Access Control List Commands

When you attach an ARP access list to a LAG interface as well as to a physical interface that is a member of that LAG interface, the priority order is:

1. LAG interface

2. Physical interface

Use the no form of this command to detach an ARP access group.

Note: An ARP access-list is supported only on switch ports.

Note: To attach an ARP access-group to an interface, the ingress-arp TCAM group should be enabled. See the hardware-profile filter for Qumran-1 command for details.

Command Syntax

arp access-group NAME in

no arp access-group NAME in

Parameters

NAME

ARP access list name

Command Mode

Interface mode

Applicability

This command was introduced in OcNOS version 3.0.

Example

#configure terminal

(config)#arp access-list arp1

(config-arp-acl)#permit ip any mac any

(config-arp-acl)#exit

(config)#interface xe1

(config-if)#arp access-group arp1 in

(config-if)#exit

(config)#interface xe1

(config-if)#no arp access-group arp1 in

(config-if)#exit

arp access-list

Use this command to define a named access control list (ACL) that determines whether to accept or drop the ARP packets, based on the ARP request or response option configured.

An ACL is made up of one or more ACL specifications. You can repeat this command and add multiple specifications. Each time you give this command, the specification is added to the end of the list.

Each packet that arrives at the device is compared to each specification in each ACL in the order that they are defined. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied. For this reason, place the most frequently occurring specifications at the top of the list.

The device stops checking the specifications after a match occurs.

There is an implied deny specification for traffic that is not permitted. A single-entry ACL with only one deny specification is the same as denying all traffic. You must have at least one permit specification in an ACL or all traffic is blocked.

Use the no form of this command to remove an ACL specification.

Note: An ARP access list is supported only on switch ports.

Command Syntax

arp access-list NAME

no arp access-list NAME

Parameters

NAME

ARP access list name

Command Mode

Configure mode

Applicability

This command was introduced in OcNOS version 3.0.

Example

#configure terminal

(config)#arp access-list arp1

arp access-list default

Use this command to modify the default rule action of an access list.

The default rule is applicable only when an access list is attached to an interface. The default rule will have the lowest priority and only ARP packets not matching any of the user defined rules match the default rule.

Command Syntax

default (deny-all|permit-all)

Parameters

deny-all

Drop all packets.

permit-all

Accept all packets.

Default

The default rule is deny-all when an access list is attached to an interface.

Command Mode

ARP access-list mode

Applicability

This command was introduced in OcNOS version 3.0.

Examples

#configure terminal

(config)#arp access-list arp1

(config-arp-acl)#default permit-all

arp access-list remark

Use this command to add a description to a named ARP access control list (ACL).

Use the no form of this command to remove an ACL description.

Command Syntax

remark LINE

no remark

Parameters

LINE

ACL description up to 100 characters.

Command Mode

ARP access-list mode

Applicability

This command was introduced in OcNOS version 3.0.

Example

#configure terminal

(config)#arp access-list arp1

(config-arp-acl)# remark Permit arp request packets

arp access-list request

Use this command to configure ARP access control entry in an ARP access control list (ACL).

This command determines whether to accept or drop a packet based on the configured match criteria.

Use the no form of this command to remove an ACL specification.

Note: Configuring the same filter again with a change of sequence number or change of action will result in updating the sequence number or filter action.

Command Syntax

Parameters

<1-268435453>

ARP ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

request

ARP request.

Internet Protocol (IP).

A.B.C.D/M

Source IP prefix and length.

A.B.C.D A.B.C.D

Source IP address and mask.

host A.B.C.D

A single source host IP address.

any

Match any source IP address.

mac

MAC address configuration.

any

Match any source mac address.

XX-XX-XX-XX-XX-XX

Source MAC address (Option 1).

XX:XX:XX:XX:XX:XX

Source MAC address (Option 2).

XXXX.XXXX.XXXX

Source MAC address (Option 3).

XX-XX-XX-XX-XX-XX

Source wildcard (Option 1).

XX:XX:XX:XX:XX:XX

Source wildcard (Option 2).

XXXX.XXXX.XXXX

Source wildcard (Option 3).

host (XX-XX-XX-XX-XX-XX)

A single source host MAC address.

vlan <1-4094>

VLAN identifier.

inner-vlan <1-4094>

Inner VLAN identifier.

Command Mode

ARP access-list mode

Applicability

This command was introduced in OcNOS version 3.0.

Examples

#configure terminal

(config)#arp access-list arp1

(config-arp-acl)#10 permit request ip 1.1.1.0/24 mac 0000.0000.0001 FFFF.FFFF.FFF0

(config-arp-acl)#no 10

arp access-list resequence

Use this command to modify the sequence numbers of an ARP access list.

Note: IP Infusion Inc. recommends to use a non-overlapping sequence space for a new sequence number set to avoid unexpected rule matches during transition.

Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.

Command Syntax

resequence <1-268435453> INCREMENT

Parameters

<1-268435453>

Starting sequence number.

INCREMENT

Sequence number increment steps.

Command Mode

ARP access-list mode

Applicability

This command was introduced in OcNOS version 3.0.

Example

#configure terminal

(config)#arp access-list arp1

(config-arp-acl)#resequence 15 15

arp access-list response

Use this command to configure an ARP access control entry in an ARP access control list (ACL).

This command determines whether to accept or drop an ARP response packet based on the configured match criteria.

Use the no form of this command to remove an ACL specification.

Note: Configuring the same filter again with a change of sequence number or change of action will result in updating the sequence number or filter action.

Command Syntax

Parameters

<1-268435453>

ARP ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

response

ARP response

A.B.C.D/M

Source/destination IP prefix and length.

A.B.C.D A.B.C.D

Source/destination IP address and mask.

host A.B.C.D

A single source/destination host IP address.

any

Match any source/destination IP address.

mac

MAC address configuration.

any

Match any source/destination MAC address.

XX-XX-XX-XX-XX-XX

Source/destination MAC address (Option 1).

XX:XX:XX:XX:XX:XX

Source/destination MAC address (Option 2).

XXXX.XXXX.XXXX

Source/destination MAC address (Option 3).

XX-XX-XX-XX-XX-XX

Source/destination wildcard (Option 1).

XX:XX:XX:XX:XX:XX

Source/destination wildcard (Option 2).

XXXX.XXXX.XXXX

Source/destination wildcard (Option 3).

vlan <1-4094>

VLAN identifier.

inner-vlan <1-4094>

Inner VLAN identifier.

Command Mode

ARP access-list mode

Applicability

This command was introduced in OcNOS version 3.0.

Example

#configure terminal

(config)#arp access-list arp1

(config-arp-acl)#10 permit response ip 1.1.1.0/24 mac 0000.0000.0001 FFFF.FFFF.FFF0

(config-arp-acl)#no 10

clear access-list

Use this command to clear the access-list counters.

Command Syntax

clear access-list (NAME|) counters

Parameters

NAME

Access-list name.

Command Mode

Exec mode and Privilege exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#clear access-list counters

clear arp access-list

Use this command to clear the ARP access-list counters.

Command Syntax

clear arp access-list (NAME|) counters

Parameters

NAME

ARP access list name

Command Mode

Exec mode and privileged exec mode

Applicability

This command was introduced in OcNOS version 3.0.

Example

#clear arp access-list counters

clear ip access-list

Use this command to clear the IP access-list counters.

Command Syntax

clear ip access-list (NAME|) counters

Parameters

NAME

Access-list name.

Command Mode

Exec mode and Privilege exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#clear ip access-list counters

clear ipv6 access-list

Use this command to clear the IPv6 access-list counters.

Command Syntax

clear ipv6 access-list (NAME|) counters

Parameters

NAME

Access-list name.

Command Mode

Exec mode Privilege exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#clear ipv6 access-list counters

clear mac access-list

Use this command to clear the MAC access-list counters.

Command Syntax

clear mac access-list (NAME|) counters

Parameters

NAME

Access-list name.

Command Mode

Exec mode Privilege exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#clear mac access-list counters

ip access-group

Use this command to attach an IP access list to an interface or terminal line to filter incoming or outgoing IP packets.

