Configure ACE actions

Note

DEMO FEATURE - Policy Based Routing (Redirect Next Hop) per VRF is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information, see VOSS Feature Support Matrix.

Configure ACE actions to determine the process that occurs after a packet matches an ACE.

Before you begin

  • Create ACE and ACL.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure ACE actions:

    filter acl ace action <acl-id> <ace-id> <permit | deny>

    Note

    For VSP 8600 Series, the filter ACL ACE deny action does not apply to the Extensible Authentication Protocol (MKPDU), Link Layer Discovery Protocol, Virtual Link Aggregation Control Protocol, Link Aggregation Control Protocol, Topology Discovery Protocol, and Bridge Protocol Data Unit (BPDU) Guard frames. The system still snoops these packets to the Central Processing Unit (CPU) for processing.

  3. Optional: Configure ACE actions to count matching packets:

    filter acl ace action <acl-id> <ace-id> <permit | deny> count

  4. Optional: Configure the QoS level for matching packets:

    filter acl ace action <acl-id> <ace-id> <permit | deny> internal-qos <0-7>

    Note

    This step does not apply to IPv6 filtering.

  5. Optional: Enable mirroring on destination MLT for matching packets:

    filter acl ace action <acl-id> <ace-id> <permit | deny> monitor-dst-mlt <1-512>

  6. Optional: Enable mirroring on a port for matching packets:

    filter acl ace action <acl-id> <ace-id> <permit | deny> monitor-dst-ports {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

  7. Optional: Enable mirroring on destination I-SID for matching packets:

    filter acl ace action <acl-id> <ace-id> <permit | deny> monitor-isid-offset <1-1000>

  8. Optional: Configure the next hop IPv4 or IPv6 address for redirect mode for matching packets:

    filter acl ace action <acl-id> <ace-id> <permit | deny> redirect-next-hop WORD<1-45> [count | unreachable | vrf {WORD <1-16>}]

    Important

    Ensure you configure the ACE match rules so that only the desired traffic is redirected, for example, routed packets only.

  9. Optional: Configure the next hop IPv4 or IPv6 address for redirect mode for matching packets for a VRF. If the next hop is unreachable, you can also configure ACE actions to permit/deny packet dropping within the VRF:

    filter acl ace action <acl-id> <ace-id> <permit | deny> redirect-next-hop WORD<1-45> vrf WORD <1-16> unreachable <permit | deny>

  10. Optional: Configure the next hop IPv4 or IPv6 address for redirect mode for matching packets for a VRF. If the next hop is unreachable, you can also configure ACE actions to count matching packets, or to permit/deny packet dropping within the VRF:

    filter acl ace action <acl-id> <ace-id> <permit | deny> redirect-next-hop WORD<1-45> vrf WORD <1-16> unreachable <permit | deny> count

  11. Optional: Configure the QoS dot1 priority for matching packets:

    filter acl ace action <acl-id> <ace-id> <permit | deny> remark-dot1p <0-7>

    Note

    This step does not apply to IPv6 filtering.

  12. Optional: Configure the QoS phb and dscp for matching packets:

    filter acl ace action <acl-id> <ace-id> <permit | deny> remark-dscp [phbcs0 | phbcs1 | phbaf11 | phbaf12 | phbaf13 | phbcs2 | phbaf21 | phbaf22 | phbaf23 | phbcs3 | phbaf31 | phbaf32 | phbaf33 | phbcs4 | phbaf41 | phbaf42 | phbaf43 | phbcs5 | phbef | phbcs6 | phbcs7]

  13. Optional: Configure the mode when next hop is unreachable:

    filter acl ace action <acl-id> <ace-id> <permit | deny> unreachable [permit | deny]

  14. Ensure the configuration is correct:

    show filter acl action <acl-id> <ace-id>

    OR

    show filter acl config

    OR

    show filter acl ace

Example

Configure ACE actions:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#filter acl ace action 1 47 permit redirect-next-hop 192.0.2.5 unreachable deny count

Display the configuration using the show filter acl action command:

Switch:1(config)#show filter acl action
=========================================================================================
                           Ace Action Table (Part I)
=========================================================================================
Acl  Ace  AceName                  Admin   Oper    Mode   Mlt Remark  Remark
Id   Id                            State   State           Id DSCP    Dot1p
-----------------------------------------------------------------------------------------
1    47   ace47                    Disable Down    permit 0   disable disable

=========================================================================================
                           Ace Action Table (Part II)
=========================================================================================
Acl  Ace  Redirect                      Vrf                     Unreach Police  Internal
Id   Id   Next-Hop                      name                    -able           Qos
-----------------------------------------------------------------------------------------
1    47   2.0.0.0                       GlobalRouter            deny    0       0

=========================================================================================
                          Ace Action Table (Part III)
=========================================================================================
Acl  Ace  Ipfix   Count   Log     CopyTo  Monitor  Monitor   Monitor
Id   Id                           Pcap    Dst-Mlt  Dst-Vlan  Dst-Port
-----------------------------------------------------------------------------------------
1    47   disable enable  disable disable 1        0

=========================================================================================
                           Ace Action Table (Part IV)
=========================================================================================
Acl  Ace  Monitor           Dscp     Ttl      Monitor    Isid   QoS Remove-Tag
Id   Id   Dst-Ip                              Isid       Offset
-----------------------------------------------------------------------------------------
1    47   0.0.0.0           ----     ----     ---        ---    ---

Displayed 1 of 1 Entries

Display the configuration using the show filter acl config command:

Switch:1(config)#show filter acl config 

====================================================================================
                          Filter ACL-ACE Configuration
====================================================================================
------------------------------------------------------------------------------------
filter acl 1 type inPort name "ACL-1" 
filter acl set 1 policer svc-rate 100 peak-rate 200 
filter acl port 1 1/1 
filter acl ace 1 1 
filter acl ace action 1 1 permit count
filter acl ace ethernet 1 1 src-mac eq aa:bb:cc:dd:ee:ff 
filter acl ace policer 1 1 svc-rate 300 peak-rate 400
filter acl ace 1 1 enable
filter acl ace 1 2 
filter acl ace action 1 2 permit count
filter acl ace ethernet 1 2 dst-mac eq ff:ff:ff:ff:ff:ff 
filter acl ace policer 1 2 svc-rate 500 peak-rate 600
filter acl ace 1 2 enable
filter acl 3 type inPort name "ACL-3" 
filter acl set 3 policer svc-rate 800 peak-rate 1000 
filter acl port 3 1/7-1/8 
filter acl ace 3 2 
filter acl ace action 3 2 permit count
filter acl ace ethernet 3 2 dst-mac eq 00:00:00:00:00:33 
filter acl ace policer 3 2 svc-rate 1000 peak-rate 4000
filter acl ace 3 2 enable

Display the configuration using the show filter acl ace command:

Switch:1(config)#show filter acl ace

================================================================================ 
                           Ace Action Table (Part I)
================================================================================ 
Acl  Ace  AceName                  Admin   Oper    Mode   Mlt Remark  Remark
Id   Id                            State   State           Id DSCP    Dot1p
-------------------------------------------------------------------------------- 
1    1    ACE-1                    Enable  Up      permit 0   disable disable
1    2    ACE-2                    Enable  Up      permit 0   disable disable
3    2    ACE-2                    Enable  Up      permit 0   disable disable
4    4    ACE-4                    Disable Down    permit 0   disable disable
6    10   ACE-10                   Disable Down    permit 0   disable disable
15   15   ACL15                    Enable  Up      permit 0   phbaf23 disable

================================================================================
                           Ace Action Table (Part II)
================================================================================
Acl  Ace  Redirect                 Vrf               Unreach Police  Internal
Id   Id   Next-Hop                 name              -able           Qos     
--------------------------------------------------------------------------------
1    1    0.0.0.0             GlobalRouter            deny    0       0       
1    2    0.0.0.0             GlobalRouter            deny    0       0       
3    2    0.0.0.0             GlobalRouter            deny    0       0  
4    4    0.0.0.0             GlobalRouter            deny    0       0
6    10   0:0:0:0:0:0:0:0     GlobalRouter            deny    0       0
15   15   0:0:0:0:0:0:0:0     GlobalRouter            deny    0       0


================================================================================  
                          Ace Action Table (Part III)
================================================================================   
Acl  Ace  Ipfix   Count   Log     CopyTo  Monitor  Monitor   Monitor
Id   Id                           Pcap    Dst-Mlt  Dst-Vlan  Dst-Port
--------------------------------------------------------------------------------
1    1    disable enable  disable 0        0                   
1    2    disable enable  disable 0        0                   
3    2    disable enable  disable 0        0  
4    4    disable disable disable 0        0
6    10   disable disable disable 0        0
15   15   disable enable  disable 0        0

================================================================================  
                           Ace Action Table (Part IV)
================================================================================
Acl  Ace  Monitor           Dscp     Ttl      Monitor    Isid   QoS Remove-Tag
Id   Id   Dst-Ip                              Isid       Offset
--------------------------------------------------------------------------------
1    1    0.0.0.0           ----     ----     ---        ---    --- 
1    2    0.0.0.0           ----     ----     ---        ---    --- 
3    2    0.0.0.0           ----     ----     ---        ---    --- 
4    4    0.0.0.0           ----     ----     ---        ---    ---
6    10   0.0.0.0           ----     ----     ---        ---    ---
15   15   0.0.0.0           ----     ----     ---        ---    ---


Displayed 3 of 3 Entries


================================================================================ 

                                 ACE Arp Table
================================================================================ 
AclId  AceId  Operation
-------------------------------------------------------------------------------- 
1      1            
1      2            
3      2
4      4
6      10
15     15

Displayed 3 of 3 entries


================================================================================  
                          ACE Ethernet Table (Part I)
================================================================================
Acl  Ace  Operator/              Operator/              Operator/
Id   Id   SourceMac              DestMac                PortList
-------------------------------------------------------------------------------- 
1    1    eq aa:bb:cc:dd:ee:ff                                                 
1    2    eq ff:ff:ff:ff:ff:ff                         
3    2    eq 00:00:00:00:00:33   
4    4
6    10
15   15

================================================================================
                          ACE Ethernet Table (Part II)
================================================================================
Acl  Ace  Operator/              Operator/              Operator/
Id   Id   EtherType              VlanId                 VlanTagPrio
--------------------------------------------------------------------------------
1    1            
1    2            
3    2
4    4
6    10
15   15                          eq 10

Displayed 3 of 3 entries


================================================================================     
                             ACE Ip Table (Part I)
================================================================================
Acl  Ace  Operator/          SourceIp        Operator/          DestIp
Id   Id   SourceIp           mask            DestIp             mask
--------------------------------------------------------------------------------
1    1            
1    2            
3    2
4    4
6    10
15   15

================================================================================
                             ACE Ip Table (Part II)
================================================================================
Acl  Ace  Ip     Operator/            Operator/            Operator/
Id   Id   Option IpFragFlag           IpProtoType          Dscp
--------------------------------------------------------------------------------
1    1            
1    2            
3    2
4    4
6    10
15   15

Displayed 3 of 3 entries


================================================================================
                            ACE Ipv6 Table (Part I)
================================================================================
Acl  Ace  Operator/                     SrcIpv6
Id   Id   SrcIpv6                       mask
--------------------------------------------------------------------------------
1    1           
1    2            
3    2
4    4
6    10
15   15

================================================================================
                            ACE Ipv6 Table (Part II)
================================================================================
Acl  Ace  Operator/                     DstIpv6
Id   Id   DstIpv6                       mask
--------------------------------------------------------------------------------
1    1            
1    2            
3    2
4    4
6    10
15   15

=================================================================================
                           ACE Ipv6 Table (Part III)
=================================================================================
Acl  Ace  Operator/                     Operator/
Id   Id   NxtHdr                        Traffic-Cls
---------------------------------------------------------------------------------
1    1            
1    2            
3    2
4    4
6    10
15   15

Displayed 3 of 3 entries


==================================================================================
                               ACE Policer Table
==================================================================================
Acl   Ace   Service-rate Peak-rate
Id    Id
----------------------------------------------------------------------------------
1     1     300          400  
1     2     500          600    
3     2     1000         4000
4     4     
6     10 
15    15    

Displayed 3 of 3 entries


===================================================================================
                          ACE Protocol Table (Part I)
===================================================================================
Acl  Ace  Operator/              Operator/
Id   Id   SrcPort                DstPort
-----------------------------------------------------------------------------------
1    1            
1    2            
3    2
4    4     eq aa:bb:cc:dd:ee:ff
6    10    eq ff:ff:ff:ff:ff:ff 
15   15    eq 00:00:00:00:00:33 

====================================================================================
                          ACE Protocol Table (Part II)
====================================================================================
Acl  Ace  Operator/              Operator/
Id   Id   TcpFlags               IcmpMsgType
------------------------------------------------------------------------------------
1    1            
1    2            
3    2
4    4
6    10
15   15

=====================================================================================
                         ACE Protocol Table (Part III)
=====================================================================================
Acl  Ace  Operator/
Id   Id   Routing-Type
-------------------------------------------------------------------------------------
1    1            
1    2            
3    2
4    4
6    10
15   15


Displayed 3 of 3 entries
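The following parser and audit routine is an added example, not code from the page or from the product vendor. It reads ACE definitions in the `show filter acl config` format shown above, collects each ACE's mode, enable state and action keywords, and reports what an operator reviewing the filter configuration would want to know: ACEs with no action mode (which, per the page, cannot be enabled), ACEs that are defined but never enabled, deny ACEs without `count` (so drops are invisible), redirect ACEs whose `unreachable` mode deviates from the documented default of deny, and the monitor I-SID that a `monitor-isid-offset` resolves to (base 16776000 + offset). The sample configuration is constructed; the function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BASE_MONITOR_ISID = 16776000  # base monitor I-SID stated on this page

# Action keywords that take one following token; `count` stands alone.
VALUED = {"internal-qos", "monitor-dst-mlt", "monitor-dst-ports", "monitor-isid-offset",
          "redirect-next-hop", "unreachable", "vrf", "remark-dot1p", "remark-dscp"}

ACE_LINE = re.compile(r"^filter acl ace (\d+) (\d+)(?: (enable))?$")
ACTION_LINE = re.compile(r"^filter acl ace action (\d+) (\d+) (permit|deny)(.*)$")

# Constructed sample in the `show filter acl config` format (not captured from a switch).
SAMPLE_CONFIG = """\
filter acl 1 type inPort name "ACL-1"
filter acl port 1 1/1
filter acl ace 1 1
filter acl ace action 1 1 permit count
filter acl ace ethernet 1 1 src-mac eq aa:bb:cc:dd:ee:ff
filter acl ace 1 1 enable
filter acl ace 1 2
filter acl ace action 1 2 deny
filter acl ace 1 2 enable
filter acl ace 1 47
filter acl ace action 1 47 permit redirect-next-hop 192.0.2.5 unreachable permit count
filter acl ace 1 47 enable
filter acl ace 1 5
filter acl ace action 1 5 permit monitor-isid-offset 42 count
"""

@dataclass
class Ace:
    acl_id: int
    ace_id: int
    enabled: bool = False
    mode: Optional[str] = None            # "permit" or "deny"; None if no action line
    actions: Dict[str, object] = field(default_factory=dict)

def parse_config(text: str) -> Dict[Tuple[int, int], Ace]:
    """Collect ACE definitions, enable lines and action lines keyed by (acl-id, ace-id)."""
    aces: Dict[Tuple[int, int], Ace] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_LINE.match(line)
        if m:
            ace = aces.setdefault((int(m[1]), int(m[2])), Ace(int(m[1]), int(m[2])))
            ace.enabled = ace.enabled or bool(m[3])
            continue
        m = ACTION_LINE.match(line)
        if not m:
            continue                      # match rules, policers, ACL-level lines: not needed here
        ace = aces.setdefault((int(m[1]), int(m[2])), Ace(int(m[1]), int(m[2])))
        ace.mode = m[3]
        toks = m[4].split()
        i = 0
        while i < len(toks):
            if toks[i] == "count":
                ace.actions["count"] = True
                i += 1
            elif toks[i] in VALUED and i + 1 < len(toks):
                ace.actions[toks[i]] = toks[i + 1]
                i += 2
            else:
                raise ValueError(f"unexpected action token {toks[i]!r} in: {line}")
    return aces

def audit(aces: Dict[Tuple[int, int], Ace]) -> List[str]:
    """Return review findings derived from the rules this page states."""
    findings = []
    for (acl, ace_id), ace in sorted(aces.items()):
        tag, a = f"ACL {acl} ACE {ace_id}", ace.actions
        if ace.mode is None:
            findings.append(f"{tag}: no action mode; a security ACE cannot be enabled without one")
        elif not ace.enabled:
            findings.append(f"{tag}: configured but not enabled (Admin State Disable)")
        if ace.mode == "deny" and "count" not in a:
            findings.append(f"{tag}: deny without count, so dropped packets are not counted")
        if "redirect-next-hop" in a and a.get("unreachable", "deny") == "permit":
            findings.append(f"{tag}: redirect to {a['redirect-next-hop']} with unreachable permit "
                            "(default is deny); review the next-hop failure behaviour")
        if "monitor-isid-offset" in a:
            isid = BASE_MONITOR_ISID + int(a["monitor-isid-offset"])
            findings.append(f"{tag}: mirrors to monitor I-SID {isid}")
    return findings

if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```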

Variable definitions

Use the data in the following table to use the filter acl ace action command.

Variable

Value

<acl-id>

Specifies the ACL ID. Use the CLI Help to see the available range for the switch.

<ace-id>

Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch.

count

Enables the ability to count matching packets. Use this parameter with either a security or QoS ACE. The default is disabled.

<deny|permit>

Configures the action mode for security ACEs.

Note:

For each Security ACE, you must define one or more actions as well as the associated action mode (permit or deny). Otherwise, the security ACE cannot be enabled. There is no default configuration for Security ACEs. With QoS ACEs, the action mode is not configurable. QoS ACEs are always set to action mode permit.

monitor-isid-offset <1–1000>

Specifies the offset ID which will be mapped to the actual monitor I-SID where packets are mirrored.

Monitor I-SID = base monitor I-SID + offset ID.

The base monitor I-SID is 16776000.

internal-qos <0–7>

This variable is a QoS action. The default value is 1.

Note:

This does not apply to IPv6 filtering.

monitor-dst-ports {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

Configures mirroring to a destination port or ports. This action is a security action.

Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

monitor-dst-mlt <1–512>

Configures mirroring to a destination MLT in the range of 1 to 512.

redirect-next-hop WORD <1–45>

Specifies the next hop IPv4 or IPv6 address for redirect mode.

This action is a security action.

Note:

redirect-next-hop is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.

unreachable <permit|deny>

Denies or permits packet dropping when the next hop for the packet is unreachable.

The default value is deny.

This action is a security action.

Note:

unreachable is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.

vrf WORD<1–16>

Specifies the redirect next hop VRF name. The name must be in the range of 1 to 16 characters.

Note:

vrf is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.

remark-dscp <phbcs0|phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|phbef|phbcs6|phbcs7>

Specifies the new Per-Hop Behavior (PHB) for matching packets: phbcs0, phbcs1, phbaf11, phbaf12, phbaf13, phbcs2, phbaf21, phbaf22, phbaf23, phbcs3, phbaf31, phbaf32, phbaf33, phbcs4, phbaf41, phbaf42, phbaf43, phbcs5, phbef, phbcs6, phbcs7.

This action is a QoS action.

Note:

This action applies to IPv6 filtering.

remark-dot1p <0–7>

Specifies the new 802.1 priority bit for matching packets: zero, one, two, three, four, five, six, or seven.

This action is a QoS action.

Note:

This does not apply to IPv6 filtering.