] [ packet-length { plen_op plen0 | plen_range plen1 plen2 } ] + [ capture session session-id ] }

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject
proto_tcp

Protocol

tcp  value: 6
Transmission Control Protocol
src_any

Any

src_addr

Type: ipv6addr

Source network address

src_wild

Type: ipv6addr

Source wildcard bits

src_prefix

Type: ipv6prefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipv6addr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

src_port_op

Port operator

src_port_range

Port range

src_port0

Type: integer

min: 0  max: 65535  

Port number

src_port0_str

TCP port

src_port1

Type: integer

min: 0  max: 65535  

Port number

src_port1_str

TCP port

src_port2

Type: integer

min: 0  max: 65535  

Port number

src_port2_str

TCP port

src_portgroup

Source port group. Not available in this release.

src_port_group

Type: string

Port group name

dst_any

Any

dst_addr

Type: ipv6addr

Destination network address

dst_wild

Type: ipv6addr

Destination wildcard bits

dst_prefix

Type: ipv6prefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipv6addr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dst_port_op

Port operator

dst_port_range

Port range

dst_port0

Type: integer

min: 0  max: 65535  

Port number

dst_port0_str

TCP port

dst_port1

Type: integer

min: 0  max: 65535  

Port number

dst_port1_str

TCP port

dst_port2

Type: integer

min: 0  max: 65535  

Port number

dst_port2_str

TCP port

dst_portgroup

Destination port group. Not available in this release.

dst_port_group

Type: string

Port group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)
flow-label

Flow label. Not available in this release.

flow_num

Type: integer

min: 0  max: 1048575  

Flow label value

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

urg

Match on the URG bit

ack

Match on the ACK bit

psh

Match on the PSH bit

rst

Match on the RST bit

syn

Match on the SYN bit

fin

Match on the FIN bit

established

Match established connections

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipv6acl

ipv6_acl_rule (aclmgr)

{ [seqno] | no } permitdeny proto_udp { { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } [ src_port_op { src_port0 | src_port0_str } | src_port_range { src_port1 | src_port1_str } { src_port2 | src_port2_str } | src_portgroup src_port_group ] { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dst_port_op { dst_port0 | dst_port0_str } | dst_port_range { dst_port1 | dst_port1_str } { dst_port2 | dst_port2_str } | dst_portgroup dst_port_group ] [ dscp { dscp_num | dscp_str } ] [ flow-label flow_num ] [log] [ time-range time_range_name ] [ packet-length { plen_op plen0 | plen_range plen1 plen2 } ] + | { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dscp { dscp_num | dscp_str } ] [ flow-label flow_num ] [fragments] [log] [ time-range time_range_name ] [ packet-length { plen_op plen0 | plen_range plen1 plen2 } ] + [ capture session session-id ] }

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject
proto_udp

Protocol

udp  value: 17
User Datagram Protocol
proto_sctp

Protocol

sctp  value: 132
Stream Control Transmission Protocol
src_any

Any

src_addr

Type: ipv6addr

Source network address

src_wild

Type: ipv6addr

Source wildcard bits

src_prefix

Type: ipv6prefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipv6addr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

src_port_op

Port operator

src_port_range

Port range

src_port0

Type: integer

min: 0  max: 65535  

Port number

src_port0_str

UDP port

src_port1

Type: integer

min: 0  max: 65535  

Port number

src_port1_str

UDP port

src_port2

Type: integer

min: 0  max: 65535  

Port number

src_port2_str

UDP port

src_portgroup

Source port group. Not available in this release.

src_port_group

Type: string

Port group name

dst_any

Any

dst_addr

Type: ipv6addr

Destination network address

dst_wild

Type: ipv6addr

Destination wildcard bits

dst_prefix

Type: ipv6prefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipv6addr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dst_port_op

Port operator

dst_port_range

Port range

dst_port0

Type: integer

min: 0  max: 65535  

Port number

dst_port0_str

UDP port

dst_port1

Type: integer

min: 0  max: 65535  

Port number

dst_port1_str

UDP port

dst_port2

Type: integer

min: 0  max: 65535  

Port number

dst_port2_str

UDP port

dst_portgroup

Destination port group. Not available in this release.