The time-range parameter is optional. If used, the access-group is tied to the timer specified.

After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.

To delete the access-group, use the no form of this command without a time-range.

Note: An egress IP ACL is supported on physical and lag interfaces only. An egress IP ACL will match only routed traffic and not switched traffic. VLAN and inner-VLAN options in ACL rules will match incoming packet VLANs even when ACL attached at egress.

Command Syntax

ip access-group NAME (in|out) (time-range TR_NAME|)

no ip access-group NAME (in|out) (time-range TR_NAME|)

Parameters

NAME

Access list name.

Filter incoming packets

out

Filter outgoing packets.

TR_NAME

Time range name set with the time-range command.

Command Mode

Line mode

Interface mode

Applicability

This command was introduced before OcNOS version 3.0. The time-range parameter was added in OcNOS version 5.0.

Examples

#configure terminal

(config)#ip access-list mylist

(config-ip-acl)#permit ip any any

(config-ip-acl)#exit

(config)#hardware-profile filter ingress-ipv4-ext enable

(config)#interface xe3

(config-if)#ip access-group mylist in

(config-if)#exit

(config)#interface xe3

(config-if)#no ip access-group mylist in time-range TIMER1

(config-if)#exit

(config)#line vty

(config-all-line)#no ip access-group mylist in

Usage: VLANs and LAGs

When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:

1. VLAN interface

2. LAG interface

3. Physical interface

For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.

Usage: TCAM Groups

An access-group in the egress direction uses the TCAM group used by the QoS output service policy. Therefore, actions are unpredictable when conflicting matches are configured on same interface. IP Infusion Inc. recommends to avoid such a configuration. Otherwise, you need to configure the priority (in QoS) or the sequence number (in ACL) carefully to handle such cases.

To attach an IP ACL in the ingress direction the ingress-ipv4 or ingress-ipv4-ext TCAM group needs to be enabled and to attach an IP ACL in the egress direction the egress-ipv4 TCAM group needs to be enabled. See the hardware-profile filter for Qumran-1 commands for details.

Usage: VTY Interfaces

You can create ACLs for VTY interfaces to filter packets from management applications such as SSH, Telnet, NTP, SNMP, and SNMP traps. TCP, UDP, and ICMP are supported.

For an ACL for VTY, you create the ACL, configure it with rules, and associate the ACL to the terminal line in line mode.

VTY ACLs do not support the following:

• The default rule deny all. You must explicitly set up a deny all rule based on your requirements.

• VLAN-specific rules.

• Rules with TCP flags.

• Rules with dscp, fragments, log, precedence, and sample parameters.

• Rules with ICMP code and message types.

Usage: Timed ACL on interfaces

You create a timer range that is identified by a name and configured with a start time, end time, and frequency. Once you create the time range, you can tie the ACL configuration to the time-range object. This allows you to create an access group that is enabled when the timer has started and disabled when the timer ends. You can also disassociate an access group from the timer if needed.

ip access-list

Use this command to define a named access control list (ACL) that determines whether to accept or drop an incoming IP packet based on specifications configured under the ACL. An ACL is made up of one or more ACL specifications.

Each packet that arrives at the device is compared to each specification in each ACL in the order that they are defined. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently occurring specifications at the top of the list.

The device stops checking the specifications after a match occurs.

There is an implied deny specification for traffic that is not permitted. Implied specification can be updated to permit if the use-case is to deny a certain set of traffic.

Use the no form of this command to remove an ACL.

Command Syntax

ip access-list NAME

no ip access-list NAME

Parameters

NAME

Access-list name.

Default

No default value is specified

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ip access-list ip-acl-01

ip access-list default

Use this command to modify the default rule action of access-list. Default rule is applicable only when access-list is attached to interface. Default rule will have the lowest priority and only the IP packets not matching any of the user defined rules match default rule.

Command Syntax

default (deny-all|permit-all)

Parameters

deny-all

Drop all packets.

permit-all

Accept all packets.

Default

No default value is specified

Command Mode

IP access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ip access-list ip-acl-01

(config-ip-acl)#default permit-all

ip access-list filter

Use this command to configure access control entry in an access control list (ACL).

This determines whether to accept or drop an IP packet based on the configured match criteria.

Use the no form of this command to remove an ACL specification. ACL specification can be removed using the sequence number as well.

Note: Configuring the same filter again with change of sequence number or change of action results in update of sequence number or filter action.

Command Syntax

(<1-268435453>|) (deny|permit) (<0-255>|ahp|any|eigrp|esp|gre|ipip|ipcomp|ipv6ip |ospf|pim|rsvp|vrrp) (A.B.C.D/ M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (dscp (<0-63>|af11| af12| af13| af21| af22| af23| af31|af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5|cs6| cs7| default| ef )|) (precedence (<0-7>| critical| flash | flashoverride| immediate| internet| network| priority| routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)

no (<1-268435453>|)(deny|permit)(<0-255> |ahp | any | eigrp | esp | gre | ipip | ipcomp | ipv6ip | ospf | pim | rsvp| vrrp) (A.B.C.D/ M|A.B.C.D A.B.C.D | host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (dscp (<0-63> |af11| af12| af13| af21| af22| af23| af31|af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5|cs6| cs7| default| ef )|) (precedence (<0-7>| critical| flash | flashoverride| immediate| internet| network| priority| routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)

no (<1-268435453>)

Parameters

<1-268435453>

IPv4 ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

<0-255>

IANA assigned protocol number.

any

Any protocol packet.

ahp

Authentication Header packet.

eigrp

Enhanced Interior Gateway Routing Protocol packet.

esp

Encapsulating Security Payload packet.

gre

Generic Routing Encapsulation packet.

ipip

IPv4 over IPv4 encapsulation packet.

ipcomp

IP Payload Compression Protocol packet.

ipv6ip

IPv6 over IPv4 encapsulation packet.

ospf

Open Shortest Path First packet.

pim

Protocol Independent Multicast packet

rsvp

Resource Reservation Protocol packet.

vrrp

Virtual Router Redundancy Protocol packet.

A.B.C.D/M

Source IP prefix and length.

A.B.C.D A.B.C.D

Source IP address and mask.

host A.B.C.D

A single source host IP address.

any

Match any source IP address.

A.B.C.D/M

Destination IP prefix and length.

A.B.C.D A.B.C.D

Destination IP address and mask.

host A.B.C.D

A single destination host IP address.

any

Match any destination IP address.

dscp

Match packets with given DSCP value.

<0-63>

Enter DSCP value between 0-63.

af11

AF11 DSCP (001010) decimal value 10.

af12

AF12 DSCP (001100) decimal value 12.

af13

AF13 DSCP (001110) decimal value 14.

af21

AF21 DSCP (010010) decimal value 18.

af22

AF22 DSCP (010100) decimal value 20.

af23

AF23 DSCP (010110) decimal value 22.

af31

AF31 DSCP (011010) decimal value 26.

af32

AF32 DSCP (011100) decimal value 28.

af33

AF33 DSCP (011110) decimal value 30.

af41

AF41 DSCP (100010) decimal value 34

af42

AF42 DSCP (100100) decimal value 36.

af43

AF43 DSCP (100110) decimal value 38.

cs1

CS1 (precedence 1) DSCP (001000) decimal value 8.

cs2

CS2 (precedence 2) DSCP (010000) decimal value 16.

cs3

CS3 (precedence 3) DSCP (011000) decimal value 24.

cs4

CS4 (precedence 4) DSCP (100000) decimal value 32.

cs5

CS5 (precedence 5) DSCP (101000) decimal value 40.

cs6

CS6 (precedence 6) DSCP (110000) decimal value 48.

cs7

CS7 (precedence 7) DSCP (111000) decimal value 56.

default

Default DSCP (000000) decimal value 0.

EF DSCP (101110) decimal value 46.

precedence

Match packets with given precedence value.

<0-7>

Enter precedence value 0-7.

critical

Match packets with critical precedence (5).

flash

Match packets with flash precedence (3).

flashoverride

Match packets with flash override precedence (4).

immediate

Match packets with immediate precedence (2).

internet

Match packets with internetwork control precedence (6).

network

Match packets with network control precedence (7).

priority

Match packets with priority precedence (1).

routine

Match packets with routine precedence (0).

vlan

Match packets with given vlan value.

