Action Modifiers
Additional actions can also be specified, independent of whether the
packet is dropped or forwarded. These additional actions are called action
modifiers. Not all action modifiers are available on all switches, and not
all are available for both ingress and egress ACLs. The action modifiers
are:
- class-id value
0-4095—Signifies that the rule will
be installed in the LOOKUP stage access-list resource.
Class-id range varies from platform to platform.
- count
countername—Increments the counter
named in the action modifier.
Note
The
CLEAR-Flow counters work when the ACL is applied to
a VLAN, but not if applied to a port or
wildcard.
- ingress— All platforms
- egress— All platform. On egress, count does not
work in combination with deny action.
Note
On
egress, count does not work in combination with deny
action in some platforms
- add-vlan-id—Adds a new outer
VLAN ID. If the packet
is untagged it will add a VLAN tag to the packet. If the
packet is tagged, it will add an additional VLAN tag. Only
supported in VLAN Lookup stage (VFP).
- byte-count byte
counter name—Increments the byte
counter named in the action modifier
- packet-count packet counter name—Increments the
packet counter named in the action modifier.
- log—Logs the packet header.
- log-raw—Logs the packet header in hex
format.
- meter
metername—Takes action depending on
the traffic rate. (Ingress and egress meters are supported
on the platforms listed for these features in the
Switch Engine v33.1.1 Licensing Guide
document.
- mirror—Rules that contain mirror as an
action modifier will use a separate slice.
- mirror-cpu—Mirrors a copy of the packet to
the CPU in order to log it. It is supported only in
ingress.
- qosprofile qosprofilename—Forwards the packet
to the specified QoS
profile.
- ingress—all platforms
- egress—does not forward the packets to
the specified qosprofile. If the action modifier
“replace-dot1p” is present in the ACL rule, the
dot1p field in the packet is replaced with the
value from associated qosprofile. All ExtremeSwitching Universal switches.
- redirect ipv4
addr—Forwards the packet to the
specified IPv4 address.
- redirect-no-replace-l2-sa IP nexthop
address—Forwards the packet to the
specified IPv4 address without changing the source MAC
address. Only apply to “L3 routable” traffic. Layer-2
traffic is not subject to matching.
- redirect-port port—Overrides the forwarding
decision and changes the egress port used. If the specified
port is part of a load share group then this action will
apply the load sharing algorithm.
- redirect-port-list port_list—Supports multiple
redirect ports as arguments. When used in an ACL, matching
packets are now redirected to multiple ports as specified in
the ACL while overriding the default forwarding decision.
Maximum number of ports that can be mentioned in this list
is 64.
- redirect-port-no-sharing port—Overrides the forwarding decision and
changes the egress port used. If the specified port is part
of a load share group then this action overrides the load
sharing algorithm and directs matching packets to only this
port.
- redirect-name name—Specifies the name of the
flow-redirect that must be used to redirect matching
traffic.
- redirect-vlan—Redirects the traffic to all
ports in the matching VLAN. With L3 unicast routing, floods
on the egress VLAN members.
- replace-dscp—Replaces the packet‘s DSCP
field with the value from the associated QoS profile.
- replace-dot1p—Replaces the packet‘s 802.1p
field with the value from the associated QoS profile.
- replace-dot1p-value value—Replaces the packet's 802.1p field with
the value specified without affecting the QoS profile
assignment.
- replace-ethernet-destination-address mac-address—Replaces the packet's
destination MAC address; this is applicable only to layer-2
forwarded traffic.
- replace-vlan-id —Replaces an outer VLAN ID in a
double-tagged packet or a single VLAN tag in a single-tagged
packet.