filter acl ace protocol

Use protocol access control entries (ACEs) to filter on the TCP source port, UDP source port, TCP destination port, UDP destination port, ICMP message type, and TCP flags.

Syntax

default filter acl ace protocol <acl-id> <ace-id>
filter acl ace protocol <acl-id> <ace-id> dst-port eq WORD<1-60>
filter acl ace protocol <acl-id> <ace-id> dst-port mask WORD<1-60> <0x0-0xFFFF>
filter acl ace protocol <acl-id> <ace-id> icmp-msg-type eq WORD<1-200>
filter acl ace protocol <acl-id> <ace-id> icmpv6-msg-type eq WORD<1-200>
filter acl ace protocol <acl-id> <ace-id> src-port eq <0-65535>
filter acl ace protocol <acl-id> <ace-id> tcp-flags eq WORD<1-50>
filter acl ace protocol <acl-id> <ace-id> tcp-flags mask WORD<1-50> <0-0x3F | 0x0-0x0>
filter acl ace protocol <acl-id> <ace-id> routing-type eq <0-2>
filter acl ace protocol <acl-id> <ace-id> src-port mask <0-65535> <0x0-0xFFFF>
no filter acl ace protocol <acl-id> <ace-id>
no filter acl ace protocol <acl-id> <ace-id> dst-port
no filter acl ace protocol <acl-id> <ace-id> icmp-msg-type
no filter acl ace protocol <acl-id> <ace-id> src-port
no filter acl ace protocol <acl-id> <ace-id> tcp-flags
no filter acl ace protocol <acl-id> <ace-id> routing-type

Command Parameters

<ace-id>: Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch.
<acl-id>: Specifies the ACL ID. Use the CLI Help to see the available range for the switch.
dst-port <eq|mask> WORD<1-60>: The <eq|mask> parameter specifies an operator for a field match condition: equal to.; The WORD<1-60> parameter specifies the destination port for the TCP protocol: (0-65535), or {echo| ftpdata| ftpcontrol| ssh| telnet| dns| http|bgp| hdot323| bootpServer| boorpClient| tftp| rip| rtp| rctp| undefined}.
icmp-msg-type <eq> WORD <1-200>: Specifies the Internet Control Message Protocol (ICMP) message type attribute of the protocol.; The <eq> parameter specifies an operator for a field match condition: equal to.; The WORD<1-200> parameter specifies one or more IP protocol types (0-255), or {echoreply|destunreach| sourcequench| redirect| echo-request| routeradv|routerselect| time-exceeded| param-problem| timestamp-request|timestamp-reply| addressmask-request| addressmask-reply| traceroute}.
icmpv6-msg-type <eq> WORD <1-200>: Specifies the ICMPv6 message type attribute of the protocol.; The <eq> parameter specifies an operator for a field match condition: equal to.; The WORD<1-200> parameter specifies one or more Icmpmsg type {0-255} or {destUnreach | pktTooBig | timeExceeded | paramProblem | echoRequest | echoReply | mcastListenReq | mcastListenRpt | mcastListenDone | routerSolicit | routerAdvert | neighborSolicit | neighborAdvert | redirectMsg | nodeInfoReq | nodeInfoRsp | v2McastListenRpt}.
routing-type eq <0-2>: This parameter represents the routing type attribute.
src-port <eq|mask> WORD<1-65535>: The <eq|mask> parameter specifies an operator for a field match condition.; The WORD <1-65535> parameter specifies the destination port for the TCP protocol {0-65535}.
tcp-flags <eq|mask> WORD<1-50>: Specifies TCP-flags attribute of the protocol.; The <eq|mask> parameter specifies an operator for a field match condition.; The WORD <1-50> parameter specifies one or more TCP flags: {none| fin| syn| rst| push| ack| urg|undefined}. The tcp-flags and icmp-msg-type command options support lists.

Default

None

Command Mode

Global Configuration