dst_port_group

Type: string

Port group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)
flow-label

Flow label. Not available in this release.

flow_num

Type: integer

min: 0  max: 1048575  

Flow label value

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipv6acl

ipv6_acl_rule (aclmgr)

{ [seqno] | no } permitdeny proto_sctp { { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } [ src_port_op { src_port0 | src_port0_str } | src_port_range { src_port1 | src_port1_str } { src_port2 | src_port2_str } | src_portgroup src_port_group ] { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dst_port_op { dst_port0 | dst_port0_str } | dst_port_range { dst_port1 | dst_port1_str } { dst_port2 | dst_port2_str } | dst_portgroup dst_port_group ] [ dscp { dscp_num | dscp_str } ] [ flow-label flow_num ] [log] [ time-range time_range_name ] [ packet-length { plen_op plen0 | plen_range plen1 plen2 } ] + | { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dscp { dscp_num | dscp_str } ] [ flow-label flow_num ] [fragments] [log] [ time-range time_range_name ] [ packet-length { plen_op plen0 | plen_range plen1 plen2 } ] + [ capture session session-id ] }

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject
proto_sctp

Protocol

sctp  value: 132
Stream Control Transmission Protocol
src_any

Any

src_addr

Type: ipv6addr

Source network address

src_wild

Type: ipv6addr

Source wildcard bits

src_prefix

Type: ipv6prefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipv6addr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

src_port_op

Port operator

src_port_range

Port range

src_port0

Type: integer

min: 0  max: 65535  

Port number

src_port0_str

SCTP port

src_port1

Type: integer

min: 0  max: 65535  

Port number

src_port1_str

SCTP port

src_port2

Type: integer

min: 0  max: 65535  

Port number

src_port2_str

SCTP port

src_portgroup

Source port group. Not available in this release.

src_port_group

Type: string

Port group name

dst_any

Any

dst_addr

Type: ipv6addr

Destination network address

dst_wild

Type: ipv6addr

Destination wildcard bits

dst_prefix

Type: ipv6prefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipv6addr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dst_port_op

Port operator

dst_port_range

Port range

dst_port0

Type: integer

min: 0  max: 65535  

Port number

dst_port0_str

SCTP port

dst_port1

Type: integer

min: 0  max: 65535  

Port number

dst_port1_str

SCTP port

dst_port2

Type: integer

min: 0  max: 65535  

Port number

dst_port2_str

SCTP port

dst_portgroup

Destination port group. Not available in this release.

dst_port_group

Type: string

Port group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)
flow-label

Flow label. Not available in this release.

flow_num

Type: integer

min: 0  max: 1048575  

Flow label value

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipv6acl

ipv6_acl_rule (aclmgr)

{ [seqno] | no } permitdeny proto_icmpv6 { { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } { [ icmpv6_type [icmpv6_code] | dscp { dscp_num | dscp_str } | flow-label flow_num | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } ] | + | [ icmpv6_str | dscp { dscp_num | dscp_str } | flow-label flow_num | [log] [ time-range time_range_name ] | packet-length { plen_op plen0 | plen_range plen1 plen2 } ] | + } | { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dscp { dscp_num | dscp_str } ] [ flow-label flow_num ] [fragments] [log] [ time-range time_range_name ] [ packet-length { plen_op plen0 | plen_range plen1 plen2 } ] + [ capture session session-id ] }

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject
proto_icmpv6

Protocol

icmp  value: 58
Internet Control Message Protocol
src_any

Any

src_addr

Type: ipv6addr

Source network address

src_wild

Type: ipv6addr

Source wildcard bits

src_prefix

Type: ipv6prefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipv6addr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

dst_any

Any

dst_addr

Type: ipv6addr

Destination network address

dst_wild

Type: ipv6addr

Destination wildcard bits

dst_prefix

Type: ipv6prefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipv6addr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)
flow-label

