Configure ACE actions
Note
DEMO FEATURE - Policy Based Routing (Redirect Next Hop) per VRF is a demonstration feature on some products. Demonstration features are provided for testing purposes and are for lab use only; do not use them in a production environment. For more information, see VOSS Feature Support Matrix.
Configure ACE actions to determine the process that occurs after a packet matches an ACE.
Before you begin
The ACE exists.
Procedure
Example
Configure ACE actions:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#filter acl ace action 1 47 permit redirect-next-hop 192.0.2.5 unreachable deny count
Configuring an action does not activate the ACE: it stays administratively disabled (Admin State Disable, Oper State Down) until you enable it with filter acl ace <acl-id> <ace-id> enable. Display the configuration using the show filter acl action command:
Switch:1(config)#show filter acl action

====================================================================================================
                                    Ace Action Table (Part I)
====================================================================================================
Acl  Ace  AceName  Admin    Oper   Mode    Mlt  Remark   Remark
Id   Id            State    State          Id   DSCP     Dot1p
----------------------------------------------------------------------------------------------------
1    47   ace47    Disable  Down   permit  0    disable  disable

====================================================================================================
                                    Ace Action Table (Part II)
====================================================================================================
Acl  Ace  Redirect  Vrf           Unreach  Police  Internal
Id   Id   Next-Hop  name          -able            Qos
----------------------------------------------------------------------------------------------------
1    47   2.0.0.0   GlobalRouter  deny     0       0

====================================================================================================
                                    Ace Action Table (Part III)
====================================================================================================
Acl  Ace  Ipfix    Count   Log      CopyTo   Monitor  Monitor   Monitor
Id   Id                             Pcap     Dst-Mlt  Dst-Vlan  Dst-Port
----------------------------------------------------------------------------------------------------
1    47   disable  enable  disable  disable  1        0

====================================================================================================
                                    Ace Action Table (Part IV)
====================================================================================================
Acl  Ace  Monitor  Dscp  Ttl   Monitor  Isid    QoS  Remove-Tag
Id   Id   Dst-Ip               Isid     Offset
----------------------------------------------------------------------------------------------------
1    47   0.0.0.0  ----  ----  ---      ---     ---

Displayed 1 of 1 Entries
Display the configuration using the show filter acl config command:
Switch:1(config)#show filter acl config

====================================================================================================
                                  Filter ACL-ACE Configuration
====================================================================================================
----------------------------------------------------------------------------------------------------
filter acl 1 type inPort name "ACL-1-2/1"
filter acl port 1 2/1
filter acl ace 1 1 name "ACE_99"
filter acl ace action 1 1 deny
filter acl ace ethernet 1 1 src-mac eq 30:0:0:0:0:0:0:ffff
filter acl ace ethernet 1 1 ether-type eq 0x800
filter acl ace ip 1 1 ip-protocol-type eq 17
filter acl ace protocol 1 1 dst-port eq telnet
filter acl ace 1 1 enable
filter acl ace 1 2 name "ACE_100"
filter acl ace action 1 2 permit
filter acl ace ethernet 1 2 src-mac eq 30:0:0:0:0:0:0:ffff
filter acl ace ethernet 1 2 ether-type eq 0x800
filter acl ace ip 1 2 ip-protocol-type eq 17
filter acl ace protocol 1 2 dst-port eq ssh
Display the configuration using the show filter acl ace command:
Switch:1(config)#show filter acl ace

====================================================================================================
                                    Ace Action Table (Part I)
====================================================================================================
Acl  Ace  AceName  Admin    Oper   Mode    Mlt  Remark   Remark
Id   Id            State    State          Id   DSCP     Dot1p
----------------------------------------------------------------------------------------------------
1    47   ace47    Disable  Down   permit  0    disable  disable

====================================================================================================
                                    Ace Action Table (Part II)
====================================================================================================
Acl  Ace  Redirect  Vrf           Unreach  Police  Internal
Id   Id   Next-Hop  name          -able            Qos
----------------------------------------------------------------------------------------------------
1    47   2.0.0.0   GlobalRouter  deny     0       0

====================================================================================================
                                    Ace Action Table (Part III)
====================================================================================================
Acl  Ace  Ipfix    Count   Log      CopyTo   Monitor  Monitor   Monitor
Id   Id                             Pcap     Dst-Mlt  Dst-Vlan  Dst-Port
----------------------------------------------------------------------------------------------------
1    47   disable  enable  disable  disable  1        0

====================================================================================================
                                    Ace Action Table (Part IV)
====================================================================================================
Acl  Ace  Monitor  Dscp  Ttl   Monitor  Isid    QoS  Remove-Tag
Id   Id   Dst-Ip               Isid     Offset
----------------------------------------------------------------------------------------------------
1    47   0.0.0.0  ----  ----  ---      ---     ---

Displayed 1 of 1 Entries
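The following Python script is an added example, not Extreme Networks code and not part of this page. It parses the filter acl ace lines of a show filter acl config dump and reports ACEs that are inert or lab-only: an ACE with no action mode (which cannot be enabled), an ACE that is fully configured but never enabled (which matches nothing), and an ACE that depends on the demonstration-only redirect-next-hop, unreachable or vrf actions. The sample configuration is constructed from the output shown above, with two hypothetical ACEs added: ACE 47 (the redirect example, left unenabled) and ACE 48 (match criteria but no action). The keyword sets are taken from the variable table that follows; the finding text is the script's own.

```python
"""Audit a VOSS 'show filter acl config' dump for ACEs that do nothing.

Added example, not Extreme Networks code. It reports ACEs that lack an action
mode (they cannot be enabled), ACEs that are configured but never enabled
(they match nothing), and ACEs that depend on demonstration-only actions.
"""
import re

# Action keywords that take one argument; anything else (count, remove-tag) is a flag.
ARG_KEYWORDS = {
    "redirect-next-hop", "unreachable", "vrf", "remark-dscp", "remark-dot1p",
    "qos", "internal-qos", "monitor-dst-ports", "monitor-dst-mlt",
    "monitor-isid-offset",
}
# Lab-only on some products per the VOSS Feature Support Matrix.
DEMO_KEYWORDS = {"redirect-next-hop", "unreachable", "vrf"}

# Matches every 'filter acl ace ...' line the switch prints, for example:
#   filter acl ace 1 1 name "ACE_99"             (section None)
#   filter acl ace action 1 1 deny count         (section 'action')
#   filter acl ace ip 1 1 ip-protocol-type eq 6  (section 'ip')
#   filter acl ace 1 1 enable                    (section None)
ACE_LINE = re.compile(
    r"^filter acl ace(?: (action|ethernet|ip|protocol))? (\d+) (\d+)(?: (.*))?$"
)

# Constructed sample: the config shown on this page, plus hypothetical ACEs 47
# (the redirect example, never enabled) and 48 (match criteria, no action).
SAMPLE_CONFIG = """\
====================================================================================================
Filter ACL-ACE Configuration
====================================================================================================
filter acl 1 type inPort name "ACL-1-2/1"
filter acl port 1 2/1
filter acl ace 1 1 name "ACE_99"
filter acl ace action 1 1 deny
filter acl ace ethernet 1 1 ether-type eq 0x800
filter acl ace ip 1 1 ip-protocol-type eq 6
filter acl ace protocol 1 1 dst-port eq telnet
filter acl ace 1 1 enable
filter acl ace 1 2 name "ACE_100"
filter acl ace action 1 2 permit
filter acl ace ethernet 1 2 ether-type eq 0x800
filter acl ace ip 1 2 ip-protocol-type eq 6
filter acl ace protocol 1 2 dst-port eq ssh
filter acl ace 1 47 name "ace47"
filter acl ace action 1 47 permit redirect-next-hop 192.0.2.5 unreachable deny count
filter acl ace 1 48 name "ACE_no_action"
filter acl ace ip 1 48 ip-protocol-type eq 17
"""


def parse_ace_config(text):
    """Return {(acl_id, ace_id): entry} built from the 'filter acl ace' lines in text."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_LINE.match(raw.strip())
        if not m:
            continue  # banners, 'filter acl N type ...', 'filter acl port ...'
        section, acl_id, ace_id, rest = m.groups()
        entry = aces.setdefault((int(acl_id), int(ace_id)), {
            "name": None, "mode": None, "actions": {}, "matches": [], "enabled": False,
        })
        rest = rest or ""
        if section is None:
            if rest.startswith("name "):
                entry["name"] = rest[len("name "):].strip('"')
            elif rest == "enable":
                entry["enabled"] = True
        elif section == "action":
            tokens = rest.split()
            entry["mode"] = tokens[0]  # permit or deny
            i = 1
            while i < len(tokens):
                if tokens[i] in ARG_KEYWORDS and i + 1 < len(tokens):
                    entry["actions"][tokens[i]] = tokens[i + 1]
                    i += 2
                else:
                    entry["actions"][tokens[i]] = True
                    i += 1
        else:
            entry["matches"].append(f"{section} {rest}")
    return aces


def audit(aces):
    """Return a sorted list of (acl_id, ace_id, finding) for inert or lab-only ACEs."""
    findings = []
    for (acl_id, ace_id), e in sorted(aces.items()):
        if e["mode"] not in ("permit", "deny"):
            findings.append((acl_id, ace_id, "no action mode: ACE cannot be enabled"))
        elif not e["enabled"]:
            findings.append((acl_id, ace_id, "configured but not enabled: matches nothing"))
        demo = sorted(DEMO_KEYWORDS & set(e["actions"]))
        if demo:
            findings.append((acl_id, ace_id,
                             "demonstration-only actions, not for production: " + ", ".join(demo)))
    return findings


if __name__ == "__main__":
    for acl_id, ace_id, finding in audit(parse_ace_config(SAMPLE_CONFIG)):
        print(f"acl {acl_id} ace {ace_id}: {finding}")
```

Run it against a saved show filter acl config capture instead of SAMPLE_CONFIG to check a switch before a change window; an ACE that is present in the running config but reported as "not enabled" is the usual reason a filter appears to do nothing.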
Variable definitions
Use the data in the following table to use the filter acl ace action command.
Variable | Value
---|---
<acl-id> | Specifies the ACL ID. Use the CLI Help to see the available range for the switch.
<ace-id> | Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch.
count | Enables counting of matching packets. Use this parameter with either a security or a QoS ACE. The default is disabled.
<deny\|permit> | Configures the action mode for security ACEs. Note: For each security ACE, you must define one or more actions as well as the action mode (permit or deny); otherwise, the security ACE cannot be enabled. There is no default action mode for security ACEs. For QoS ACEs the action mode is not configurable; QoS ACEs are always permit.
monitor-isid-offset <1–1000> | Specifies the offset ID that is mapped to the monitor I-SID to which matching packets are mirrored. Monitor I-SID = base monitor I-SID + offset ID, where the base monitor I-SID is 16776000.
remove-tag | Removes the outer VLAN tag from matching packets. Note: remove-tag is available only when matching packets are denied (action mode deny).
qos <0–5> | Specifies the QoS level for traffic mirrored to the monitor I-SID. The monitoring I-SID supports six QoS levels, 0 to 5, which you can configure individually. The default value is 1.
internal-qos <0–7> | Sets the internal QoS level for matching packets. This is a QoS action. The default value is 1.
monitor-dst-ports {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} | Mirrors matching packets to a destination port or ports. This is a security action. Identify the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
monitor-dst-mlt <1–512> | Mirrors matching packets to a destination MLT, in the range 1 to 512.
redirect-next-hop WORD<1–45> | Specifies the IPv4 or IPv6 address of the next hop to which matching packets are redirected. This is a security action. Note: redirect-next-hop is available for demonstration purposes only on some products. For more information, see VOSS Feature Support Matrix.
unreachable <permit\|deny> | Specifies what happens to matching packets when the redirect next hop is unreachable: deny drops them, permit lets them follow the normal forwarding path. The default value is deny. This is a security action. Note: unreachable is available for demonstration purposes only on some products. For more information, see VOSS Feature Support Matrix.
vrf WORD<1–16> | Specifies the name of the VRF in which the redirect next hop is resolved. The name must be 1 to 16 characters. Note: vrf is available for demonstration purposes only on some products. For more information, see VOSS Feature Support Matrix.
remark-dscp <phbcs0\|phbcs1\|phbaf11\|phbaf12\|phbaf13\|phbcs2\|phbaf21\|phbaf22\|phbaf23\|phbcs3\|phbaf31\|phbaf32\|phbaf33\|phbcs4\|phbaf41\|phbaf42\|phbaf43\|phbcs5\|phbcs6\|phbef\|phbcs7> | Specifies the new Per-Hop Behavior (PHB) for matching packets: phbcs0, phbcs1, phbaf11, phbaf12, phbaf13, phbcs2, phbaf21, phbaf22, phbaf23, phbcs3, phbaf31, phbaf32, phbaf33, phbcs4, phbaf41, phbaf42, phbaf43, phbcs5, phbcs6, phbef, or phbcs7. This is a QoS action.
remark-dot1p <0–7> | Specifies the new 802.1p priority for matching packets, 0 to 7. This is a QoS action.