Access Control List Commands (XGS)
This chapter is a reference for the Access Control List (ACL) commands for XGS devices (Trident II, Trident II+, and Tomahawk):
access-list logging cache-size
Use this command to set the ACL logging table size.
Use the no form of this command to set the table size to its default (1000).
Command Syntax
access-list logging cache-size <1000-10000>
no access-list logging cache-size
Parameters
<1000-10000>
Maximum number of cache entries
Default
By default, the logging table size is 1000.
Command Mode
Configuration mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#access-list logging cache-size 2000
(config)#end
access-list logging rate-limit
Use this command to set the rate limit for logging ACL denied packets.
Use the no form of this command to reset the rate to its default (200).
Command Syntax
access-list logging rate-limit <0-1000>
no access-list logging rate-limit
Parameters
<0-1000>
Packets per second
Default
By default, the rate is 200 packets per second.
Command Mode
Configuration mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#access-list logging rate-limit 500
(config)#end
arp access-group
Use this command to attach an ARP access list to an interface to filter incoming ARP packets.
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.
Use the no form of this command to detach an ARP access group.
Note: To attach an ARP access-group to an interface, the ingress-arp TCAM group should be enabled. See the hardware-profile filter (XGS) command for more details.
Command Syntax
arp access-group NAME in
no arp access-group NAME in
Parameters
NAME
ARP Access list name
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Example
#configure terminal
(config)#arp access-list ARP_ACL1
(config-arp-acl)#exit
(config)#interface xe1
(config-if)#arp access-group ARP_ACL1 in
(config-if)#no arp access-group ARP_ACL1 in
arp access-list
Use this command to define a named ARP access control list (ACL) that determines whether to accept or drop an incoming ARP packet based on the sender or target IP address, the sender or target MAC address, and the ARP type.
An ACL is made up of one or more ACL specifications.
Each packet that arrives at the device is compared to each specification in each ACL in the order that they are sequenced. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently occurring specifications at the top of the list.
The device stops checking the specifications after a match occurs.
There is an implied deny specification for traffic that is not permitted. The implied specification can be updated to permit if the use-case is to deny a certain set of ARP traffic.
Use the no form of this command to remove an ACL specification.
Command Syntax
arp access-list NAME
no arp access-list NAME
Parameters
NAME
ARP Access list name
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Example
#configure terminal
(config)#arp access-list ARP_ACL1
(config-arp-acl)#exit
(config)#no arp access-list ARP_ACL1
arp access-list filter
Use this command to configure an access control entry in an ARP access control list (ACL).
The entry determines whether to accept or drop an ARP packet based on the configured match criteria. Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or a different action updates the sequence number or the action of the existing entry.
Command Syntax
(<1-268435453>|)(deny|permit) (request |) ip (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) mac (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
no (<1-268435453>|)(deny|permit) (request |) ip (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) mac (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
Parameters
deny
Drop the packet.
permit
Accept the packet.
<1-268435453>
ARP ACL sequence number.
request
ARP request type.
A.B.C.D/M
Source IP prefix and length.
A.B.C.D A.B.C.D
Source IP address and mask.
host A.B.C.D
Single source host IP address.
any
Match any source IP address.
any
Match any source/destination MAC address.
XX-XX-XX-XX-XX-XX
Source MAC address (Option 1).
XX:XX:XX:XX:XX:XX
Source MAC address (Option 2).
XXXX.XXXX.XXXX
Source MAC address (Option 3).
XX-XX-XX-XX-XX-XX
Source wildcard (Option 1).
XX:XX:XX:XX:XX:XX
Source wildcard (Option 2).
XXXX.XXXX.XXXX
Source wildcard (Option 3).
vlan <1-4094>
VLAN identifier.
inner-vlan <1-4094>
Inner VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Example
#configure terminal
(config)#arp access-list ARP_ACL1
(config-arp-acl)#15 permit ip host 2.2.2.1 mac any inner-vlan 3
(config-arp-acl)#no 15
arp access-list remark
Use this command to add a description to a named ARP access control list (ACL).
Use the no form of this command to remove an ACL description.
Command Syntax
remark LINE
no remark
Parameters
LINE
ACL description up to 100 characters.
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Example
#configure terminal
(config)#arp access-list arplist
(config-arp-acl)#remark permit the selected arp entries
(config-arp-acl)#exit
(config)#arp access-list arplist
(config-arp-acl)#no remark
(config-arp-acl)#exit
arp access-list resequence
Use this command to modify the sequence numbers of an ARP access list.
Note: IP Infusion Inc. recommends using a non-overlapping sequence space for the new sequence numbers, to avoid unexpected rule matches during the transition.
Command Syntax
resequence <1-268435453> INCREMENT
Parameters
<1-268435453>
Starting sequence number.
INCREMENT
Sequence number increment steps.
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Example
#configure terminal
(config)#arp access-list arplist
(config-arp-acl)#resequence 5 5
(config-arp-acl)#end
arp access-list response
Use this command to configure an ARP access control entry in an ARP access control list (ACL). This determines whether to accept or drop an ARP response packet based on the configured match criteria.
Use the no form of this command to remove an ACL specification.
Command Syntax
(<1-268435453>|)(deny|permit) response ip (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) mac (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
no (<1-268435453>|)(deny|permit) response ip (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) mac (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
Parameters
deny
Drop the packet.
permit
Accept the packet.
<1-268435453>
ARP ACL sequence number.
response
ARP reply type.
A.B.C.D/M
Source/Destination IP prefix and length.
A.B.C.D A.B.C.D
Source/Destination IP address and mask.
host A.B.C.D
A single source/destination host IP address.
any
Match any source/destination IP address.
any
Match any source/destination MAC address.
XX-XX-XX-XX-XX-XX
Source/Destination MAC address (Option 1).
XX:XX:XX:XX:XX:XX
Source/Destination MAC address (Option 2).
XXXX.XXXX.XXXX
Source/Destination MAC address (Option 3).
XX-XX-XX-XX-XX-XX
Source/Destination wildcard (Option 1).
XX:XX:XX:XX:XX:XX
Source/Destination wildcard (Option 2).
XXXX.XXXX.XXXX
Source/Destination wildcard (Option 3).
vlan <1-4094>
VLAN identifier.
inner-vlan <1-4094>
Inner VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Example
#configure terminal
(config)#arp access-list ARP_ACL1
(config-arp-acl)#50 permit response ip host 2.2.2.1 any mac any any vlan 2
(config-arp-acl)#no 50 permit response ip host 2.2.2.1 any mac any any vlan 2
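The request and response filter forms above, together with the evaluation order stated under arp access-list (entries tried in ascending sequence order, the first match decides, an implied deny at the end of the list), can be modelled directly. The following Python is an added example written for this page, not OcNOS code. It parses filter lines in the page's syntax (the three MAC notations, the host/any/prefix/wildcard address forms, vlan and inner-vlan) and evaluates constructed ARP packets against them. Assumptions the page does not state: wildcard bits set to 1 are "don't care" bits; an entry entered without a sequence number is given the highest existing number plus 10; the second MAC specification after mac may be omitted (the 15 permit ... mac any example above gives only one) and then defaults to any; and the Match, ArpEntry and ArpAcl names are this example's own.

```python
# ARP ACL matching as the reference describes it: first match in ascending sequence
# order decides, unmatched packets hit the implied deny.  Written for this page, not
# OcNOS code.  Assumptions: wildcard 1-bits mean "don't care"; an entry without a
# sequence number gets highest+10; the second MAC spec after "mac" is optional.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The three CLI notations: XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, XXXX.XXXX.XXXX
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I)

def ip(s: str) -> int: return int(ipaddress.IPv4Address(s))

def parse_mac(text: str) -> int:
    """Normalise any of the three notations to a 48-bit integer."""
    if not MAC_RE.match(text):
        raise ValueError(f"unrecognised MAC notation: {text}")
    return int(re.sub(r"[-:.]", "", text), 16)

@dataclass(frozen=True)
class Match:
    value: int
    wildcard: int        # 1-bits are ignored when comparing (assumption)
    width: int           # 32 for IPv4, 48 for MAC

    def matches(self, x: int) -> bool:
        return (x ^ self.value) & ~self.wildcard & ((1 << self.width) - 1) == 0

def _take(t, i, conv, width):
    """Consume any | host X | X WILDCARD (plus A.B.C.D/M for IP); return (Match, next index)."""
    full = (1 << width) - 1
    if t[i] == "any":
        return Match(0, full, width), i + 1
    if t[i] == "host":
        return Match(conv(t[i + 1]), 0, width), i + 2
    if width == 32 and "/" in t[i]:
        net = ipaddress.IPv4Network(t[i], strict=False)
        return Match(int(net.network_address), int(net.hostmask), 32), i + 1
    return Match(conv(t[i]), conv(t[i + 1]), width), i + 2

@dataclass
class ArpEntry:
    seq: int
    action: str
    op: Optional[str]    # "request", "response" or None (either)
    sender_ip: Match
    target_ip: Match
    sender_mac: Match
    target_mac: Match
    vlan: Optional[int] = None
    inner_vlan: Optional[int] = None

    def matches(self, op, sender_ip, target_ip, sender_mac, target_mac, vlan=None, inner_vlan=None):
        return ((self.op is None or self.op == op)
                and self.sender_ip.matches(ip(sender_ip)) and self.target_ip.matches(ip(target_ip))
                and self.sender_mac.matches(parse_mac(sender_mac)) and self.target_mac.matches(parse_mac(target_mac))
                and (self.vlan is None or self.vlan == vlan)
                and (self.inner_vlan is None or self.inner_vlan == inner_vlan))

def parse_entry(line: str, default_seq: int) -> ArpEntry:
    t = line.split()
    seq, i = (int(t[0]), 1) if t[0].isdigit() else (default_seq, 0)
    action, i = t[i], i + 1
    op, i = (t[i], i + 1) if t[i] in ("request", "response") else (None, i)
    assert t[i] == "ip", "expected 'ip'"
    sender_ip, i = _take(t, i + 1, ip, 32)
    target_ip = Match(0, 0xFFFFFFFF, 32)
    if op == "response":                       # the response form also carries a target IP spec
        target_ip, i = _take(t, i, ip, 32)
    sender_mac, i = _take(t, i + 1, parse_mac, 48)   # t[i] is the "mac" keyword
    target_mac = Match(0, (1 << 48) - 1, 48)
    if i < len(t) and (t[i] in ("any", "host") or MAC_RE.match(t[i])):
        target_mac, i = _take(t, i, parse_mac, 48)
    e = ArpEntry(seq, action, op, sender_ip, target_ip, sender_mac, target_mac)
    while i < len(t):                          # optional trailing keywords
        if t[i] in ("vlan", "inner-vlan"):
            setattr(e, t[i].replace("-", "_"), int(t[i + 1]))
            i += 2
        elif t[i] in ("log", "sample"):        # accepted; no effect on matching
            i += 1
        else:
            raise ValueError(f"unexpected token {t[i]!r}")
    return e

class ArpAcl:
    def __init__(self, name: str):
        self.name, self.entries = name, {}

    def add(self, line: str) -> ArpEntry:
        e = parse_entry(line, max(self.entries, default=0) + 10)
        self.entries[e.seq] = e                # same sequence number again: entry is updated
        return e

    def evaluate(self, **packet):
        # (sequence, action) of the first match in sequence order, else (None, "deny")
        for seq in sorted(self.entries):
            if self.entries[seq].matches(**packet):
                return seq, self.entries[seq].action
        return None, "deny"                    # implied deny at the end of the list
```

Feeding the two example lines from this page into ArpAcl.add and then evaluating a request that carries inner VLAN 3 returns entry 15; the same request without the inner tag falls through every entry and lands on the implied deny, which is the behaviour the text describes for traffic that nothing permits.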
clear access-list
Use this command to clear the access-list counters.
Command Syntax
clear access-list (NAME|) counters
Parameters
NAME
Access-list name.
Command Mode
Exec mode and Privilege exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear access-list counters
clear access-list log-cache
Use this command to clear the access-list logging table.
Command Syntax
clear access-list log-cache
Parameters
None
Command Mode
Exec mode and Privilege exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear access-list log-cache
clear arp access-list
Use this command to clear the ARP access-list counters.
Command Syntax
clear arp access-list (NAME|) counters
Parameters
NAME
ARP access list name
Command Mode
Exec mode and privileged exec mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Example
#clear arp access-list counters
clear ip access-list
Use this command to clear the IP access-list counters.
Command Syntax
clear ip access-list (NAME|) counters
Parameters
NAME
Access-list name.
Command Mode
Exec mode and Privilege exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear ip access-list counters
clear ipv6 access-list
Use this command to clear the IPv6 access-list counters.
Command Syntax
clear ipv6 access-list (NAME|) counters
Parameters
NAME
Access-list name.
Command Mode
Exec mode and Privilege exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear ipv6 access-list counters
clear mac access-list
Use this command to clear the MAC access-list counters.
Command Syntax
clear mac access-list (NAME|) counters
Parameters
NAME
Access-list name.
Command Mode
Exec mode and Privilege exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear mac access-list counters
ip access-group
Use this command to attach an IP access list to an interface or terminal line to filter incoming or outgoing IP packets.
The time-range parameter is optional. If used, the access-group is tied to the timer specified.
After an access-group has been configured with a time-range, use the no form of this command with the time-range parameter to detach the access-group from the time-range, as shown in the syntax and examples below.
To delete the access-group, use the no form of this command without a time-range.
Note: An egress IP ACL is supported on physical and LAG interfaces only. An egress IP ACL matches only routed traffic, not switched traffic. The VLAN and inner-VLAN options in ACL rules match the VLANs of the incoming packet even when the ACL is attached at egress.
Egress TCAMs do not auto-expand beyond 256 entries if any entry includes a policer action. Therefore, the total number of configurable entries in the egress direction is limited to 256.
Command Syntax
ip access-group NAME (in|out) (time-range TR_NAME|)
no ip access-group NAME (in|out) (time-range TR_NAME|)
Parameters
NAME
Access list name.
in
Filter incoming packets
out
Filter outgoing packets.
TR_NAME
Name of the time range to which the access-group is tied.
Command Mode
Line mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS-SP version 5.0.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#permit ip any any
(config-ip-acl)#exit
(config)#hardware-profile filter ingress-ipv4-ext enable
(config)#interface xe3
(config-if)#ip access-group mylist in
(config-if)#exit
(config)#interface xe3
(config-if)#no ip access-group mylist in time-range TIMER1
(config-if)#exit
(config)#line vty
(config-all-line)#no ip access-group mylist in
Usage: VLANs and LAGs
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.
Usage: TCAM Groups
An access-group in the egress direction uses the same TCAM group as the QoS output service policy. Therefore, actions are unpredictable when conflicting matches are configured on the same interface. IP Infusion Inc. recommends avoiding such a configuration. Otherwise, you need to configure the priority (in QoS) or the sequence number (in ACL) carefully to handle such cases.
To attach an IP ACL in the ingress direction, ensure the ingress-ipv4 TCAM group is enabled. See the hardware-profile filter (XGS) commands for details.
Usage: Loopback and VTY Interfaces
You can create ACLs for loopback (inband) and VTY interfaces to protect management applications such as SSH, Telnet, NTP, SNMP, and SNMP traps. Filtering of TCP, UDP, and ICMP is supported.
Note: Loopback and VTY ACLs are mutually exclusive. If you set up one, you cannot set up the other.
For an ACL for a loopback interface, you create the ACL, configure it with rules, and associate the ACL with a loopback interface:
...
(config)#interface lo
(config-if)#ip access-group loopback in
For an ACL for VTY, you create the ACL, configure it with rules, and associate the ACL to the terminal line in line mode:
...
(config)#line vty
(config-all-line)#ip access-group vty in
Loopback and VTY ACLs do not support the following:
• The default deny-all rule. You must explicitly configure a deny-all rule based on your requirements.
• VLAN-specific rules.
• Rules with TCP flags.
• Rules with dscp, fragments, log, precedence, and sample parameters.
Usage: Timed ACL on interfaces
You create a timer range that is identified by a name and configured with a start time, end time, and frequency. Once you create the time range, you can tie the ACL configuration to the time-range object. This allows you to create an access group that is enabled when the timer has started and disabled when the timer ends. You can also disassociate an access group from the timer if needed.
ip access-list
Use this command to define a named access control list (ACL) that determines whether to accept or drop an incoming IP packet based on specifications configured under the ACL. An ACL is made up of one or more ACL specifications.
Each packet that arrives at the device is compared to each specification in each ACL in the order that they are defined. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently occurring specifications at the top of the list.
The device stops checking the specifications after a match occurs.
There is an implied deny specification for traffic that is not permitted. The implied specification can be changed to permit if the use case is to deny a certain set of traffic.
Use the no form of this command to remove an ACL.
Command Syntax
ip access-list NAME
no ip access-list NAME
Parameters
NAME
Access-list name.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-acl-01
ip access-list default
Use this command to modify the action of the default rule of an access-list. The default rule applies only when the access-list is attached to an interface. It has the lowest priority: only IP packets that match none of the user-defined rules match the default rule.
Command Syntax
default (deny-all|permit-all) (log|) (sample|)
Parameters
deny-all
Drop all packets.
permit-all
Accept all packets.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-acl-01
(config-ip-acl)#default permit-all sample
ip access-list filter
Use this command to configure an access control entry in an access control list (ACL).
The entry determines whether to accept or drop an IP packet based on the configured match criteria.
Use the no form of this command to remove an ACL specification. A specification can also be removed by giving only its sequence number.
Note: Configuring the same filter again with a different sequence number or a different action updates the sequence number or the action of the existing entry.
Command Syntax
(<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipip|ipcomp|ipv6ip|ospf|pim|rsvp|vrrp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipip|ipcomp|ipv6ip|ospf|pim|rsvp|vrrp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no <1-268435453>
Parameters
<1-268435453>
IPv4 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
<0-255>
IANA assigned protocol number.
any
Any protocol packet.
ahp
Authentication Header packet.
eigrp
Enhanced Interior Gateway Routing Protocol packet.
esp
Encapsulating Security Payload packet.
gre
Generic Routing Encapsulation packet.
ipip
IPv4 over IPv4 encapsulation packet.
ipcomp
IP Payload Compression Protocol packet.
ipv6ip
IPv6 over IPv4 encapsulation packet.
ospf
Open Shortest Path First packet.
pim
Protocol Independent Multicast packet
rsvp
Resource Reservation Protocol packet.
vrrp
Virtual Router Redundancy Protocol packet.
A.B.C.D/M
Source IP prefix and length.
A.B.C.D A.B.C.D
Source IP address and mask.
host A.B.C.D
A single source host IP address.
any
Match any source IP address.
A.B.C.D/M
Destination IP prefix and length.
A.B.C.D A.B.C.D
Destination IP address and mask.
host A.B.C.D
A single destination host IP address.
any
Match any destination IP address.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
precedence
Match packets with given precedence value.
<0-7>
Enter precedence value 0-7.
critical
Match packets with critical precedence (5).
flash
Match packets with flash precedence (3).
flashoverride
Match packets with flash override precedence (4).
immediate
Match packets with immediate precedence (2).
internet
Match packets with internetwork control precedence (6).
network
Match packets with network control precedence (7).
priority
Match packets with priority precedence (1).
routine
Match packets with routine precedence (0).
fragments
Check non-initial fragments.
vlan
Match packets with given VLAN identifier.
<1-4094>
Enter VLAN identifier.
inner-vlan
Match packets with given inner VLAN identifier.
<1-4094>
Enter inner-VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
redirect-to-port
Redirect the packet (in-direction only).
IFNAME
Interface to which the packet is redirected (switchport only).
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-acl-01
(config-ip-acl)#11 permit any 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255
(config-ip-acl)#no 11
ip access-list fragments
Use this command to configure an access list to deny or permit all IP fragmented packets.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or a different action updates the sequence number or the action of the existing entry.
Command Syntax
(<1-268435453>|) fragments (deny-all|permit-all) (log|) (sample|)
no (<1-268435453>|) fragments (deny-all|permit-all) (log|) (sample|)
Parameters
deny-all
Drop the packet.
permit-all
Accept the packet.
<1-268435453>
IPv4 ACL sequence number.
fragments
Check non-initial fragments.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#fragments deny-all
(config-ip-acl)#end
ip access-list icmp
Use this command to permit or deny ICMP packets based on the given source and destination IP addresses. DSCP, precedence, VLAN identifier, inner VLAN identifier, and fragments can also be configured so that packets are permitted or denied by those values.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or a different action updates the sequence number or the action of the existing entry.
Command Syntax
(<1-268435453>|)(deny|permit) (icmp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (administratively-prohibited|alternate-address|conversion-error|dod-host-prohibited|dod-net-prohibited|echo|echo-reply|general-parameter-problem|host-isolated|host-precedence-unreachable|host-redirect|host-tos-redirect|host-tos-unreachable|host-unknown|host-unreachable|information-reply|information-request|mask-reply|mask-request|mobile-redirect|net-redirect|net-tos-redirect|net-tos-unreachable|net-unreachable|network-unknown|no-room-for-option|option-missing|packet-too-big|parameter-problem|port-unreachable|precedence-unreachable|protocol-unreachable|reassembly-timeout|redirect|router-advertisement|router-solicitation|source-quench|source-route-failed|time-exceeded|timestamp-reply|timestamp-request|traceroute|ttl-exceeded|unreachable|(<0-255> (<0-255>|))|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|)(deny|permit) (icmp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (administratively-prohibited|alternate-address|conversion-error|dod-host-prohibited|dod-net-prohibited|echo|echo-reply|general-parameter-problem|host-isolated|host-precedence-unreachable|host-redirect|host-tos-redirect|host-tos-unreachable|host-unknown|host-unreachable|information-reply|information-request|mask-reply|mask-request|mobile-redirect|net-redirect|net-tos-redirect|net-tos-unreachable|net-unreachable|network-unknown|no-room-for-option|option-missing|packet-too-big|parameter-problem|port-unreachable|precedence-unreachable|protocol-unreachable|reassembly-timeout|redirect|router-advertisement|router-solicitation|source-quench|source-route-failed|time-exceeded|timestamp-reply|timestamp-request|traceroute|ttl-exceeded|unreachable|(<0-255> (<0-255>|))|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
Parameters
<1-268435453>
IPv4 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
icmp
Internet Control Message Protocol packet.
A.B.C.D/M
Source IP prefix and length.
A.B.C.D A.B.C.D
Source IP address and mask.
host A.B.C.D
A single source host IP address.
any
Match any source IP address.
A.B.C.D/M
Destination IP prefix and length.
A.B.C.D A.B.C.D
Destination IP address and mask.
host A.B.C.D
A single destination host IP address.
any
Match any destination IP address.
administratively-prohibited
Administratively prohibited.
alternate-address
Alternate address.
conversion-error
Datagram conversion.
dod-host-prohibited
Host prohibited.
dod-net-prohibited
Net prohibited.
echo
Echo (ping).
echo-reply
Echo reply.
general-parameter-problem
Parameter problem.
host-isolated
Host isolated.
host-precedence-unreachable
Host unreachable for precedence.
host-redirect
Host redirect.
host-tos-redirect
Host redirect for ToS.
host-tos-unreachable
Host unreachable for ToS.
host-unknown
Host unknown.
host-unreachable
Host unreachable.
information-reply
Information replies.
information-request
Information requests.
mask-reply
Mask replies.
mask-request
Mask requests.
mobile-redirect
Mobile host redirect.
net-redirect
Network redirect.
net-tos-redirect
Net redirect for ToS.
net-tos-unreachable
Network unreachable for ToS.
net-unreachable
Net unreachable.
network-unknown
Network unknown.
no-room-for-option
Parameter required but no room.
option-missing
Parameter required but not present.
packet-too-big
Fragmentation needed and DF set.
parameter-problem
All parameter problems.
port-unreachable
Port unreachable.
precedence-unreachable
Precedence cutoff.
protocol-unreachable
Protocol unreachable.
reassembly-timeout
Reassembly timeout.
redirect
All redirects.
router-advertisement
Router discovery advertisements.
router-solicitation
Router discovery solicitations.
source-quench
Source quenches.
source-route-failed
Source route failed.
time-exceeded
All time-exceeded messages.
timestamp-reply
Time-stamp replies.
timestamp-request
Time-stamp requests.
traceroute
Traceroute.
ttl-exceeded
TTL exceeded.
unreachable
All unreachables.
<0-255>
ICMP type.
<0-255>
ICMP code.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
precedence
Match packets with given precedence value.
<0-7>
Enter precedence value 0-7.
critical
Match packets with critical precedence (5).
flash
Match packets with flash precedence (3).
flashoverride
Match packets with flash override precedence (4).
immediate
Match packets with immediate precedence (2).
internet
Match packets with internetwork control precedence (6).
network
Match packets with network control precedence (7).
priority
Match packets with priority precedence (1).
routine
Match packets with routine precedence (0).
fragments
Check non-initial fragments.
vlan
Match packets with given VLAN identifier.
<1-4094>
Enter VLAN identifier.
inner-vlan
Match packets with given inner VLAN identifier.
<1-4094>
Enter inner-VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
redirect-to-port
Redirect the packet (in-direction only).
IFNAME
Interface to which the packet is redirected (switchport only).
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-icmp
(config-ip-acl)#200 permit icmp any any
ip access-list remark
Use this command to add a description to a named IPv4 access control list (ACL).
Use the no form of this command to remove an ACL description.
Command Syntax
remark LINE
no remark
Parameters
LINE
ACL description up to 100 characters.
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#remark permit the inside admin address
(config-ip-acl)#exit
(config)#ip access-list mylist
(config-ip-acl)#no remark
(config-ip-acl)#exit
ip access-list resequence
Use this command to modify the sequence numbers of an IP access list specification.
Note: Use a non-overlapping sequence space for new sequence number sets to avoid possible unexpected rule matches during transition.
Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.
Command Syntax
resequence <1-268435453> INCREMENT
Parameters
<1-268435453>
Starting sequence number.
INCREMENT
Sequence number increment steps.
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#resequence 5 5
(config-ip-acl)#end
ip access-list tcp|udp
Use this command to define a named access control list (ACL) that determines whether to accept or drop an incoming packet based on the specified match criteria.
This form of the command filters packets based on source and destination IP address together with the protocol (TCP or UDP) and port.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Note: TCP flag options and the port operators neq, gt, lt and range are not supported by the hardware in the egress direction.
Note: The ack and established TCP flags have the same behavior in hardware.
Command Syntax
(<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) ({ack|established|fin|psh|rst|syn|urg}|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
(<1-268435453>|) (deny|permit) udp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
no (<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) ({ack|established|fin|psh|rst|syn|urg}|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|) (deny|permit) udp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
Parameters
<1-268435453>
IPv4 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
tcp
Transmission Control Protocol.
udp
User Datagram Protocol.
A.B.C.D/M
Source or destination IP prefix and length.
A.B.C.D A.B.C.D
Source or destination IP address and mask.
host A.B.C.D
Source or destination host IP address.
any
Any source or destination IP address.
eq
Source or destination port equal to.
gt
Source or destination port greater than.
lt
Source or destination port less than.
neq
Source or destination port not equal to.
<0-65535>
Source or destination port number.
range
Range of source or destination port numbers:
<0-65535>
Lowest value in the range.
<0-65535>
Highest value in the range.
bgp
Border Gateway Protocol.
chargen
Character generator.
cmd
Remote commands.
daytime
Daytime.
discard
Discard.
domain
Domain Name Service.
drip
Dynamic Routing Information Protocol.
echo
Echo.
exec
EXEC.
finger
Finger.
ftp
File Transfer Protocol.
ftp-data
FTP data connections.
gopher
Gopher.
hostname
NIC hostname server.
ident
Ident Protocol.
irc
Internet Relay Chat.
klogin
Kerberos login.
kshell
Kerberos shell.
login
Login.
lpd
Printer service.
nntp
Network News Transport Protocol.
pim-auto-rp
PIM Auto-RP.
pop2
Post Office Protocol v2.
pop3
Post Office Protocol v3.
smtp
Simple Mail Transport Protocol.
ssh
Secure Shell.
sunrpc
Sun Remote Procedure Call.
tacacs
TAC Access Control System.
talk
Talk.
telnet
Telnet.
time
Time.
uucp
UNIX-to-UNIX Copy Program.
whois
WHOIS/NICNAME
www
World Wide Web.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
precedence
Match packets with given precedence value.
<0-7>
Enter precedence value 0-7.
critical
Match packets with critical precedence (5).
flash
Match packets with flash precedence (3).
flashoverride
Match packets with flash override precedence (4).
immediate
Match packets with immediate precedence (2).
internet
Match packets with internetwork control precedence (6).
network
Match packets with network control precedence (7).
priority
Match packets with priority precedence (1).
routine
Match packets with routine precedence (0).
ack
Match on the Acknowledgment (ack) bit.
established
Matches only packets that belong to an established TCP connection.
fin
Match on the Finish (fin) bit.
psh
Match on the Push (psh) bit.
rst
Match on the Reset (rst) bit.
syn
Match on the Synchronize (syn) bit.
urg
Match on the Urgent (urg) bit.
biff
Biff.
bootpc
Bootstrap Protocol (BOOTP) client.
bootps
Bootstrap Protocol (BOOTP) server.
discard
Discard.
dnsix
DNSIX security protocol auditing.
domain
Domain Name Service.
echo
Echo.
isakmp
Internet Security Association and Key Management Protocol.
mobile-ip
Mobile IP registration.
nameserver
IEN116 name service.
netbios-dgm
Net BIOS datagram service.
netbios-ns
Net BIOS name service.
netbios-ss
Net BIOS session service.
non500-isakmp
Non500-Internet Security Association and Key Management Protocol.
ntp
Network Time Protocol.
pim-auto-rp
PIM Auto-RP.
snmp
Simple Network Management Protocol.
snmptrap
SNMP Traps.
sunrpc
Sun Remote Procedure Call.
syslog
System Logger.
tacacs
TAC Access Control System.
talk
Talk.
tftp
Trivial File Transfer Protocol.
time
Time.
who
Who service.
xdmcp
X Display Manager Control Protocol.
fragments
Check non-initial fragments.
vlan
Match packets with given VLAN identifier.
<1-4094>
Enter VLAN identifier.
inner-vlan
Match packets with given inner VLAN identifier.
<1-4094>
Enter inner-VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
redirect-to-port
Redirect the packet (in-direction only).
IFNAME
Interface name to which the packet is redirected (switchport only).
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-acl-02
(config-ip-acl)#deny udp any any eq tftp
(config-ip-acl)#deny tcp any any eq ssh
(config-ip-acl)#end
ipv6 access-group
Use this command to attach an IPv6 access list to an interface to filter incoming or outgoing packets.
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.
Note: To attach an IPv6 access-group to an interface, the IPv6 TCAM group must be enabled. To enable ingress-IPv6 or egress-IPv6, see the hardware-profile filter (XGS) command.
The time-range parameter is optional. If used, the access-group is tied to the timer specified.
After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.
To delete the access-group, use the no form of this command without a time-range.
Note: To attach an IPv6 ACL in the ingress direction, the ingress-ipv6 TCAM group must be enabled.
Egress TCAMs do not auto-expand beyond 256 entries if any entry includes a policer action. Therefore, the total number of configurable entries in the egress direction is limited to 256.
Command Syntax
ipv6 access-group NAME in (time-range TR_NAME|)
no ipv6 access-group NAME in (time-range TR_NAME|)
Parameters
NAME
Access list name.
TR_NAME
Name of the time range to which the access-group is tied.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS-SP version 5.0.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#permit ipv6 any any
(config-ipv6-acl)#exit
(config)#hardware-profile filter ingress-ipv6 enable
(config)#interface xe3
(config-if)#ipv6 access-group mylist in
(config)#interface xe3
(config-if)#no ipv6 access-group mylist in
(config)#interface xe3
(config-if)#ipv6 access-group mylist in time-range TIMER1
(config)#interface xe3
(config-if)#no ipv6 access-group mylist in time-range TIMER1
ipv6 access-list
Use this command to define an IPv6 access control list (ACL) that determines whether to accept or drop an incoming IPv6 packet based on the specifications configured under the ACL. An ACL is made up of one or more ACL specifications.
Each packet that arrives at the device is compared against the specifications of each ACL in the order in which they are defined. The device continues down the list until it finds a match. If no match is found by the end of the list, the packet is denied by default. For this reason, place the most frequently matched specifications at the top of the list.
The device stops checking the specifications after a match occurs.
There is an implied deny specification for traffic that is not explicitly permitted. The implied specification can be changed to permit when the use case is to deny only a specific set of traffic.
Use the no form of this command to remove an ACL.
Note: IPv6 routing protocols need neighbor discovery to establish their sessions. Applying an IPv6 ACL implicitly drops all ICMPv6 packets, which disrupts those protocol sessions. To avoid this, an implicit ICMPv6 permit rule is added to IPv6 ACLs.
If the required behavior is to deny ICMPv6, the implicit rule can be deleted.
For example, to create an IPv6 ACL and display the implicit rule, execute the following:
(config)#ipv6 access-list ipv6-acl
#show ipv6 access-lists
IPv6 access list ip1
268435453 permit icmpv6 any any
To delete this rule, execute the following:
(config)#ipv6 access-list ipv6-acl
(config-ipv6-acl)# no 268435453 permit icmpv6 any any
#show ipv6 access-lists
IPv6 access list ip1
Command Syntax
ipv6 access-list NAME
no ipv6 access-list NAME
Parameters
NAME
Access-list name.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Implicit rule is introduced in OcNOS version 2.0.
Examples
#configure terminal
(config)#ipv6 access-list ipv6-acl-01
(config-ipv6-acl)#exit
ipv6 access-list default
Use this command to modify the action of the access-list default rule. The default rule applies only when the access-list is attached to an interface. It has the lowest priority, so only IPv6 packets that match none of the user-defined rules match the default rule.
Command Syntax
default (deny-all|permit-all) (log|) (sample|)
Parameters
deny-all
Drop all packets.
permit-all
Accept all packets.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list ipv6-acl-01
(config-ipv6-acl)#default permit-all sample
ipv6 access-list filter
Use this command to define an access-control entry in an access control list (ACL) that determines whether to accept or drop an IPv6 packet based on the criteria specified. This form of the command filters packets based on:
• Protocol
• Source IP address
• Destination IP address
Use the no form of this command to remove an ACL specification. A specification can also be removed by giving only its sequence number.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Note: For IPv6 source and destination address filters, only the network part of the address (the upper 64 bits) is supported because of a hardware restriction. An ACL whose address length exceeds 64 bits cannot be applied to an interface, but it can be used in a distribute list in control plane protocols.
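As an added illustration (not OcNOS code), the following Python models the evaluation rules stated in the ipv6 access-list and ipv6 access-list default sections, the "same filter again" note, and the 64-bit hardware restriction above: entries are tried in ascending sequence number, the first match decides, an IPv6 list starts with the deletable implicit icmpv6 permit at sequence 268435453, unmatched packets hit the default rule, and entries with IPv6 prefixes longer than 64 bits are flagged as not applicable to an interface. The port-name table, the Packet fields, and the rule that unnumbered entries take the next multiple of 10 are assumptions of this model, not documented OcNOS behavior.

```python
# Model of OcNOS-style ACL evaluation (added example, not OcNOS code).
import ipaddress
from collections import namedtuple

IMPLICIT_SEQ = 268435453            # sequence number of the implicit icmpv6 permit (from the page)
PORT_NAMES = {"ssh": 22, "tftp": 69, "www": 80}   # small subset of the page's port names

# Constructed packet shape; sport/dport None means no L4 header (e.g. a non-initial fragment).
Packet = namedtuple("Packet", "proto src dst sport dport non_initial_fragment",
                    defaults=(None, None, False))
# Rule fields: src/dst are ipaddress networks or None for 'any'; sport/dport are
# (operator, operand ports) with operator None when the clause was not given.
Rule = namedtuple("Rule", "seq action proto src dst sport dport fragments")

def _addr(toks):
    """Consume 'any' | 'host A' | 'A/M' | 'A MASK' (two-token mask form: IPv4 only here)."""
    t = toks.pop(0)
    if t == "any":
        return None
    if t == "host":
        return ipaddress.ip_network(toks.pop(0))
    return ipaddress.ip_network(t if "/" in t else f"{t}/{toks.pop(0)}", strict=False)

def _port_op(toks):
    """Consume an optional (eq|gt|lt|neq PORT | range LO HI) clause."""
    if not toks or toks[0] not in ("eq", "gt", "lt", "neq", "range"):
        return (None, ())
    op = toks.pop(0)
    if op == "range":
        return (op, (int(toks.pop(0)), int(toks.pop(0))))
    p = toks.pop(0)
    return (op, (PORT_NAMES[p] if p in PORT_NAMES else int(p),))

def _port_ok(clause, value):
    op, ports = clause
    if op is None or value is None:   # no clause: match; no L4 header to compare: no match
        return op is None
    if op == "range":
        return ports[0] <= value <= ports[1]
    return {"eq": value == ports[0], "neq": value != ports[0],
            "gt": value > ports[0], "lt": value < ports[0]}[op]

def parse_rule(line, default_seq):
    """Parse '[SEQ] (permit|deny) PROTO SRC [PORTOP] DST [PORTOP] [fragments] ...'."""
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else default_seq
    action, proto = toks.pop(0), toks.pop(0)
    src, sport = _addr(toks), _port_op(toks)
    dst, dport = _addr(toks), _port_op(toks)
    return Rule(seq, action, proto, src, dst, sport, dport, "fragments" in toks)

def matches(r, pkt):
    if r.proto not in ("any", "ip", "ipv6", pkt.proto):   # ip/ipv6/any act as wildcards
        return False
    if r.fragments and not pkt.non_initial_fragment:
        return False
    for net, addr in ((r.src, pkt.src), (r.dst, pkt.dst)):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    return _port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)

class AccessList:
    def __init__(self, name, ipv6=False):
        self.name, self.rules, self.default = name, {}, "deny-all"
        if ipv6:                    # deletable implicit rule (OcNOS 2.0+, per the page)
            self.add(f"{IMPLICIT_SEQ} permit icmpv6 any any")

    def add(self, line):
        user = [s for s in self.rules if s != IMPLICIT_SEQ]
        r = parse_rule(line, (max(user) // 10 + 1) * 10 if user else 10)  # assumed step
        for seq, old in list(self.rules.items()):
            if old[2:] == r[2:]:    # same filter again (all but seq/action): update it
                del self.rules[seq]
        self.rules[r.seq] = r
        return r.seq

    def delete(self, spec):
        """'no SEQ' or 'no SEQ ...full entry...': remove the entry by its sequence number."""
        return self.rules.pop(int(spec.split()[0]))

    def evaluate(self, pkt):
        """Return (action, seq of the first matching entry); seq None: the default rule decided."""
        for seq in sorted(self.rules):
            if matches(self.rules[seq], pkt):
                return self.rules[seq].action, seq
        return ("permit" if self.default == "permit-all" else "deny"), None

    def hw_blocked_entries(self):
        """Entries whose IPv6 src/dst prefix exceeds 64 bits; per the page a list
        containing such entries cannot be applied to an interface."""
        return sorted({s for s, r in self.rules.items() for n in (r.src, r.dst)
                       if n is not None and n.version == 6 and n.prefixlen > 64})
```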
Command Syntax
(<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipipv6|ipcomp|ipv6ipv6|ospf|pim|rsvp|vrrp) (X:X::X:X/M|X:X::X:X X:X::X:X|host X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (flow-label <0-1048575>|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipipv6|ipcomp|ipv6ipv6|ospf|pim|rsvp|vrrp) (X:X::X:X/M|X:X::X:X X:X::X:X|host X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (flow-label <0-1048575>|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>)
Parameters
<1-268435453>
IPv6 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
<0-255>
IANA assigned protocol number.
any
Any protocol packet.
ahp
Authentication Header packet.
eigrp
Enhanced Interior Gateway Routing Protocol packet.
esp
Encapsulating Security Payload packet.
gre
Generic Routing Encapsulation packet.
ipipv6
IPv4 over IPv6 Encapsulation packet.
ipcomp
IP Payload Compression Protocol packet.
ipv6ipv6
IPv6 over IPv6 Encapsulation packet.
ospf
Open Shortest Path First packet.
pim
Protocol Independent Multicast packet.
rsvp
Resource Reservation Protocol packet.
vrrp
Virtual Router Redundancy Protocol packet.
X:X::X:X/M
Source Address with network mask length.
X:X::X:X X:X::X:X
Source Address with wild card mask.
any
Any source address.
X:X::X:X/M
Destination address with network mask length.
X:X::X:X X:X::X:X
Destination address with wild card mask.
any
Match any destination IP address.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
vlan
Match packets with given VLAN identifier.
<1-4094>
VLAN identifier.
inner-vlan
Match packets with given inner VLAN identifier.
<1-4094>
Inner-VLAN identifier.
redirect-to-port
Redirect the packet (in-direction only).
IFNAME
Interface name to which the packet is redirected.
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list ipv6-acl-01
(config-ipv6-acl)#permit ipipv6 any any
(config-ipv6-acl)#end
ipv6 access-list fragments
Use this command to permit or deny all the IPv6 fragments.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Command Syntax
(<1-268435453>|) fragments (deny-all|permit-all) (log|) (sample|)
no (<1-268435453>|) fragments (deny-all|permit-all) (log|) (sample|)
Parameters
<1-268435453>
IPv6 ACL sequence number.
fragments
Check non-initial fragments.
deny-all
Specify packets to reject.
permit-all
Specify packets to forward.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#fragments deny-all
ipv6 access-list icmpv6
Use this command to permit or deny IPv6 ICMP packets with the given source and destination IPv6 address, DSCP value, VLAN identifier, inner VLAN identifier, fragments, and flow label.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Command Syntax
(<1-268435453>|) (deny|permit) (icmpv6) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (beyond-scope|destination-unreachable|echo-reply|echo-request|header|hop-limit|mld-query|mld-reduction|mld-report|nd-na|nd-ns|next-header|no-admin|no-route|packet-too-big|parameter-option|parameter-problem|port-unreachable|reassembly-timeout|redirect|renum-command|renum-result|renum-seq-number|router-advertisement|router-renumbering|router-solicitation|time-exceeded|unreachable|(<0-255> (<0-255>|)|)) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (flow-label <0-1048575>|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|) (deny|permit) (icmpv6) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (beyond-scope|destination-unreachable|echo-reply|echo-request|header|hop-limit|mld-query|mld-reduction|mld-report|nd-na|nd-ns|next-header|no-admin|no-route|packet-too-big|parameter-option|parameter-problem|port-unreachable|reassembly-timeout|redirect|renum-command|renum-result|renum-seq-number|router-advertisement|router-renumbering|router-solicitation|time-exceeded|unreachable|(<0-255> (<0-255>|)|)) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (flow-label <0-1048575>|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
Parameters
<1-268435453>
IPv6 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
icmpv6
Internet Control Message Protocol packet.
X:X::X:X/M
Source Address with network mask length.
X:X::X:X X:X::X:X
Source Address with wild card mask.
any
Any source address.
X:X::X:X/M
Destination address with network mask length.
X:X::X:X X:X::X:X
Destination address with wild card mask.
any
Any destination address
beyond-scope
Destination beyond scope
destination-unreachable
Destination address is unreachable
echo-reply
Echo reply
echo-request
Echo request (ping)
header
Parameter header problems
hop-limit
Hop limit exceeded in transit
mld-query
Multicast Listener Discovery Query
mld-reduction
Multicast Listener Discovery Reduction
mld-report
Multicast Listener Discovery Report
nd-na
Neighbor discovery neighbor advertisements
nd-ns
Neighbor discovery neighbor solicitations
next-header
Parameter next header problems
no-admin
Administration prohibited destination
no-route
No route to destination
packet-too-big
Packet too big
parameter-option
Parameter option problems
parameter-problem
All parameter problems
port-unreachable
Port unreachable
reassembly-timeout
Reassembly timeout
redirect
Neighbor redirect
renum-command
Router renumbering command
renum-result
Router renumbering result
renum-seq-number
Router renumbering sequence number reset
router-advertisement
Neighbor discovery router advertisements
router-renumbering
All router renumbering
router-solicitation
Neighbor discovery router solicitations
time-exceeded
All time exceeded messages
unreachable
All unreachable
<0-255>
ICMPv6 message type
<0-255>
ICMPv6 message code
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
flow-label
IPv6 Flow-label.
<0-1048575>
IPv6 Flow-label value.
fragments
Check non-initial fragments.
vlan
Match packets with given VLAN identifier.
<1-4094>
Enter VLAN identifier.
inner-vlan
Match packets with given inner VLAN identifier.
<1-4094>
Enter inner-VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
redirect-to-port
Redirect the packet (in-direction only).
IFNAME
Interface name to which the packet is redirected (switchport only).
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#200 permit icmpv6 any any fragments
ipv6 access-list remark
Use this command to add a description to an IPv6 access control list (ACL).
Use the no form of this command to remove an access control list description.
Command Syntax
remark LINE
no remark
Parameters
LINE
ACL description up to 100 characters.
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)# remark Permit the inside admin address
ipv6 access-list resequence
Use this command to modify the sequence numbers of an IPv6 access list specification.
Note: Use a non-overlapping sequence space for new sequence number sets to avoid possible unexpected rule matches during transition.
Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.
Command Syntax
resequence <1-268435453> INCREMENT
Parameters
<1-268435453>
Starting Sequence number.
INCREMENT
Sequence number increment steps.
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#resequence 15 15
ipv6 access-list sctp
Use this command to permit or deny SCTP packets based on the given source and destination IPv6 addresses. DSCP value, VLAN identifier, inner VLAN identifier, flow label, and fragments can also be given as match criteria.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Command Syntax
(<1-268435453>|) (deny|permit) (sctp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>)|(range <0-65535> <0-65535>)|(fragments)|} (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) ((flow-label <0-1048575>)|) (fragments|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|) (deny|permit) (sctp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>) | (range <0-65535> <0-65535>)| (fragments)| } (dscp (<0-63>| af11| af12| af13| af21| af22| af23| af31| af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5| cs6| cs7| default| ef)|) ((flow-label <0-1048575>)|) (fragments|)(vlan <1-4094>|)(inner-vlan <1-4094>|)(log|) (sample|)((redirect-to-port IFNAME)|)
Parameters
<1-268435453>
IPv6 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
sctp
Stream Control Transmission Protocol packet.
X:X::X:X/M
Source address with network mask length.
X:X::X:X
Source address with wild card mask.
X:X::X:X
Source address's wild card mask (ignored bits).
any
Any source address.
X:X::X:X/M
Destination address with network mask length.
X:X::X:X
Destination address with wild card mask.
X:X::X:X
Destination address's wild card mask (ignored bits).
any
Any destination address.
eq
Source or destination port equal to.
gt
Source or destination port greater than.
lt
Source or destination port less than.
neq
Source or destination port not equal to.
<0-65535>
Source or destination port number.
range
Range of source or destination port numbers:
<0-65535>
Lowest value in the range.
<0-65535>
Highest value in the range.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
flow-label
IPv6 Flow-label.
<0-1048575>
IPv6 Flow-label value.
fragments
Check non-initial fragments.
vlan
Match packets with given VLAN identifier.
<1-4094>
Enter VLAN identifier.
inner-vlan
Match packets with given inner VLAN identifier.
<1-4094>
Enter inner-VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
redirect-to-port
Redirect the packet (in-direction only).
IFNAME
Interface name to which the packet is redirected (switchport only).
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#200 permit sctp any any fragments
ipv6 access-list tcp|udp
Use this command to define an IPv6 access control list (ACL) specification that determines whether to accept or drop an incoming IPv6 packet based on the criteria that you specify. This form of the command filters packets based on source and destination IPv6 address together with the protocol (TCP or UDP) and port.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Command Syntax
(<1-268435453>|)(deny|permit) (tcp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|(range <0-65535> <0-65535>)|(fragments)|} (((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|) (flow-label <0-1048575>|) ({ack|established|fin|psh|rst|syn|urg}|)) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
(<1-268435453>|)(deny|permit) (tcp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|(range <0-65535> <0-65535>)} (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|(range <0-65535> <0-65535>)|} (((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|) (flow-label <0-1048575>|) ({ack|established|fin|psh|rst|syn|urg}|)) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
(<1-268435453>|)(deny|permit) (udp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|(range <0-65535> <0-65535>)|(fragments)|} ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|) (flow-label <0-1048575>|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
(<1-268435453>|)(deny|permit) (udp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|(range <0-65535> <0-65535>)} (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|(range <0-65535> <0-65535>)} ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|) (flow-label <0-1048575>|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|)(deny|permit) (tcp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|(range <0-65535> <0-65535>)|(fragments)|} (((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|) (flow-label <0-1048575>|) ({ack|established|fin|psh|rst|syn|urg}|)) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
no (<1-268435453>|)(deny|permit) (tcp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|(range <0-65535> <0-65535>)} (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|(range <0-65535> <0-65535>)|} (((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|) (flow-label <0-1048575>|) ({ack|established|fin|psh|rst|syn|urg}|)) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|)(deny|permit) (udp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|(range <0-65535> <0-65535>)|(fragments)|} ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|) (flow-label <0-1048575>|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
no (<1-268435453>|)(deny|permit) (udp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|(range <0-65535> <0-65535>)} (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|(range <0-65535> <0-65535>)} ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|) (flow-label <0-1048575>|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|) ((redirect-to-port IFNAME)|)
Parameters
<1-268435453>
IPv6 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
tcp
Transmission Control Protocol.
udp
User Datagram Protocol.
X:X::X:X/M
Source or destination IPv6 prefix and length.
X:X::X:X X:X::X:X
Source or destination IPv6 address and mask.
host X:X::X:X
A single source or destination host IPv6 address.
any
Any source or destination IPv6 address.
eq
Source or destination port equal to.
gt
Source or destination port greater than.
lt
Source or destination port less than.
neq
Source or destination port not equal to.
<0-65535>
Source or destination port number.
range
Range of source or destination port numbers:
<0-65535>
Lowest value in the range.
<0-65535>
Highest value in the range.
ftp
File Transfer Protocol (21).
ssh
Secure Shell (22).
telnet
Telnet (23).
www
World Wide Web (HTTP 80).
tftp
Trivial File Transfer Protocol (69).
bootp
Bootstrap Protocol (BOOTP) client (67).
bgp
Border Gateway Protocol.
chargen
Character generator.
cmd
Remote commands.
daytime
Daytime.
discard
Discard.
domain
Domain Name Service.
drip
Dynamic Routing Information Protocol.
echo
Echo.
exec
EXEC.
finger
Finger.
ftp
File Transfer Protocol.
ftp-data
FTP data connections.
gopher
Gopher.
hostname
NIC hostname server.
ident
Ident Protocol.
irc
Internet Relay Chat.
klogin
Kerberos login.
kshell
Kerberos shell.
login
Login.
lpd
Printer service.
nntp
Network News Transport Protocol.
pim-auto-rp
PIM Auto-RP.
pop2
Post Office Protocol v2.
pop3
Post Office Protocol v3.
smtp
Simple Mail Transport Protocol.
ssh
Secure Shell.
sunrpc
Sun Remote Procedure Call.
tacacs
TAC Access Control System.
talk
Talk.
telnet
Telnet.
time
Time.
uucp
UNIX-to-UNIX Copy Program.
whois
WHOIS/NICNAME
www
World Wide Web.
nntp
Network News Transport Protocol.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
precedence
Match packets with given precedence value.
<0-7>
Enter precedence value 0-7.
critical
Match packets with critical precedence (5).
flash
Match packets with flash precedence (3).
flashoverride
Match packets with flash override precedence (4).
immediate
Match packets with immediate precedence (2).
internet
Match packets with internetwork control precedence (6).
network
Match packets with network control precedence (7).
priority
Match packets with priority precedence (1).
routine
Match packets with routine precedence (0).
ack
Match on the Acknowledgment (ack) bit.
established
Matches only packets that belong to an established TCP connection.
fin
Match on the Finish (fin) bit.
psh
Match on the Push (psh) bit.
rst
Match on the Reset (rst) bit.
syn
Match on the Synchronize (syn) bit.
urg
Match on the Urgent (urg) bit.
biff
Biff.
bootpc
Bootstrap Protocol (BOOTP) client.
bootps
Bootstrap Protocol (BOOTP) server.
discard
Discard.
dnsix
DNSIX security protocol auditing.
domain
Domain Name Service.
echo
Echo.
isakmp
Internet Security Association and Key Management Protocol.
mobile-ip
Mobile IP registration.
nameserver
IEN116 name service.
netbios-dgm
NetBIOS datagram service.
netbios-ns
NetBIOS name service.
netbios-ss
NetBIOS session service.
non500-isakmp
Internet Security Association and Key Management Protocol on a port other than 500.
ntp
Network Time Protocol.
pim-auto-rp
PIM Auto-RP.
snmp
Simple Network Management Protocol.
snmptrap
SNMP Traps.
sunrpc
Sun Remote Procedure Call.
syslog
System Logger.
tacacs
TAC Access Control System.
talk
Talk.
tftp
Trivial File Transfer Protocol.
time
Time.
who
Who service.
xdmcp
X Display Manager Control Protocol.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
flow-label
IPv6 Flow-label.
<0-1048575>
IPv6 Flow-label value.
fragments
Check non-initial fragments.
vlan
Match packets with given VLAN identifier.
<1-4094>
Enter VLAN identifier.
inner-vlan
Match packets with given inner VLAN identifier.
<1-4094>
Enter inner-VLAN identifier.
redirect-to-port
Redirect the packet (in-direction only).
IFNAME
Interface name to which the packet is redirected (switchport only).
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#deny udp any eq tftp
(config-ipv6-acl)#deny tcp fd22:bf66:78a4:10a2::/64 fdf2:860a:746a:e49c::/64 eq ssh
line vty
Use this command to enter ALL LINE VTY mode.
Command Syntax
line vty
Parameters
NA
Command Mode
Configure mode
Applicability
This command was introduced from OcNOS version 1.3.8.
Examples
The following example shows entering all line mode (note the change in the prompt).
#configure terminal
(config)#line vty
(config-all-line)#exit
mac access-group
Use this command to attach a MAC access list to an interface to filter incoming packets.
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.
The time-range parameter is optional. If used, the access-group is tied to the timer specified.
After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.
To delete the access-group, use the no form of this command without a time-range.
Note: An access-group in the egress direction uses the TCAM group used by the QoS output service policy. Therefore, actions are unpredictable when conflicting matches are configured on the same interface. IP Infusion Inc. recommends avoiding such a configuration. Otherwise, you need to configure the priority (in QoS) or the sequence number (in ACL) carefully to handle such cases.
Egress TCAMs do not auto-expand beyond 256 entries if any entry includes a policer action. Therefore, the total number of configurable entries in the egress direction is limited to 256.
Command Syntax
mac access-group NAME (in|out) (time-range TR_NAME|)
no mac access-group NAME (in|out) (time-range TR_NAME|)
Parameters
NAME
Access list name.
in
Filter incoming packets.
out
Filter outgoing packets.
TR_NAME
Name of the time range to which the access-group is tied.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS-SP version 5.0.
Examples
#configure terminal
(config)#mac access-list mylist
(config-mac-acl)#permit any any
(config-mac-acl)#exit
(config)#hardware-profile filter ingress-l2-ext enable
(config)#interface xe3
(config-if)#mac access-group mylist in
(config-if)#exit
(config)#interface xe3
(config-if)#mac access-group mylist in time-range TIMER1
(config-if)#exit
(config)#interface xe3
(config-if)#no mac access-group mylist in time-range TIMER1
(config-if)#exit
(config)#interface xe3
(config-if)#no mac access-group mylist in
(config-if)#exit
mac access-list
Use this command to define a MAC access control list (ACL) that determines whether to accept or drop an incoming packet based on specifications configured under the ACL. An ACL is made up of one or more ACL specifications.
Each packet that arrives at the device is compared to each specification in each ACL in the order in which they are defined. The device continues to look until it finds a match. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently matched specifications at the top of the list.
The device stops checking the specifications after a match occurs.
There is an implied deny specification for traffic that is not permitted. The implied specification can be changed to permit when the use case is to deny only a certain set of traffic.
Use the no form of this command to remove the ACL.
Command Syntax
mac access-list NAME
no mac access-list NAME
Parameters
NAME
Access-list name.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mac-acl-01
(config-mac-acl)#exit
mac access-list default
Use this command to modify the action of the default rule of an access-list. The default rule applies only when the access-list is attached to an interface. The default rule has the lowest priority: only packets that match none of the user-defined rules match the default rule.
Command Syntax
default (deny-all|permit-all) (log|) (sample|)
Parameters
deny-all
Drop all packets.
permit-all
Accept all packets.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Command Mode
MAC access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mac-acl-01
(config-mac-acl)#default permit-all sample
mac access-list filter
Use this command to define an access control entry (ACE) in a MAC access control list (ACL) that determines whether to permit or deny packets with the given source and destination MAC, ethertype, CoS, and VLAN identifiers.
Use the no form of this command to remove an ACL specification. An ACL specification can also be removed by its sequence number alone.
Note: Configuring the same filter again with a different sequence number or a different action updates the sequence number or the action of the existing filter.
Command Syntax
(<1-268435453>|)(deny|permit) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (aarp|appletalk|decnet-iv|diagnostic|etype-6000|etype-8042|ip4|ip6|mpls|lat|lavc-sca|mop-console|mop-dump|vines-echo|WORD|) (cos <0-7>|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
no (<1-268435453>|)(deny|permit) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (aarp|appletalk|decnet-iv|diagnostic|etype-6000|etype-8042|ip4|ip6|mpls|lat|lavc-sca|mop-console|mop-dump|vines-echo|WORD|) (cos <0-7>|) (vlan <1-4094>|) (inner-vlan <1-4094>|) (log|) (sample|)
no (<1-268435453>)
Parameters
deny
Drop the packet.
permit
Accept the packet.
<1-268435453>
MAC ACL sequence number.
any
Source/Destination any.
XX-XX-XX-XX-XX-XX
Source/Destination MAC address (Option 1).
XX:XX:XX:XX:XX:XX
Source/Destination MAC address (Option 2).
XXXX.XXXX.XXXX
Source/Destination MAC address (Option 3).
XX-XX-XX-XX-XX-XX
Source/Destination wildcard (Option 1).
XX:XX:XX:XX:XX:XX
Source/Destination wildcard (Option 2).
XXXX.XXXX.XXXX
Source/Destination wildcard (Option 3).
host
A single source/destination host.
aarp
Ethertype - 0x80f3.
appletalk
Ethertype - 0x809b.
decnet-iv
Ethertype - 0x6003.
diagnostic
Ethertype - 0x6005.
etype-6000
Ethertype - 0x6000.
etype-8042
Ethertype - 0x8042.
ip4
Ethertype - 0x0800.
ip6
Ethertype - 0x86dd.
mpls
Ethertype - 0x8847.
lat
Ethertype - 0x6004.
lavc-sca
Ethertype - 0x6007.
mop-console
Ethertype - 0x6002.
mop-dump
Ethertype - 0x6001.
vines-echo
Ethertype - 0x0baf.
WORD
Any Ethertype value.
cos <0-7>
CoS value.
vlan <1-4094>
VLAN identifier.
inner-vlan <1-4094>
Inner-VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Command Mode
MAC access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mac-acl-01
(config-mac-acl)#permit 0000.1234.1234 0000.0000.0000 any sample
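To make the first-match lookup, the implied deny, the default rule and the "same filter configured again" update described for mac access-list, mac access-list default and mac access-list filter concrete, here is an added Python model; it is example code written for this page, not OcNOS code, and every class and function name in it is this example's own. It assumes the usual wildcard convention in which mask bits set to 0 must match and bits set to 1 are ignored (consistent with the page showing a 0000.0000.0000 wildcard displayed as host), and it models only the MAC and Ethertype qualifiers, not cos, vlan or inner-vlan.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

MAC_BITS = 0xFFFFFFFFFFFF

# Ethertype keywords as listed in the mac access-list filter parameter table.
ETHERTYPES = {"aarp": 0x80F3, "appletalk": 0x809B, "decnet-iv": 0x6003,
              "diagnostic": 0x6005, "etype-6000": 0x6000, "etype-8042": 0x8042,
              "ip4": 0x0800, "ip6": 0x86DD, "mpls": 0x8847, "lat": 0x6004,
              "lavc-sca": 0x6007, "mop-console": 0x6002, "mop-dump": 0x6001,
              "vines-echo": 0x0BAF}
OPTION_KEYWORDS = {"cos", "vlan", "inner-vlan", "log", "sample"}


def parse_mac(text: str) -> int:
    """Accept XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX or XXXX.XXXX.XXXX."""
    digits = re.sub(r"[-:.]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacMatch:
    value: int
    wildcard: int  # assumed convention: 0 bits must match, 1 bits are ignored

    @classmethod
    def parse(cls, tokens: List[str], pos: int) -> Tuple["MacMatch", int]:
        """Consume 'any', 'host MAC' or 'MAC WILDCARD' starting at tokens[pos]."""
        if tokens[pos] == "any":
            return cls(0, MAC_BITS), pos + 1
        if tokens[pos] == "host":
            return cls(parse_mac(tokens[pos + 1]), 0), pos + 2
        return cls(parse_mac(tokens[pos]), parse_mac(tokens[pos + 1])), pos + 2

    def matches(self, mac: int) -> bool:
        return ((mac ^ self.value) & ~self.wildcard & MAC_BITS) == 0


@dataclass
class Ace:
    seq: int
    action: str
    src: MacMatch
    dst: MacMatch
    ethertype: Optional[int]  # None means any Ethertype

    def key(self) -> Tuple:
        """What makes a later entry 'the same filter' as this one."""
        return (self.src, self.dst, self.ethertype)


def parse_ace(line: str) -> Ace:
    """Parse one 'SEQ (deny|permit) SRC DST [ETHERTYPE] ...' entry (SEQ required here)."""
    tokens = line.split()
    seq, action = int(tokens[0]), tokens[1]
    src, pos = MacMatch.parse(tokens, 2)
    dst, pos = MacMatch.parse(tokens, pos)
    ethertype = None
    if pos < len(tokens) and tokens[pos] not in OPTION_KEYWORDS:
        # Either a named Ethertype keyword or WORD (any Ethertype value, in hex)
        ethertype = ETHERTYPES.get(tokens[pos]) or int(tokens[pos], 16)
    return Ace(seq, action, src, dst, ethertype)


class MacAcl:
    def __init__(self, name: str, default: str = "deny-all"):
        self.name, self.default, self.aces = name, default, []

    def add(self, line: str) -> None:
        ace = parse_ace(line)
        # Configuring the same filter again updates its sequence number / action
        self.aces = [a for a in self.aces if a.key() != ace.key()]
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)

    def evaluate(self, src: str, dst: str, ethertype: int) -> Tuple[str, Union[int, str]]:
        s, d = parse_mac(src), parse_mac(dst)
        for ace in self.aces:  # entries are checked in sequence-number order
            if (ace.src.matches(s) and ace.dst.matches(d)
                    and (ace.ethertype is None or ace.ethertype == ethertype)):
                return ace.action, ace.seq  # first match wins; checking stops here
        # No user-defined rule matched: the default rule (implied deny) decides
        return ("permit" if self.default == "permit-all" else "deny"), "default"
```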
mac access-list remark
Use this command to add a description to a MAC access control list (ACL).
Use the no form of this command to remove an ACL description.
Command Syntax
remark LINE
no remark
Parameters
LINE
ACL description up to 100 characters.
Command Mode
MAC access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mylist
(config-mac-acl)#remark Permit the inside admin address
mac access-list resequence
Use this command to modify the sequence numbers of MAC access list specifications.
Note: Use a non-overlapping sequence space for new sequence number sets to avoid possible unexpected rule matches during transition.
Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.
Command Syntax
resequence <1-268435453> INCREMENT
Parameters
<1-268435453>
Starting sequence number.
INCREMENT
Sequence number increment steps.
Command Mode
MAC access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mylist
(config-mac-acl)#resequence 15 15
show access-lists
Use this command to display access lists.
Command Syntax
show access-lists (NAME|) (expanded|summary|)
Parameters
NAME
Access-list name.
expanded
Expanded access-list.
summary
Summary of access-list.
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show access-lists expanded
IP access list Iprule1
11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255
default deny-all
MAC access list Macrule1
10 permit host 0000.1234.1234 any
default deny-all
IPv6 access list ipv6-acl-01
10 deny ahp 3ffe::/64 4ffe::/64
default deny-all
#show access-lists summary
IPV4 ACL Iprule1
statistics enabled
Total ACEs Configured: 1
Configured on interfaces:
xe3/1 - egress (Router ACL)
Active on interfaces:
xe1/3 - ingress (Router ACL)
MAC ACL Macrule1
statistics enabled
Total ACEs Configured: 0
Configured on interfaces:
Active on interfaces:
IPV6 ACL ipv6-acl-01
statistics enabled
Total ACEs Configured: 2
Configured on interfaces:
xe7/1 - ingress (Router ACL)
Active on interfaces:
show access-lists log-cache
Use this command to show the ACL logging table entries.
Command Syntax
show access-lists log-cache
Parameters
None
Command Mode
Privileged Exec mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show access-lists log-cache
2016 Oct 26 12:08:37:xe1/1: 0000.0100.0a00 -> 0000.0100.0b00, ethertype IP (0x800), proto tcp, vlan 2, 0.0.0.0:0 -> 0.0.0.0:0 ...suppressed 11 times
2016 Oct 26 12:07:51:xe1/1: 0000.0100.0a00 -> 0000.0100.0b00, ethertype IP (0x800), proto 255, vlan 2, 0.0.0.0 -> 0.0.0.0 ...suppressed 10 times
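As an added example (written for this page, not part of the OcNOS documentation), the following Python parses entries in the format shown above and sums packets per flow, which is the first step before deciding whether a logged flow is background noise or worth a closer look. All names are this example's own; it assumes each entry stands for one logged packet plus the stated number of suppressed repeats, and its input is the two entries above plus two constructed ones.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Layout of one entry as printed by "show access-lists log-cache":
#   <timestamp>:<ifname>: <src mac> -> <dst mac>, ethertype <name> (<hex>),
#   proto <name|number>, vlan <id>, <src ip>[:<port>] -> <dst ip>[:<port>] [...suppressed N times]
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}):(?P<ifname>\S+?): "
    r"(?P<smac>[0-9a-fA-F.]+) -> (?P<dmac>[0-9a-fA-F.]+), "
    r"ethertype (?P<etype>\w+) \((?P<etype_hex>0x[0-9a-fA-F]+)\), "
    r"proto (?P<proto>\w+), vlan (?P<vlan>\d+), "
    r"(?P<sip>[0-9.]+?)(?::(?P<sport>\d+))? -> (?P<dip>[0-9.]+?)(?::(?P<dport>\d+))?"
    r"(?: \.\.\.suppressed (?P<suppressed>\d+) times)?$"
)


@dataclass
class LogEntry:
    when: datetime
    ifname: str
    smac: str
    dmac: str
    ethertype: int
    proto: str
    vlan: int
    sip: str
    sport: Optional[int]
    dip: str
    dport: Optional[int]
    suppressed: int

    @property
    def packets(self) -> int:
        # Assumption: one packet was logged, then 'suppressed' more were not
        return 1 + self.suppressed

    @property
    def flow(self) -> Tuple:
        return (self.ifname, self.vlan, self.smac, self.dmac, self.proto,
                self.sip, self.sport, self.dip, self.dport)


def parse_entry(line: str) -> Optional[LogEntry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # prompt line, blank line or anything that is not an entry
    g = m.groupdict()
    return LogEntry(
        when=datetime.strptime(g["ts"], "%Y %b %d %H:%M:%S"),
        ifname=g["ifname"], smac=g["smac"], dmac=g["dmac"],
        ethertype=int(g["etype_hex"], 16), proto=g["proto"], vlan=int(g["vlan"]),
        sip=g["sip"], sport=int(g["sport"]) if g["sport"] else None,
        dip=g["dip"], dport=int(g["dport"]) if g["dport"] else None,
        suppressed=int(g["suppressed"] or 0),
    )


def parse_log_cache(output: str) -> List[LogEntry]:
    entries = [parse_entry(line) for line in output.splitlines()]
    return [e for e in entries if e is not None]


def packets_per_flow(entries: List[LogEntry]) -> Dict[Tuple, int]:
    """Sum logged + suppressed packets per (interface, vlan, MACs, proto, L3/L4 tuple)."""
    totals: Dict[Tuple, int] = defaultdict(int)
    for e in entries:
        totals[e.flow] += e.packets
    return dict(totals)


def noisiest_flows(entries: List[LogEntry], n: int = 3) -> List[Tuple[Tuple, int]]:
    """Flows with the most matched packets first. Large suppressed counts mean the
    logging rate limit, not the ACL, is deciding what reaches the cache."""
    return sorted(packets_per_flow(entries).items(), key=lambda kv: -kv[1])[:n]


# Constructed input: the page's two entries, then two made-up ones.
SAMPLE_OUTPUT = """\
#show access-lists log-cache
2016 Oct 26 12:08:37:xe1/1: 0000.0100.0a00 -> 0000.0100.0b00, ethertype IP (0x800), proto tcp, vlan 2, 0.0.0.0:0 -> 0.0.0.0:0 ...suppressed 11 times
2016 Oct 26 12:07:51:xe1/1: 0000.0100.0a00 -> 0000.0100.0b00, ethertype IP (0x800), proto 255, vlan 2, 0.0.0.0 -> 0.0.0.0 ...suppressed 10 times
2016 Oct 26 12:06:02:xe1/1: 0000.0100.0a00 -> 0000.0100.0b00, ethertype IP (0x800), proto tcp, vlan 2, 0.0.0.0:0 -> 0.0.0.0:0 ...suppressed 4 times
2016 Oct 26 12:05:40:xe1/2: 0000.0100.0c00 -> 0000.0100.0b00, ethertype IP (0x800), proto udp, vlan 3, 10.0.0.5:40000 -> 10.0.0.9:514
"""
```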
show arp access-lists
Use this command to display ARP access lists.
Command Syntax
show arp access-lists (NAME|) (expanded|summary|)
Parameters
NAME
ARP access-list name.
expanded
Expanded access-list.
summary
Access-list summary.
Command Mode
Privileged Exec mode and Exec mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Example
#show arp access-lists
ARP access list arp1
remark "arp access-list created"
10 permit ip any mac any
show ip access-lists
Use this command to display IP access lists.
Command Syntax
show ip access-lists (NAME|) (expanded|summary|)
Parameters
NAME
Access-list name.
expanded
Expanded access-list.
summary
Summary of access-list.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show ip access-lists
IP access list Iprule2
11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255
12 deny ip 30.0.0.2 0.0.0.255 182.124.0.3/24
default deny-all
#show ip access-lists summary
IPV4 ACL Iprule3
statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
sa1 - ingress (Port ACL)
sa3 - ingress (Router ACL)
sa8 - ingress (Port ACL)
vlan1.3 - ingress (Router ACL)
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
xe3/1 - egress (Router ACL)
Active on interfaces:
sa1 - ingress (Port ACL)
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
show ipv6 access-lists
Use this command to display IPv6 access lists.
Command Syntax
show ipv6 access-lists (NAME|) (expanded|summary|)
Parameters
NAME
Access-list name.
expanded
Expanded access-list.
summary
Summary of access-list.
Command Mode
Privileged Exec mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show ipv6 access-lists
IPv6 access list ipv6-acl-01
10 deny ahp 3ffe::/64 4ffe::/64
20 permit ahp 78fe::1/48 68fe::1/48
30 permit ahp 3333::1/64 4444::1/48 fragments
40 permit ahp 5555::1/64 4444::1/48 dscp af23
default deny-all
#show ipv6 access-lists summary
IPV6 ACL ipv6-acl-01
statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
sa3 - ingress (Router ACL)
vlan1.3 - ingress (Router ACL)
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
Active on interfaces:
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
show mac access-lists
Use this command to display MAC access lists.
Command Syntax
show mac access-lists (NAME|) (expanded|summary|)
Parameters
NAME
Access-list name.
expanded
Expanded access-list.
summary
Summary of access-list.
Command Mode
Privileged Exec mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show mac access-lists
MAC access list Macrule2
default deny-all
MAC access list Macrule3
10 permit host 0000.1234.1234 any
20 deny host 1111.1111.AAAA any 65535
30 permit host 2222.2222.AAAA any 65535
40 permit 0000.3333.3333 0000.0000.FFFF 4444.4444.4444 0000.0000.FFFF
default deny-all [match=1126931077]
#show mac access-lists summary
MAC ACL Macrule3
statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
sa3 - ingress (Router ACL)
sa8 - ingress (Port ACL)
vlan1.3 - ingress (Router ACL)
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
Active on interfaces:
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
show running-config aclmgr
Use this command to display the entire access-list configuration along with its attachment to interfaces.
Command Syntax
show running-config aclmgr (all|)
Parameters
all
Show running configuration with defaults.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show running-config aclmgr
ip access-list ip-acl-01
11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255
12 deny ip 30.0.0.2 0.0.0.255 182.124.0.3/24
mac access-list mac-acl-01
10 permit host 0000.1234.1234 any
20 permit host 0000.1111.AAAA any ipv4 cos 3 vlan 3
!
ipv6 access-list ipv6-acl-01
10 deny ipv6 3ffe::/64 4ffe::/64 dscp af43
20 permit ipv6 78fe::/64 68fe::/64 dscp cs3
!
interface xe1/1
ip access-group ip-acl-01 in
!
show running-config access-list
Use this command to show the running system status and configuration details for MAC and IP access lists.
Command Syntax
show running-config access-list
Parameters
None
Command Mode
Privileged Exec mode, Configure mode, and route-map mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show running-config access-list
ip access-list abd
10 deny any any any
!
mac access-list abc
remark test
10 deny any any
!
show running-config ipv6 access-list
Use this command to show the running system status and configuration details for IPv6 access lists.
Command Syntax
show running-config ipv6 access-list
Parameters
None
Command Mode
Privileged Exec mode, Configure mode, and route-map mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show running-config ipv6 access-list
ipv6 access-list test
10 permit any any any
!