Configure ACEs

Use an ACE to define packet attributes and the desired behavior for packets that carry the attribute or list of attributes.

Before you begin

The ACL exists. If you want to use IPv6 filters, you must specify the packet type as IPv6 at the ACL level to enable IPv6 filtering.

ACLs are by default created in enabled state while ACEs are by default created in disabled state. Use CLI commands to enable an ACE.

Enter Global Configuration mode:

enable

configure terminal
Create and name an ACE:

filter acl ace <1-2048> <1-2000> [name WORD<0-32>]

The ACE ID determines ACE precedence (that is, the lower the ID, the higher the precedence).
Configure the mode as deny or permit:

filter acl ace action <1-2048> <1-2000> <deny|permit>
Configure ACE actions as required.
Ensure the configuration is correct:

show filter acl ace <1-2048> <1-2000>
Ensure the filter is enabled:

filter acl ace <1-2048> <1-2000> enable
Optionally, reset an ACE to default values (reset the ACE name to the default name and the administrative state to the default value of disable):

default filter acl ace <1-2048> <1-2000>
Optionally, delete an ACE ID:

no filter acl ace <1-2048> <1-2000>

Use the data in the following table to use the filter acl ace and the filter acl ace action commands.


Variable	Value
`<1-2048>`	Specifies the ACL ID.
`<1-2000>`	Specifies the ACE ID.
<deny\|permit>	Configures the action mode for security ACEs. Note: For each Security ACE, you must define one or more actions as well as the associated action mode (permit or deny). Otherwise, the security ACE cannot be enabled. There is no default configuration for Security ACEs. With QoS ACE, the action mode is not configurable. QoS ACEs are always set to action mode permit.
enable	Enables an ACE within an ACL. After you enable an ACE, to make changes, first disable it.
name `WORD<0-32>`	Specifies an optional descriptive name for the ACE that uses 0–32 characters.