Flow label. Not available in this release.

flow_num

Type: integer

min: 0  max: 1048575  

Flow label value

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

icmpv6_type

Type: integer

min: 0  max: 255  

ICMPv6 message type

icmpv6_code

Type: integer

min: 0  max: 255  

ICMPv6 message code

icmpv6_str

ICMPv6 label

unreachable  value: 0
All unreachable
no-route  value: 1
No route to destination
no-admin  value: 2
Administration prohibited destination
beyond-scope  value: 3
Destination beyond scope
destination-unreachable  value: 4
Destination address is unreachable
port-unreachable  value: 5
Port unreachable
packet-too-big  value: 6
Packet too big
time-exceeded  value: 7
All time exceeded
hop-limit  value: 8
Hop limit exceeded in transit
reassembly-timeout  value: 9
Reassembly timeout
parameter-problem  value: 10
All parameter problems
header  value: 11
Parameter header problems
next-header  value: 12
Parameter next header problems
parameter-option  value: 13
Parameter option problems
echo-request  value: 14
Echo request (ping)
echo-reply  value: 15
Echo reply
mld-query  value: 16
Multicast Listener Discovery Query
mld-report  value: 17
Multicast Listener Discovery Report
mld-reduction  value: 18
Multicast Listener Discovery Reduction
router-solicitation  value: 19
Neighbor discovery router solicitations
router-advertisement  value: 20
Neighbor discovery router advertisements
nd-ns  value: 21
Neighbor discovery neighbor solicitations
nd-na  value: 22
Neighbor discovery neighbor advertisements
redirect  value: 23
Neighbor redirect
router-renumbering  value: 24
All router renumbering
renum-command  value: 25
Router renumbering command
renum-result  value: 26
Router renumbering result
renum-seq-number  value: 27
Router renumbering sequence number reset
mldv2  value: 28
Multicast Listener Discovery Protocol
capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipv6acl

ipv6_acl_rule (aclmgr)

{ [seqno] | no } permitdeny { ipv6 | proto | ipv6_other_proto } { src_any | src_addr src_wild | src_prefix | src_key_host src_host | src_key_addrgrp src_addrgrp_name } { dst_any | dst_addr dst_wild | dst_prefix | dst_key_host dst_host | dst_key_addrgrp dst_addrgrp_name } [ dscp { dscp_num | dscp_str } ] [ flow-label flow_num ] [fragments] [log] [ time-range time_range_name ] [ packet-length { plen_op plen0 | plen_range plen1 plen2 } ] + [ capture session session-id ]

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject
ipv6

Any IPv6 protocol

proto

Type: uinteger

min: 0  max: 255  

A protocol number

ipv6_other_proto

ipv6_other_proto

ahp  value: 51
Authentication header protocol
esp  value: 50
Encapsulation security protocol
sctp  value: 132
Stream Control Transmission Protocol
pcp  value: 108
Payload compression protocol
eigrp  value: 88
Cisco's EIGRP routing protocol
pim  value: 103
Protocol independent multicast
src_any

Any

src_addr

Type: ipv6addr

Source network address

src_wild

Type: ipv6addr

Source wildcard bits

src_prefix

Type: ipv6prefix

Source network prefix

src_key_host

A single source host

src_host

Type: ipv6addr

Source address

src_key_addrgrp

Source address group. Not available in this release.

src_addrgrp_name

Type: string

Address group name

dst_any

Any

dst_addr

Type: ipv6addr

Destination network address

dst_wild

Type: ipv6addr

Destination wildcard bits

dst_prefix

Type: ipv6prefix

Destination network prefix

dst_key_host

A single destination host

dst_host

Type: ipv6addr

Destination address

dst_key_addrgrp

Destination address group. Not available in this release.

