filter acl ace action

Configure the access control entry (ACE) action mode as deny or permit.

Syntax

default filter acl ace action <acl-id> <ace-id> { permit | deny } internal-qos
default filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt
default filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt count
default filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt count redirect-next-hop
default filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt redirect-next-hop
default filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt redirect-next-hop unreachable
default filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-ports
default filter acl ace action <acl-id> <ace-id> { permit | deny } redirect-next-hop
default filter acl ace action <acl-id> <ace-id> { permit | deny } remark-dot1p
default filter acl ace action <acl-id> <ace-id> { permit | deny } remark-dscp
default filter acl ace action <acl-id> <ace-id> { permit | deny }
default filter acl ace action <acl-id> <ace-id> { permit | deny } count
filter acl ace action <acl-id> <ace-id> { permit | deny }
filter acl ace action <acl-id> <ace-id> { permit | deny } count
filter acl ace action <acl-id> <ace-id> { permit | deny } internal-qos <0-7>
filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt <1-512>
filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-ports {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
filter acl ace action <acl-id> <ace-id> { permit | deny } redirect-next-hop WORD<1-45>
filter acl ace action <acl-id> <ace-id> { permit | deny } remark-dot1p <0-7>
filter acl ace action <acl-id> <ace-id> { permit | deny } remark-dscp <0-256 | 0-256>
filter acl ace action <acl-id> <ace-id> { permit | deny } redirect-next-hop WORD<1-45> [count | unreachable | vrf {WORD <1-16>}]
filter acl ace action <acl-id> <ace-id> { permit | deny } redirect-next-hop WORD<1-45> unreachable { permit | deny }
filter acl ace action <acl-id> <ace-id> { permit | deny } redirect-next-hop WORD<1-45> unreachable { permit | deny } count
filter acl ace action <acl-id> <ace-id> { permit | deny } redirect-next-hop WORD<1-45> vrf WORD <1-16> unreachable { permit | deny }
filter acl ace action <acl-id> <ace-id> { permit | deny } redirect-next-hop WORD<1-45> vrf WORD <1-16> unreachable { permit | deny } count
no filter acl ace action <acl-id> <ace-id> { permit | deny }
no filter acl ace action <acl-id> <ace-id> { permit | deny } count
no filter acl ace action <acl-id> <ace-id> { permit | deny } internal-qos
no filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt
no filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt count
no filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt count [log [redirect-next-hop]]
no filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt count redirect-next-hop
no filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt log
no filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt log redirect-next-hop
no filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-mlt redirect-next-hop
no filter acl ace action <acl-id> <ace-id> { permit | deny } monitor-dst-ports
no filter acl ace action <acl-id> <ace-id> { permit | deny } remark-dscp
no filter acl ace action <acl-id> <ace-id> { permit | deny } redirect-next-hop
no filter acl ace action <acl-id> <ace-id> { permit | deny } remark-dot1p

Command Parameters

<ace-id>

Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch.

<acl-id>

Specifies the ACL ID. Use the CLI Help to see the available range for the switch.

<permit|deny>

Configures the action mode for security access control entries (ACEs). Each ACE has a mode of permit or deny the matched traffic. You can use filters to configure metering of permitted traffic.

Note

For each Security ACE, you must define one or more actions as well as the associated action mode (permit or deny). Otherwise, the security ACE cannot be enabled. There is no default configuration for Security ACEs.

With QoS ACEs, the action mode is not configurable. QoS ACEs are always set to action mode permit.

count

Enables the ability to count matching packets. Use this parameter with either a security or QoS access control entry (ACE). The default is disabled.

internal-qos

Configures the Quality of Service (QoS) level. The default value is 1.

monitor-dst-mlt <1-512>

Configures mirroring to a destination MLT group. This action is a security action.

monitor-dst-ports {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

Configures mirroring to a destination port or ports. This action is a security action.

Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

redirect-next-hop WORD<1-15>

Specifies the next-hop IP address for redirect mode (a.b.c.d). This action is a security action.

vrf WORD<1-16>

Applies a VRF name to the redirect next hop IP address.

remark-dot1p <0-7>

Specifies the new 802.1 priority bit for matching packets: zero, one, two, three, four, five, six, or seven. This action is a QoS action.

remark-dscp <0-63>

Specifies the new Per-Hop Behavior (PHB) for matching packets:

phbcs0
phbcs1
phbaf11
phbaf12
phbaf13
phbcs2
phbaf21
phbaf22
phbaf23
phbcs3
phbaf31
phbaf32
phbaf33
phbcs4
phbaf41
phbaf42
phbaf43
phbcs5
phbef
phbcs6
phbcs7

This action is a QoS action.

Default

The default to configure ACE actions to meter flows after a packet matches an ACE is disabled.

Command Mode

Global Configuration

Usage Guidelines

DEMO FEATURE - Policy Based Routing (Redirect Next Hop) per VRF is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.