<1 - 4094>

VLAN identifier.

inner-vlan

Match packets with given inner vlan value.

<1 - 4094>

VLAN identifier.

Default

No default value is specified

Command Mode

IP access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ip access-list ip-acl-01

(config-ip-acl)#11 permit any 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255

(config-ip-acl)#no 11

ip access-list icmp

Use this command to permit or deny ICMP packets based on the given source and destination IP address. Even DSCP, precedence, vlan ID and inner vlan ID can be configured to permit or deny with the given values.

Use the no form of this command to remove an ACL specification.

Note: Configuring same filter again with change of sequence number or change of action will result in update of sequence number or filter action.

Command Syntax

(<1-268435453>|)(deny|permit) (icmp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((dscp (<0-63>|af11| af12| af13| af21| af22| af23| af31|af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5|cs6| cs7| default| ef ))| (precedence (<0-7>| critical| flash | flashoverride|immediate| internet| network| priority| routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)

no (<1-268435453>|)(deny|permit) (icmp) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) (dscp (<0-63>|af11| af12| af13| af21| af22| af23| af31|af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5|cs6| cs7| default| ef ))| (precedence (<0-7>| critical| flash | flashoverride|immediate| internet| network| priority| routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)

Parameters

<1-268435453>

IPv4 ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

icmp

Internet Control Message Protocol packet.

A.B.C.D/M

Source IP prefix and length.

A.B.C.D A.B.C.D

Source IP address and mask.

host A.B.C.D

A single source host IP address.

any

Match any source IP address.

A.B.C.D/M

Destination IP prefix and length.

A.B.C.D A.B.C.D

Destination IP address and mask.

host A.B.C.D

A single destination host IP address.

any

Match any destination IP address.

dscp

Match packets with given DSCP value.

<0-63>

Enter DSCP value between 0-63.

af11

AF11 DSCP (001010) decimal value 10.

af12

AF12 DSCP (001100) decimal value 12.

af13

AF13 DSCP (001110) decimal value 14.

af21

AF21 DSCP (010010) decimal value 18.

af22

AF22 DSCP (010100) decimal value 20.

af23

AF23 DSCP (010110) decimal value 22.

af31

AF31 DSCP (011010) decimal value 26.

af32

AF32 DSCP (011100) decimal value 28.

af33

AF33 DSCP (011110) decimal value 30.

af41

AF41 DSCP (100010) decimal value 34

af42

AF42 DSCP (100100) decimal value 36.

af43

AF43 DSCP (100110) decimal value 38.

cs1

CS1 (precedence 1) DSCP (001000) decimal value 8.

cs2

CS2 (precedence 2) DSCP (010000) decimal value 16.

cs3

CS3 (precedence 3) DSCP (011000) decimal value 24.

cs4

CS4 (precedence 4) DSCP (100000) decimal value 32.

cs5

CS5 (precedence 5) DSCP (101000) decimal value 40.

cs6

CS6 (precedence 6) DSCP (110000) decimal value 48.

cs7

CS7 (precedence 7) DSCP (111000) decimal value 56.

default

Default DSCP (000000) decimal value 0.

EF DSCP (101110) decimal value 46.

precedence

Match packets with given precedence value.

<0-7>

Enter precedence value 0-7.

critical

Match packets with critical precedence (5).

flash

Match packets with flash precedence (3).

flashoverride

Match packets with flash override precedence (4).

immediate

Match packets with immediate precedence (2).

internet

Match packets with internetwork control precedence (6).

network

Match packets with network control precedence (7).

priority

Match packets with priority precedence (1).

routine

Match packets with routine precedence (0).

vlan

Match packets with given vlan value.

<1-4094>

VLAN identifier.

inner-vlan

Match packets with given inner-vlan value.

<1-4094>

VLAN identifier.

Default

No default value is specified

Command Mode

IP access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ip access-list ip-icmp

(config-ip-acl)#200 permit icmp any any

ip access-list remark

Use this command to add a description to a named IPv4 access control list (ACL).

Use the no form of this command to remove an ACL description.

Command Syntax

remark LINE

no remark

Parameters

LINE

ACL description up to 100 characters.

Default

No default value is specified

Command Mode

IP access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ip access-list mylist

(config-ip-acl)#remark permit the inside admin address

(config-ip-acl)#exit

(config)#ip access-list mylist

(config-ip-acl)#no remark

(config-ip-acl)#exit

ip access-list resequence

Use this command to modify sequence numbers of the IP access list specifications.

Note: Use a non-overlapping sequence space for new sequence number sets to avoid possible unexpected rule matches during transition.

Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.

Command Syntax

resequence <1-268435453> INCREMENT

Parameters

<1-268435453>

Starting sequence number.

INCREMENT

Sequence number increment steps.

Default

None

Command Mode

IP access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ip access-list mylist

(config-ip-acl)#resequence 5 5

(config-ip-acl)#end

ip access-list tcp|udp

Use this command to define a named access control list (ACL) that determines whether to accept or drop an incoming TCP or UDP IP packet based on the specified match criteria. This form of command filters packets based on source and destination IP address along with protocol (TCP or UDP) and port.

Use the no form of this command to remove an ACL specification.

Note: Configuring same filter again with change of sequence number or change of action will result in update of sequence number or filter action.

Note: TCP flags options and range options like neq, gt, lt and range are not supported by hardware in egress direction.

Note: Both Ack and established flag in tcp have same functionality in hardware.

Command Syntax

(<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo |exec|finger|ftp |ftp-data|gopher|hostname|ident|irc|klogin|kshell|login |lpd|nntp|pim-auto- rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time| uucp|whois|www)| range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain| drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login |lpd|nntp|pim-auto- rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet |time|uucp|whois|www|netconf-ssh|netconf-tls) | range <0-65535> <0-65535>|) ((dscp (<0-63>| af11| af12| af13| af21| af22| af23| af31| af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5| cs6| cs7| default| ef)) |(precedence (<0-7>| critical| flash | flashoverride| immediate| internet| network| priority| routine)) |) ({ack|established|fin|psh|rst|syn|urg}|) vlan <1-4094>|)(inner-vlan <1-4094>|)

no (<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any)((eq|gt|lt|neq) (<0-65535>| bgp| chargen| cmd| daytime| discard| domain| drip| echo|exec|finger|ftp |ftp-data |gopher |hostname| ident| irc| klogin| kshell|login|lpd|nntp|pim-auto-rp |pop2 |pop3 |smtp| ssh| sunrpc| tacacs |talk|telnet|time|uucp|whois|www|netconf-ssh|netconf-tls) | range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any)((eq|gt|lt|neq) (<0-65535> |bgp |chargen |cmd |daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data| gopher| hostname| ident| irc| klogin| kshell| login| lpd| nntp| pim-auto-rp | pop2| pop3| smtp |ssh |sunrpc|tacacs|talk|telnet|time|uucp|whois|www) | range <0-65535> <0-65535>|) ((dscp (<0-63>| af11| af12| af13| af21| af22| af23| af31| af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5| cs6| cs7| default| ef)) | (precedence (<0-7>| critical| flash | flashoverride| immediate| internet| network| priority| routine)) |) ({ack|established|fin|psh|rst|syn|urg}|)(vlan <1-4094>|)(inner-vlan <1-4094>|)

Parameters

<1-268435453>

IPv4 ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

tcp

Transmission Control Protocol.

udp

User Datagram Protocol.

A.B.C.D/M

Source or destination IP prefix and length.

A.B.C.D A.B.C.D

Source or destination IP address and mask.

host A.B.C.D

Source or destination host IP address.

any

Any source or destination IP address.

Source or destination port equal to.

Source or destination port greater than.

Source or destination port less than.

neq

Source or destination port not equal to.

<0-65535>

Source or destination port number.

range

Range of source or destination port numbers:

<0-65535>

Lowest value in the range.

