OcNOS SP : System Management Guide : Security Management Command Reference : Access Control List Commands
Access Control List Commands
This chapter is a reference for the Access Control List (ACL) commands.
arp access-group
Use this command to attach an ARP access list to an interface to filter incoming ARP packets.
When you attach an ARP access list to a LAG interface as well as to a physical interface that is a member of that LAG interface, the priority order is:
1. LAG interface
2. Physical interface
Use the no form of this command to detach an ARP access group.
Note: An ARP access-list is supported only on switch ports.
Note: To attach an ARP access-group to an interface, the ingress-arp TCAM group should be enabled. See the hardware-profile filter (Qumran1) command for details.
Command Syntax
arp access-group NAME in
no arp access-group NAME in
Parameters
NAME
ARP access list name
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#configure terminal
(config)#arp access-list arp1
(config-arp-acl)#permit ip any mac any
(config-arp-acl)#exit
 
(config)#interface xe1
(config-if)#arp access-group arp1 in
(config-if)#exit
 
(config)#interface xe1
(config-if)#no arp access-group arp1 in
(config-if)#exit
 
arp access-list
Use this command to define a named access control list (ACL) that determines whether to accept or drop the ARP packets, based on the ARP request or response option configured.
An ACL is made up of one or more ACL specifications. You can repeat this command and add multiple specifications. Each time you give this command, the specification is added to the end of the list.
Each packet that arrives at the device is compared to each specification in each ACL in the order that they are defined. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied. For this reason, place the most frequently occurring specifications at the top of the list.
The device stops checking the specifications after a match occurs.
There is an implied deny specification for traffic that is not permitted. A single-entry ACL with only one deny specification is the same as denying all traffic. You must have at least one permit specification in an ACL or all traffic is blocked.
Use the no form of this command to remove an ACL specification.
Note: An ARP access list is supported only on switch ports.
Command Syntax
arp access-list NAME
no arp access-list NAME
Parameters
NAME
ARP access list name
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#configure terminal
(config)#arp access-list arp1
arp access-list default
Use this command to modify the default rule action of an access list.
The default rule is applicable only when an access list is attached to an interface. The default rule will have the lowest priority and only ARP packets not matching any of the user defined rules match the default rule.
Command Syntax
default (deny-all|permit-all)
Parameters
deny-all
Drop all packets.
permit-all
Accept all packets.
Default
The default rule is deny-all when an access list is attached to an interface.
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 3.0.
Examples
#configure terminal
(config)#arp access-list arp1
(config-arp-acl)#default permit-all
arp access-list remark
Use this command to add a description to a named ARP access control list (ACL).
Use the no form of this command to remove an ACL description.
Command Syntax
remark LINE
no remark
Parameters
LINE
ACL description up to 100 characters.
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#configure terminal
(config)#arp access-list arp1
(config-arp-acl)# remark Permit arp request packets
 
arp access-list request
Use this command to configure ARP access control entry in an ARP access control list (ACL).
This command determines whether to accept or drop a packet based on the configured match criteria.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a change of sequence number or change of action will result in updating the sequence number or filter action.
Command Syntax
(<1-268435453>|) (deny|permit) (request|) ip (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) mac (any|((XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))|(host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))) (vlan <1-4094>|) (inner-vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) (request|) ip (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) mac (any|((XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))|(host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))) (vlan <1-4094>|) (inner-vlan <1-4094>|)
Parameters
<1-268435453>
ARP ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
request
ARP request.
ip
Internet Protocol (IP).
A.B.C.D/M
Source IP prefix and length.
A.B.C.D A.B.C.D
Source IP address and mask.
host A.B.C.D
A single source host IP address.
any
Match any source IP address.
mac
MAC address configuration.
any
Match any source mac address.
XX-XX-XX-XX-XX-XX
Source MAC address (Option 1).
XX:XX:XX:XX:XX:XX
Source MAC address (Option 2).
XXXX.XXXX.XXXX
Source MAC address (Option 3).
XX-XX-XX-XX-XX-XX
Source wildcard (Option 1).
XX:XX:XX:XX:XX:XX
Source wildcard (Option 2).
XXXX.XXXX.XXXX
Source wildcard (Option 3).
host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)
A single source host MAC address, in any of the three formats.
vlan <1-4094>
VLAN identifier.
inner-vlan <1-4094>
 
Inner VLAN identifier.
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 3.0.
Examples
#configure terminal
(config)#arp access-list arp1
(config-arp-acl)#10 permit request ip 1.1.1.0/24 mac 0000.0000.0001 FFFF.FFFF.FFF0
(config-arp-acl)#no 10
arp access-list resequence
Use this command to modify the sequence numbers of an ARP access list.
Note: IP Infusion Inc. recommends using a non-overlapping sequence space for a new sequence number set, to avoid unexpected rule matches during the transition.
Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.
Command Syntax
resequence <1-268435453> INCREMENT
Parameters
<1-268435453>
Starting sequence number.
INCREMENT
Sequence number increment steps.
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#configure terminal
(config)#arp access-list arp1
(config-arp-acl)#resequence 15 15
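The following Python model is added here and is not part of the OcNOS documentation or software. It implements the rule semantics described for arp access-list, arp access-list default, arp access-list request/response and arp access-list resequence: sequence-numbered rules evaluated in order, first match wins, the implied deny (or permit-all) default, re-adding the same filter with a new sequence number or action, and resequencing. It assumes the usual ACL wildcard convention (a 1 bit means "do not care"), that a rule without the request or response keyword matches both opcodes, and that an omitted sequence number gets the next multiple of 10; verify all three against the platform.

```python
"""Added example (not OcNOS code): a model of the ARP access-list semantics
in this chapter, so the effect of rule order, the implied deny,
'default permit-all' and 'resequence' can be checked before configuring."""
import ipaddress
import re


def ipv4_int(text):
    return int(ipaddress.IPv4Address(text))


def mac_int(text):
    """Accept XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX and XXXX.XXXX.XXXX."""
    digits = re.sub(r"[-:.]", "", text.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("bad MAC " + text)
    return int(digits, 16)


def parse_field(t, to_int, width):
    """One IP or MAC operand: any | host X | X/M | X WILDCARD.
    Returns (value, care_mask, tokens_consumed). Assumption: the wildcard
    follows the usual ACL convention (a 1 bit means 'do not care'), as in
    the IPv4 example '30.0.0.1 0.0.0.255' later in this chapter."""
    full = (1 << width) - 1
    if t[0] == "any":
        return 0, 0, 1
    if t[0] == "host":
        return to_int(t[1]), full, 2
    if "/" in t[0]:
        net = ipaddress.ip_network(t[0], strict=False)
        return int(net.network_address), int(net.netmask), 1
    return to_int(t[0]), full ^ to_int(t[1]), 2


class ArpRule:
    """One specification in the chapter's syntax, e.g.
    '10 permit request ip 1.1.1.0/24 mac 0000.0000.0001 FFFF.FFFF.FFF0'."""

    def __init__(self, line):
        t = line.split()
        self.seq = int(t.pop(0)) if t[0].isdigit() else None
        self.action = t.pop(0)
        # Assumption: a rule with neither keyword matches both ARP opcodes.
        self.opcode = t.pop(0) if t[0] in ("request", "response") else None
        self.n = 2 if self.opcode == "response" else 1  # response: sender + target
        self.fields = []  # (value, care, converter) for ip(s) then mac(s)
        for kw, to_int, width in (("ip", ipv4_int, 32), ("mac", mac_int, 48)):
            assert t.pop(0) == kw
            for _ in range(self.n):
                v, c, used = parse_field(t, to_int, width)
                self.fields.append((v, c, to_int))
                del t[:used]
        self.vlan = int(t[1]) if t and t[0] == "vlan" else None
        # Identity of the filter, used for the 'same filter again' note.
        self.key = (self.opcode, tuple(f[:2] for f in self.fields), self.vlan)

    def matches(self, pkt):
        if self.opcode and pkt["op"] != self.opcode:
            return False
        if self.vlan is not None and pkt.get("vlan") != self.vlan:
            return False
        values = ([pkt["sender_ip"], pkt["target_ip"]][:self.n]
                  + [pkt["sender_mac"], pkt["target_mac"]][:self.n])
        return all(to_int(x) & c == v & c
                   for (v, c, to_int), x in zip(self.fields, values))


class ArpAcl:
    def __init__(self, name):
        self.name = name
        self.rules = {}            # sequence number -> ArpRule
        self.default = "deny-all"  # chapter: deny-all once attached

    def add(self, line):
        rule = ArpRule(line)
        # Same filter again with a new sequence number or action: update it.
        for seq, old in list(self.rules.items()):
            if old.key == rule.key:
                del self.rules[seq]
                rule.seq = rule.seq or seq
        if rule.seq is None:  # assumption: next free multiple of 10
            rule.seq = (max(self.rules, default=0) // 10 + 1) * 10
        self.rules[rule.seq] = rule

    def resequence(self, start, increment):
        ordered = [self.rules[s] for s in sorted(self.rules)]
        self.rules = {}
        for i, rule in enumerate(ordered):
            rule.seq = start + i * increment
            self.rules[rule.seq] = rule

    def evaluate(self, pkt):
        """First match in sequence order wins; otherwise the default rule."""
        for seq in sorted(self.rules):
            if self.rules[seq].matches(pkt):
                return self.rules[seq].action, seq
        return ("permit" if self.default == "permit-all" else "deny"), None
```

The same first-match and implied-deny behaviour is described again for the ip access-list commands later in this chapter; only the operand grammar differs.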
 
arp access-list response
Use this command to configure an ARP access control entry in an ARP access control list (ACL).
This command determines whether to accept or drop an ARP response packet based on the configured match criteria.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a change of sequence number or change of action will result in updating the sequence number or filter action.
Command Syntax
(<1-268435453>|) (deny|permit) response ip (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) mac (any|((XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))|(host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))) (any|((XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))|(host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))) (vlan <1-4094>|) (inner-vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) response ip (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) mac (any|((XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))|(host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))) (any|((XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))|(host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX))) (vlan <1-4094>|) (inner-vlan <1-4094>|)
Parameters
<1-268435453>
ARP ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
response
ARP response.
A.B.C.D/M
Source/destination IP prefix and length.
A.B.C.D A.B.C.D
Source/destination IP address and mask.
host A.B.C.D
A single source/destination host IP address.
any
Match any source/destination IP address.
mac
MAC address configuration.
any
Match any source/destination MAC address.
XX-XX-XX-XX-XX-XX
Source/destination MAC address (Option 1).
XX:XX:XX:XX:XX:XX
Source/destination MAC address (Option 2).
XXXX.XXXX.XXXX
Source/destination MAC address (Option 3).
XX-XX-XX-XX-XX-XX
Source/destination wildcard (Option 1).
XX:XX:XX:XX:XX:XX
Source/destination wildcard (Option 2).
XXXX.XXXX.XXXX
Source/destination wildcard (Option 3).
vlan <1-4094>
VLAN identifier.
inner-vlan <1-4094>
Inner VLAN identifier.
Command Mode
ARP access-list mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#configure terminal
(config)#arp access-list arp1
(config-arp-acl)#10 permit response ip 1.1.1.0/24 mac 0000.0000.0001 FFFF.FFFF.FFF0
(config-arp-acl)#no 10
 
clear access-list
Use this command to clear the access-list counters.
Command Syntax
clear access-list (NAME|) counters
Parameters
NAME
Access-list name.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear access-list counters
clear arp access-list
Use this command to clear the ARP access-list counters.
Command Syntax
clear arp access-list (NAME|) counters
Parameters
NAME
ARP access list name
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#clear arp access-list counters
 
clear ip access-list
Use this command to clear the IP access-list counters.
Command Syntax
clear ip access-list (NAME|) counters
Parameters
NAME
Access-list name.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear ip access-list counters
clear ipv6 access-list
Use this command to clear the IPv6 access-list counters.
Command Syntax
clear ipv6 access-list (NAME|) counters
Parameters
NAME
Access-list name.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear ipv6 access-list counters
clear mac access-list
Use this command to clear the MAC access-list counters.
Command Syntax
clear mac access-list (NAME|) counters
Parameters
NAME
Access-list name.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear mac access-list counters
ip access-group
Use this command to attach an IP access list to an interface or terminal line to filter incoming or outgoing IP packets.
The time-range parameter is optional. If used, the access-group is tied to the timer specified.
After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.
To delete the access-group, use the no form of this command without a time-range.
Note: An egress IP ACL is supported on physical and LAG interfaces only. An egress IP ACL matches only routed traffic, not switched traffic. The VLAN and inner-VLAN options in ACL rules match the VLANs of the incoming packet even when the ACL is attached at egress.
Command Syntax
ip access-group NAME (in|out) (time-range TR_NAME|)
no ip access-group NAME (in|out) (time-range TR_NAME|)
Parameters
NAME
Access list name.
in
Filter incoming packets.
out
Filter outgoing packets.
TR_NAME
Time range name set with the time-range command.
Command Mode
Line mode
Interface mode
Applicability
This command was introduced before OcNOS version 3.0. The time-range parameter was added in OcNOS version 5.0.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#permit ip any any
(config-ip-acl)#exit
 
(config)#hardware-profile filter ingress-ipv4-ext enable
 
(config)#interface xe3
(config-if)#ip access-group mylist in
(config-if)#exit
 
(config)#interface xe3
(config-if)#no ip access-group mylist in time-range TIMER1
(config-if)#exit
 
(config)#line vty
(config-all-line)#no ip access-group mylist in
Usage: VLANs and LAGs
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.
Usage: TCAM Groups
An access-group in the egress direction uses the same TCAM group as the QoS output service policy. Actions are therefore unpredictable when conflicting matches are configured on the same interface. IP Infusion Inc. recommends avoiding such a configuration; otherwise, configure the priority (in QoS) or the sequence number (in the ACL) carefully to handle such cases.
To attach an IP ACL in the ingress direction, the ingress-ipv4 or ingress-ipv4-ext TCAM group must be enabled; to attach an IP ACL in the egress direction, the egress-ipv4 TCAM group must be enabled. See the hardware-profile filter (Qumran1) commands for details.
Usage: VTY Interfaces
You can create ACLs for VTY interfaces to filter packets from management applications such as SSH, Telnet, NTP, SNMP, and SNMP traps. TCP, UDP, and ICMP are supported.
For an ACL for VTY, you create the ACL, configure it with rules, and associate the ACL to the terminal line in line mode.
VTY ACLs do not support the following:
The default deny-all rule. You must explicitly set up a deny-all rule according to your requirements.
VLAN-specific rules.
Rules with TCP flags.
Rules with dscp, fragments, log, precedence, and sample parameters.
Rules with ICMP code and message types.
Usage: Timed ACL on interfaces
You create a timer range that is identified by a name and configured with a start time, end time, and frequency. Once you create the time range, you can tie the ACL configuration to the time-range object. This allows you to create an access group that is enabled when the timer has started and disabled when the timer ends. You can also disassociate an access group from the timer if needed.
ip access-list
Use this command to define a named access control list (ACL) that determines whether to accept or drop an incoming IP packet based on specifications configured under the ACL. An ACL is made up of one or more ACL specifications.
Each packet that arrives at the device is compared to each specification in each ACL in the order that they are defined. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently occurring specifications at the top of the list.
The device stops checking the specifications after a match occurs.
There is an implied deny specification for traffic that is not permitted. The implied specification can be changed to permit (with the default permit-all command) when the use case is to deny only a certain set of traffic.
Use the no form of this command to remove an ACL.
Command Syntax
ip access-list NAME
no ip access-list NAME
Parameters
NAME
Access-list name.
Default
No default value is specified
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-acl-01
 
ip access-list default
Use this command to modify the default rule action of an access list. The default rule is applicable only when the access list is attached to an interface. The default rule has the lowest priority: only IP packets that match none of the user-defined rules match the default rule.
Command Syntax
default (deny-all|permit-all)
Parameters
deny-all
Drop all packets.
permit-all
Accept all packets.
Default
No default value is specified
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-acl-01
(config-ip-acl)#default permit-all
 
ip access-list filter
Use this command to configure an access control entry in an access control list (ACL).
This entry determines whether to accept or drop an IP packet based on the configured match criteria.
Use the no form of this command to remove an ACL specification. A specification can also be removed by giving only its sequence number.
Note: Configuring the same filter again with a changed sequence number or action updates the sequence number or filter action.
Command Syntax
(<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipip|ipcomp|ipv6ip|ospf|pim|rsvp|vrrp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine)|) (vlan <1-4094>|) (inner-vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipip|ipcomp|ipv6ip|ospf|pim|rsvp|vrrp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine)|) (vlan <1-4094>|) (inner-vlan <1-4094>|)
no <1-268435453>
Parameters
<1-268435453>
IPv4 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
<0-255>
IANA assigned protocol number.
any
Any protocol packet.
ahp
Authentication Header packet.
eigrp
Enhanced Interior Gateway Routing Protocol packet.
esp
Encapsulating Security Payload packet.
gre
Generic Routing Encapsulation packet.
ipip
IPv4 over IPv4 encapsulation packet.
ipcomp
IP Payload Compression Protocol packet.
ipv6ip
IPv6 over IPv4 encapsulation packet.
ospf
Open Shortest Path First packet.
pim
Protocol Independent Multicast packet
rsvp
Resource Reservation Protocol packet.
vrrp
Virtual Router Redundancy Protocol packet.
A.B.C.D/M
Source IP prefix and length.
A.B.C.D A.B.C.D
Source IP address and mask.
host A.B.C.D
A single source host IP address.
any
Match any source IP address.
A.B.C.D/M
Destination IP prefix and length.
A.B.C.D A.B.C.D
Destination IP address and mask.
host A.B.C.D
A single destination host IP address.
any
Match any destination IP address.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
precedence
Match packets with given precedence value.
<0-7>
Enter precedence value 0-7.
critical
Match packets with critical precedence (5).
flash
Match packets with flash precedence (3).
flashoverride
Match packets with flash override precedence (4).
immediate
Match packets with immediate precedence (2).
internet
Match packets with internetwork control precedence (6).
network
Match packets with network control precedence (7).
priority
Match packets with priority precedence (1).
routine
Match packets with routine precedence (0).
vlan
Match packets with the given VLAN value.
<1-4094>
VLAN identifier.
inner-vlan
Match packets with the given inner VLAN value.
<1-4094>
Inner VLAN identifier.
Default
No default value is specified
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-acl-01
(config-ip-acl)#11 permit any 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255
(config-ip-acl)#no 11
ip access-list icmp
Use this command to permit or deny ICMP packets based on the given source and destination IP addresses. DSCP, precedence, VLAN ID and inner VLAN ID can also be given as match criteria.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a changed sequence number or action updates the sequence number or filter action.
Command Syntax
(<1-268435453>|) (deny|permit) icmp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) icmp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)
Parameters
<1-268435453>
IPv4 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
icmp
Internet Control Message Protocol packet.
A.B.C.D/M
Source IP prefix and length.
A.B.C.D A.B.C.D
Source IP address and mask.
host A.B.C.D
A single source host IP address.
any
Match any source IP address.
A.B.C.D/M
Destination IP prefix and length.
A.B.C.D A.B.C.D
Destination IP address and mask.
host A.B.C.D
A single destination host IP address.
any
Match any destination IP address.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
precedence
Match packets with given precedence value.
<0-7>
Enter precedence value 0-7.
critical
Match packets with critical precedence (5).
flash
Match packets with flash precedence (3).
flashoverride
Match packets with flash override precedence (4).
immediate
Match packets with immediate precedence (2).
internet
Match packets with internetwork control precedence (6).
network
Match packets with network control precedence (7).
priority
Match packets with priority precedence (1).
routine
Match packets with routine precedence (0).
vlan
Match packets with the given VLAN value.
<1-4094>
VLAN identifier.
inner-vlan
Match packets with the given inner VLAN value.
<1-4094>
Inner VLAN identifier.
Default
No default value is specified
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-icmp
(config-ip-acl)#200 permit icmp any any
ip access-list remark
Use this command to add a description to a named IPv4 access control list (ACL).
Use the no form of this command to remove an ACL description.
Command Syntax
remark LINE
no remark
Parameters
LINE
ACL description up to 100 characters.
Default
No default value is specified
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#remark permit the inside admin address
(config-ip-acl)#exit
 
(config)#ip access-list mylist
(config-ip-acl)#no remark
(config-ip-acl)#exit
ip access-list resequence
Use this command to modify sequence numbers of the IP access list specifications.
Note: Use a non-overlapping sequence space for new sequence number sets to avoid possible unexpected rule matches during transition.
Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.
Command Syntax
resequence <1-268435453> INCREMENT
Parameters
<1-268435453>
Starting sequence number.
INCREMENT
Sequence number increment steps.
Default
None
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list mylist
(config-ip-acl)#resequence 5 5
(config-ip-acl)#end
ip access-list tcp|udp
Use this command to define a named access control list (ACL) that determines whether to accept or drop an incoming TCP or UDP IP packet based on the specified match criteria. This form of the command filters packets on source and destination IP address together with the protocol (TCP or UDP) and port.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a changed sequence number or action updates the sequence number or filter action.
Note: TCP flag options and the port comparison options neq, gt, lt and range are not supported by the hardware in the egress direction.
Note: The ack and established TCP flag options have the same functionality in hardware.
Note: The neq option should be removed from IPv4 access list configurations on Qumran2 series platforms.
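An added Python example (not OcNOS code) for the tcp|udp rule form: it parses the address and port operators of the syntax below, evaluates rules first-match against a packet, and lists the options the notes above say the hardware does not apply, so a list can be checked before it is attached with ip access-group NAME out or used on a Qumran2 platform. The names parse_addr, parse_port, L4Rule, evaluate and unsupported are the example's own; the A.B.C.D WILDCARD address form and the dscp, precedence and inner-vlan qualifiers are left out, and treating a flag list as "every listed flag must be set" is an assumption.

```python
"""Added example (not OcNOS code): parse 'ip access-list tcp|udp' rules in
this chapter's syntax, evaluate them first-match against a packet, and report
the options the chapter's notes say the hardware does not apply."""
from ipaddress import ip_address, ip_network

# Subset of the named ports in the syntax, with their IANA numbers.
TCP_NAMES = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20, "smtp": 25,
             "ssh": 22, "telnet": 23, "www": 80, "netconf-ssh": 830}
UDP_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "ntp": 123, "snmp": 161, "snmptrap": 162}
TCP_FLAGS = ("ack", "established", "fin", "psh", "rst", "syn", "urg")


def parse_addr(t):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D/M' from the token list."""
    if t[0] == "any":
        net, used = ip_network("0.0.0.0/0"), 1
    elif t[0] == "host":
        net, used = ip_network(t[1] + "/32"), 2
    else:
        net, used = ip_network(t[0], strict=False), 1
    del t[:used]
    return net


def parse_port(t, names):
    """Consume an optional '(eq|gt|lt|neq) PORT' or 'range LO HI'."""
    if t and t[0] == "range":
        spec, used = ("range", int(t[1]), int(t[2])), 3
    elif t and t[0] in ("eq", "gt", "lt", "neq"):
        spec, used = (t[0], int(t[1]) if t[1].isdigit() else names[t[1]]), 2
    else:
        return None
    del t[:used]
    return spec


def port_ok(spec, port):
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return {"eq": port == spec[1], "gt": port > spec[1],
            "lt": port < spec[1], "neq": port != spec[1]}[spec[0]]


class L4Rule:
    """E.g. '10 permit tcp any 10.0.0.0/8 eq ssh syn'; dscp, precedence and
    inner-vlan qualifiers and the 'A.B.C.D WILDCARD' form are not modelled."""

    def __init__(self, line):
        t = line.split()
        self.seq = int(t.pop(0)) if t[0].isdigit() else None
        self.action = t.pop(0)
        self.proto = t.pop(0)
        names = TCP_NAMES if self.proto == "tcp" else UDP_NAMES
        self.src = parse_addr(t)
        self.sport = parse_port(t, names)
        self.dst = parse_addr(t)
        self.dport = parse_port(t, names)
        self.flags, self.vlan = set(), None
        while t:
            k = t.pop(0)
            if k in TCP_FLAGS:
                self.flags.add(k)
            elif k == "vlan":
                self.vlan = int(t.pop(0))

    def matches(self, pkt):
        if pkt["proto"] != self.proto or (self.vlan and pkt.get("vlan") != self.vlan):
            return False
        if ip_address(pkt["sip"]) not in self.src or ip_address(pkt["dip"]) not in self.dst:
            return False
        if not (port_ok(self.sport, pkt["sport"]) and port_ok(self.dport, pkt["dport"])):
            return False
        # Chapter note: ack and established behave the same in hardware.
        # Assumption: every flag listed in the rule must be set in the packet.
        want = {"ack" if f == "established" else f for f in self.flags}
        return want <= set(pkt.get("flags", ()))


def evaluate(rules, pkt):
    """First match in sequence order wins; the implied deny otherwise."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(pkt):
            return rule.action, rule.seq
    return "deny", None


def unsupported(rule, direction, qumran2=False):
    """Options the notes say are not applied: neq/gt/lt/range and TCP flags in egress, neq on Qumran2."""
    found = []
    for side, spec in (("source", rule.sport), ("destination", rule.dport)):
        if spec is None:
            continue
        if direction == "out" and spec[0] != "eq":
            found.append(f"{side} port operator '{spec[0]}' in egress")
        if qumran2 and spec[0] == "neq":
            found.append(f"{side} port operator 'neq' on Qumran2")
    if direction == "out" and rule.flags:
        found.append("TCP flag options in egress")
    return found
```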
Command Syntax
(<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www|netconf-ssh|netconf-tls)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) ({ack|established|fin|psh|rst|syn|urg}|) (vlan <1-4094>|) (inner-vlan <1-4094>|)
(<1-268435453>|) (deny|permit) udp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www|netconf-ssh|netconf-tls)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) ({ack|established|fin|psh|rst|syn|urg}|) (vlan <1-4094>|) (inner-vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) udp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)
Parameters
<1-268435453>
IPv4 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
tcp
Transmission Control Protocol.
udp
User Datagram Protocol.
A.B.C.D/M
Source or destination IP prefix and length.
A.B.C.D A.B.C.D
Source or destination IP address and mask.
host A.B.C.D
Source or destination host IP address.
any
Any source or destination IP address.
eq
Source or destination port equal to.
gt
Source or destination port greater than.
lt
Source or destination port less than.
neq
Source or destination port not equal to.
<0-65535>
Source or destination port number.
range
Range of source or destination port numbers:
<0-65535>
Lowest value in the range.
<0-65535>
Highest value in the range.
bgp
Border Gateway Protocol.
chargen
Character generator.
cmd
Remote commands.
daytime
Daytime.
discard
Discard.
domain
Domain Name Service.
drip
Dynamic Routing Information Protocol.
echo
Echo.
exec
EXEC.
finger
Finger.
ftp
File Transfer Protocol.
ftp-data
FTP data connections.
gopher
Gopher.
hostname
NIC hostname server.
ident
Ident Protocol.
irc
Internet Relay Chat.
klogin
Kerberos login.
kshell
Kerberos shell.
login
Login.
lpd
Printer service.
nntp
Network News Transport Protocol.
pim-auto-rp
PIM Auto-RP.
pop2
Post Office Protocol v2.
pop3
Post Office Protocol v3.
smtp
Simple Mail Transport Protocol.
ssh
Secure Shell.
sunrpc
Sun Remote Procedure Call.
tacacs
TAC Access Control System.
talk
Talk.
telnet
Telnet.
time
Time.
uucp
UNIX-to-UNIX Copy Program.
whois
WHOIS/NICNAME.
www
World Wide Web.
netconf-ssh
NETCONF over Secure Shell.
netconf-tls
NETCONF over Transport Layer Security.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
precedence
Match packets with given precedence value.
<0-7>
Precedence.
critical
Match packets with critical precedence (5).
flash
Match packets with flash precedence (3).
flashoverride
Match packets with flash override precedence (4).
immediate
Match packets with immediate precedence (2).
internet
Match packets with internetwork control precedence (6).
network
Match packets with network control precedence (7).
priority
Match packets with priority precedence (1).
routine
Match packets with routine precedence (0).
ack
Match on the Acknowledgment (ack) bit.
established
Matches only packets that belong to an established TCP connection.
fin
Match on the Finish (fin) bit.
psh
Match on the Push (psh) bit.
rst
Match on the Reset (rst) bit.
syn
Match on the Synchronize (syn) bit.
urg
Match on the Urgent (urg) bit.
biff
Biff.
bootpc
Bootstrap Protocol (BOOTP) client.
bootps
Bootstrap Protocol (BOOTP) server.
discard
Discard.
dnsix
DNSIX security protocol auditing.
domain
Domain Name Service.
echo
Echo.
isakmp
Internet Security Association and Key Management Protocol.
mobile-ip
Mobile IP registration.
nameserver
IEN116 name service.
netbios-dgm
Net BIOS datagram service.
netbios-ns
Net BIOS name service.
netbios-ss
Net BIOS session service.
non500-isakmp
Non500-Internet Security Association and Key Management Protocol.
ntp
Network Time Protocol.
pim-auto-rp
PIM Auto-RP.
rip
Routing Information Protocol.
snmp
Simple Network Management Protocol.
snmptrap
SNMP Traps.
sunrpc
Sun Remote Procedure Call.
syslog
System Logger.
tacacs
TAC Access Control System.
talk
Talk.
tftp
Trivial File Transfer Protocol.
time
Time.
who
Who service.
xdmcp
X Display Manager Control Protocol.
vlan
Match packets with given vlan value.
<1-4094>
VLAN identifier.
inner-vlan
Match packets with given inner vlan value.
<1-4094>
VLAN identifier.
Default
No default value is specified
Command Mode
IP access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip access-list ip-acl-02
(config-ip-acl)#deny udp any any eq tftp
(config-ip-acl)#deny tcp any any eq ssh
(config-ip-acl)#end
ipv6 access-group in
Use this command to attach an IPv6 access list to an interface to filter incoming IPv6 packets.
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.
The time-range parameter is optional. If used, the access-group is tied to the timer specified.
After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.
To delete the access-group, use the no form of this command without a time-range.
Note: To attach an IPv6 ACL in the ingress direction, the ingress-ipv6 TCAM group must be enabled. See the hardware-profile filter (Qumran1) command for details.
Command Syntax
ipv6 access-group NAME in (time-range TR_NAME|)
no ipv6 access-group NAME in (time-range TR_NAME|)
Parameters
NAME
Access list name.
TR_NAME
Time range name set with the time-range command.
Default
No default value is specified
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS version 5.0.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#permit ipv6 any any
(config-ipv6-acl)#exit
(config)#hardware-profile filter ingress-ipv6 enable
 
(config)#interface xe3
(config-if)#ipv6 access-group mylist in
 
(config)#interface xe3
(config-if)#no ipv6 access-group mylist in
 
(config)#interface xe3
(config-if)#ipv6 access-group mylist in time-range TIMER1
 
(config)#interface xe3
(config-if)#no ipv6 access-group mylist in time-range TIMER1
 
ipv6 access-list
Use this command to define an IPv6 access control list (ACL) that determines whether to accept or drop an incoming IPv6 packet based on the specifications configured under the ACL. An ACL is made up of one or more ACL specifications.
Each packet that arrives at the device is compared to each specification in the ACL in the order that they are defined. The device continues to look until it has a match and stops checking the specifications after a match occurs. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently occurring specifications at the top of the list.
There is an implied deny specification for traffic that is not permitted. The implied specification can be changed to permit (see the ipv6 access-list default command) when the use case is to deny only a specific set of traffic.
Note: IPv6 routing protocols need neighbor discovery to establish sessions. Because of the implied deny, applying an IPv6 ACL would drop all ICMPv6 packets and break those protocol sessions. To avoid this, an implicit ICMPv6 permit rule is added to every IPv6 ACL.
If the required behavior is to deny ICMPv6, delete the implicit rule. For example, create an IPv6 ACL and display it:
(config)#ipv6 access-list ipv6-acl
 
#show ipv6 access-lists
IPv6 access list ipv6-acl
268435453 permit icmpv6 any any
 
To delete this rule:
(config)#ipv6 access-list ipv6-acl
 
(config-ipv6-acl)#no 268435453 permit icmpv6 any any
 
#show ipv6 access-lists
IPv6 access list ipv6-acl
 
Use the no form of this command to remove the ACL.
Command Syntax
ipv6 access-list NAME
no ipv6 access-list NAME
Parameters
NAME
Access-list name.
Default
No default value is specified
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list ipv6-acl-01
(config-ipv6-acl)#exit
ipv6 access-list default
Use this command to change the action of the default rule of an IPv6 access-list. The default rule applies only when the IPv6 access-list is attached to an interface. It has the lowest priority: only IPv6 packets that match none of the user-defined rules match the default rule.
Command Syntax
default (deny-all|permit-all)
Parameters
deny-all
Drop all packets.
permit-all
Accept all packets.
Default
No default value is specified
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list ipv6-acl-01
(config-ipv6-acl)#default permit-all
 
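The matching rules described under ipv6 access-list and ipv6 access-list default, modelled in Python as an added example (this is not OcNOS code and it does not talk to a device): entries are tried in ascending sequence-number order, the first match wins, every IPv6 ACL starts with the implicit ICMPv6 permit at sequence 268435453 that an operator may delete, and the default rule (deny-all unless changed with default permit-all) is consulted only when nothing matched. The packets fed to the model are constructed for the example; the rules are the ones from the examples on this page.

```python
"""Model of the IPv6 ACL matching rules described on this page (added example,
not OcNOS code): entries are tried in ascending sequence-number order, the
first match wins, every IPv6 ACL starts with an implicit ICMPv6 permit at
sequence 268435453 that may be deleted, and the default rule (deny-all unless
changed with 'default permit-all') is consulted only when nothing matched."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Optional, Tuple

IMPLICIT_ICMPV6_SEQ = 268435453           # sequence number shown by 'show ipv6 access-lists'
ANY = IPv6Network("::/0")                 # the 'any' keyword


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                           # "permit" or "deny"
    proto: str                            # "any", "icmpv6", "tcp", "udp", ...
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int] = None           # 'eq PORT' on the destination; None = no port test

    def matches(self, proto: str, src: IPv6Address, dst: IPv6Address, dport: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


@dataclass
class Ipv6Acl:
    name: str
    default: str = "deny-all"             # 'default permit-all' flips this
    entries: Dict[int, Entry] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Every new IPv6 ACL carries the implicit ICMPv6 permit so that
        # neighbour discovery survives once the ACL is attached.
        self.add(Entry(IMPLICIT_ICMPV6_SEQ, "permit", "icmpv6", ANY, ANY))

    def add(self, entry: Entry) -> None:
        self.entries[entry.seq] = entry   # re-adding a sequence number updates that entry

    def remove(self, seq: int) -> None:
        del self.entries[seq]             # e.g. 'no 268435453 permit icmpv6 any any'

    def evaluate(self, proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return (action, sequence) of the first matching entry; (default action, None) otherwise."""
        s, d = IPv6Address(src), IPv6Address(dst)
        for seq in sorted(self.entries):  # lowest sequence number first
            if self.entries[seq].matches(proto, s, d, dport):
                return self.entries[seq].action, seq
        return ("permit" if self.default == "permit-all" else "deny"), None


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Walk the page's own example rules with a few constructed packets."""
    acl = Ipv6Acl("mylist")
    acl.add(Entry(10, "deny", "udp", ANY, ANY, dport=69))                 # deny udp any any eq tftp
    acl.add(Entry(20, "deny", "tcp", IPv6Network("fd22:bf66:78a4:10a2::/64"),
                  IPv6Network("fdf2:860a:746a:e49c::/64"), dport=22))     # deny tcp ... eq ssh
    out = {
        "tftp": acl.evaluate("udp", "fd00::1", "fd00::2", 69),
        "ssh_in_scope": acl.evaluate("tcp", "fd22:bf66:78a4:10a2::5", "fdf2:860a:746a:e49c::9", 22),
        "ssh_elsewhere": acl.evaluate("tcp", "fd00::1", "fd00::2", 22),   # no rule: implied deny
        "nd": acl.evaluate("icmpv6", "fe80::1", "ff02::1"),               # implicit ICMPv6 permit
    }
    acl.remove(IMPLICIT_ICMPV6_SEQ)                                       # operator deletes the implicit rule
    out["nd_after_removal"] = acl.evaluate("icmpv6", "fe80::1", "ff02::1")
    acl.default = "permit-all"                                            # 'default permit-all'
    out["ssh_elsewhere_permit_all"] = acl.evaluate("tcp", "fd00::1", "fd00::2", 22)
    return out
```

The last two results are the ones to keep in mind when editing a live ACL: deleting the implicit ICMPv6 rule turns neighbor discovery into a default-rule decision, and switching the default to permit-all makes every unmatched flow pass, not only the one being debugged.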
ipv6 access-list filter
Use this command to define an access-control entry in an access control list (ACL) that determines whether to accept or drop an IPv6 packet based on the criteria specified. This form of the command filters packets based on:
Protocol
Source IP address
Destination IP address
DSCP value
VLAN identifier
Use the no form of this command to remove an ACL specification. An ACL specification can also be removed by its sequence number alone.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Note: For IPv6 source and destination address filters, only the network part of the address (the upper 64 bits) is supported in hardware. A filter whose address length is more than 64 bits cannot be applied on an interface, but it can be used with distribute lists in control plane protocols.
Command Syntax
(<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipipv6|ipcomp|ipv6ipv6|ospf|pim|rsvp|vrrp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipipv6|ipcomp|ipv6ipv6|ospf|pim|rsvp|vrrp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
no (<1-268435453>)
Parameters
<1-268435453>
IPv6 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
<0-255>
IANA assigned protocol number.
any
Any protocol packet.
ahp
Authentication Header packet.
eigrp
Enhanced Interior Gateway Routing Protocol packet.
esp
Encapsulating Security Payload packet.
gre
Generic Routing Encapsulation packet.
ipipv6
IPv4 over IPv6 Encapsulation packet.
ipcomp
IP Payload Compression Protocol packet.
ipv6ipv6
IPv6 over IPv6 Encapsulation packet.
ospf
Open Shortest Path First packet.
pim
Protocol Independent Multicast packet
rsvp
Resource Reservation Protocol packet.
vrrp
Virtual Router Redundancy Protocol packet.
X:X::X:X/M
Source address with network mask length.
X:X::X:X X:X::X:X
Source address with wildcard mask.
any
Any source address.
X:X::X:X/M
Destination address with network mask length.
X:X::X:X X:X::X:X
Destination address with wildcard mask.
any
Any destination address.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
vlan
Match packets with given vlan value.
<1-4094>
VLAN identifier.
Default
No default value is specified
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list ipv6-acl-01
(config-ipv6-acl)#permit ipipv6 any any
(config-ipv6-acl)#end
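A pre-flight check for the hardware restriction noted above (only the upper 64 bits of an IPv6 source or destination address are matched when the ACL is on an interface), written as an added example; it is not OcNOS code and does not inspect a device. For the prefix form it applies the page's rule directly (prefix length at most 64). How the address-plus-wildcard form maps onto that rule is this example's assumption: a wildcard mask is taken to be interface-safe when all of its low 64 bits are ignored (set to 1), since any low bit that is not ignored would have to be compared. The addresses are the ones from this page's examples plus constructed ones.

```python
"""Classify IPv6 ACL address filters as usable on an interface or only in a
distribute list (added example, not OcNOS code). Rule from the page: only the
upper 64 bits are matched in hardware. Wildcard handling is an assumption of
this example: the low 64 bits of the mask must all be 'ignored' (1 bits)."""
from ipaddress import IPv6Address, IPv6Network

LOW64 = (1 << 64) - 1                       # mask of the host part that hardware cannot match


def prefix_is_interface_safe(prefix: str) -> bool:
    """'X:X::X:X/M' form (or 'any'): acceptable on an interface only when M <= 64."""
    if prefix == "any":
        return True
    return IPv6Network(prefix, strict=False).prefixlen <= 64


def wildcard_is_interface_safe(address: str, wildcard: str) -> bool:
    """'X:X::X:X X:X::X:X' form: address plus wildcard mask of ignored bits (assumption)."""
    IPv6Address(address)                    # validates the address part
    mask = int(IPv6Address(wildcard))
    return mask & LOW64 == LOW64


def check_filter(src: str, dst: str) -> dict:
    """Classify one source/destination pair written the way the CLI accepts it."""
    def one(spec: str) -> bool:
        parts = spec.split()
        if len(parts) == 2:                 # address + wildcard mask
            return wildcard_is_interface_safe(parts[0], parts[1])
        return prefix_is_interface_safe(parts[0])

    src_ok, dst_ok = one(src), one(dst)
    return {
        "src_ok": src_ok,
        "dst_ok": dst_ok,
        "usable": "interface" if src_ok and dst_ok else "distribute-list only",
    }


def demo() -> dict:
    """Constructed cases: the page's /64 example, a /128 host filter, two wildcard forms."""
    return {
        "page_example": check_filter("fd22:bf66:78a4:10a2::/64", "fdf2:860a:746a:e49c::/64"),
        "host_filter": check_filter("fd00::1/128", "any"),
        "wild_ok": check_filter("fd00:: ::ffff:ffff:ffff:ffff", "any"),
        "wild_bad": check_filter("fd00:: ::ffff:ffff:ffff", "any"),
    }
```

Run this over a candidate ACL before attaching it with ipv6 access-group: anything reported as distribute-list only will not be programmed on the interface, and a rule that silently fails to program is the kind of gap that lets traffic through.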
ipv6 access-list icmpv6
Use this command to permit or deny ICMPv6 packets with the given source and destination IPv6 addresses, DSCP value and VLAN ID.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Command Syntax
(<1-268435453>|) (deny|permit) icmpv6 (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) icmpv6 (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
Parameters
<1-268435453>
IPv6 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
icmpv6
Internet Control Message Protocol packet.
X:X::X:X/M
Source address with network mask length.
X:X::X:X X:X::X:X
Source address with wildcard mask.
any
Any source address.
X:X::X:X/M
Destination address with network mask length.
X:X::X:X X:X::X:X
Destination address with wildcard mask.
any
Any destination address.
dscp
Match packets with given DSCP value.
<0-63>
Enter DSCP value between 0-63.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
vlan
Match packets with given vlan value.
<1-4094>
VLAN identifier.
Default
No default value is specified
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#200 permit icmpv6 any any
ipv6 access-list remark
Use this command to add a description to an IPv6 access control list (ACL).
Use the no form of this command to remove an access control list description.
Command Syntax
remark LINE
no remark
Parameters
LINE
ACL description up to 100 characters.
Default
No default value is specified
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#remark Permit the inside admin address
ipv6 access-list resequence
Use this command to renumber the specifications of an IPv6 access list, starting at the given sequence number and increasing by the given increment.
Note: Use a sequence space that does not overlap the numbers currently in use, to avoid unexpected rule matches while the renumbering is in progress.
Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated with it.
Command Syntax
resequence <1-268435453> INCREMENT
Parameters
<1-268435453>
Starting Sequence number.
INCREMENT
Sequence number increment steps.
Default
No default value is specified
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#resequence 15 15
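The renumbering that resequence performs, and the reason the first note above asks for a non-overlapping sequence space, as an added example in Python (not OcNOS code; it models the command rather than running it). The model assumes what the syntax implies: relative order of the entries is preserved and the new numbers are START, START+INCREMENT, START+2*INCREMENT, and so on. overlapping_sequences reports old sequence numbers that end up holding a different rule after renumbering; the access list contents are constructed from the examples on this page.

```python
"""Model of 'resequence START INCREMENT' on an access list (added example, not
OcNOS code). Entries keep their relative order and receive START, START+INC,
START+2*INC, ... The overlap check shows why a fresh, non-overlapping
sequence space is safer: an old number that is reused for a different rule
can, during the transition, give that rule the priority of another."""
from typing import Dict, List


def resequence(entries: Dict[int, str], start: int, increment: int) -> Dict[int, str]:
    """Return a renumbered {sequence: rule} mapping; the input is left untouched."""
    if start < 1 or increment < 1:
        raise ValueError("start and increment must be positive")
    ordered = sorted(entries)                    # current sequence numbers, lowest first
    return {start + i * increment: entries[seq] for i, seq in enumerate(ordered)}


def overlapping_sequences(entries: Dict[int, str], start: int, increment: int) -> List[int]:
    """Old sequence numbers that, after renumbering, identify a different rule."""
    renumbered = resequence(entries, start, increment)
    return sorted(seq for seq in renumbered
                  if seq in entries and entries[seq] != renumbered[seq])


def demo() -> dict:
    """Constructed access list built from the rules used in this page's examples."""
    acl = {
        10: "deny udp any any eq tftp",
        20: "deny tcp any any eq ssh",
        30: "permit ipv6 any any",
    }
    return {
        "fresh_space": resequence(acl, 100, 10),                 # 100, 110, 120: no reuse
        "fresh_overlap": overlapping_sequences(acl, 100, 10),
        "page_example": resequence(acl, 15, 15),                 # 15, 30, 45 as in 'resequence 15 15'
        "page_overlap": overlapping_sequences(acl, 15, 15),      # 30 now carries the ssh rule
    }
```

With the page's resequence 15 15 on this three-entry list, number 30 changes from the permit to the ssh deny while the rename is in flight; with a start of 100 nothing is reused. Checking overlaps before issuing the command costs nothing and avoids a brief window in which a deny and a permit can swap priority.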
ipv6 access-list sctp
Use this command to permit or deny SCTP packets with the given source and destination IPv6 addresses. A port, a DSCP value and a VLAN ID can also be given so that only packets matching those values are permitted or denied.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Note: The port operators neq, gt, lt and range are not supported by the hardware in the egress direction.
Note: On Qumran2 series platforms, remove the neq option from the IPv6 access-list configuration.
Command Syntax
(<1-268435453>|) (deny|permit) sctp (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) <0-65535> | range <0-65535> <0-65535>|) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) sctp (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) <0-65535> | range <0-65535> <0-65535>|) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
Parameters
<1-268435453>
IPv6 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
sctp
Stream Control Transmission Protocol packet.
X:X::X:X/M
Source address with network mask length.
X:X::X:X
Source address with wild card mask.
X:X::X:X
Source address's wild card mask (ignored bits).
any
Any source address.
X:X::X:X/M
Destination address with network mask length.
X:X::X:X
Destination address with wild card mask.
X:X::X:X
Destination address's wild card mask (ignored bits).
any
Any destination address.
eq
Source or destination port equal to.
gt
Source or destination port greater than.
lt
Source or destination port less than.
neq
Source or destination port not equal to.
<0-65535>
Source or destination port number.
range
Range of source or destination port numbers:
<0-65535>
Lowest value in the range.
<0-65535>
Highest value in the range.
dscp
Match packets with given DSCP value.
<0-63>
DSCP value.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
vlan
Match packets with given vlan value.
<1-4094>
VLAN identifier.
Default
No default value is specified
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#200 permit sctp any any
ipv6 access-list tcp|udp
Use this command to define an IPv6 access control list (ACL) specification that determines whether to accept or drop an incoming IPv6 packet based on the criteria that you specify. This form of the command filters packets based on source and destination IPv6 address along with the protocol (TCP or UDP) and port.
Use the no form of this command to remove an ACL specification.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Note: The port operators neq, gt, lt and range are not supported by the hardware in the egress direction.
Note: On Qumran2 series platforms, remove the neq option from the IPv6 access-list configuration.
Command Syntax
(<1-268435453>|) (deny|permit) tcp (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www) | range <0-65535> <0-65535>|) (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www) | range <0-65535> <0-65535>|) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
(<1-268435453>|) (deny|permit) udp (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp) | range <0-65535> <0-65535>|) (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp) | range <0-65535> <0-65535>|) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) tcp (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www) | range <0-65535> <0-65535>|) (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www) | range <0-65535> <0-65535>|) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
no (<1-268435453>|) (deny|permit) udp (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp) | range <0-65535> <0-65535>|) (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp) | range <0-65535> <0-65535>|) (dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef)|) (vlan <1-4094>|)
Parameters
<1-268435453>
IPv6 ACL sequence number.
deny
Drop the packet.
permit
Accept the packet.
tcp
Transmission Control Protocol.
udp
User Datagram Protocol.
X:X::X:X/M
Source or destination IPv6 prefix and length.
X:X::X:X X:X::X:X
Source or destination IPv6 address and mask.
any
Any source or destination IPv6 address.
eq
Source or destination port equal to.
gt
Source or destination port greater than.
lt
Source or destination port less than.
neq
Source or destination port not equal to.
<0-65535>
Source or destination port number.
range
Range of source or destination port numbers:
<0-65535>
Lowest value in the range.
<0-65535>
Highest value in the range.
bgp
Border Gateway Protocol.
chargen
Character generator.
cmd
Remote commands.
daytime
Daytime.
discard
Discard.
domain
Domain Name Service.
drip
Dynamic Routing Information Protocol.
echo
Echo.
exec
EXEC.
finger
Finger.
ftp
File Transfer Protocol.
ftp-data
FTP data connections.
gopher
Gopher.
hostname
NIC hostname server.
ident
Ident Protocol.
irc
Internet Relay Chat.
klogin
Kerberos login.
kshell
Kerberos shell.
login
Login.
lpd
Printer service.
nntp
Network News Transport Protocol.
pim-auto-rp
PIM Auto-RP.
pop2
Post Office Protocol v2.
pop3
Post Office Protocol v3.
smtp
Simple Mail Transport Protocol.
ssh
Secure Shell.
sunrpc
Sun Remote Procedure Call.
tacacs
TAC Access Control System.
talk
Talk.
telnet
Telnet.
time
Time.
uucp
UNIX-to-UNIX Copy Program.
whois
WHOIS/NICNAME.
www
World Wide Web.
dscp
Match packets with given DSCP value.
<0-63>
DSCP value.
af11
AF11 DSCP (001010) decimal value 10.
af12
AF12 DSCP (001100) decimal value 12.
af13
AF13 DSCP (001110) decimal value 14.
af21
AF21 DSCP (010010) decimal value 18.
af22
AF22 DSCP (010100) decimal value 20.
af23
AF23 DSCP (010110) decimal value 22.
af31
AF31 DSCP (011010) decimal value 26.
af32
AF32 DSCP (011100) decimal value 28.
af33
AF33 DSCP (011110) decimal value 30.
af41
AF41 DSCP (100010) decimal value 34.
af42
AF42 DSCP (100100) decimal value 36.
af43
AF43 DSCP (100110) decimal value 38.
cs1
CS1 (precedence 1) DSCP (001000) decimal value 8.
cs2
CS2 (precedence 2) DSCP (010000) decimal value 16.
cs3
CS3 (precedence 3) DSCP (011000) decimal value 24.
cs4
CS4 (precedence 4) DSCP (100000) decimal value 32.
cs5
CS5 (precedence 5) DSCP (101000) decimal value 40.
cs6
CS6 (precedence 6) DSCP (110000) decimal value 48.
cs7
CS7 (precedence 7) DSCP (111000) decimal value 56.
default
Default DSCP (000000) decimal value 0.
ef
EF DSCP (101110) decimal value 46.
biff
Biff.
bootpc
Bootstrap Protocol (BOOTP) client.
bootps
Bootstrap Protocol (BOOTP) server.
discard
Discard.
dnsix
DNSIX security protocol auditing.
domain
Domain Name Service.
echo
Echo.
isakmp
Internet Security Association and Key Management Protocol.
mobile-ip
Mobile IP registration.
nameserver
IEN116 name service.
netbios-dgm
Net BIOS datagram service.
netbios-ns
Net BIOS name service.
netbios-ss
Net BIOS session service.
non500-isakmp
Non500-Internet Security Association and Key Management Protocol.
ntp
Network Time Protocol.
pim-auto-rp
PIM Auto-RP.
rip
Routing Information Protocol.
snmp
Simple Network Management Protocol.
snmptrap
SNMP Traps.
sunrpc
Sun Remote Procedure Call.
syslog
System Logger.
tacacs
TAC Access Control System.
talk
Talk.
tftp
Trivial File Transfer Protocol.
time
Time.
who
Who service.
xdmcp
X Display Manager Control Protocol.
vlan
Match packets with given vlan value.
<1-4094>
VLAN identifier.
Default
No default value is specified
Command Mode
IPv6 access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ipv6 access-list mylist
(config-ipv6-acl)#deny udp any eq tftp any
(config-ipv6-acl)#deny tcp fd22:bf66:78a4:10a2::/64 fdf2:860a:746a:e49c::/64 eq ssh
mac access-group
Use this command to attach a MAC access list to an interface to filter incoming or outgoing packets.
When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:
1. VLAN interface
2. LAG interface
3. Physical interface
For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.
The time-range parameter is optional. If used, the access-group is tied to the timer specified.
After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.
To delete the access-group, use the no form of this command without a time-range.
Note: To attach a MAC ACL in the ingress direction, the ingress-l2 or ingress-l2-ext TCAM group must be enabled; to attach a MAC ACL in the egress direction, the egress-l2 TCAM group must be enabled. See the hardware-profile filter (Qumran1) command for details.
Note: An egress ACL is supported on physical and LAG interfaces only. The VLAN and inner-VLAN options in ACL rules match the VLANs of the incoming packet even when the ACL is attached in the egress direction.
Command Syntax
mac access-group NAME (in|out) (time-range TR_NAME|)
no mac access-group NAME (in|out) (time-range TR_NAME|)
Parameters
NAME
Access list name.
in
Filter incoming packets.
out
Filter outgoing packets.
TR_NAME
Time range name set with the time-range command.
Default
No default value is specified
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS version 5.0.
Examples
#configure terminal
(config)#mac access-list mylist
(config-mac-acl)#permit any any
(config-mac-acl)#exit
 
(config)#hardware-profile filter ingress-l2-ext enable
 
(config)#interface xe3
(config-if)#mac access-group mylist in
(config-if)#exit
 
(config)#interface xe3
(config-if)#mac access-group mylist in time-range TIMER1
(config-if)#exit
 
(config)#interface xe3
(config-if)#no mac access-group mylist in time-range TIMER1
(config-if)#exit
 
(config)#interface xe3
(config-if)#no mac access-group mylist in
(config-if)#exit
mac access-list
Use this command to define a MAC access control list (ACL) that determines whether to accept or drop an incoming packet based on specifications configured under the ACL. An ACL is made up of one or more ACL specifications.
Each packet that arrives at the device is compared to each specification in each ACL in the order that they are defined. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently occurring specifications at the top of the list.
The device stops checking the specifications after a match occurs.
There is an implied deny specification for traffic that is not permitted. The implied specification can be changed to permit (see the mac access-list default command) when the use case is to deny only a specific set of traffic.
Use the no form of this command to remove an ACL.
Command Syntax
mac access-list NAME
no mac access-list NAME
Parameters
NAME
Access-list name.
Default
No default value is specified
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mac-acl-01
(config-mac-acl)#exit
mac access-list default
Use this command to change the action of the default rule of a MAC access-list. The default rule applies only when the access-list is attached to an interface. It has the lowest priority: only packets that match none of the user-defined rules match the default rule.
Command Syntax
default (deny-all|permit-all)
Parameters
deny-all
Drop all packets.
permit-all
Accept all packets.
Default
No default value is specified
Command Mode
MAC access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mac-acl-01
(config-mac-acl)#default permit-all
 
mac access-list filter
Use this command to define an access control entry (ACE) in a MAC access control list (ACL) that determines whether to permit or deny packets with the given source and destination MAC addresses, EtherType, CoS and VLAN values.
Use the no form of this command to remove an ACL specification. An ACL specification can also be removed by its sequence number alone.
Note: Configuring the same filter again with a different sequence number or action updates the sequence number or action of the existing entry.
Note: The EtherType option is not supported by the hardware in the egress direction.
Command Syntax
(<1-268435453>|)(deny|permit) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (aarp|appletalk|decnet-iv|diagnostic|etype-6000|etype-8042|ipv4|ipv6|mpls|lat|lavc-sca|mop-console|mop-dump|vines-echo|<0x600-0xFFF>|) (cos <0-7>|) (vlan <1-4094>|) (inner-vlan <1-4094>|<0x600-0xFFF>)
no (<1-268435453>|)(deny|permit) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (aarp|appletalk|decnet-iv|diagnostic|etype-6000|etype-8042|ipv4|ipv6|mpls|lat|lavc-sca|mop-console|mop-dump|vines-echo|<0x600-0xFFF>|) (cos <0-7>|) (vlan <1-4094>|) (inner-vlan <1-4094>|<0x600-0xFFF>)
no (<1-268435453>)
Parameters
 
Default
No default value is specified
Command Mode
MAC access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mac-acl-01
(config-mac-acl)#permit 0000.1234.1234 0000.0000.0000 any
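The evaluation rules described for mac access-list, its default rule and its filter entries (sequence order, first match wins, fall-through to the default action, the three accepted MAC address notations) can be checked against a small model. The following is an added example written for this page; it is not OcNOS code. It assumes that the second address of a MAC pair is a wildcard mask in which a 1 bit means "don't care" (mirroring the 30.0.0.1 0.0.0.255 convention of the chapter's IP examples), that an entry entered without a sequence number receives the next multiple of 10, and that the EtherType keyword table covers only a few of the keywords; none of these three points is stated on this page.

```python
"""Added example (not OcNOS code): a model of MAC access-list evaluation.
Entries are checked in sequence order, first match wins, and a packet matching
no entry falls through to the default rule (deny-all unless set to permit-all).
Assumptions not stated on this page: the second address of a MAC pair is a
wildcard mask (1 bit = "don't care"), mirroring the chapter's "30.0.0.1
0.0.0.255" IP examples; an entry without a sequence number gets the next
multiple of 10; ETHERTYPES covers only a few keywords.
"""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_ONES = (1 << 48) - 1
_MAC = re.compile(r"^(?:[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
                  r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")
ETHERTYPES = {"ipv4": 0x0800, "ipv6": 0x86DD, "mpls": 0x8847, "aarp": 0x80F3}
Frame = namedtuple("Frame", "src dst ethertype cos vlan", defaults=(0, None))

def parse_mac(text: str) -> int:
    """Accept XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX or XXXX.XXXX.XXXX; return a 48-bit int."""
    t = text.strip().lower()
    if not _MAC.match(t):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(re.sub(r"[-:.]", "", t), 16)

@dataclass(frozen=True)
class MacMatch:
    value: int
    wildcard: int  # 1 bits are ignored when comparing (assumed semantics)

    def matches(self, mac: int) -> bool:
        care = ~self.wildcard & ALL_ONES
        return (mac & care) == (self.value & care)

@dataclass
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: MacMatch
    dst: MacMatch
    ethertype: Optional[int] = None
    cos: Optional[int] = None
    vlan: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        return (self.src.matches(f.src) and self.dst.matches(f.dst)
                and self.ethertype in (None, f.ethertype)
                and self.cos in (None, f.cos) and self.vlan in (None, f.vlan))

def _addr(tokens) -> MacMatch:  # consume one spec: any | host MAC | MAC WILDCARD
    tok = tokens.pop(0)
    if tok == "any":
        return MacMatch(0, ALL_ONES)
    if tok == "host":
        return MacMatch(parse_mac(tokens.pop(0)), 0)
    return MacMatch(parse_mac(tok), parse_mac(tokens.pop(0)))

def parse_ace(line: str, auto_seq: int) -> Ace:
    """Parse '[SEQ] (permit|deny) SRC DST [ETHERTYPE] [cos N] [vlan N]'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else auto_seq
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    ace = Ace(seq, action, _addr(tokens), _addr(tokens))
    while tokens:
        tok = tokens.pop(0)
        if tok == "cos":
            ace.cos = int(tokens.pop(0))
        elif tok == "vlan":
            ace.vlan = int(tokens.pop(0))
        elif tok in ETHERTYPES or tok.lower().startswith("0x"):
            ace.ethertype = ETHERTYPES.get(tok) or int(tok, 16)
        else:
            raise ValueError(f"unknown option {tok!r}")
    return ace

class MacAcl:
    def __init__(self, name: str, default: str = "deny-all"):
        self.name, self.default, self.aces = name, default, []

    def add(self, line: str) -> Ace:
        auto = (max((a.seq for a in self.aces), default=0) // 10 + 1) * 10
        ace = parse_ace(line, auto)
        # Reusing a sequence number replaces that entry rather than duplicating it.
        self.aces = sorted([a for a in self.aces if a.seq != ace.seq] + [ace],
                           key=lambda a: a.seq)
        return ace

    def evaluate(self, f: Frame) -> Tuple[str, object]:
        for ace in self.aces:  # ascending sequence order; first match wins
            if ace.matches(f):
                return ace.action, ace.seq
        return ("permit" if self.default == "permit-all" else "deny"), "default"

def demo() -> MacAcl:
    acl = MacAcl("mac-acl-01")  # entries taken from this chapter's examples
    acl.add("permit 0000.1234.1234 0000.0000.0000 any")
    acl.add("20 permit host 0000.1111.AAAA any ipv4 cos 3 vlan 3")
    acl.add("40 permit 0000.3333.3333 0000.0000.FFFF 4444.4444.4444 0000.0000.FFFF")
    return acl
```

Calling demo().evaluate(Frame(src=parse_mac("00:00:12:34:12:34"), dst=ALL_ONES, ethertype=0x0806)) returns ("permit", 10), while a frame from any other source that matches no entry returns ("deny", "default"), which is the implied deny the text describes. Because evaluation stops at the first match, a broad permit placed at a low sequence number shadows every narrower deny after it, which is why the ordering advice above matters.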
mac access-list remark
Use this command to add a description to a MAC access control list (ACL).
Use the no form of this command to remove an ACL description.
Command Syntax
remark LINE
no remark
Parameters
LINE
ACL description up to 100 characters.
Default
No default value is specified
Command Mode
MAC access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mylist
(config-mac-acl)#remark Permit the inside admin address
mac access-list resequence
Use this command to modify the sequence numbers of MAC access-list specifications.
Note: Use a non-overlapping sequence space for new sequence number sets to avoid possible unexpected rule matches during the transition.
Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated with it.
Command Syntax
resequence <1-268435453> INCREMENT
Parameters
<1-268435453>
Starting sequence number.
INCREMENT
Sequence number increment steps.
Default
No default value is specified
Command Mode
MAC access-list mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#mac access-list mylist
(config-mac-acl)#resequence 15 15
show access-lists
Use this command to display the configured access lists.
Command Syntax
show access-lists (NAME|) (expanded|summary|)
Parameters
NAME
Access-list name.
expanded
Expanded access-list.
summary
Summary of access-list.
Default
None
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show access-lists expanded
IP access list Iprule1
11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255
default deny-all
MAC access list Macrule1
10 permit host 0000.1234.1234 any
default deny-all
IPv6 access list ipv6-acl-01
10 deny ahp 3ffe::/64 4ffe::/64
default deny-all
 
#show access-lists summary
IPV4 ACL Iprule1
statistics enabled
Total ACEs Configured: 1
Configured on interfaces:
xe3/1 - egress (Router ACL)
Active on interfaces:
xe1/3 - ingress (Router ACL)
MAC ACL Macrule1
statistics enabled
Total ACEs Configured: 0
Configured on interfaces:
Active on interfaces:
IPV6 ACL ipv6-acl-01
statistics enabled
Total ACEs Configured: 2
Configured on interfaces:
xe7/1 - ingress (Router ACL)
Active on interfaces:
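The summary output above separates the interfaces an ACL is configured on from the interfaces it is actually active on, and in the sample the two do not agree for Iprule1 and ipv6-acl-01. An attachment that is configured but not active is an ACL that is enforcing nothing on that interface, which is worth catching in a configuration audit. The following parser and audit function are an added example written for this page, not OcNOS code; the sample input is this chapter's own example output embedded as constructed test data, and the exact wording of a "statistics disabled" line is an assumption.

```python
"""Added example (not OcNOS code): parse 'show access-lists summary' output and
report attachments that are configured but not active, or active but not
configured. The sample is this chapter's own example output, embedded here as
constructed test data; a "statistics disabled" line is assumed to exist.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_SUMMARY = """\
IPV4 ACL Iprule1
statistics enabled
Total ACEs Configured: 1
Configured on interfaces:
xe3/1 - egress (Router ACL)
Active on interfaces:
xe1/3 - ingress (Router ACL)
MAC ACL Macrule1
statistics enabled
Total ACEs Configured: 0
Configured on interfaces:
Active on interfaces:
IPV6 ACL ipv6-acl-01
statistics enabled
Total ACEs Configured: 2
Configured on interfaces:
xe7/1 - ingress (Router ACL)
Active on interfaces:
"""

Attachment = Tuple[str, str, str]  # (interface, direction, ACL type)

_HEADER = re.compile(r"^(IPV4|IPV6|MAC|ARP) ACL (\S+)$")
_ACES = re.compile(r"^Total ACEs Configured: (\d+)$")
_ATTACH = re.compile(r"^(\S+) - (ingress|egress) \((.+)\)$")


@dataclass
class AclSummary:
    kind: str
    name: str
    statistics: bool = False
    ace_count: int = 0
    configured: Set[Attachment] = field(default_factory=set)
    active: Set[Attachment] = field(default_factory=set)


def parse_summary(text: str) -> Dict[str, AclSummary]:
    """Build one AclSummary per 'TYPE ACL NAME' block, keyed by ACL name."""
    acls: Dict[str, AclSummary] = {}
    current: Optional[AclSummary] = None
    section: Optional[str] = None  # "configured" or "active"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _HEADER.match(line)
        if header:
            current = AclSummary(kind=header.group(1), name=header.group(2))
            acls[current.name] = current
            section = None
            continue
        if current is None:
            raise ValueError(f"line before any ACL header: {raw!r}")
        aces = _ACES.match(line)
        attach = _ATTACH.match(line)
        if line.startswith("statistics "):
            current.statistics = line.split()[1] == "enabled"
        elif aces:
            current.ace_count = int(aces.group(1))
        elif line == "Configured on interfaces:":
            section = "configured"
        elif line == "Active on interfaces:":
            section = "active"
        elif attach and section:
            # Attachment lines belong to whichever list header came last.
            getattr(current, section).add((attach.group(1), attach.group(2), attach.group(3)))
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return acls


def audit(acls: Dict[str, AclSummary]) -> List[Tuple[str, str, Attachment]]:
    """Return (finding, ACL name, attachment) for each configured/active mismatch."""
    findings: List[Tuple[str, str, Attachment]] = []
    for acl in acls.values():
        for att in sorted(acl.configured - acl.active):
            findings.append(("configured-but-not-active", acl.name, att))
        for att in sorted(acl.active - acl.configured):
            findings.append(("active-but-not-configured", acl.name, att))
    return findings
```

Running audit(parse_summary(SAMPLE_SUMMARY)) on the sample yields three findings: Iprule1 is configured on xe3/1 egress but not active there, Iprule1 is active on xe1/3 ingress without a configured attachment, and ipv6-acl-01 is configured on xe7/1 ingress but not active anywhere. The same parser works on the per-family summary outputs shown later in this chapter, since they use the same block layout.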
show arp access-lists
Use this command to display ARP access lists.
Note: Broadcast ARP request packets are counted twice.
Command Syntax
show arp access-lists (NAME|) (expanded|summary|)
Parameters
NAME
ARP access-list name.
expanded
Expanded access-list.
summary
Access-list summary.
Command Mode
Privileged Exec mode and Exec mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#show arp access-lists
ARP access list arp1
10 permit ip 1.1.1.0/24 mac 0000.0000.0001 FFFF.FFFF.FFF0
20 deny ip 2.2.2.0/24 mac any
default deny-all
 
#show arp access-lists summary
ARP ACL arp1
statistics enabled
Total ACEs Configured: 2
Configured on interfaces:
xe1 - ingress (Port ACL)
Active on interfaces:
xe1 - ingress (Port ACL)
 
show ip access-lists
Use this command to display IP access lists.
Note: On Qumran devices, when both an ip access-list and a mac access-list are configured on the same interface and rules from both access-lists match a packet, the matched-packet statistics are incremented only for the access-list whose hardware-profile filter was configured last. Also, when QoS is configured on the same interface, the ingress-qos statistics profile must be enabled along with the ingress-acl statistics profile in order to get statistics for both QoS entries and ACL entries.
Command Syntax
show ip access-lists (NAME|) (expanded|summary|)
Parameters
NAME
Access-list name.
expanded
Expanded access-list.
summary
Access-list summary.
Default
None
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show ip access-lists
IP access list Iprule2
11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255
12 deny ip 30.0.0.2 0.0.0.255 182.124.0.3/24
default deny-all
 
#show ip access-lists summary
IPV4 ACL Iprule3
statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
sa1 - ingress (Port ACL)
sa3 - ingress (Router ACL)
sa8 - ingress (Port ACL)
vlan1.3 - ingress (Router ACL)
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
xe3/1 - egress (Router ACL)
Active on interfaces:
sa1 - ingress (Port ACL)
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
show ipv6 access-lists
Use this command to display IPv6 access lists.
Command Syntax
show ipv6 access-lists (NAME|) (expanded|summary|)
Parameters
NAME
Access-list name.
expanded
Expanded access-list.
summary
Summary of access-list.
Default
None
Command Mode
Privileged Exec mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show ipv6 access-lists
IPv6 access list ipv6-acl-01
10 deny ahp 3ffe::/64 4ffe::/64
20 permit ahp 78fe::1/48 68fe::1/48
30 permit ahp 3333::1/64 4444::1/48 fragments
40 permit ahp 5555::1/64 4444::1/48 dscp af23
default deny-all
 
#show ipv6 access-lists summary
IPV6 ACL ipv6-acl-01
statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
sa3 - ingress (Router ACL)
vlan1.3 - ingress (Router ACL)
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
Active on interfaces:
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
show mac access-lists
Use this command to display MAC access lists.
Note: On Qumran devices, when both an ip access-list and a mac access-list are configured on the same interface and rules from both access-lists match a packet, the matched-packet statistics are incremented only for the access-list whose hardware-profile filter was configured last. Also, when QoS is configured on the same interface, the ingress-qos statistics profile must be enabled along with the ingress-acl statistics profile in order to get statistics for both QoS entries and ACL entries.
Command Syntax
show mac access-lists (NAME|) (expanded|summary|)
Parameters
NAME
Access-list name.
expanded
Expanded access-list.
summary
Summary of access-list.
Default
None
Command Mode
Privileged Exec mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show mac access-lists
MAC access list Macrule2
default deny-all
MAC access list Macrule3
10 permit host 0000.1234.1234 any
20 deny host 1111.1111.AAAA any 65535
30 permit host 2222.2222.AAAA any 65535
40 permit 0000.3333.3333 0000.0000.FFFF 4444.4444.4444 0000.0000.FFFF
default deny-all [match=1126931077]
 
#show mac access-lists summary
MAC ACL Macrule3
statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
sa3 - ingress (Router ACL)
sa8 - ingress (Port ACL)
vlan1.3 - ingress (Router ACL)
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
Active on interfaces:
xe1/1 - ingress (Port ACL)
xe1/2 - ingress (Router ACL)
xe1/3 - ingress (Router ACL)
show running-config access-list
Use this command to show the running system status and configuration details for MAC and IP access lists.
Command Syntax
show running-config access-list
Parameters
None
Default
None
Command Mode
Privileged Exec mode, configure mode, and route-map mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show running-config access-list
ip access-list abd
10 deny any any any
!
mac access-list abc
remark test
10 deny any any
!
show running-config aclmgr
Use this command to display the entire access-list configuration together with the interfaces each access list is attached to.
Command Syntax
show running-config aclmgr (all|)
Parameters
all
Show the running configuration including default values.
Default
None
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
>enable
#show running-config aclmgr
ip access-list ip-acl-01
11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255
12 deny ip 30.0.0.2 0.0.0.255 182.124.0.3/24
mac access-list mac-acl-01
10 permit host 0000.1234.1234 any
20 permit host 0000.1111.AAAA any ipv4 cos 3 vlan 3
!
ipv6 access-list ipv6-acl-01
10 deny ipv6 3ffe::/64 4ffe::/64 dscp af43
20 permit ipv6 78fe::/64 68fe::/64 dscp cs3
!
interface xe1/1
ip access-group ip-acl-01 in
!
show running-config ipv6 access-list
Use this command to show the running system status and configuration details for IPv6 access lists.
Command Syntax
show running-config ipv6 access-list
Parameters
None
Default
None
Command Mode
Privileged Exec mode, configure mode, and route-map mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show running-config ipv6 access-list
ipv6 access-list test
10 permit any any any