dst_addrgrp_name

Type: string

Address group name

dscp

Match packets with given dscp value

dscp_num

Type: integer

min: 0  max: 63  

Differentiated services codepoint value

dscp_str

Differentiated services codepoint label

default  value: 0
Match packets with default dscp (000000)
cs1  value: 8
Match packets with CS1(precedence 1) dscp (001000)
af11  value: 10
Match packets with AF11 dscp (001010)
af12  value: 12
Match packets with AF12 dscp (001100)
af13  value: 14
Match packets with AF13 dscp (001110)
cs2  value: 16
Match packets with CS2(precedence 2) dscp (010000)
af21  value: 18
Match packets with AF21 dscp (010010)
af22  value: 20
Match packets with AF22 dscp (010100)
af23  value: 22
Match packets with AF23 dscp (010110)
cs3  value: 24
Match packets with CS3(precedence 3) dscp (011000)
af31  value: 26
Match packets with AF31 dscp (011010)
af32  value: 28
Match packets with AF32 dscp (011100)
af33  value: 30
Match packets with AF33 dscp (011110)
cs4  value: 32
Match packets with CS4(precedence 4) dscp (100000)
af41  value: 34
Match packets with AF41 dscp (100010)
af42  value: 36
Match packets with AF42 dscp (100100)
af43  value: 38
Match packets with AF43 dscp (100110)
cs5  value: 40
Match packets with CS5(precedence 5) dscp (101000)
ef  value: 46
Match packets with EF dscp (101110)
cs6  value: 48
Match packets with CS6(precedence 6) dscp (110000)
cs7  value: 56
Match packets with CS7(precedence 7) dscp (111000)
flow-label

Flow label. Not available in this release.

flow_num

Type: integer

min: 0  max: 1048575  

Flow label value

fragments

Check non-initial fragments

log

Log matches against this entry

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

packet-length

Match packets based on layer 3 packet length

plen_op

Packet-length operator

plen_range

Packet-length range

plen0

Type: integer

min: 20  max: 9210  

Packet length

plen1

Type: integer

min: 20  max: 9210  

Lower packet length

plen2

Type: integer

min: 20  max: 9210  

Higher packet length

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/ipv6acl

mac_acl_rule (aclmgr)

{ [seqno] | no } permitdeny { src_any | src_addr src_wild } { dst_any | dst_addr dst_wild } [ mac_proto | mac_proto_str ] [ vlan vlan | cos cos ] + [ time-range time_range_name ] [ capture session session-id ]

Syntax Description

seqno

Type: uinteger

min: 1  max: 4294967295  

Sequence number

no

Negate a command or set its defaults

permitdeny

Permit/deny

permit  value: 2
Specify packets to forward
deny  value: 3
Specify packets to reject
src_any

Any

any  value: 1
Any source address
src_addr

Type: ethernet

Source MAC address

src_wild

Type: ethernet

Source wildcard bits

dst_any

Any

any  value: 1
Any destination address
dst_addr

Type: ethernet

Destination MAC address

dst_wild

Type: ethernet

Destination wildcard bits

mac_proto

Type: hex

MAC protocol number

mac_proto_str

MAC protocol name

ip  value: 0x0800
IP (Internet Protocol V4)
vines-echo  value: 0x0BAF
VINES Echo
etype-6000  value: 0x6000
Ethertype 0x6000
etype-8042  value: 0x8042
Ethertype 0x8042
mop-dump  value: 0x6001
DEC MOP dump
mop-console  value: 0x6002
DEC MOP Remote console
decnet-iv  value: 0x6003
DECnet Phase IV
lat  value: 0x6004
DEC LAT
diagnostic  value: 0x6005
DEC Diagnostic Protocol
lavc-sca  value: 0x6007
DEC LAVC,SCA
appletalk  value: 0x809B
Appletalk
aarp  value: 0x80F3
Appletalk AARP
vlan

VLAN number

cos

CoS value

vlan

Type: vlan

VLAN number

cos

Type: integer

min: 0  max: 7  

CoS value

time-range

Specify a time range

time_range_name

Type: string

length: 64

Time range name

capture

Enable packet capture on this filter for session. Not available in this release.

session

Session ID <1-48> for this session

session-id

Type: uinteger

min: 1  max: 48  

Session ID <1-48> for this session

Command Modes

  • /exec/configure/macacl