<0-65535>

Highest value in the range.

bgp

Border Gateway Protocol.

chargen

Character generator.

cmd

Remote commands.

daytime

Daytime.

discard

Discard.

domain

Domain Name Service.

drip

Dynamic Routing Information Protocol.

echo

Echo.

exec

EXEC.

finger

Finger.

ftp

File Transfer Protocol.

ftp-data

FTP data connections.

gopher

Gopher.

hostname

NIC hostname server.

ident

Ident Protocol.

irc

Internet Relay Chat.

klogin

Kerberos login.

kshell

Kerberos shell.

lpd

Printer service.

nntp

Network News Transport Protocol.

pim-auto-rp

PIM Auto-RP.

pop2

Post Office Protocol v2.

pop3

Post Office Protocol v3.

smtp

Simple Mail Transport Protocol.

ssh

Secure Shell.

sunrpc

Sun Remote Procedure Call.

tacacs

TAC Access Control System.

talk

Talk.

telnet

Telnet.

time

Time.

uucp

UNIX-to-UNIX Copy Program.

whois

WHOIS/NICNAME

www

World Wide Web.

netconf-ssh

Secure Shell Network Configuration

netconf-tls

Transport Layer Security Network Configuration

nntp

Range of source or destination port numbers:

dscp

Match packets with given DSCP value.

<0-63>

Enter DSCP value between 0-63.

af11

AF11 DSCP (001010) decimal value 10.

af12

AF12 DSCP (001100) decimal value 12.

af13

AF13 DSCP (001110) decimal value 14.

af21

AF21 DSCP (010010) decimal value 18.

af22

AF22 DSCP (010100) decimal value 20.

af23

AF23 DSCP (010110) decimal value 22.

af31

AF31 DSCP (011010) decimal value 26.

af32

AF32 DSCP (011100) decimal value 28.

af33

AF33 DSCP (011110) decimal value 30.

af41

AF41 DSCP (100010) decimal value 34.

af42

AF42 DSCP (100100) decimal value 36.

af43

AF43 DSCP (100110) decimal value 38.

cs1

CS1 (precedence 1) DSCP (001000) decimal value 8.

cs2

CS2 (precedence 2) DSCP (010000) decimal value 16.

cs3

CS3 (precedence 3) DSCP (011000) decimal value 24.

cs4

CS4 (precedence 4) DSCP (100000) decimal value 32.

cs5

CS5 (precedence 5) DSCP (101000) decimal value 40.

cs6

CS6 (precedence 6) DSCP (110000) decimal value 48.

cs7

CS7 (precedence 7) DSCP (111000) decimal value 56.

default

Default DSCP (000000) decimal value 0.

EF DSCP (101110) decimal value 46.

precedence

Match packets with given precedence value.

<0-7>

Precedence.

critical

Match packets with critical precedence (5).

flash

Match packets with flash precedence (3).

flashoverride

Match packets with flash override precedence (4).

immediate

Match packets with immediate precedence (2).

internet

Match packets with internetwork control precedence (6).

network

Match packets with network control precedence (7).

priority

Match packets with priority precedence (1).

routine

Match packets with routine precedence (0).

ack

Match on the Acknowledgment (ack) bit.

established

Matches only packets that belong to an established TCP connection.

fin

Match on the Finish (fin) bit.

psh

Match on the Push (psh) bit.

rst

Match on the Reset (rst) bit.

syn

Match on the Synchronize (syn) bit.

urg

Match on the Urgent (urg) bit.

biff

Biff.

bootpc

Bootstrap Protocol (BOOTP) client.

bootps

Bootstrap Protocol (BOOTP) server.

discard

Discard.

dnsix

DNSIX security protocol auditing.

domain

Domain Name Service.

echo

Echo.

isakmp

Internet Security Association and Key Management Protocol.

mobile-ip

Mobile IP registration.

nameserver

IEN116 name service.

netbios-dgm

Net BIOS datagram service.

netbios-ns

Net BIOS name service.

netbios-ss

Net BIOS session service.

non500-isakmp

Non500-Internet Security Association and Key Management Protocol.

ntp

Network Time Protocol.

pim-auto-rp

PIM Auto-RP.

rip

Routing Information Protocol.

snmp

Simple Network Management Protocol.

snmptrap

SNMP Traps.

sunrpc

Sun Remote Procedure Call.

syslogS

ystem Logger.

tacacs

TAC Access Control System.

talk

Talk.

tftp

Trivial File Transfer Protocol.

time

Time.

who

Who service.

xdmcp

X Display Manager Control Protocol.

vlan

Match packets with given vlan value.

<1-4094>

VLAN identifier.

inner-vlan

Match packets with given inner vlan value.

<1-4094>

VLAN identifier.

Default

No default value is specified

Command Mode

IP access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ip access-list ip-acl-02

(config-ip-acl)#deny udp any any eq tftp

(config-ip-acl)#deny tcp any any eq ssh

(config-ip-acl)#end

ipv6 access-group in

Use this command to attach an IPv6 access list to an interface to filter incoming IPv6 packets.

When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:

1. VLAN interface

2. LAG interface

3. Physical interface

The time-range parameter is optional. If used, the access-group is tied to the timer specified.

To delete the access-group, use the no form of this command without a time-range.

Note: To attach IPv6 ACL in the ingress direction ingress-ipv6 TCAM group needs to be enabled. See the hardware-profile filter for Qumran-1 command for details.

Command Syntax

ipv6 access-group NAME in (time-range TR_NAME|)

no ipv6 access-group NAME in (time-range TR_NAME|)

Parameters

NAME

Access list name.

TR_NAME

Time range name set with the time-range command.

Default

No default value is specified

Command Mode

Interface mode

Applicability

This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS version 5.0.

Examples

#configure terminal

(config)#ipv6 access-list mylist

(config-ipv6-acl)#permit ipv6 any any

(config-ipv6-acl)#exit

(config)#hardware-profile filter ingress-ipv6 enable

(config)#interface xe3

(config-if)#ipv6 access-group mylist in

(config)#interface xe3

(config-if)#no ipv6 access-group mylist in

(config)#interface xe3

(config-if)#ipv6 access-group mylist in time-range TIMER1

(config)#interface xe3

(config-if)#no ipv6 access-group mylist in time-range TIMER1

ipv6 access-list

Use this command to define a IPv6 access control list (ACL) that determines whether to accept or drop an incoming IPv6 packet based on specifications configured under the ACL. An ACL is made up of one or more ACL specifications.

Each packet that arrives at the device is compared to each specification in each ACL in the order that they are defined. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently occurring specifications at the top of the list.

The device stops checking the specifications after a match occurs.

There is an implied deny specification for traffic that is not permitted. Implied specification can be updated to permit if the use-case is to deny a certain set of traffic.

Note: IPv6 routing protocols need neighbor discovery to establish sessions. Applying IPv6 ACLs implicitly drops all the ICMPv6 packets, thereby affecting the protocol sessions. To overcome this problem, an implicit ICMPv6 permit rule is added to the IPv6 ACLs.

If required behavior is to deny the icmpv6, the implicit rule can be deleted. For example, create an IPv6 ACL:

(config)#ipv6 access-list ipv6-acl

#show ipv6 access-lists

IPv6 access list ip1

268435453 permit icmpv6 any any

To delete this rule:

(config)#ipv6 access-list ipv6-acl

(config-ipv6-acl)#no 268435453 permit icmpv6 any any

#show ipv6 access-lists

IPv6 access list ip1

Use the no form of this command to remove the ACL.

Command Syntax

ipv6 access-list NAME

no ipv6 access-list NAME

Parameters

NAME

Access-list name.

Default

No default value is specified

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ipv6 access-list ipv6-acl-01

(config-ipv6-acl)#exit

ipv6 access-list default

Use this command to modify the default rule action of IPv6 access-list. Default rule is applicable only when IPv6 access-list is attached to interface. Default rule will have the lowest priority and only the IPv6 packets not matching any of the user defined rules match default rule.

Command Syntax

default (deny-all|permit-all)

Parameters

deny-all

Drop all packets.

permit-all

Accept all packets.

