filter acl ace ip

Use IP access control entries (ACEs) to filter on the source IP address, destination IP address, DiffServ Code Point (DSCP), protocol, IP options, IP fragmentation parameters, and routed packets.

Syntax

default filter acl ace ip <acl-id> <ace-id>
filter acl ace ip <acl-id> <ace-id> dscp eq <0-63 | 0-63>
filter acl ace ip <acl-id> <ace-id> dst-ip eq {A.B.C.D}
filter acl ace ip <acl-id> <ace-id> dst-ip mask {A.B.C.D} <0-32>
filter acl ace ip <acl-id> <ace-id> dst-ip mask {A.B.C.D} {A.B.C.D}
filter acl ace ip <acl-id> <ace-id> dst-ip range {A.B.C.D} {A.B.C.D}
filter acl ace ip <acl-id> <ace-id> ip-frag-flag eq { noFragment | anyFragment }
filter acl ace ip <acl-id> <ace-id> ip-options any
filter acl ace ip <acl-id> <ace-id> ip-protocol-type eq WORD<1-256>
filter acl ace ip <acl-id> <ace-id> src-ip eq {A.B.C.D}
filter acl ace ip <acl-id> <ace-id> src-ip mask {A.B.C.D} <0-32>
filter acl ace ip <acl-id> <ace-id> src-ip mask {A.B.C.D} {A.B.C.D}
filter acl ace ip <acl-id> <ace-id> dscp mask <0-63 | 0-63> <0-0x40 | 0x0-0x0>
filter acl ace ip <acl-id> <ace-id> dst-ip eq WORD <1-1024>
filter acl ace ip <acl-id> <ace-id> routed-only
no filter acl ace ip <acl-id> <ace-id> dscp
no filter acl ace ip <acl-id> <ace-id> dst-ip
no filter acl ace ip <acl-id> <ace-id> ip-frag-flag
no filter acl ace ip <acl-id> <ace-id> ip-options
no filter acl ace ip <acl-id> <ace-id> ip-protocol-type
no filter acl ace ip <acl-id> <ace-id> src-ip
no filter acl ace ip <acl-id> <ace-id> routed-only
no filter acl ace ip <acl-id> <ace-id>

Command Parameters

<ace-id>

Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch.

<acl-id>

Specifies the ACL ID. Use the CLI Help to see the available range for the switch.

dscp <eq|mask> WORD <0-256>

The <eq|mask> parameter specifies an operator for a field match condition. The equals to parameter specifies the PHB name or DSCP value {0 to 256, where 256 => disable}, or:

phbcs0
phbcs1
phbaf11
phbaf12
phbaf13
phbcs2
phbaf21
phbaf22
phbaf23
phbcs3
phbaf31
phbaf32
phbaf33
phbcs4
phbaf41
phbaf42
phbaf43
phbcs5
phbcs6
phbef
phbcs7

dst-ip <eq|mask> WORD <1-1024>

The <eq|mask> parameter specifies an operator for a field match condition.

The WORD<1-1024> parameter specifies the destination IP address list in one of the following formats:

a.b.c.d
[w.x.y.z-p.q.r.s]
[l.m.n.o/mask]
[a.b.c.d/len]

ip-frag-flag eq <noFragment|anyFragment>

The eq parameter specifies an operator for a field match condition: equal to.

The ip-frag-flag parameter specifies a match option for IP fragments: noFragment or anyFragment.

ip-options any

Matches to an IP option. Any is the only option.

ip-protocol-type <eq> WORD <1-256>

The <eq> parameter specifies an operator for a field match condition: equal to.

The WORD<1-256> parameter specifies one or more IP protocol types:

(1-256)
icmp
tcp
udp
ipsecesp
ipsecah
ospf
vrrp
undefined

src-ip <eq|mask> WORD <1-1024>

The <eq|mask> parameter specifies an operator for a field match condition: equal to, not equal to, less than or equal to, greater than or equal to.

The WORD<1-1024> parameter specifies a source IP address list in one of the following formats:

a.b.c.d
[w.x.y.z-p.q.r.s]
[l.m.n.o/mask]
[a.b.c.d/len]

routed-only: Specifies a field match condition for IPv4 routed packets only. The default is disabled.

Default

None

Command Mode

Global Configuration

Usage Guidelines

The routed-only parameter is not supported on VSP 8600 Series or XA1400 Series.

The routed-only parameter is not supported for Multicast packets.