Configure ACEs

Use an ACE to define packet attributes and the desired behavior for packets that carry the attribute or list of attributes.

Before you begin

  • The ACL exists. If you want to use IPv6 filters, you must specify the packet type as IPv6 at the ACL level to enable IPv6 filtering.

About this task

ACLs are created in the enabled state by default, but ACEs are created in the disabled state by default. An ACE does not filter any traffic until you enable it with the CLI command shown in the procedure.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create and name an ACE:

    filter acl ace <acl-id> <ace-id> [name WORD<0-32>]

    The ACE ID determines ACE precedence (that is, the lower the ID, the higher the precedence).

    Note

    For some hardware platforms, the ACE ID range is from 1 to 1000. If you try to create an ACE ID outside the range, the device displays the following error message:

    Invalid input detected at '^' marker

  3. Configure the mode as deny or permit:

    filter acl ace action <acl-id> <ace-id> <deny|permit>

    Note

    For VSP 8600 Series, the filter ACL ACE deny action does not apply to the Extensible Authentication Protocol (MKPDU), Link Layer Discovery Protocol, Virtual Link Aggregation Control Protocol, Link Aggregation Control Protocol, Topology Discovery Protocol, and Bridge Protocol Data Unit (BPDU) Guard frames. The system still snoops these packets to the Central Processing Unit (CPU) for processing, so a deny ACE cannot be used to block these control-plane frames.

  4. Configure the ACE packet attributes and any additional ACE actions as required. A security ACE needs at least one action and its action mode before it can be enabled.
  5. Ensure the configuration is correct:

    show filter acl ace <acl-id> <ace-id>

  6. Enable the ACE (nothing is filtered until this step):

    filter acl ace <acl-id> <ace-id> enable

  7. Optionally, reset an ACE to default values (reset the ACE name to the default name and the administrative state to the default value of disable):

    default filter acl ace <acl-id> <ace-id>

  8. Optionally, delete an ACE ID:

    no filter acl ace <acl-id> <ace-id>
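The procedure above as one worked CLI session. This is an added example, not a transcript from the product documentation. It assumes that ACL 1 already exists as a security (not QoS) ACL, and it uses ACE IDs 10 and 20 so that the deny entry takes precedence over the permit entry. The match-criteria lines (filter acl ace ip, filter acl ace protocol, filter acl ace ethernet) and the disable form (no filter acl ace <acl-id> <ace-id> enable) are assumed syntax that this page does not document; confirm them with the CLI Help for your release before use.

```text
# Assumed: ACL 1 already exists as a security ACL (not created on this page).
enable
configure terminal

# ACE 10: deny Telnet. Lower ID = higher precedence, so this entry is
# evaluated before ACE 20 regardless of the order in which they are created.
filter acl ace 1 10 name deny-telnet
filter acl ace action 1 10 deny
# Match criteria: assumed syntax, check CLI Help for your release.
filter acl ace ip 1 10 ip-protocol-type eq tcp
filter acl ace protocol 1 10 dst-port eq 23

# ACE 20: permit the remaining IP traffic that reaches this ACL.
filter acl ace 1 20 name permit-rest
filter acl ace action 1 20 permit
# Match criterion: assumed syntax.
filter acl ace ethernet 1 20 ether-type eq ip

# Verify before enabling. A security ACE with no action, or an action
# without a permit/deny mode, cannot be enabled.
show filter acl ace 1 10
show filter acl ace 1 20

# ACEs are created disabled; nothing is filtered until this point.
filter acl ace 1 10 enable
filter acl ace 1 20 enable

# To change an enabled ACE, disable it first (assumed syntax), edit, re-enable.
no filter acl ace 1 10 enable
filter acl ace 1 10 name deny-telnet-in
filter acl ace 1 10 enable

# Cleanup options: reset an ACE to its default name and disabled state,
# or delete it outright.
default filter acl ace 1 20
no filter acl ace 1 20
```

Run the two show commands again after enabling and confirm that ACE 10 reports action mode deny and is enabled; an ACE that is still disabled after this sequence usually means the action or mode was never set.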

Variable Definitions

Use the data in the following table to use the filter acl ace and the filter acl ace action commands.

Variable          Value
----------------  -------------------------------------------------------------------
<acl-id>          Specifies the ACL ID. Use the CLI Help to see the available range
                  for the switch.

<ace-id>          Specifies the ACE ID. Different hardware platforms support different
                  ACE ID ranges. Use the CLI Help to see the available range for the
                  switch.

<deny|permit>     Configures the action mode for security ACEs.

                  Note: For each security ACE, you must define one or more actions as
                  well as the associated action mode (permit or deny). Otherwise, the
                  security ACE cannot be enabled. There is no default configuration for
                  security ACEs. For a QoS ACE, the action mode is not configurable;
                  QoS ACEs are always set to action mode permit.

enable            Enables an ACE within an ACL. After you enable an ACE, to make
                  changes, first disable it.

name WORD<0-32>   Specifies an optional descriptive name for the ACE of 0 to 32
                  characters.