Default

No default value is specified

Command Mode

IPv6 access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ip access-list ipv6-acl-01

(config-ipv6-acl)#default permit-all

ipv6 access-list filter

Use this command to define an access-control entry in an access control list (ACL) that determines whether to accept or drop an IPv6 packet based on the criteria specified. This form of this command filters packets based on:

• Protocol

• Source IP address

• Destination IP address

• DSCP value

• VLAN identifier

Use the no form of this command to remove an ACL specification. ACL specification can be removed using the sequence number as well.

Note: Configuring same filter again with change of sequence number or change of action will result in update of sequence number or filter action.

Note: For IPv6 source and destination address filters, only the network part from the address (upper 64 bits) is supported due to hardware restriction. If the address length is more than 64 bits, it cannot be applied on the interfaces but it can be used with distributed lists in control plane protocols.

Command Syntax

(<1-268435453>|) (deny|permit)(<0-255>|ahp|any|eigrp|esp|gre|ipipv6|ipcomp |ipv6ipv6|ospf|pim|rsvp|vrrp) (X:X::X:X/ M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (dscp (<0-63>|af11| af12| af13| af21| af22| af23| af31|af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5|cs6| cs7| default| ef )|) (vlan <1-4094>|)

no (<1-268435453>|)(deny|permit)(<0-255>|ahp|any|eigrp|esp|gre|ipipv6|ipcomp |ipv6ipv6|ospf|pim|rsvp|vrrp) (X:X::X:X/ M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (dscp (<0-63>|af11| af12| af13| af21| af22| af23| af31|af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5|cs6| cs7| default| ef )|) (vlan <1-4094>|)

no (<1-268435453>)

Parameters

<1-268435453>

IPv6 ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

<0-255>

IANA assigned protocol number.

any

Any protocol packet.

ahp

Authentication Header packet.

eigrp

Enhanced Interior Gateway Routing Protocol packet.

esp

Encapsulating Security Payload packet.

gre

Generic Routing Encapsulation packet.

ipipv6

IPv4 over IPv6 Encapsulation packet.

ipcomp

IP Payload Compression Protocol packet.

ipv6ipv6

IPv6 over IPv6 Encapsulation packet.

ospf

Open Shortest Path First packet.

pim

Protocol Independent Multicast packet

rsvp

Resource Reservation Protocol packet.

vrrp

Virtual Router Redundancy Protocol packet.

X:X::X:X/M

Source Address with network mask length.

X:X::X:X X:X::X:X

Source Address with wild card mask.

any

Any source address.

X:X::X:X/M

Destination address with network mask length.

X:X::X:X X:X::X:X

Destination address with wild card mask.

any

Any destination address

any

Match any destination IP address.

dscp

Match packets with given DSCP value.

<0-63>

Enter DSCP value between 0-63.

af11

AF11 DSCP (001010) decimal value 10.

af12

AF12 DSCP (001100) decimal value 12.

af13

AF13 DSCP (001110) decimal value 14.

af21

AF21 DSCP (010010) decimal value 18.

af22

AF22 DSCP (010100) decimal value 20.

af23

AF23 DSCP (010110) decimal value 22.

af31

AF31 DSCP (011010) decimal value 26.

af32

AF32 DSCP (011100) decimal value 28.

af33

AF33 DSCP (011110) decimal value 30.

af41

AF41 DSCP (100010) decimal value 34

af42

AF42 DSCP (100100) decimal value 36.

af43

AF43 DSCP (100110) decimal value 38.

cs1

CS1 (precedence 1) DSCP (001000) decimal value 8.

cs2

CS2 (precedence 2) DSCP (010000) decimal value 16.

cs3

CS3 (precedence 3) DSCP (011000) decimal value 24.

cs4

CS4 (precedence 4) DSCP (100000) decimal value 32.

cs5

CS5 (precedence 5) DSCP (101000) decimal value 40.

cs6

CS6 (precedence 6) DSCP (110000) decimal value 48.

cs7

CS7 (precedence 7) DSCP (111000) decimal value 56.

default

Default DSCP (000000) decimal value 0.

EF DSCP (101110) decimal value 46.

vlan

Match packets with given vlan value.

<1-4094>

VLAN identifier.

Default

No default value is specified

Command Mode

IPv6 access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ipv6 access-list ipv6-acl-01

(config-ipv6-acl)#permit ipipv6 any any

(config-ipv6-acl)#end

ipv6 access-list icmpv6

Use this command to permit or deny IPv6 ICMP packets with the given source and destination IPv6 address, DSCP value and VLAN ID.

Use the no form of this command to remove an ACL specification.

Note: Configuring same filter again with change of sequence number or change of action will result in update of sequence number or filter action.

Command Syntax

(<1-268435453>|)(deny|permit) (icmpv6) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/ M|X:X::X:X X:X::X:X|any) ((dscp (<0-63>|af11| af12| af13| af21| af22| af23| af31|af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5|cs6| cs7| default| ef)|) (vlan <1-4094>|)

no (<1-268435453>|)(deny|permit) (icmpv6) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((dscp (<0-63>|af11| af12| af13| af21| af22| af23| af31|af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5|cs6| cs7| default| ef )|) (vlan <1-4094>|)

Parameters

<1-268435453>

IPv6 ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

icmpv6

Internet Control Message Protocol packet.

X:X::X:X/M

Source Address with network mask length.

X:X::X:X X:X::X:X

Source Address with wild card mask.

any

Any source address.

X:X::X:X/M

Destination address with network mask length.

X:X::X:X X:X::X:X

Destination address with wild card mask.

any

Any destination address

dscp

Match packets with given DSCP value.

<0-63>

Enter DSCP value between 0-63.

af11

AF11 DSCP (001010) decimal value 10.

af12

AF12 DSCP (001100) decimal value 12.

af13

AF13 DSCP (001110) decimal value 14.

af21

AF21 DSCP (010010) decimal value 18.

af22

AF22 DSCP (010100) decimal value 20.

af23

AF23 DSCP (010110) decimal value 22.

af31

AF31 DSCP (011010) decimal value 26.

af32

AF32 DSCP (011100) decimal value 28.

af33

AF33 DSCP (011110) decimal value 30.

af41

AF41 DSCP (100010) decimal value 34

af42

AF42 DSCP (100100) decimal value 36.

af43

AF43 DSCP (100110) decimal value 38.

cs1

CS1 (precedence 1) DSCP (001000) decimal value 8.

cs2

CS2 (precedence 2) DSCP (010000) decimal value 16.

cs3

CS3 (precedence 3) DSCP (011000) decimal value 24.

cs4

CS4 (precedence 4) DSCP (100000) decimal value 32.

cs5

CS5 (precedence 5) DSCP (101000) decimal value 40.

cs6

CS6 (precedence 6) DSCP (110000) decimal value 48.

cs7

CS7 (precedence 7) DSCP (111000) decimal value 56.

default

Default DSCP (000000) decimal value 0.

EF DSCP (101110) decimal value 46.

vlan

Match packets with given vlan value.

<1-4094>

VLAN identifier.

Default

No default value is specified

Command Mode

IPv6 access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ipv6 access-list mylist

(config-ipv6-acl)#200 permit icmpv6 any any

ipv6 access-list remark

Use this command to add a description to an IPv6 access control list (ACL).

Use the no form of this command to remove an access control list description.

Command Syntax

remark LINE

no remark

Parameters

LINE

ACL description up to 100 characters.

Default

No default value is specified

Command Mode

IPv6 access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ipv6 access-list mylist

(config-ipv6-acl)# remark Permit the inside admin address

ipv6 access-list resequence

Use this command to modify sequence numbers of the IPv6 access list specifications.

Note: Use a non-overlapping sequence space for new sequence number sets to avoid possible unexpected rule matches during transition.

Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.

Command Syntax

resequence <1-268435453> INCREMENT

Parameters

<1-268435453>

Starting Sequence number.

INCREMENT

Sequence number increment steps.

Default

No default value is specified

Command Mode

IPv6 access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ipv6 access-list mylist

(config-ipv6-acl)#resequence 15 15

ipv6 access-list sctp

Use this command to allow ACL to permit or deny SCTP packets based on the given source and destination IPV6 address. Even DSCP and vlan ID can be configured to permit or deny with the given values.

Use the no form of this command to remove an ACL specification.

