Creates policy access-list match criteria.
access-list | Specifies the access-list rule model, which allows multiple match criteria per rule. |
list_dot_rule | Specifies the access-list name and rule name in the format list_name.rule_name. |
matches | Selects up to 5 match criteria. |
app-signature | Associates an application signature to a policy profile. |
group | Associates an application signature group to a policy profile. |
group | Defines the application signature group name. |
name | Associates an application signature name to a policy profile. |
name | Defines the name assigned to the application signature (range 1–32). |
ether | Selects the type field in an Ethernet II packet. |
ether | Defines the type field in an Ethernet II packet (data: 0–65535 or 0x0–0xFFFF; mask: 1–16). |
mask | Selects a mask. |
ether_mask | Selects the number of most significant bits to match data value (range 1–16). |
icmp6type | Selects ICMPv6 type.code. |
icmp6type | Defines the ICMPv6 type.code (data: 123.456 (dotted-decimal) or AB-CD (dashed-hexadecimal)). |
icmp6_mask | Specifies the number of most significant bits to match data value (range 1–16). |
icmptype | Selects an ICMP type.code. |
icmptype | Specifies the ICMP type.code (data: a.b; mask: 1–16). |
icmp_mask | Specifies the number of most significant bits to match data value (range 1–16). |
ipdestsocket | Specifies a destination IP address with optional post-fixed port or port-range. |
ipdestsocket | Defines the destination IP address with optional post-fixed port or port-range (data: a.b.c.d [:ab (0–65535) [-cd (0–65535)]]; mask: 1–48, 64). |
ipdest_mask | Specifies the number of most significant bits to match data value (range 1–64). |
ipfrag | Selects IP fragmentation flag. |
ipproto | Specifies protocol field in IP packet. |
ipproto | Defines the protocol field in IP packet (data: 0–255 or 0x0–0xFF; mask: 1–8). IPv4 only (ICMP). |
ipproto_mask | Specifies the number of most significant bits to match the data value (range 1–8). |
ipsourcesocket | Specifies the source IP address with optional post-fixed port or port-range. |
ipsourcesocket | Defines the source IP address with optional post-fixed port or port-range (data: a.b.c.d [:ab (0–65535) [-cd (0–65535)]]; mask: 1–48, 64). |
ipsrc_mask | Specifies the number of most significant bits to match data value (range 1–64). |
iptos | Specifies IPv4 type of service/IPv6 traffic class field. |
iptos | Defines the IPv4 type of service/IPv6 traffic class field (data: 0–255; mask: 1–8). |
iptos_mask | Specifies the number of most significant bits to match data value (range 1–8). |
ipttl | Specifies IP time to live. |
ipttl | Defines the IP time to live (data: 0–255 or 0x0–0xFF; mask: 1–8). |
ipttl_mask | Specifies the number of most significant bits to match data value (range 1–8). |
tcpdestportIP | Specifies TCP port/port-range destination with optional post-fix IPv4 address. |
tcpdestportIP | Defines the TCP port/port-range destination with optional post-fix IPv4 address (data: ab [-cd] [:c.d.e.f]; mask: 1–64). |
tcpdest_mask | Specifies the number of most significant bits to match data value (range 1–64). |
tcpsourceportIP | Specifies TCP port/port-range source with optional post-fix IPv4 address. |
tcpsourceportIP | Defines the TCP port/port-range source with optional post-fix IPv4 address (data: ab [-cd] [:c.d.e.f]; mask: 1–64). |
tcpsrc_mask | Specifies the number of most significant bits to match data value (range 1–64). |
udpdestportIP | Specifies UDP port/port-range destination with optional post-fix IPv4 address. |
udpdestportIP | Defines the UDP port/port-range destination with optional post-fix IPv4 address (data: ab [-cd] [:c.d.e.f]; mask: 1–64). |
udpdest_mask | Specifies the number of most significant bits to match data value (range 1–64). |
udpsourceportIP | Specifies UDP port/port-range source with optional post-fix IPv4 address. |
udpsourceportIP | Defines the UDP port/port-range source with optional post-fix IPv4 address (data: ab [-cd] [:c.d.e.f]). |
udpsrc_mask | Specifies the number of most significant bits to match data value (range 1–64). |
actions | Selects one or more actions to perform when there is a match. |
cos | Specifies Class of Service (CoS) as an action. |
cos | Defines the CoS (0–255), or -1 for no CoS, or CoS with no forwarding behavior to remove the existing forwarding settings. |
drop | Specifies dropping any packets that match this rule. |
forward | Specifies forwarding any packets that match this rule. |
mirror-destination | Specifies mirroring any packets that match this rule. |
control_index | Defines which mirror destination control index (1–4). |
syslog | Enables, disables, or prohibits Syslog using event Policy.LogRuleHit on first rule use. |
N/A.
To use this command, the policy rule model must be set to access-list (use the command configure policy rule-model [access-list | hierarchical]).
The following example creates the policy access list "ACL1.ace3" with match criteria of IP source address "10.1.1.1" and mask "32" with the action to forward with Class of Service level "2":
# create policy access-list ACL1.ace3 matches ipsource 10.1.1.1 mask 32 actions forward cos 2
This command was first available in ExtremeXOS 30.5.
This command is available on all Universal switches supported in this document.
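An added example, not part of the ExtremeXOS documentation: a pre-deployment lint in Python that checks a create policy access-list line against the ranges in the table above and flags masks shorter than the field width, since those match more than the single data value. The token layout is assumed from the page's own example, the names lint, msb_match and SAMPLE are hypothetical, and only the numeric criteria (ether, ipproto, iptos, ipttl) plus the cos and mirror-destination ranges are checked.

```python
import re

# Data ceilings and field widths (= maximum mask) from the table above.
# Only the plain numeric criteria are covered; sockets and ICMP are skipped.
NUMERIC = {"ether": (0xFFFF, 16), "ipproto": (0xFF, 8),
           "iptos": (0xFF, 8), "ipttl": (0xFF, 8)}
MAX_MATCHES = 5  # "Selects up to 5 match criteria"
# Constructed sample: IPv4 EtherType with an 8-bit mask, which also covers ARP (0x0806).
SAMPLE = "create policy access-list ACL1.ace4 matches ether 0x0800 mask 8 actions forward"

def msb_match(value, data, mask_bits, width):
    """True if the mask_bits most significant bits of value equal those of data."""
    shift = width - mask_bits
    return (value >> shift) == (data >> shift)

def lint(command):
    """Return findings for one 'create policy access-list' line."""
    # Assumed layout (from the page's example, not a full grammar):
    # matches <kw> <data> mask <n> [...] actions <action> [...]
    m = re.search(r"\bmatches\b(.*?)\bactions\b(.*)$", command)
    if not m:
        return ["expected 'matches ... actions ...'"]
    findings = []
    criteria = re.findall(r"(\S+)\s+(\S+)\s+mask\s+(\d+)", m.group(1))
    if len(criteria) > MAX_MATCHES:
        findings.append(f"{len(criteria)} match criteria, limit is {MAX_MATCHES}")
    for kw, data, mask in criteria:
        if kw not in NUMERIC:
            continue
        max_data, width = NUMERIC[kw]
        try:
            value = int(data, 16) if data.lower().startswith("0x") else int(data)
        except ValueError:
            findings.append(f"{kw}: data {data!r} is not a number")
            continue
        bits = int(mask)
        if not 0 <= value <= max_data:
            findings.append(f"{kw}: data {data} outside 0-{max_data}")
        if not 1 <= bits <= width:
            findings.append(f"{kw}: mask {bits} outside 1-{width}")
        elif bits < width:  # short mask: the rule covers a whole block of values
            findings.append(f"{kw}: mask {bits} also matches {2 ** (width - bits) - 1} other values")
    for name, pattern, lo, hi in (("cos", r"\bcos\s+(-?\d+)", -1, 255),
                                  ("mirror-destination", r"\bmirror-destination\s+(\d+)", 1, 4)):
        hit = re.search(pattern, m.group(2))
        if hit and not lo <= int(hit.group(1)) <= hi:
            findings.append(f"{name}: {hit.group(1)} outside {lo}-{hi}")
    return findings
```

Calling lint(SAMPLE) reports the short mask, and msb_match(0x0806, 0x0800, 8, 16) shows why: with only 8 bits compared, an ARP frame satisfies a rule written for the IPv4 EtherType.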