CHAPTER 21

ACL

ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet and, based on the criteria specified in the access lists, decides whether to forward or drop it.

Access list criteria can be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.

There are several reasons to configure access lists. Access lists can be used to restrict contents of routing updates or to provide traffic flow control. But one of the most important reasons to configure access lists is to provide security for the network.

Access lists provide a basic level of security for access to the network. If no access lists are configured on the router, every packet passing through the router is forwarded unfiltered to every part of the network it is routed towards.

For example, access lists can allow one host to access a part of the network and prevent another host from accessing the same area.



Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.



21.1 ACL Commands

The list of CLI commands for the configuration of ACL is as follows:

21.1.1 ip access-list

Creates IP ACLs and enters the IP access-list configuration mode. Standard access lists create filters based on IP address and network mask only (Layer 3 filters). Extended access lists allow filters to be specified on the type of protocol and a range of TCP or UDP ports as well as on IP address and network mask (Layer 4 filters).

Depending on the standard or extended option chosen by the user, this command returns a corresponding IP access list configuration mode.

The no form of the command deletes the IP access-list.


ip access-list {standard access-list-number_1-10 | extended access-list-number_11-512}


no ip access-list {standard access-list-number_1-10 | extended access-list-number_11-512}


Syntax Description

standard - Standard access list number.

extended - Extended access list number.

Mode

Global Configuration

Example

SEFOS(config)# ip access-list standard 1

Notes

ACLs on the system perform both access control and Layer 3 field classification. To define Layer 3 access lists, the ip access-list command must be used.


Related Commands

21.1.2 mac access-list extended

Creates a Layer 2 MAC access-list and enters the MAC access-list configuration mode. The no form of the command deletes the MAC access-list.


mac access-list extended access-list-number_1-512


no mac access-list extended access-list-number_1-512


Mode

Global Configuration

Example

SEFOS(config)# mac access-list extended 5

Notes

ACLs on the system perform both access control and layer 2 field classifications. To define Layer 2 access lists, the mac access-list command must be used.


Related Commands

21.1.3 ipv6 access-list extended

Command creates an IPv6 extended access list, and the no form of the command deletes an IPv6 extended access list.

ACLs on the system perform both access control and Layer 3 field classification. This command must be used to define Layer 3 access lists for IPv6.


ipv6 access-list extended access-list-number(11-512)


no ipv6 access-list extended access-list-number(11-512)


Mode

Global Configuration

Example

SEFOS(config)# ipv6 access-list extended 15


Related Commands

21.1.4 permit - standard mode

Specifies the packets to be forwarded when the associated parameters match. Standard IP access lists match on source and destination IP addresses (with network masks) only; no protocol or port fields are checked.


permit {any | host src-ip-addr | src-ip-addr mask} {any | host dest-ip-addr | dest-ip-addr mask}


Syntax Description

any | host src-ip-addr | src-ip-addr mask - Source IP address. Can be any, the word host followed by the dotted decimal address of the host the packet is from, or a network address followed by the network mask to use with it.

any | host dest-ip-addr | dest-ip-addr mask - Destination IP address. Can be any, the word host followed by the dotted decimal address of the host the packet is destined for, or a network address followed by the network mask to use with it.

Mode

IP ACL Standard Configuration

Example

SEFOS(config-std-nacl)# permit host 100.0.0.10 host 10.0.0.1


Related Commands

21.1.5 deny - standard mode

Denies traffic if the conditions defined in the deny statement are matched.


deny {any | host src-ip-addr | src-ip-addr mask} {any | host dest-ip-addr | dest-ip-addr mask}


Syntax Description

any | host src-ip-addr | src-ip-addr mask - Source IP address. Can be any, the word host followed by the dotted decimal address of the host the packet is from, or a network address followed by the network mask to use with it.

any | host dest-ip-addr | dest-ip-addr mask - Destination IP address. Can be any, the word host followed by the dotted decimal address of the host the packet is destined for, or a network address followed by the network mask to use with it.

Mode

IP ACL Standard Configuration

Example

SEFOS(config-std-nacl)# deny host 100.0.0.10 any


Related Commands

21.1.6 permit - IPv4

Allows traffic for a particular protocol packet if the conditions defined in the permit statement are matched.



Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.



permit {ip | ospf | pim | protocol-type_1-255} {any | host src-ip-addr | src-ip-addr mask} {any | host dest-ip-addr | dest-ip-address mask} [{tos {max-reliability | max-throughput | min-delay | normal | 0-7} | dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef}} ] [priority 1-7] {[loadbalance lbg-id(1-16)] [redirectport interface-type interface-id] | [redirectslb slb_group_id]}


Syntax Description

ip | ospf | pim |

protocol-type_1-255 - Type of protocol for the packet. It can also be a protocol number.

any | host

src-ip-address | src-ip-address mask - Source IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • Number of the network or host that the packet is from followed by the network mask to use with the source address.

any | host

dest-ip-addr | dest-ip-addr mask - Destination IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • Number of the network or host that the packet is destined for followed by the network mask to use with the destination address.

tos - Type of service can be the following:

  • max-reliability
  • max-throughput
  • min-delay
  • normal or a range of values from 0 to 7.

 

dscp - Differentiated services code point provides the quality of service control. The various options available are as follows:

  • 0-63 - Differentiated services code point value.
  • af11 - Matches packets with AF11 DSCP (001010).
  • af12 - Matches packets with AF12 DSCP (001100).
  • af13 - Matches packets with AF13 DSCP (001110).
  • af21 - Matches packets with AF21 DSCP (010010).
  • af22 - Matches packets with AF22 DSCP (010100).
  • af23 - Matches packets with AF23 DSCP (010110).
  • af31 - Matches packets with AF31 DSCP (011010).
  • af32 - Matches packets with AF32 DSCP (011100).
  • af33 - Matches packets with AF33 DSCP (011110).
  • af41 - Matches packets with AF41 DSCP (100010).
  • af42 - Matches packets with AF42 DSCP (100100).
  • af43 - Matches packets with AF43 DSCP (100110).
  • cs1 - Matches packets with CS1 (precedence 1) DSCP (001000).
  • cs2 - Matches packets with CS2 (precedence 2) DSCP (010000).
  • cs3 - Matches packets with CS3 (precedence 3) DSCP (011000).
  • cs4 - Matches packets with CS4 (precedence 4) DSCP (100000).
  • cs5 - Matches packets with CS5 (precedence 5) DSCP (101000).
  • cs6 - Matches packets with CS6 (precedence 6) DSCP (110000).
  • cs7 - Matches packets with CS7 (precedence 7) DSCP (111000).
  • default - Default DSCP (000000).
  • ef - Matches packets with EF DSCP (101110).

 

priority - Priority of the L3 filter used to decide which filter rule is applicable when the packet matches with more than one filter rule. A higher value of filter priority implies a higher priority.

This value ranges from 1 to 7.

 

loadbalance - If permitted, the next action is to forward packets to an LBG specified by the LBG group number. LBG number has a range of values from 1 to 16.

 

redirectport - If permitted, the next action is to forward packets to a switch port specified by the interface-type and the interface-id.

 

redirectslb - If permitted, the next action is to route packets to an SLB group specified by the SLB group number. SLB group number has a range of values from 1 to 16.

Mode

IP ACL Extended Configuration

Default

protocol-type - 255

priority - 1

dscp - 1

Example

SEFOS(config-ext-nacl)# permit 200 host 100.0.0.10 any tos 6

Notes

Protocol type with the value 255 indicates that protocol can be anything and it will not be checked against the action to be performed.


Related Commands

21.1.7 deny - IPv4

Denies traffic for a particular protocol packet if the conditions defined in the deny statement are matched.


deny {ip | ospf | pim | protocol-type_1-255} {any | host src-ip-addr | src-ip-addr mask} {any | host dest-ip-addr | dest-ip-addr mask} [{tos {max-reliability | max-throughput | min-delay | normal | 0-7} | dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef}}] [priority 1-7]


Syntax Description

ip | ospf | pim | protocol-type_1-255 - Type of protocol for the packet. You can also enter the protocol number.

any | host src-ip-address | src-ip-addr mask - Source IP address can be the following:

  • any
  • host and the dotted decimal address.
  • number of the network or the host that the packet is from followed by the network mask to use with the source address.

any | host dest-ip-addr | dest-ip-addr mask - Destination IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • number of the network or host that the packet is destined for and the network mask to use with the destination address.

tos - Type of service. Can be max-reliability, max-throughput, min-delay, normal, or a value from 0 to 7.

dscp - Differentiated services code point provides the quality of service control. The various options available are:

  • 0-63 - Differentiated services code point value.
  • af11 - Matches packets with AF11 DSCP (001010).
  • af12 - Matches packets with AF12 DSCP (001100).
  • af13 - Matches packets with AF13 DSCP (001110).
  • af21 - Matches packets with AF21 DSCP (010010).
  • af22 - Matches packets with AF22 DSCP (010100).
  • af23 - Matches packets with AF23 DSCP (010110).
  • af31 - Matches packets with AF31 DSCP (011010).
  • af32 - Matches packets with AF32 DSCP (011100).

 

  • af33 - Matches packets with AF33 DSCP (011110).
  • af41 - Matches packets with AF41 DSCP (100010).
  • af42 - Matches packets with AF42 DSCP (100100).
  • af43 - Matches packets with AF43 DSCP (100110).
  • cs1 - Matches packets with CS1 (precedence 1) DSCP (001000).
  • cs2 - Matches packets with CS2 (precedence 2) DSCP (010000).
  • cs3 - Matches packets with CS3 (precedence 3) DSCP (011000).
  • cs4 - Matches packets with CS4 (precedence 4) DSCP (100000).
  • cs5 - Matches packets with CS5 (precedence 5) DSCP (101000).
  • cs6 - Matches packets with CS6 (precedence 6) DSCP (110000).
  • cs7 - Matches packets with CS7 (precedence 7) DSCP (111000).
  • default - Default DSCP (000000).
  • ef - Matches packets with EF DSCP (101110).

 

priority - Priority of the L3 filter, used to decide which filter rule applies when a packet matches more than one filter rule. A higher value implies a higher priority. This value ranges from 1 to 7.

Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

Mode

IP ACL Extended Configuration

Default

protocol type - 255

priority - 1

dscp - 1

Example

SEFOS(config-ext-nacl)# deny ospf any host 10.0.0.1 tos max-throughput

Notes

  • Protocol type with the value 255 indicates that protocol can be anything and it will not be checked against the action to be performed.
  • The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

Related Commands

21.1.8 permit tcp - IPv4

Specifies the IPv4 TCP packets to be forwarded based on the associated parameters.


permit tcp {any | host src-ip-address | src-ip-address src-mask} [{gt port-number_1-65535 | lt port-number_1-65535 | eq port-number_1-65535 | range port-number_1-65535 port-number_1-65535}] {any | host dest-ip-address | dest-ip-address dest-mask} [{gt port-number_1-65535 | lt port-number_1-65535 | eq port-number_1-65535 | range port-number_1-65535 port-number_1-65535}] [{ack | rst}] [{tos {max-reliability | max-throughput | min-delay | normal | tos-value_0-7} | dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef}}] [priority 1-7] {[loadbalance lbg-id(1-16)] [redirectport interface-type interface-id] | [redirectslb slb_group_id]}


Syntax Description

tcp - Transport control protocol.

any | host src-ip-address | src-ip-address src-mask - Source IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • number of the network or the host that the packet is from followed by the network mask to use with the source address.

port-number_1-65535 - Port Number. The input for the source and the destination port-number is prefixed with one of the following operators:

  • eq=equal.
  • lt=less than.
  • gt=greater than.
  • range=a range of ports; two different port numbers must be specified

any | host dest-ip-address | dest-ip-address dest-mask - Destination IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • number of the network or the host that the packet is destined for followed by the network mask to use with the destination address.

ack - TCP ACK bit to be checked against the packet. It can be establish (1), non-establish (2) or any (3).

rst - TCP RST bit to be checked against the packet. It can be set (1), notset (2) or any (3).

 

tos - Type of service. Can be the following:

  • max-reliability
  • max-throughput
  • min-delay
  • normal
  • a value from 0 to 7.

 

dscp - Differentiated services code point provides the quality of service control. The various options available are:

  • 0-63 - Differentiated services code point value.
  • af11 - Matches packets with AF11 DSCP (001010).
  • af12 - Matches packets with AF12 DSCP (001100).
  • af13 - Matches packets with AF13 DSCP (001110).
  • af21 - Matches packets with AF21 DSCP (010010).
  • af22 - Matches packets with AF22 DSCP (010100).
  • af23 - Matches packets with AF23 DSCP (010110).
  • af31 - Matches packets with AF31 DSCP (011010).
  • af32 - Matches packets with AF32 DSCP (011100).
  • af33 - Matches packets with AF33 DSCP (011110).
  • af41 - Matches packets with AF41 DSCP (100010).
  • af42 - Matches packets with AF42 DSCP (100100).
  • af43 - Matches packets with AF43 DSCP (100110).
  • cs1 - Matches packets with CS1 (precedence 1) DSCP (001000).
  • cs2 - Matches packets with CS2 (precedence 2) DSCP (010000).
  • cs3 - Matches packets with CS3 (precedence 3) DSCP (011000).
  • cs4 - Matches packets with CS4 (precedence 4) DSCP (100000).
  • cs5 - Matches packets with CS5 (precedence 5) DSCP (101000).
  • cs6 - Matches packets with CS6 (precedence 6) DSCP (110000).
  • cs7 - Matches packets with CS7 (precedence 7) DSCP (111000).
  • default - Default DSCP (000000).
  • ef - Matches packets with EF DSCP (101110).

priority - Priority of the filter, used to decide which filter rule applies when a packet matches more than one filter rule. A higher value implies a higher priority. This value ranges from 1 to 7.

 

loadbalance - If permitted, the next action is to forward packets to an LBG specified by the LBG group number. LBG number has a range of values from 1 to 16.

 

redirectport - If permitted, the next action is to forward packets to a switch port specified by the interface-type and the interface-id.

 

redirectslb - If permitted, the next action is to route packets to an SLB group specified by the SLB group number. SLB group number has a range of values from 1 to 16.

Mode

IP ACL Extended Configuration

Default

tos-value - 0

ack - any (3) Indicates that the TCP ACK bit will not be checked to decide the action.

rst - any (3) Indicates that the TCP RST bit will not be checked to decide the action.

dscp - 1

Example

SEFOS(config-ext-nacl)# permit tcp any 10.0.0.1 255.255.255.255


Related Commands

21.1.9 deny tcp - IPv4

Specifies the IPv4 TCP packets to be rejected based on the associated parameters.


deny tcp {any | host src-ip-address | src-ip-address src-mask} [{gt port-number_1-65535 | lt port-number_1-65535 | eq port-number_1-65535 | range port-number_1-65535 port-number_1-65535}] {any | host dest-ip-address | dest-ip-address dest-mask} [{gt port-number_1-65535 | lt port-number_1-65535 | eq port-number_1-65535 | range port-number_1-65535 port-number_1-65535}] [{ack | rst}] [{tos {max-reliability | max-throughput | min-delay | normal | tos-value_0-7} | dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef}}] [priority 1-7] 


Syntax Description

tcp - Transmission control protocol.

any | host src-ip-address | src-ip-address src-mask - Source IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • number of the network or the host that the packet is from and the network mask to use with the source address.

port-number_1-65535 - Port Number. The input for the source and the destination port-number is prefixed with one of the following operators:

  • eq=equal.
  • lt=less than.
  • gt=greater than.
  • range=a range of ports; two different port numbers must be specified.

any | host dest-ip-address | dest-ip-address dest-mask - Destination IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • Number of the network or the host that the packet is destined for and the network mask to use with the destination address.

ack - TCP ACK bit to be checked against the packet. It can be establish (1), non-establish (2), or any (3).

rst - TCP RST bit to be checked against the packet. It can be set (1), notset (2) or any (3).

 

tos - Type of service. Options are as follows:

  • max-reliability
  • max-throughput
  • min-delay
  • normal
  • range of values from 0 to 7.

 

dscp - Differentiated services code point provides the quality of service control. The various options available are:

  • 0-63 - Differentiated services code point value.
  • af11 - Matches packets with AF11 DSCP (001010).
  • af12 - Matches packets with AF12 DSCP (001100).
  • af13 - Matches packets with AF13 DSCP (001110).
  • af21 - Matches packets with AF21 DSCP (010010).
  • af22 - Matches packets with AF22 DSCP (010100).
  • af23 - Matches packets with AF23 DSCP (010110).
  • af31 - Matches packets with AF31 DSCP (011010).
  • af32 - Matches packets with AF32 DSCP (011100).
  • af33 - Matches packets with AF33 DSCP (011110).
  • af41 - Matches packets with AF41 DSCP (100010).
  • af42 - Matches packets with AF42 DSCP (100100).
  • af43 - Matches packets with AF43 DSCP (100110).
  • cs1 - Matches packets with CS1 (precedence 1) DSCP (001000).
  • cs2 - Matches packets with CS2 (precedence 2) DSCP (010000).
  • cs3 - Matches packets with CS3 (precedence 3) DSCP (011000).
  • cs4 - Matches packets with CS4 (precedence 4) DSCP (100000).
  • cs5 - Matches packets with CS5 (precedence 5) DSCP (101000).
  • cs6 - Matches packets with CS6 (precedence 6) DSCP (110000).
  • cs7 - Matches packets with CS7 (precedence 7) DSCP (111000).
  • default - Default DSCP (000000).
  • ef - Matches packets with EF DSCP (101110).

 

priority - Priority of the filter, used to decide which filter rule applies when a packet matches more than one filter rule. A higher value implies a higher priority. This value ranges from 1 to 7.

Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

Mode

IP ACL Extended Configuration

Default

tos-value_0-7 - 0

ack - any (3) Indicates that TCP ACK bit will not be checked to decide the action.

rst - any (3) Indicates that TCP RST bit will not be checked to decide the action.

dscp - 1

Example

SEFOS(config-ext-nacl)# deny tcp 100.0.0.10 255.255.255.0 eq 20 any


Related Commands

21.1.10 permit udp - IPv4

Specifies the IPv4 UDP packets to be forwarded based on the associated parameters.


permit udp {any | host src-ip-address | src-ip-address src-mask} [{gt port-number_1-65535 | lt port-number_1-65535 | eq port-number_1-65535 | range port-number_1-65535 port-number_1-65535}] {any | host dest-ip-address | dest-ip-address dest-mask} [{gt port-number_1-65535 | lt port-number_1-65535 | eq port-number_1-65535 | range port-number_1-65535 port-number_1-65535}] [{tos {max-reliability | max-throughput | min-delay | normal | tos-value_0-7} | dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef} }] [priority_1-7] {[loadbalance lbg-id(1-16)] [redirectport interface-type interface-id] | [redirectslb slb_group_id]}


Syntax Description

udp - User datagram protocol.

any | host src-ip-address | src-ip-address src-mask - Source IP address can be the following:

  • any
  • host and the dotted decimal address.
  • Number of the network or the host that the packet is from and the network mask to use with the source address.

port-number_1-65535 - Port Number. The input for the source and the destination port-number is prefixed with one of the following operators.

  • eq=equal.
  • lt=less than.
  • gt=greater than.
  • range=a range of ports; two different port numbers must be specified.

any | host dest-ip-address | dest-ip-address dest-mask - Destination IP address. Options are as follows:

  • any
  • host followed by the dotted decimal address.
  • Number of the network or the host that the packet is destined for and the network mask to use with the destination address.

tos - Type of service. Options are as follows:

  • max-reliability
  • max-throughput
  • min-delay
  • normal
  • range of values from 0 to 7.

 

dscp - Differentiated services code point provides the quality of service control. The various options available are:

  • 0-63 - Differentiated services code point value.
  • af11 - Matches packets with AF11 DSCP (001010).
  • af12 - Matches packets with AF12 DSCP (001100).
  • af13 - Matches packets with AF13 DSCP (001110).
  • af21 - Matches packets with AF21 DSCP (010010).
  • af22 - Matches packets with AF22 DSCP (010100).
  • af23 - Matches packets with AF23 DSCP (010110).
  • af31 - Matches packets with AF31 DSCP (011010).
  • af32 - Matches packets with AF32 DSCP (011100).
  • af33 - Matches packets with AF33 DSCP (011110).
  • af41 - Matches packets with AF41 DSCP (100010).
  • af42 - Matches packets with AF42 DSCP (100100).
  • af43 - Matches packets with AF43 DSCP (100110).
  • cs1 - Matches packets with CS1 (precedence 1) DSCP (001000).
  • cs2 - Matches packets with CS2 (precedence 2) DSCP (010000).
  • cs3 - Matches packets with CS3 (precedence 3) DSCP (011000).
  • cs4 - Matches packets with CS4 (precedence 4) DSCP (100000).
  • cs5 - Matches packets with CS5 (precedence 5) DSCP (101000).
  • cs6 - Matches packets with CS6 (precedence 6) DSCP (110000).
  • cs7 - Matches packets with CS7 (precedence 7) DSCP (111000).
  • default - Default DSCP (000000).
  • ef - Matches packets with EF DSCP (101110).

 

priority - Priority of the filter, used to decide which filter rule applies when a packet matches more than one filter rule. A higher value implies a higher priority. This value ranges from 1 to 7.

Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

 

loadbalance - If permitted, the next action is to forward packets to an LBG specified by the LBG group number. LBG number has a range of values from 1 to 16.

 

redirectport - If permitted, the next action is to forward packets to a switch port specified by the interface-type and the interface-id.

 

redirectslb - If permitted, the next action is to route packets to an SLB group specified by the SLB group number. SLB group number has a range of values from 1 to 16.

Mode

IP ACL Extended Configuration

Default

dscp - 1

Example

SEFOS(config-ext-nacl)# permit udp any gt 65000 any dscp 1


Related Commands

21.1.11 deny udp - IPv4

Specifies the IPv4 UDP packets to be rejected based on the associated parameters.


deny udp {any | host src-ip-address | src-ip-address src-mask} [{gt port-number_1-65535 | lt port-number_1-65535 | eq port-number_1-65535 | range port-number_1-65535 port-number_1-65535}] {any | host dest-ip-address | dest-ip-address dest-mask} [{gt port-number_1-65535 | lt port-number_1-65535 | eq port-number_1-65535 | range port-number_1-65535 port-number_1-65535}] [{tos {max-reliability | max-throughput | min-delay | normal | tos-value_0-7} | dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef}}] [priority_1-7]


Syntax Description

udp - User datagram protocol

any | host src-ip-address | src-ip-address src-mask - Source IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • number of the network or the host that the packet is from and the network mask to use with the source address.

 

port-number_1-65535 - Port number. The input for the source and the destination port-number is prefixed with one of the following operators.

  • eq=equal.
  • lt=less than.
  • gt=greater than.
  • range=a range of ports; two different port numbers must be specified.

 

any | host dest-ip-address | dest-ip-address dest-mask - Destination IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • number of the network or the host that the packet is destined for and the network mask to use with the destination address.

 

tos - Type of service. Can be as follows:

  • max-reliability
  • max-throughput
  • min-delay
  • normal
  • range of values from 0 to 7.

 

dscp - Differentiated services code point provides the quality of service control. The various options available are as follows:

  • 0-63 - Differentiated services code point value.
  • af11 - Matches packets with AF11 DSCP (001010).
  • af12 - Matches packets with AF12 DSCP (001100).
  • af13 - Matches packets with AF13 DSCP (001110).
  • af21 - Matches packets with AF21 DSCP (010010).
  • af22 - Matches packets with AF22 DSCP (010100).
  • af23 - Matches packets with AF23 DSCP (010110).
  • af31 - Matches packets with AF31 DSCP (011010).
  • af32 - Matches packets with AF32 DSCP (011100).
  • af33 - Matches packets with AF33 DSCP (011110).
  • af41 - Matches packets with AF41 DSCP (100010).
  • af42 - Matches packets with AF42 DSCP (100100).
  • af43 - Matches packets with AF43 DSCP (100110).
  • cs1 - Matches packets with CS1 (precedence 1) DSCP (001000).
  • cs2 - Matches packets with CS2 (precedence 2) DSCP (010000).
  • cs3 - Matches packets with CS3 (precedence 3) DSCP (011000).
  • cs4 - Matches packets with CS4 (precedence 4) DSCP (100000).
  • cs5 - Matches packets with CS5 (precedence 5) DSCP (101000).
  • cs6 - Matches packets with CS6 (precedence 6) DSCP (110000).
  • cs7 - Matches packets with CS7 (precedence 7) DSCP (111000).
  • default - Default DSCP (000000).
  • ef - Matches packets with EF DSCP (101110).

 

priority - Priority of the filter, used to decide which filter rule applies when a packet matches more than one filter rule. A higher value implies a higher priority. This value ranges from 1 to 7.

Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

Mode

IP ACL Extended Configuration

Default

dscp - 1

Example

SEFOS(config-ext-nacl)# deny udp host 10.0.0.1 any eq 20


Related Commands

21.1.12 permit icmp - IPv4

Specifies the ICMPv4 packets to be forwarded based on the IP address and the associated parameters.


permit icmp {any | host src-ip-address | src-ip-address mask} {any | host dest-ip-address | dest-ip-address mask} [message-type_0-255] [message-code_0-255] [priority_1-7]


Syntax Description

icmp - Internet control message protocol

any | host src-ip-address | src-ip-address mask - Source IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • number of the network or the host that the packet is from and the network mask to use with the source address.

any | host dest-ip-address | dest-ip-address mask - Destination IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • Number of the network or the host that the packet is destined for and the network mask to use with the destination address.

 

message-type_0-255 - ICMP message type. The value is entered directly; there is no message-type keyword on the command line. The value can be one of the following:

Value  ICMP type
0      Echo reply
3      Destination unreachable
4      Source quench
5      Redirect
8      Echo request
11     Time exceeded
12     Parameter problem
13     Timestamp request
14     Timestamp reply
15     Information request
16     Information reply
17     Address mask request
18     Address mask reply
255    No ICMP type

message-code_0-255 - ICMP message code, entered directly after the message type. The code values are listed under deny icmp (21.1.13); 255 means no ICMP code.

priority_1-7 - Priority of the filter. Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

Mode

IP ACL Extended Configuration

Default

message-type - 255

message code - 255

Example

SEFOS(config-ext-nacl)# permit icmp any any


Related Commands

21.1.13 deny icmp - IPv4

Specifies the ICMP v4 packets to be rejected based on the IP address and associated parameters.


deny icmp {any | host src-ip-address | src-ip-address mask} {any | host dest-ip-address | dest-ip-address mask} [message-type_0-255] [message-code_0-255] [priority_1-7]


Syntax Description

icmp - Internet control message protocol.

any | host src-ip-address | src-ip-address mask - Source IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • Number of the network or the host that the packet is from and the network mask to use with the source address.

any | host dest-ip-address | dest-ip-address mask - Destination IP address can be the following:

  • any
  • host followed by the dotted decimal address.
  • Number of the network or the host that the packet is destined for and the network mask to use with the destination address.

 

message-type_0-255 - ICMP message type. The value is entered directly; there is no message-type keyword on the command line. The value can be one of the following:

Value  ICMP type
0      Echo reply
3      Destination unreachable
4      Source quench
5      Redirect
8      Echo request
11     Time exceeded
12     Parameter problem
13     Timestamp request
14     Timestamp reply
15     Information request
16     Information reply
17     Address mask request
18     Address mask reply
255    No ICMP type

 

 

message-code_0-255 - ICMP message code, entered directly after the message type; there is no message-code keyword on the command line. The value can be one of the following:

Value  ICMP code
0      Network unreachable
1      Host unreachable
2      Protocol unreachable
3      Port unreachable
4      Fragmentation needed
5      Source route failed
6      Destination network unknown
7      Destination host unknown
8      Source host isolated
9      Destination network administratively prohibited
10     Destination host administratively prohibited
11     Network unreachable for TOS
12     Host unreachable for TOS
255    No ICMP code

 

priority - Priority of the filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority.

This value ranges between one and seven.

Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

Mode

IP ACL Extended Configuration

Default

message-type - 255

message code - 255

Example

SEFOS(config-ext-nacl)# deny icmp host 100.0.0.10 10.0.0.1 255.255.255.255
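The following is an added example, not part of the SEFOS reference: a small Python model of how the IPv4 permit icmp / deny icmp rules above are parsed and matched against a packet. It assumes, as the syntax description states, that the token after a bare address is a network mask (not a wildcard mask); that the page's default of 255 for message-type and message-code means "match any value"; and, because the page says only that filter precedence follows the ACL number, that the lowest-numbered matching ACL wins (an assumption of this example). The rule strings are the page's own two examples, placed in constructed ACL numbers 11 and 12.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = 255   # the page's default for message-type and message-code: match any value


@dataclass(frozen=True)
class IcmpRule:
    acl_number: int                          # number of the extended IP access list holding the rule
    action: str                              # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    msg_type: int = ANY
    msg_code: int = ANY


def _parse_addr(tokens: List[str]) -> Tuple[Optional[ipaddress.IPv4Network], List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' and return (network, remaining tokens).
    MASK is a network mask, as the syntax description states (assumption: not a wildcard)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if len(tokens) < 2:
        raise ValueError("address form needs two tokens")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_icmp_rule(acl_number: int, line: str) -> IcmpRule:
    """Parse '{permit|deny} icmp <src> <dst> [message-type] [message-code] [priority]'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "icmp":
        raise ValueError(f"not an ICMP rule: {line!r}")
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    numbers = [int(t) for t in rest]          # optional message-type, message-code, priority
    if len(numbers) > 3 or any(not 0 <= n <= 255 for n in numbers[:2]):
        raise ValueError(f"bad optional values in {line!r}")
    if len(numbers) == 3 and not 1 <= numbers[2] <= 7:
        raise ValueError("priority must be 1-7")   # documented range; the flag itself has no effect
    msg_type = numbers[0] if len(numbers) > 0 else ANY
    msg_code = numbers[1] if len(numbers) > 1 else ANY
    return IcmpRule(acl_number, tokens[0], src, dst, msg_type, msg_code)


def rule_matches(rule: IcmpRule, src_ip: str, dst_ip: str, icmp_type: int, icmp_code: int) -> bool:
    """True when the packet's addresses, ICMP type and ICMP code all satisfy the rule."""
    if rule.src is not None and ipaddress.IPv4Address(src_ip) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.IPv4Address(dst_ip) not in rule.dst:
        return False
    if rule.msg_type != ANY and rule.msg_type != icmp_type:
        return False
    if rule.msg_code != ANY and rule.msg_code != icmp_code:
        return False
    return True


def evaluate(rules: List[IcmpRule], src_ip: str, dst_ip: str, icmp_type: int,
             icmp_code: int = 0, default: str = "permit") -> str:
    """Action of the matching rule with the lowest ACL number (assumption), or `default`
    when nothing matches; "permit" is the default because the page states that with no
    ACL configured all packets are allowed."""
    for rule in sorted(rules, key=lambda r: r.acl_number):
        if rule_matches(rule, src_ip, dst_ip, icmp_type, icmp_code):
            return rule.action
    return default


# Constructed rule set: the page's two example rules in assumed ACL numbers 11 and 12
RULES = [
    parse_icmp_rule(11, "deny icmp host 100.0.0.10 10.0.0.1 255.255.255.255"),
    parse_icmp_rule(12, "permit icmp any any"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "100.0.0.10", "10.0.0.1", 8))   # deny
    print(evaluate(RULES, "100.0.0.11", "10.0.0.1", 8))   # permit
```

The point of the model is the interaction of the defaults with the deny rule: because message-type and message-code default to "any", the page's deny example blocks every ICMP type from 100.0.0.10 to 10.0.0.1, not just echo requests, and a type-specific rule has to state the type explicitly.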


Related Commands

21.1.14 ip access-group

Enables access control for the packets on the interface. It controls access to a Layer 2 or Layer 3 interface. The no form of the command removes all access groups or the specified access group from the interface.


ip access-group access-list-number_1-512 [in | out]


no ip access-group [access-list-number_1-512] [in | out]


Syntax Description

access-list-number_1-512 - IP access control list number.

in - Inbound packets.

out - Outbound packets.

Note - The keyword out can be used only with the Sun Network 10GbE Switch 72p.

Mode

Interface Configuration

Example

SEFOS(config-if)# ip access-group 1 in

Notes

  • IP access list must have been created.
  • An IP ACL applied to a Layer 2 interface filters only the IP packets. MAC access-group interface configuration command with MAC extended ACLs must be used to filter non-IP packets.

Related Commands

21.1.15 mac access-group

Applies a MAC ACL to a Layer 2 interface. The no form of this command can be used to remove the MAC ACLs from the interface.


mac access-group access-list-number_1-512 in


no mac access-group access-list-number_1-512 in


Syntax Description

access-list-number_1-512 - MAC access control list number.

in - Inbound packets.

Mode

Interface Configuration

Example

SEFOS(config-if)# mac access-group 5 in

Notes

MAC access list must have been created.


Related Commands

21.1.16 ipv6 access-group

Enables access control for the inbound IPv6 packets on the interface. The no form of the command disables access control for the inbound IPv6 packets on the interface.


ipv6 access-group [access-list-number(11-512)] (in | out)


no ipv6 access-group [access-list-number(11-512)] (in | out)


Syntax Description

access-list-number - IPv6 access list number. This value ranges between 11 and 512.

in - Inbound packets.

out - Outbound packets.

Mode

Interface Configuration

Example

SEFOS(config-if)# ipv6 access-group 15 in

Notes

  • IPv6 access list must have been created before enabling the access list for the inbound IPv6 packets.
  • Limitation on Layer 2 interfaces: an IPv6 ACL applied to a Layer 2 interface filters only the IPv6 packets. The MAC access-group interface configuration command with MAC extended ACLs must be used to filter non-IP packets.

Related Commands

21.1.17 permit - MAC ACL

Specifies the packets to be forwarded based on the MAC address and the associated parameters. That is, this command allows non-IP traffic to be forwarded if the conditions are matched.


permit {any | host src-mac-address} {any | host dest-mac-address} [aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-id | protocol_0-65535] [Vlan vlan-id_1-4094] [user-priority 0-7] [priority 1-7] {[loadbalance lbg-id(1-16)] [redirectport interface-type interface-id] | [redirectslb slb_group_id]}


Syntax Description

any | host src-mac-address - Source MAC address to be matched with the packet.

any | host dest-mac-address - Destination MAC address to be matched with the packet.

aarp - Ethertype AppleTalk address resolution protocol that maps a data-link address to a network address.

amber - EtherType DEC-amber.

dec-spanning - EtherType Digital Equipment Corporation spanning tree.

decnet-iv - EtherType DECnet phase IV protocol.

diagnostic - Ethertype DEC-diagnostic.

dsm - Ethertype DEC-DSM or DDP.

etype-6000 - Ethertype 0x6000.

etype-8042 - Ethertype 0x8042.

lat - Ethertype DEC-LAT.

lavc-sca - Ethertype DEC-LAVC-SCA.

mop-console - Ethertype DEC-MOP remote console.

mop-dump - Ethertype DEC-MOP dump.

msdos - Ethertype DEC-MSDOS.


mumps - Ethertype DEC-MUMPS.

netbios - Ethertype DEC - system NETBIOS.

vines-echo - Ethertype VINES echo from Banyan Systems.

vines-ip - EtherType VINES IP.

xns-id - EtherType Xerox Network Systems protocol suite.

vlan - VLAN ID to be filtered. This value ranges between 1 and 4094.


user-priority - User priority or P-bit value to be matched with the packet. This value ranges between zero and seven.

priority - Priority of the L2 filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

loadbalance - If permitted, the next action is to forward packets to an LBG specified by the LBG group number. LBG number has a range of values from 1 to 16.

redirectport - If permitted, the next action is to forward packets to a switch port specified by the interface-type and the interface-id.

redirectslb - If permitted, the next action is to route packets to an SLB group specified by the SLB group number. SLB group number has a range of values from 1 to 16.

Mode

MAC ACL Configuration

Default

vlan-id - 0

priority - 1

user-priority - 0

Example

SEFOS(config-ext-macl)# permit host 00:11:22:33:44:55 any aarp priority 10

Notes

MAC access list must have been created.


Related Commands

21.1.18 deny - MAC ACL

Specifies the packets to be rejected based on the MAC address and the associated parameters.


deny {any | host src-mac-address}{any | host dest-mac-address} [aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-id | protocol_0-65535] [Vlan vlan-id_1-4094] [user-priority 0-7] [priority 1-7]


Syntax Description

any | host src-mac-address - Source MAC address to be matched with the packet.

any | host dest-mac-address - Destination MAC address to be matched with the packet.

aarp - Ethertype AppleTalk Address Resolution Protocol that maps a data-link address to a network address.

amber - EtherType DEC-Amber.

dec-spanning - EtherType Digital Equipment Corporation (DEC) spanning tree.

decnet-iv - EtherType DECnet Phase IV protocol.

diagnostic - EtherType DEC-Diagnostic.

dsm - EtherType DEC-DSM/DDP.

etype-6000 - EtherType 0x6000.

etype-8042 - EtherType 0x8042.

lat - EtherType DEC-LAT.

lavc-sca - EtherType DEC-LAVC-SCA.

mop-console - EtherType DEC-MOP Remote Console.

mop-dump - EtherType DEC-MOP Dump.

msdos - EtherType DEC-MSDOS.

mumps - EtherType DEC-MUMPS.

netbios - EtherType DEC- Network Basic Input/Output System (NETBIOS).

vines-echo - EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems.

vines-ip - EtherType VINES IP.

xns-id - EtherType Xerox Network Systems (XNS) protocol suite.

vlan - VLAN ID to be filtered. This value ranges between 1 and 4094.

user-priority - User priority or P-bit value to be matched with the packet. This value ranges between 0 and 7.


priority - Priority of the L2 filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

Note - The priority of ACL filters applied to the interface is based on the ACL numbers. The priority flag has no effect.

Mode

MAC ACL Configuration

Default

vlan-id - 0

priority - 1

user-priority - 0

Example

SEFOS(config-ext-macl)# deny any host 00:11:22:33:44:55 priority 200
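The following is an added example, not part of the SEFOS reference: a Python parser and matcher for the MAC ACL permit / deny rules in the two sections above, applied to an Ethernet frame header (source and destination MAC, EtherType, VLAN ID and P-bit). Only etype-6000 and etype-8042 are given numerically on the page; the EtherType values for the other protocol keywords are the registered values for those protocols and are an assumption of this example, as is reading an absent vlan or user-priority option as "match any". The rule strings used are the page's own examples plus one constructed rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# EtherType per keyword. etype-6000 / etype-8042 come from the page; the rest are the
# registered EtherTypes for the named protocols (assumption of this example).
ETHERTYPES: Dict[str, int] = {
    "aarp": 0x80F3, "amber": 0x6008, "dec-spanning": 0x8038, "decnet-iv": 0x6003,
    "diagnostic": 0x6005, "dsm": 0x8039, "etype-6000": 0x6000, "etype-8042": 0x8042,
    "lat": 0x6004, "lavc-sca": 0x6007, "mop-console": 0x6002, "mop-dump": 0x6001,
    "msdos": 0x8041, "mumps": 0x6009, "netbios": 0x8040, "vines-echo": 0x0BAF,
    "vines-ip": 0x0BAD, "xns-id": 0x0600,
}
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


@dataclass(frozen=True)
class MacRule:
    action: str                    # permit | deny
    src: Optional[str]             # normalised MAC, None = any
    dst: Optional[str]
    ethertype: Optional[int]       # None = any protocol
    vlan: Optional[int]            # None = any VLAN (page default vlan-id 0 read as "not set")
    user_priority: Optional[int]   # None = any P-bit value


def norm_mac(mac: str) -> str:
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac


def _parse_mac(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return norm_mac(tokens[1]), tokens[2:]
    raise ValueError(f"expected 'any' or 'host', got {tokens[0]!r}")


def _int_in(tok: str, lo: int, hi: int, what: str) -> int:
    v = int(tok)
    if not lo <= v <= hi:
        raise ValueError(f"{what} {v} outside {lo}-{hi}")
    return v


def parse_mac_rule(line: str) -> MacRule:
    """Parse '{permit|deny} {any|host MAC} {any|host MAC} [protocol] [vlan N] [user-priority N] [priority N]'."""
    tokens = line.split()
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action: {tokens[0]!r}")
    src, rest = _parse_mac(tokens[1:])
    dst, rest = _parse_mac(rest)
    ethertype = vlan = user_priority = None
    i = 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok in ETHERTYPES:
            ethertype, i = ETHERTYPES[tok], i + 1
        elif tok.isdigit():                      # protocol_0-65535 given numerically
            ethertype, i = _int_in(tok, 0, 65535, "protocol"), i + 1
        elif tok == "vlan":
            vlan, i = _int_in(rest[i + 1], 1, 4094, "vlan-id"), i + 2
        elif tok == "user-priority":
            user_priority, i = _int_in(rest[i + 1], 0, 7, "user-priority"), i + 2
        elif tok == "priority":
            # The page states the priority flag has no effect, and its own examples use
            # 10 and 200 outside the documented 1-7, so the value is read and ignored.
            int(rest[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported keyword: {rest[i]!r}")
    return MacRule(tokens[0], src, dst, ethertype, vlan, user_priority)


def frame_matches(rule: MacRule, src: str, dst: str, ethertype: int,
                  vlan: Optional[int] = None, user_priority: Optional[int] = None) -> bool:
    """True when every field the rule constrains agrees with the frame header."""
    if rule.src is not None and rule.src != norm_mac(src):
        return False
    if rule.dst is not None and rule.dst != norm_mac(dst):
        return False
    if rule.ethertype is not None and rule.ethertype != ethertype:
        return False
    if rule.vlan is not None and rule.vlan != vlan:
        return False
    if rule.user_priority is not None and rule.user_priority != user_priority:
        return False
    return True
```

Two details matter for a rule author: without a protocol keyword the rule matches every EtherType, so the page's deny example blocks all traffic to 00:11:22:33:44:55, and an IP ACL on the same Layer 2 port never sees those frames because, as the access-group notes state, non-IP traffic is filtered only by MAC ACLs.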

Notes

MAC access list must have been created.


Related Commands

21.1.19 permit - IPv6

Allows IPv6 packets to be forwarded based on protocol and associated parameters.


permit [{ospf | pim | protocol-type(0-255)}] {any | host src-ipv6-addr} [src-prefix-len(0-128)] {any | host dst-ipv6-addr} [dst-prefix-len(0-128)] [dscp value(0-63)] [flow-label value(0-1048575)] [priority value(1-7)] {[loadbalance lbg-id(1-16)] [redirectport interface-type interface-id] | [redirectslb slb_group_id]}


Syntax Description

ospf | pim | protocol-type(0-255) - Type of protocol for the IPv6 packet. The value can also be a protocol number. The protocol number ranges between 0 and 255.

any - Permits packets sent from or to any network or host.

host src-ipv6-addr - Permits only the packets sent from the network or host having the specified IPv6 address.

src-prefix-len - Prefix length to be combined with the IPv6 source address. Permits only the packets sent from the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

host dst-ipv6-addr - Permits only the packets sent to the network or host having the specified IPv6 address.

dst-prefix-len - Prefix length to be combined with the IPv6 destination address. Permits only the packets sent to the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

dscp - Differentiated services code point value that provides the quality of service control. This value ranges between 0 and 63.

flow-label - Flow label value to be matched with the packet. This value ranges between 0 and 1048575.

priority - Priority of the L3 filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between one and seven.

loadbalance - If permitted, the next action is to forward packets to an LBG specified by the LBG group number. LBG number has a range of values from 1 to 16.

redirectport - If permitted, the next action is to forward packets to a switch port specified by the interface-type and the interface-id.

redirectslb - If permitted, the next action is to route packets to an SLB group specified by the SLB group number. SLB group number has a range of values from 1 to 16.

Mode

IPv6 ACL Extended Configuration

Default

protocol-type - 255

dscp - 1

flow-label - 0

priority - 1

Example

SEFOS(config-ipv6-acl)# permit host 1111::2222 host FE80:0000:0000:0000:0202:B3FF:FE1E:8329


Related Commands

21.1.20 deny - IPv6

Blocks IPv6 packets based on protocol and associated parameters.


deny [{ospf | pim | protocol-type(0-255)}] {any | host src-ipv6-addr} [src-prefix-len(0-128)] {any | host dst-ipv6-addr} [dst-prefix-len(0-128)] [dscp value(0-63)] [flow-label value(0-1048575)] [priority value(1-7)]


Syntax Description

ospf | pim | protocol-type(0-255) - Type of protocol for the IPv6 packet. It can also be a protocol number. The protocol number ranges between 0 and 255.

any - Blocks packets sent from or to any network or host.

host src-ipv6-addr - Blocks only the packets sent from the network or host having the specified IPv6 address.

src-prefix-len - Prefix length to be combined with the IPv6 source address. Blocks only the packets sent from the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

host dst-ipv6-addr - Blocks only the packets sent to the network or host having the specified IPv6 address.

dst-prefix-len - Prefix length to be combined with the IPv6 destination address. Blocks only the packets sent to the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.


dscp - Differentiated services code point value that provides the quality of service control. This value ranges between 0 and 63.

flow-label - Flow label value to be matched with the packet. This value ranges between 0 and 1048575.

priority - Priority of the L3 filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

Mode

IPv6 ACL Extended Configuration

Default

protocol-type - 255

dscp - 1

flow-label - 0

priority - 1

Example

SEFOS(config-ipv6-acl)# deny host 1111::2222 host FE80:0000:0000:0000:0202:B3FF:FE1E:8329


Related Commands

21.1.21 permit tcp - IPv6

Allows IPv6 TCP packets based on associated parameters.


permit tcp {any | host src-ipv6-addr} [src-prefix-len(0-128)] [{gt port-number(1-65535) | lt port-number(1-65535) | eq port-number(1-65535) | range start-port-range(1-65535) end-port-range(1-65535)}] {any | host dst-ipv6-addr} [dst-prefix-len(0-128)] [{gt port-number(1-65535) | lt port-number(1-65535) | eq port-number(1-65535) | range start-port-range(1-65535) end-port-range(1-65535)}] [{ack | rst}] [{tos {max-reliability | max-throughput | min-delay | normal |value(0-7)} | dscp value(0-63)}] [flow-label value(0-1048575)] [priority value(1-7)] {[loadbalance lbg-id(1-16)] [redirectport interface-type interface-id] | [redirectslb slb_group_id]}


Syntax Description

any - Permits packets sent from or to any network or host.

host src-ipv6-addr - Permits only the packets sent from the network or host having the specified IPv6 address.

src-prefix-len - Prefix length to be combined with the IPv6 source address. Permits only the packets sent from the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

gt port-number(1-65535) - Matches the source or destination ports that are greater than the specified port. This value ranges between 1 and 65535.

lt port-number(1-65535) - Matches the source or destination ports that are less than the specified port. This value ranges between 1 and 65535.

eq port-number(1-65535) - Matches the specified source or destination port. This value ranges between 1 and 65535.

range start-port-range(1-65535) end-port-range(1-65535) - Matches the source or destination ports in the specified range (that is, inclusive of start and end ports). This value ranges between 1 and 65535.


host dst-ipv6-addr - Permits only the packets sent to the network or host having the specified IPv6 address.

dst-prefix-len - Prefix length to be combined with the IPv6 destination address. Permits only the packets sent to the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

ack - TCP ACK bit to be checked against the packet. It can be establish (1), non-establish (2) or any (3).

rst - TCP RST bit to be checked against the packet. It can be set (1), notset (2) or any (3).

tos - Type of service. Can be max-reliability, max-throughput, min-delay, normal or a value from 0 to 7.

dscp - Differentiated services code point value that provides the quality of service control. This value ranges between 0 and 63.

flow-label - Flow label value to be matched with the packet. This value ranges between 0 and 1048575.

priority - Priority of the filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

loadbalance - If permitted, the next action is to forward packets to an LBG specified by the LBG group number. LBG number has a range of values from 1 to 16.

redirectport - If permitted, the next action is to forward packets to a switch port specified by the interface-type and the interface-id.

redirectslb - If permitted, the next action is to route packets to an SLB group specified by the SLB group number. SLB group number has a range of values from 1 to 16.

Mode

IPv6 ACL Extended Configuration

Default

dscp - 1

flow-label - 0

priority - 1

Example

SEFOS(config-ipv6-acl)# permit tcp host 1111::2222 any range 400 500
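The following is an added example, not part of the SEFOS reference: a Python model of the IPv6 TCP and UDP rule syntax above, covering the host address with optional prefix length and the gt / lt / eq / range port operators (range inclusive of both ends, as the page states). It applies equally to the deny tcp, permit udp and deny udp forms, which share the same address and port syntax. Assumptions: the ack, rst, tos, dscp, flow-label, priority and loadbalance options are recognised only so that they can be skipped, and the second rule string below is constructed, not from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# trailing options that take one argument and are not modelled here
SKIPPED_WITH_ARG = {"tos", "dscp", "flow-label", "priority", "loadbalance"}


@dataclass(frozen=True)
class PortMatch:
    op: str          # gt | lt | eq | range
    a: int
    b: int = 0       # end of an inclusive range, used only when op == "range"

    def matches(self, port: int) -> bool:
        if self.op == "gt":
            return port > self.a
        if self.op == "lt":
            return port < self.a
        if self.op == "eq":
            return port == self.a
        return self.a <= port <= self.b


@dataclass(frozen=True)
class L4Rule:
    action: str
    proto: str                               # tcp | udp
    src: Optional[ipaddress.IPv6Network]     # None = any
    src_port: Optional[PortMatch]            # None = any port
    dst: Optional[ipaddress.IPv6Network]
    dst_port: Optional[PortMatch]


def _port(tok: str) -> int:
    v = int(tok)
    if not 1 <= v <= 65535:
        raise ValueError(f"port {v} outside 1-65535")
    return v


def _parse_endpoint(tokens: List[str]) -> Tuple[Optional[ipaddress.IPv6Network], Optional[PortMatch], List[str]]:
    """Consume '{any | host ADDR} [prefix-len] [gt|lt|eq N | range A B]'."""
    if tokens[0] == "any":
        net, rest = None, tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.IPv6Network(tokens[1] + "/128"), tokens[2:]
    else:
        raise ValueError(f"expected 'any' or 'host', got {tokens[0]!r}")
    if rest and rest[0].isdigit():                 # optional prefix length combined with the host address
        plen = int(rest[0])
        if net is None or not 0 <= plen <= 128:
            raise ValueError("prefix length needs a host address and must be 0-128")
        net = ipaddress.IPv6Network(f"{net.network_address}/{plen}", strict=False)
        rest = rest[1:]
    pm = None
    if rest and rest[0] in ("gt", "lt", "eq"):
        pm, rest = PortMatch(rest[0], _port(rest[1])), rest[2:]
    elif rest and rest[0] == "range":
        lo, hi = _port(rest[1]), _port(rest[2])
        if lo > hi:
            raise ValueError("range start must not exceed end")
        pm, rest = PortMatch("range", lo, hi), rest[3:]
    return net, pm, rest


def parse_l4_rule(line: str) -> L4Rule:
    """Parse '{permit|deny} {tcp|udp} <src endpoint> <dst endpoint> [options]'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
        raise ValueError(f"not a tcp/udp rule: {line!r}")
    src, sport, rest = _parse_endpoint(tokens[2:])
    dst, dport, rest = _parse_endpoint(rest)
    i = 0
    while i < len(rest):                          # trailing options are accepted but not modelled
        if rest[i] in ("ack", "rst"):
            i += 1
        elif rest[i] in SKIPPED_WITH_ARG:
            i += 2
        else:
            raise ValueError(f"unsupported option: {rest[i]!r}")
    return L4Rule(action, proto, src, sport, dst, dport)


def packet_matches(rule: L4Rule, src: str, dst: str, sport: int, dport: int) -> bool:
    """True when the addresses and ports of a packet of the rule's protocol satisfy the rule."""
    if rule.src is not None and ipaddress.IPv6Address(src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.IPv6Address(dst) not in rule.dst:
        return False
    if rule.src_port is not None and not rule.src_port.matches(sport):
        return False
    if rule.dst_port is not None and not rule.dst_port.matches(dport):
        return False
    return True


PAGE_RULE = parse_l4_rule("permit tcp host 1111::2222 any range 400 500")
# constructed rule: a /64 source with an ephemeral-port condition, destination port 53
SUBNET_RULE = parse_l4_rule("deny udp host 2001:db8:1::5 64 gt 1023 any eq 53")
```

Note the position-dependence of the port operator: in the page's example the range applies to the destination port because it follows the destination endpoint; written before the destination endpoint it would constrain the source port instead, which is an easy way to end up with a rule that matches nothing.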


Related Commands

21.1.22 deny tcp - IPv6

Blocks IPv6 TCP packets based on associated parameters.


deny tcp {any | host src-ipv6-addr} [src-prefix-len(0-128)] [{gt port-number(1-65535) | lt port-number(1-65535) | eq port-number(1-65535) | range start-port-range(1-65535) end-port-range(1-65535)}] {any | host dst-ipv6-addr} [dst-prefix-len(0-128)] [{gt port-number(1-65535) | lt port-number(1-65535) | eq port-number(1-65535) | range start-port-range(1-65535) end-port-range(1-65535)}] [{ ack | rst}] [{tos {max-reliability | max-throughput | min-delay | normal | value(0-7)} | dscp value(0-63)} ] [flow-label value(0-1048575)] [priority value(1-7)]


Syntax Description

any - Blocks packets sent from or to any network or host.

host src-ipv6-addr - Blocks only the packets sent from the network or host having the specified IPv6 address.

src-prefix-len - Prefix length to be combined with the IPv6 source address. Blocks only the packets sent from the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

gt port-number(1-65535) - Matches the source or destination ports that are greater than the specified port. This value ranges between 1 and 65535.

lt port-number(1-65535) - Matches the source or destination ports that are less than the specified port. This value ranges between 1 and 65535.

eq port-number(1-65535) - Matches the specified source or destination port. This value ranges between 1 and 65535.

range start-port-range(1-65535) end-port-range(1-65535) - Matches the source or destination ports in the specified range (that is, inclusive of start and end ports). This value ranges between 1 and 65535.


host dst-ipv6-addr - Blocks only the packets sent to the network or host having the specified IPv6 address.

dst-prefix-len - Prefix length to be combined with the IPv6 destination address. Blocks only the packets sent to the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

ack - TCP ACK bit to be checked against the packet. It can be establish (1), non-establish (2) or any (3).

rst - TCP RST bit to be checked against the packet. It can be set (1), notset (2) or any (3).

tos - Type of service. Can be max-reliability, max-throughput, min-delay, normal or a value from 0 to 7.

dscp - Differentiated services code point value that provides the quality of service control. This value ranges between 0 and 63.

flow-label - Flow label value to be matched with the packet. This value ranges between 0 and 1048575.

priority - Priority of the filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

Mode

IPv6 ACL Extended Configuration

Default

dscp - 1

flow-label - 0

priority - 1

Example

SEFOS(config-ipv6-acl)# deny tcp host 1111::2222 any range 400 500


Related Commands

21.1.23 permit udp - IPv6

Allows IPv6 UDP packets based on associated parameters.


permit udp {any | host src-ipv6-addr} [src-prefix-len(0-128)] [{gt port-number(1-65535) | lt port-number(1-65535) | eq port-number(1-65535) | range start-port-range(1-65535) end-port-range(1-65535)}] {any | host dst-ipv6-addr} [dst-prefix-len(0-128)] [{gt port-number(1-65535) | lt port-number(1-65535) | eq port-number(1-65535) | range start-port-range(1-65535) end-port-range(1-65535)}] [dscp value(0-63)] [flow-label value(0-1048575)] [priority value(1-7)] {[loadbalance lbg-id(1-16)] [redirectport interface-type interface-id] | [redirectslb slb_group_id]}


Syntax Description

any - Permits packets sent from or to any network or host.

host src-ipv6-addr - Permits only the packets sent from the network or host having the specified IPv6 address.

src-prefix-len - Prefix length to be combined with the IPv6 source address. Permits only the packets sent from the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

gt port-number(1-65535) - Matches the source or destination ports that are greater than the specified port. This value ranges between 1 and 65535.

lt port-number(1-65535) - Matches the source or destination ports that are less than the specified port. This value ranges between 1 and 65535.

eq port-number(1-65535) - Matches the specified source or destination port. This value ranges between 1 and 65535.

range start-port-range(1-65535) end-port-range(1-65535) - Matches the source or destination ports in the specified range(that is, inclusive of start and end ports). This value ranges between 1 and 65535.

host dst-ipv6-addr - Permits only the packets sent to the network or host having the specified IPv6 address.

dst-prefix-len - Prefix length to be combined with the IPv6 destination address. Permits only the packets sent to the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

dscp - Differentiated services code point value that provides the quality of service control. This value ranges between 0 and 63.

flow-label - Flow label value to be matched with the packet. This value ranges between 0 and 1048575.

priority - Priority of the filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

loadbalance - If permitted, the next action is to forward packets to an LBG specified by the LBG group number. LBG number has a range of values from 1 to 16.

redirectport - If permitted, the next action is to forward packets to a switch port specified by the interface-type and the interface-id.

redirectslb - If permitted, the next action is to route packets to an SLB group specified by the SLB group number. SLB group number has a range of values from 1 to 16.

Mode

IPv6 ACL Extended Configuration

Default

dscp - 1

flow-label - 0

priority - 1

Example

SEFOS(config-ipv6-acl)# permit udp host 1111::2222 any range 400 500


Related Commands

21.1.24 deny udp - IPv6

Blocks IPv6 UDP packets based on associated parameters.


deny udp {any | host src-ipv6-addr} [src-prefix-len(0-128)] [{gt port-number(1-65535) | lt port-number(1-65535) | eq port-number(1-65535) | range start-port-range(1-65535) end-port-range(1-65535)}] {any | host dst-ipv6-addr} [dst-prefix-len(0-128)] [{gt port-number(1-65535) | lt port-number(1-65535) | eq port-number(1-65535) | range start-port-range(1-65535) end-port-range(1-65535)}] [dscp value(0-63)] [flow-label value(0-1048575)] [priority value(1-7)]


Syntax Description

any - Blocks packets sent from or to any network or host.

host src-ipv6-addr - Blocks only the packets sent from the network or host having the specified IPv6 address.

src-prefix-len - Prefix length to be combined with the IPv6 source address. Blocks only the packets sent from the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

gt port-number(1-65535) - Matches the source or destination ports that are greater than the specified port. This value ranges between 1 and 65535.

lt port-number(1-65535) - Matches the source or destination ports that are less than the specified port. This value ranges between 1 and 65535.

eq port-number(1-65535) - Matches the specified source or destination port. This value ranges between 1 and 65535.

range start-port-range(1-65535) end-port-range(1-65535) - Matches the source or destination ports in the specified range (that is, inclusive of start and end ports). This value ranges between 1 and 65535.

host dst-ipv6-addr - Blocks only the packets sent to the network or host having the specified IPv6 address.

dst-prefix-len - Prefix length to be combined with the IPv6 destination address. Blocks only the packets sent to the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

dscp - Differentiated services code point value that provides the quality of service control. This value ranges between 0 and 63.

flow-label - Flow label value to be matched with the packet. This value ranges between 0 and 1048575.

priority - Priority of the filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

Mode

IPv6 ACL Extended Configuration

Default

dscp - 1

flow-label - 0

priority - 1

Example

SEFOS(config-ipv6-acl)# deny udp host 1111::2222 any range 400 500


Related Commands

21.1.25 permit icmp - IPv6

Allows the ICMPv6 packets based on the associated parameters.


permit icmp {any | host src-ipv6-addr} [src-prefix-len(0-128)] {any | host dst-ipv6-addr} [dst-prefix-len(0-128)] [message-type(0-255)] [message-code(0-255)] [dscp value(0-63)] [flow-label value(0-1048575)] [priority value(1-7)]


Syntax Description

any - Permits packets sent from or to any network or host.

host src-ipv6-addr - Permits only the packets sent from the network or host having the specified IPv6 address.

src-prefix-len - Prefix length to be combined with the IPv6 source address. Permits only the packets sent from the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

host dst-ipv6-addr - Permits only the packets sent to the network or host having the specified IPv6 address.

dst-prefix-len - Prefix length to be combined with the IPv6 destination address. Permits only the packets sent to the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

message-type - Message type. The ICMP message type can be one of the following:

Value  ICMP type
0      Echo reply
3      Destination unreachable
4      Source quench
5      Redirect
8      Echo request
11     Time exceeded
12     Parameter problem
13     Timestamp request
14     Timestamp reply
15     Information request
16     Information reply
17     Address mask request
18     Address mask reply
155    No ICMP type

message-code - ICMP message code. The ICMP code can be any of the following:

Value  ICMP code
0      Network unreachable
1      Host unreachable
2      Protocol unreachable
3      Port unreachable
4      Fragment need
5      Source route fail
6      Destination network unknown
7      Destination host unknown
8      Source host isolated
9      Destination network administratively prohibited
10     Destination host administratively prohibited
11     Network unreachable TOS
12     Host unreachable TOS
255    No ICMP code

dscp - Differentiated services code point value that provides the quality of service control. This value ranges between 0 and 63.

flow-label - Flow label value to be matched with the packet. This value ranges between 0 and 1048575.

priority - Priority of the filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

Mode

IPv6 ACL Extended Configuration

Default

dscp - 1

flow-label - 0

priority - 1

Example

SEFOS(config-ipv6-acl)# permit icmp host 1111::2222 host FE80:0000:0000:0000:0202:B3FF:FE1E:8329


Related Commands

21.1.26 deny icmp - IPv6

Blocks the ICMPv6 packets based on the associated parameters.


deny icmp {any | host src-ipv6-addr} [src-prefix-len(0-128)] {any | host dst-ipv6-addr} [dst-prefix-len(0-128)] [message-type(0-255)] [message-code(0-255)] [dscp value(0-63)] [flow-label value(0-1048575)] [priority value(1-7)]


Syntax Description

any - Blocks packets sent from or to any network or host.

host src-ipv6-addr - Blocks only the packets sent from the network or host having the specified IPv6 address.

src-prefix-len - Prefix length to be combined with the IPv6 source address. Blocks only the packets sent from the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

host dst-ipv6-addr - Blocks only the packets sent to the network or host having the specified IPv6 address.

dst-prefix-len - Prefix length to be combined with the IPv6 destination address. Blocks only the packets sent to the network or host having the specified IPv6 address and prefix length. This value ranges between 0 and 128.

message-type - Message type. The ICMP message type can be one of the following:

Value  ICMP type
0      Echo reply.
3      Destination unreachable.
4      Source quench.
5      Redirect.
8      Echo request.
11     Time exceeded.
12     Parameter problem.
13     Timestamp request.
14     Timestamp reply.
15     Information request.
16     Information reply.
17     Address mask request.
18     Address mask reply.
155    No ICMP type.

message-code - ICMP message code. The ICMP code can be any of the following:

Value  ICMP code
0      Network unreachable.
1      Host unreachable.
2      Protocol unreachable.
3      Port unreachable.
4      Fragment need.
5      Source route fail.
6      Destination network unknown.
7      Destination host unknown.
8      Source host isolated.
9      Destination network administratively prohibited.
10     Destination host administratively prohibited.
11     Network unreachable TOS.
12     Host unreachable TOS.
255    No ICMP code.

dscp - Differentiated services code point value that provides the quality of service control. This value ranges between 0 and 63.

flow-label - Flow label value to be matched with the packet. This value ranges between 0 and 1048575.

priority - Priority of the filter. This is used to decide which filter rule is applicable when the packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges between 1 and 7.

Mode

IPv6 ACL Extended Configuration

Default

dscp - 1

flow-label - 0

priority - 1

Example

SEFOS(config-ipv6-acl)# deny icmp host 1111::2222 host FE80:0000:0000:0000:0202:B3FF:FE1E:8329


Related Commands

21.1.27 show access-lists

Displays the access lists configuration.


show access-lists [[{ip | mac}] access-list-number(1-512)]


Syntax Description

ip - IP access list

mac - MAC access list

Mode

Privileged/User EXEC

Example

SEFOS# show access-lists


EIP ACCESS LISTS

-----------------


Standard IP Access List 34

----------------------------

IP address Type : IPV4

Source IP address : 172.30.3.134

Source IP address mask : 255.255.255.255

Source IP Prefix Length : 32

Destination IP address : 0.0.0.0

Destination IP address mask : 0.0.0.0

Destination IP Prefix Length : 0

Flow Identifier : 0

In Port List : NIL

Out Port List : NIL

Filter Action : Deny

Status : InActive


Extended IP Access List 1002

-----------------------------

Filter Priority : 1

Filter Protocol Type : ANY

IP address Type : IPV4

Source IP address : 0.0.0.0

Source IP address mask : 0.0.0.0

Source IP Prefix Length : 0

Destination IP address : 0.0.0.0

Destination IP address mask : 0.0.0.0

Destination IP Prefix Length : 0

Flow Identifier : 0

In Port List : NIL

Out Port List : NIL

Filter TOS : NIL

Filter DSCP : NIL

Filter Action : Permit

Status : InActive


Extended IP Access List 10022

-----------------------------

Filter Priority : 1

Filter Protocol Type : ANY

IP address Type : IPV4

Source IP address : 0.0.0.0

Source IP address mask : 0.0.0.0

Source IP Prefix Length : 0

Destination IP address : 0.0.0.0

Destination IP address mask : 0.0.0.0

Destination IP Prefix Length : 0

Flow Identifier : 0

In Port List : NIL

Out Port List : NIL

Filter TOS : NIL

Filter DSCP : NIL

Filter Action : Permit

Status : InActive


MAC ACCESS LISTS

-----------------


No MAC Access Lists have been configured
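The following is an added example, not part of the SEFOS reference: a Python parser for the show access-lists output above, with two audit checks a reviewer of a switch configuration would want. The embedded sample is the page's own output, abridged to access lists 34 and 1002 (10022 repeats 1002). The first check reports lists whose In Port List and Out Port List are both NIL, which the output marks InActive: they are defined but bound to no interface by ip access-group or mac access-group, so the deny in list 34 is not being enforced anywhere. The second reports extended lists that permit any protocol between any source and any destination. The field names are taken from the output as printed; the interpretation of NIL as "no binding" is an assumption of this example.

```python
import re
from typing import Dict, List

HEADER_RE = re.compile(r"^(Standard|Extended) (IP|MAC) Access List (\d+)$")

# The page's own "show access-lists" output, abridged (list 10022 omitted)
SAMPLE = """\
EIP ACCESS LISTS
-----------------

Standard IP Access List 34
----------------------------
IP address Type : IPV4
Source IP address : 172.30.3.134
Source IP address mask : 255.255.255.255
Source IP Prefix Length : 32
Destination IP address : 0.0.0.0
Destination IP address mask : 0.0.0.0
Destination IP Prefix Length : 0
Flow Identifier : 0
In Port List : NIL
Out Port List : NIL
Filter Action : Deny
Status : InActive

Extended IP Access List 1002
-----------------------------
Filter Priority : 1
Filter Protocol Type : ANY
IP address Type : IPV4
Source IP address : 0.0.0.0
Source IP address mask : 0.0.0.0
Source IP Prefix Length : 0
Destination IP address : 0.0.0.0
Destination IP address mask : 0.0.0.0
Destination IP Prefix Length : 0
Flow Identifier : 0
In Port List : NIL
Out Port List : NIL
Filter TOS : NIL
Filter DSCP : NIL
Filter Action : Permit
Status : InActive

MAC ACCESS LISTS
-----------------

No MAC Access Lists have been configured
"""


def parse_show_access_lists(text: str) -> List[Dict[str, object]]:
    """One dict per access list: kind, family, number, plus every 'Key : Value' field below its header."""
    acls: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # blank lines and dash underlines
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group(1), "family": m.group(2), "number": int(m.group(3))}
            acls.append(current)
            continue
        if current is not None and " : " in line:
            key, _, value = line.partition(" : ")
            current[key.strip()] = value.strip()
    return acls


def unbound_acls(acls: List[Dict[str, object]]) -> List[int]:
    """Lists bound to no port in either direction: they filter nothing until applied."""
    return [a["number"] for a in acls
            if a.get("In Port List") == "NIL" and a.get("Out Port List") == "NIL"]


def wide_open_permits(acls: List[Dict[str, object]]) -> List[int]:
    """Extended lists that permit any protocol from any source to any destination."""
    return [a["number"] for a in acls
            if a["kind"] == "Extended"
            and a.get("Filter Action") == "Permit"
            and a.get("Filter Protocol Type") == "ANY"
            and a.get("Source IP address mask") == "0.0.0.0"
            and a.get("Destination IP address mask") == "0.0.0.0"]


if __name__ == "__main__":
    parsed = parse_show_access_lists(SAMPLE)
    print("unbound:", unbound_acls(parsed))          # [34, 1002]
    print("permit any/any:", wide_open_permits(parsed))   # [1002]
```

Because a higher-numbered list only takes effect when no lower-numbered list on the same interface matches (the page states precedence follows the ACL number), a permit-any list such as 1002 is harmless on its own, but once bound to a port it neutralises every deny list with a higher number on that port, which is why the two checks are worth running together.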


Related Commands