Note: Configuring same filter again with change of sequence number or change of action will result in update of sequence number or filter action.

Note: Range options like neq, gt, lt and range are not supported by hardware in egress direction.

Command Syntax

(<1-268435453>|) (deny|permit) (sctp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/ M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>) | (range <0-65535> <0-65535>)| } (dscp (<0-63>| af11| af12| af13| af21| af22| af23| af31| af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5| cs6| cs7| default| ef)|) (vlan <1-4094>|)

no (<1-268435453>|) (deny|permit) (sctp) (X:X::X:X/M|X:X::X:X X:X::X:X|any) (X:X::X:X/M|X:X::X:X X:X::X:X|any) {(eq|gt|lt|neq) (<0-65535>) | (range <0-65535> <0-65535>)| } (dscp (<0-63>| af11| af12| af13| af21| af22| af23| af31| af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5| cs6| cs7| default| ef)|) (vlan <1-4094>|)

Parameters

<1-268435453>

IPv6 ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

sctp

Stream Control Transmission Protocol packet.

X:X::X:X/M

Source address with network mask length.

X:X::X:X

Source address with wild card mask.

X:X::X:X

Source address's wild card mask (ignored bits).

any

Any source address.

X:X::X:X/M

Destination address with network mask length.

X:X::X:X

Destination address with wild card mask.

X:X::X:X

Destination address's wild card mask (ignored bits).

any

Any destination address.

Source or destination port equal to.

Source or destination port greater than.

Source or destination port less than.

neq

Source or destination port not equal to.

<0-65535>

Source or destination port number.

range

Range of source or destination port numbers:

<0-65535>

Lowest value in the range.

<0-65535>

Highest value in the range.

dscp

Match packets with given DSCP value.

<0-63>

DSCP value.

af11

AF11 DSCP (001010) decimal value 10.

af12

AF12 DSCP (001100) decimal value 12.

af13

AF13 DSCP (001110) decimal value 14.

af21

AF21 DSCP (010010) decimal value 18.

af22

AF22 DSCP (010100) decimal value 20.

af23

AF23 DSCP (010110) decimal value 22.

af31

AF31 DSCP (011010) decimal value 26.

af32

AF32 DSCP (011100) decimal value 28.

af33

AF33 DSCP (011110) decimal value 30.

af41

AF41 DSCP (100010) decimal value 34

af42

AF42 DSCP (100100) decimal value 36.

af43

AF43 DSCP (100110) decimal value 38.

cs1

CS1 (precedence 1) DSCP (001000) decimal value 8.

cs2

CS2 (precedence 2) DSCP (010000) decimal value 16.

cs3

CS3 (precedence 3) DSCP (011000) decimal value 24.

cs4

CS4 (precedence 4) DSCP (100000) decimal value 32.

cs5

CS5 (precedence 5) DSCP (101000) decimal value 40.

cs6

CS6 (precedence 6) DSCP (110000) decimal value 48.

cs7

CS7 (precedence 7) DSCP (111000) decimal value 56.

default

Default DSCP (000000) decimal value 0.

EF DSCP (101110) decimal value 46.

vlan

Match packets with given vlan value.

<1-4094>

VLAN identifier.

Default

No default value is specified

Command Mode

IPv6 access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ipv6 access-list mylist

(config-ipv6-acl)#200 permit sctp any any

ipv6 access-list tcp|udp

Use this command to define a IPv6 access control list (ACL) specification that determines whether to accept or drop an incoming IPv6 packet based on the criteria that you specify. This form of this command filters packets based on source and destination IPv6 address along with protocol (TCP or UDP) and port.

Use the no form of this command to remove an ACL specification.

Note: Configuring same filter again with change of sequence number or change of action will result in update of sequence number or filter action.

Note: Range options such as neq, gt, lt and range are not supported by the hardware in the egress direction.

Command Syntax

(<1-268435453>|) (deny|permit) tcp (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) <0-65535> |bgp|chargen|cmd|daytime|discard|domain|drip |echo|exec|finger|ftp |ftp- data|gopher|hostname|ident|irc|klogin|kshell |login|lpd|nntp|pim-auto- rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet |time|uucp|whois|www) | (range <0-65535> <0-65535>|)|)(X:X::X:X/M|X:X::X:X X:X::X:X|any)((eq|gt|lt|neq) <0-65535>|bgp|chargen|cmd|daytime|discard|domain |drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell |login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk| telnet|time |uucp|whois|www) | (range <0-65535> <0-65535>)|) (dscp (<0-63>| af11| af12| af13| af21| af22| af23| af31| af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5| cs6| cs7| default| ef)) (vlan <1-4094>|)

no (<1-268435453>|) (deny|permit) tcp (X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) <0-65535> |bgp|chargen|cmd|daytime|discard|domain|drip |echo|exec|finger|ftp |ftp- data|gopher|hostname|ident|irc|klogin|kshell |login|lpd|nntp|pim-auto- rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet |time|uucp|whois|www) | (range <0-65535> <0-65535>)|)(X:X::X:X/M|X:X::X:X X:X::X:X|any) ((eq|gt|lt|neq) <0-65535>|bgp|chargen|cmd|daytime|discard|domain| drip|echo|exec|finger|ftp |ftp- data|gopher|hostname|ident|irc|klogin |kshell|login|lpd|nntp|pim-auto- rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet |time|uucp|whois|www) | (range <0- 65535> <0-65535>)|) (dscp (<0-63>| af11| af12| af13| af21| af22| af23| af31| af32| af33| af41| af42| af43| cs1| cs2| cs3| cs4| cs5| cs6| cs7| default| ef) | (vlan <1-4094>|)

Parameters

<1-268435453>

IPv6 ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

tcp

Transmission Control Protocol.

udp

User Datagram Protocol.

X:X::X:X/M

Source or destination IPv6 prefix and length.

X:X::X:X X:X::X:X

Source or destination IPv6 address and mask.

any

Any source or destination IPv6 address.

Source or destination port equal to.

Source or destination port greater than.

Source or destination port less than.

neq

Source or destination port not equal to.

<0-65535>

Source or destination port number.

range

Range of source or destination port numbers:

<0-65535>

Lowest value in the range.

<0-65535>

Highest value in the range.

ftp

File Transfer Protocol (21).

ssh

Secure Shell (22).

telnet

Telnet (23).

www

World Wide Web (HTTP 80).

tftp

Trivial File Transfer Protocol (69).

bootp

Bootstrap Protocol (BOOTP) client (67).

bgp

Border Gateway Protocol.

chargen

Character generator.

cmd

Remote commands.

daytime

Daytime.

discard

Discard.

domain

Domain Name Service.

drip

Dynamic Routing Information Protocol.

echo

Echo.

exec

EXEC.

finger

Finger.

ftp

File Transfer Protocol.

ftp-data

FTP data connections.

gopher

Gopher.

hostname

NIC hostname server.

ident

Ident Protocol.

irc

Internet Relay Chat.

klogin

Kerberos login.

kshell

Kerberos shell.

lpd

Printer service.

nnt

Network News Transport Protocol.

pim-auto-rp

PIM Auto-RP.

pop2

Post Office Protocol v2.

pop3

Post Office Protocol v3.

smtp

Simple Mail Transport Protocol.

ssh

Secure Shell.

sunrpc

Sun Remote Procedure Call.

tacacs

TAC Access Control System.

talk

Talk.

telnet

Telnet.

time

Time.

uucp

UNIX-to-UNIX Copy Program.

whois

WHOIS/NICNAME

www

World Wide Web.

nntp

Range of source or destination port numbers:

dscp

Match packets with given DSCP value.

<0-63>

DSCP value.

af11

AF11 DSCP (001010) decimal value 10.

af12

AF12 DSCP (001100) decimal value 12.

af13

AF13 DSCP (001110) decimal value 14.

af21

AF21 DSCP (010010) decimal value 18.

af22

AF22 DSCP (010100) decimal value 20.

af23

AF23 DSCP (010110) decimal value 22.

af31

AF31 DSCP (011010) decimal value 26.

af32

AF32 DSCP (011100) decimal value 28.

af33

AF33 DSCP (011110) decimal value 30.

af41

AF41 DSCP (100010) decimal value 34

af42

AF42 DSCP (100100) decimal value 36.

af43

AF43 DSCP (100110) decimal value 38.

cs1

CS1 (precedence 1) DSCP (001000) decimal value 8.

cs2

CS2 (precedence 2) DSCP (010000) decimal value 16.

cs3

CS3 (precedence 3) DSCP (011000) decimal value 24.

cs4

CS4 (precedence 4) DSCP (100000) decimal value 32.

cs5

CS5 (precedence 5) DSCP (101000) decimal value 40.

cs6

CS6 (precedence 6) DSCP (110000) decimal value 48.

cs7

CS7 (precedence 7) DSCP (111000) decimal value 56.

default

Default DSCP (000000) decimal value 0.

EF DSCP (101110) decimal value 46.

biff

Biff.

bootpc

Bootstrap Protocol (BOOTP) client.

bootps

Bootstrap Protocol (BOOTP) server.

discard

Discard.

dnsix

DNSIX security protocol auditing.

domain

Domain Name Service.

echo

Echo.

isakmp

Internet Security Association and Key Management Protocol.

mobile-ip

Mobile IP registration.

nameserver

IEN116 name service.

netbios-dgm

Net BIOS datagram service.

netbios-ns

Net BIOS name service.

netbios-ss

Net BIOS session service.

non500-isakmp

Non500-Internet Security Association and Key Management Protocol.

ntp

Network Time Protocol.

pim-auto-rp

PIM Auto-RP.

rip

Routing Information Protocol.

snmp

Simple Network Management Protocol.

snmptrap

SNMP Traps.

sunrpc

Sun Remote Procedure Call.

syslog

System Logger.

tacacs

TAC Access Control System.

talk

Talk.

tftp

Trivial File Transfer Protocol.

time

Time.

who

Who service.

xdmcp

X Display Manager Control Protocol.

vlan

Match packets with given vlan value.

<1-4094>

VLAN identifier.

Default

No default value is specified

Command Mode

IPv6 access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#ipv6 access-list mylist

(config-ipv6-acl)#deny udp any eq tftp any

(config-ipv6-acl)#deny tcp fd22:bf66:78a4:10a2::/64 fdf2:860a:746a:e49c::/64 eq ssh

mac access-group

Use this command to attach a MAC access list to an interface to filter incoming packets.

When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:

1. VLAN interface

2. LAG interface

3. Physical interface

The time-range parameter is optional. If used, the access-group is tied to the timer specified.

To delete the access-group, use the no form of this command without a time-range.

Note: To attach a MAC ACL in the ingress direction ingress-l2 or ingress-l2-ext TCAM group needs to be enabled and to attach a MAC ACL in the egress direction egress-l2 TCAM group needs to be enabled. See the hardware-profile filter for Qumran-1 command for details.

Note: An egress ACL is supported on physical and lag interfaces only. VLAN and inner-VLAN options in ACL rules will match incoming packet VLANs even when ACL attached at egress.

Command Syntax

mac access-group NAME (in|out) (in|out) (time-range TR_NAME|)

no mac access-group NAME (in|out) (time-range TR_NAME|)

Parameters

NAME

Access list name.

Filter incoming packets.

out

Filter outgoing packets.

TR_NAME

Time range name set with the time-range command.

Default

No default value is specified

Command Mode

Interface mode

Applicability

This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS version 5.0.

Examples

#configure terminal

(config)#mac access-list mylist

(config-mac-acl)#permit any any

(config-mac-acl)#exit

(config)#hardware-profile filter ingress-l2-ext enable

(config)#interface xe3

(config-if)#mac access-group mylist in

(config-if)#exit

(config)#interface xe3

(config-if)#mac access-group mylist in time-range TIMER1

(config-if)#exit

(config)#interface xe3

(config-if)#no mac access-group mylist in time-range TIMER1

(config-if)#exit

(config)#interface xe3

(config-if)#no mac access-group mylist in

(config-if)#exit

mac access-list

Use this command to define a MAC access control list (ACL) that determines whether to accept or drop an incoming packet based on specifications configured under the ACL. An ACL is made up of one or more ACL specifications.

Each packet that arrives at the device is compared to each specification in each ACL in the order that they are defined. The device continues to look until it has a match. If no match is found and the device reaches the end of the list, the packet is denied by default. For this reason, place the most frequently occurring specifications at the top of the list.

The device stops checking the specifications after a match occurs.

There is an implied deny specification for traffic that is not permitted. Implied specification can be updated to permit if the use-case is to deny a certain set of traffic.

Use the no form of this command to remove an ACL.

Command Syntax

mac access-list NAME

no mac access-list NAME

Parameters

NAME

Access-list name.

Default

No default value is specified

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#mac access-list mac-acl-01

(config-mac-acl)#exit

mac access-list default

Use this command to modify the default rule action of mac access-list. Default rule is applicable only when access-list is attached to interface. Default rule will have the lowest priority and only the packets not matching any of the user defined rules match default rule.

Command Syntax

default (deny-all|permit-all)

Parameters

deny-all

Drop all packets.

permit-all

Accept all packets.

Default

No default value is specified

Command Mode

MAC access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#mac access-list mac-acl-01

(config-mac-acl)#default permit-all

mac access-list filter

Use this command to define an access control entry (ACE) in a mac access control list (ACL) that determines whether to permit or deny packets with the given source and destination MAC, ether type, cos and VLAN values.

Use the no form of this command to remove an ACL specification. ACL specification can be removed using the sequence number as well.

Note: Configuring same filter again with change of sequence number or change of action will result in update of sequence number or filter action.

Note: Ether type option is not supported by hardware in egress direction

Command Syntax

no (<1-268435453>)

Parameters

ETHTYPE	Any Ethertype value (0x600 - 0xffff)
deny	Drop the packet.
permit	Accept the packet.
<1-268435453>	IPv4 ACL sequence number.
any	Source/Destination any.
XX-XX-XX-XX-XX-XX	Source/Destination MAC address (Option 1)
XX-XX-XX-XX-XX-XX	Source/Destination MAC address (Option 2).
XXXX.XXXX.XXXX	Source/Destination MAC address (Option 3).
XX-XX-XX-XX-XX-XX	Source/Destination wildcard (Option1).
XX:XX:XX:XX:XX:XX	Source/Destination wildcard (Option2).
XXXX.XXXX.XXXX	Source/Destination wildcard (Option3).
host	A single source/destination host.
aarp	Ethertype - 0x80f3.
appletalk	Ethertype - 0x809b.
decnet-iv	Ethertype - 0x6003
diagnostic	Ethertype - 0x6005
etype-6000	Ethertype - 0x6000
etype-8042	Ethertype - 0x8042
ip4	Ethertype - 0x0800
ip6	Ethertype - 0x86dd
mpls	Ethertype - 0x8847
lat	Ethertype - 0x6004
lavc-sca	Ethertype - 0x6007
mop-console	Ethertype - 0x6002
mop-dump	Ethertype - 0x6001
vines-echo	Ethertype - 0x0baf
WORD	Any Ethertype value
cos <0-7>	Cos value
vlan <1-4094>	VLAN identifier
inner-vlan <1 - 4094>	Inner-VLAN identifier

Default

No default value is specified

Command Mode

MAC access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#mac access-list mac-acl-01

(config-mac-acl)#permit 0000.1234.1234 0000.0000.0000 any

mac access-list remark

Use this command to add a description to a MAC access control list (ACL).

Use the no form of this command to remove an ACL description.

Command Syntax

remark LINE

no remark

Parameters

LINE

ACL description up to 100 characters.

Default

No default value is specified

Command Mode

MAC access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#mac access-list mylist

(config-mac-acl)# remark Permit the inside admin address

mac access-list resequence

Use this command to modify sequence numbers of mac access list specifications.

Note: Use a non-overlapping sequence space for new sequence number sets to avoid possible unexpected rule matches during transition.

Note: Re-sequencing an ACL attached to a management interface clears the ACL counters associated to it.

Command Syntax

resequence <1-268435453> INCREMENT

Parameters

<1-268435453>

Starting sequence number.

INCREMENT

Sequence number increment steps.

Default

No default value is specified

Command Mode

MAC access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal

(config)#mac access-list mylist

(config-mac-acl)#resequence 15 15

show access-lists

Use this command to display a list of access list

Command Syntax

show access-lists (NAME|) (expanded|summary|)

Parameters

NAME

Access-list name.

expanded

Expanded access-list.

summary

Summary of access-list.

Default

None

Command Mode

Privileged Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show access-lists expanded

IP access list Iprule1

11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255

default deny-all

MAC access list Macrule1

10 permit host 0000.1234.1234 any

default deny-all

IPv6 access list ipv6-acl-01

10 deny ahp 3ffe::/64 4ffe::/64

default deny-all

#show access-lists summary

IPV4 ACL Iprule1

statistics enabled

Total ACEs Configured: 1

Configured on interfaces:

xe3/1 - egress (Router ACL)

Active on interfaces:

xe1/3 - ingress (Router ACL)

MAC ACL Macrule1

statistics enabled

Total ACEs Configured: 0

Configured on interfaces:

Active on interfaces:

IPV6 ACL ipv6-acl-01

statistics enabled

Total ACEs Configured: 2

Configured on interfaces:

xe7/1 - ingress (Router ACL)

Active on interfaces:

show arp access-lists

Use this command to display ARP access lists.

Note: Broadcast ARP request packets are counted twice.

Command Syntax

show arp access-lists (NAME|) (expanded|summary|)

Parameters

NAME

ARP access-list name.

expanded

Expanded access-list.

summary

Access-list summary.

Command Mode

Privileged Exec mode and Exec mode

Applicability

This command was introduced in OcNOS version 3.0.

Example

#show arp access-lists

ARP access list arp1

10 permit ip 1.1.1.0/24 mac 0000.0000.0001 FFFF.FFFF.FFF0

20 deny ip 2.2.2.0/24 mac any

default deny-all

#show arp access-lists summary

ARP ACL arp1

statistics enabled

Total ACEs Configured: 2

Configured on interfaces:

xe1 - ingress (Port ACL)

Active on interfaces:

xe1 - ingress (Port ACL)

show ip access-lists

Use this command to display IP access lists.

Note: In Qumran devices, when both ip access-list and mac access-list configured on the same interface with rules from both access-lists matching the packet, the match packet statistics is incremented only for the access-list whose hardware-profile filter is configured at the last. Also, when qos is configured on the same interface, along with ingress-acl statistics profile, ingress-qos statistics profile need to be enabled in order to get statistics for both qos entries and acl entries.

Note: See hardware-profile filter for Qumran-1 for filter groups and hardware-profile statistics.

Command Syntax

show ip access-lists (NAME|) (expanded|summary|)

Parameters

NAME

Access-list name.

expanded

Expanded access-list.

summary

Access-list summary.

Default

None

Command Mode

Exec mode and Privileged Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show ip access-lists

IP access list Iprule2

11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255

12 deny ip 30.0.0.2 0.0.0.255 182.124.0.3/24

default deny-all

#show ip access-lists summary

IPV4 ACL Iprule3

statistics enabled

Total ACEs Configured: 4

Configured on interfaces:

sa1 - ingress (Port ACL)

sa3 - ingress (Router ACL)

sa8 - ingress (Port ACL)

vlan1.3 - ingress (Router ACL)

xe1/1 - ingress (Port ACL)

xe1/2 - ingress (Router ACL)

xe1/3 - ingress (Router ACL)

xe3/1 - egress (Router ACL)

Active on interfaces:

sa1 - ingress (Port ACL)

xe1/1 - ingress (Port ACL)

xe1/2 - ingress (Router ACL)

xe1/3 - ingress (Router ACL)

show ipv6 access-lists

Use this command to display IPv6 access lists.

Command Syntax

show ipv6 access-lists (NAME|) (expanded|summary|)

Parameters

NAME

Access-list name.

expanded

Expanded access-list.

summary

Summary of access-list.

Default

None

Command Mode

Privileged Exec mode and Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show ipv6 access-lists

IPv6 access list ipv6-acl-01

10 deny ahp 3ffe::/64 4ffe::/64

20 permit ahp 78fe::1/48 68fe::1/48

30 permit ahp 3333::1/64 4444::1/48 fragments

40 permit ahp 5555::1/64 4444::1/48 dscp af23

default deny-all

#show ipv6 access-lists summary

IPV6 ACL ipv6-acl-01

statistics enabled

Total ACEs Configured: 4

Configured on interfaces:

sa3 - ingress (Router ACL)

vlan1.3 - ingress (Router ACL)

xe1/1 - ingress (Port ACL)

xe1/2 - ingress (Router ACL)

xe1/3 - ingress (Router ACL)

Active on interfaces:

xe1/1 - ingress (Port ACL)

xe1/2 - ingress (Router ACL)

xe1/3 - ingress (Router ACL)

show mac access-lists

Use this command to display MAC access lists.

Note: In Qumran devices, when both ip access-list and mac access-list configured on the same interface with rules from both access-lists matching the packet, match packet statistics is incremented only for the access-list whose hardware-profile filter is configured at the last. Also, when qos is configured on the same interface, along with ingress-acl statistics profile, ingress-qos statistics profile need to be enabled in order to get statistics for both qos entries and acl entries.

Note: See hardware-profile filter for Qumran-1 for filter groups and hardware-profile statistics.

Command Syntax

show mac access-lists (NAME|) (expanded|summary|)

Parameters

NAME

Access-list name.

expanded

Expanded access-list.

summary

Summary of access-list.

Default

None

Command Mode

Privileged Exec mode and Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show mac access-lists

MAC access list Macrule2

default deny-all

MAC access list Macrule3

10 permit host 0000.1234.1234 any

20 deny host 1111.1111.AAAA any 65535

30 permit host 2222.2222.AAAA any 65535

40 permit 0000.3333.3333 0000.0000.FFFF 4444.4444.4444 0000.0000.FFFF

default deny-all [match=1126931077]

# show mac access-lists summary

MAC ACL Macrule3

statistics enabled

Total ACEs Configured: 4

Configured on interfaces:

sa3 - ingress (Router ACL)

sa8 - ingress (Port ACL)

vlan1.3 - ingress (Router ACL)

xe1/1 - ingress (Port ACL)

xe1/2 - ingress (Router ACL)

xe1/3 - ingress (Router ACL)

Active on interfaces:

xe1/1 - ingress (Port ACL)

xe1/2 - ingress (Router ACL)

xe1/3 - ingress (Router ACL)

show running-config access-list

Use this command to show the running system status and configuration details for MAC and IP access lists.

Command Syntax

show running-config access-list

Parameters

None

Default

None

Command Mode

Privileged Exec mode, configure mode, and route-map mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show running-config access-list

ip access-list abd

10 deny any any any

mac access-list abc

remark test

10 deny any any

show running-config aclmgr

Use this command to display the entire access list configurations along with the attachment to interfaces.

Command Syntax

show running-config aclmgr (all|)

Parameters

all

Show running config with defaults

Default

None

Command Mode

Exec mode and Privileged Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

>enable

#show running-config aclmgr

ip access-list ip-acl-01

11 permit ip 30.0.0.1 0.0.0.255 172.124.0.2 0.0.0.255

12 deny ip 30.0.0.2 0.0.0.255 182.124.0.3/24

mac access-list mac-acl-01

10 permit host 0000.1234.1234 any

20 permit host 0000.1111.AAAA any ipv4 cos 3 vlan 3

ipv6 access-list ipv6-acl-01

10 deny ipv6 3ffe::/64 4ffe::/64 dscp af43

20 permit ipv6 78fe::/64 68fe::/64 dscp cs3

interface xe1/1

ip access-group ip-acl-01 in

show running-config ipv6 access-list

Use this command to show the running system status and configuration details for IPv6 access lists.

Command Syntax

show running-config ipv6 access-list

Parameters

None

Default

None

Command Mode

Privileged exec mode, configure mode, and route-map mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show running-config ipv6 access-list

ipv6 access-list test

10 permit any any any