Configure ACE actions
Note
DEMO FEATURE - Policy Based Routing (Redirect Next Hop) per VRF is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information, see VOSS Feature Support Matrix.
Configure ACE actions to determine the process that occurs after a packet matches an ACE.
Before you begin
Create ACE and ACL.
Procedure
- Configure ACE actions:
filter acl ace action <acl-id> <ace-id> <permit | deny>
Note
For VSP 8600 Series, the filter ACL ACE deny action does not apply to the Extensible Authentication Protocol (MKPDU), Link Layer Discovery Protocol, Virtual Link Aggregation Control Protocol, Link Aggregation Control Protocol, Topology Discovery Protocol, and Bridge Protocol Data Unit (BPDU) Guard frames. The system still snoops these packets to the Central Processing Unit (CPU) for processing.
- Optional:
Configure the QoS level for matching
packets:
filter acl ace action <acl-id> <ace-id> <permit | deny> internal-qos <0-7>
Note
This step does not apply to IPv6 filtering.
- Optional: Configure the next
hop IPv4 or IPv6 address for redirect mode for matching packets:
filter acl ace action <acl-id> <ace-id> <permit | deny> redirect-next-hop WORD<1-45> [count | unreachable | vrf {WORD <1-16>}]
Important
Ensure you configure the ACE match rules so that you only collect the desired traffic. For example, routed packets.
- Optional:
Configure the QoS dot1 priority for matching
packets:
filter acl ace action <acl-id> <ace-id> <permit | deny> remark-dot1p <0-7>
Note
This step does not apply to IPv6 filtering.
Example
Configure ACE actions:
Switch:1>enable Switch:1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch:1(config)#filter acl ace action 1 47 permit redirect-next-hop 192.0.2.5 unreachable deny count
Display the configuration using the show filter ace action command:
Switch:1(config)#show filter acl action
=========================================================================================
Ace Action Table (Part I)
=========================================================================================
Acl Ace AceName Admin Oper Mode Mlt Remark Remark
Id Id State State Id DSCP Dot1p
-----------------------------------------------------------------------------------------
1 47 ace47 Disable Down permit 0 disable disable
=========================================================================================
Ace Action Table (Part II)
=========================================================================================
Acl Ace Redirect Vrf Unreach Police Internal
Id Id Next-Hop name -able Qos
-----------------------------------------------------------------------------------------
1 47 2.0.0.0 GlobalRouter deny 0 0
=========================================================================================
Ace Action Table (Part III)
=========================================================================================
Acl Ace Ipfix Count Log CopyTo Monitor Monitor Monitor
Id Id Pcap Dst-Mlt Dst-Vlan Dst-Port
-----------------------------------------------------------------------------------------
1 47 disable enable disable disable 1 0
=========================================================================================
Ace Action Table (Part IV)
=========================================================================================
Acl Ace Monitor Dscp Ttl Monitor Isid QoS Remove-Tag
Id Id Dst-Ip Isid Offset
-----------------------------------------------------------------------------------------
1 47 0.0.0.0 ---- ---- --- --- ---
Displayed 1 of 1 Entries
Display the configuration using the show filter acl config command:
Switch:1(config)#show filter acl config
====================================================================================
Filter ACL-ACE Configuration
====================================================================================
------------------------------------------------------------------------------------
filter acl 1 type inPort name "ACL-1"
filter acl set 1 policer svc-rate 100 peak-rate 200
filter acl port 1 1/1
filter acl ace 1 1
filter acl ace action 1 1 permit count
filter acl ace ethernet 1 1 src-mac eq aa:bb:cc:dd:ee:ff
filter acl ace policer 1 1 svc-rate 300 peak-rate 400
filter acl ace 1 1 enable
filter acl ace 1 2
filter acl ace action 1 2 permit count
filter acl ace ethernet 1 2 dst-mac eq ff:ff:ff:ff:ff:ff
filter acl ace policer 1 2 svc-rate 500 peak-rate 600
filter acl ace 1 2 enable
filter acl 3 type inPort name "ACL-3"
filter acl set 3 policer svc-rate 800 peak-rate 1000
filter acl port 3 1/7-1/8
filter acl ace 3 2
filter acl ace action 3 2 permit count
filter acl ace ethernet 3 2 dst-mac eq 00:00:00:00:00:33
filter acl ace policer 3 2 svc-rate 1000 peak-rate 4000
filter acl ace 3 2 enable
Display the configuration using the show filter acl ace command:
Switch:1(config)#show filter acl ace
================================================================================
Ace Action Table (Part I)
================================================================================
Acl Ace AceName Admin Oper Mode Mlt Remark Remark
Id Id State State Id DSCP Dot1p
--------------------------------------------------------------------------------
1 1 ACE-1 Enable Up permit 0 disable disable
1 2 ACE-2 Enable Up permit 0 disable disable
3 2 ACE-2 Enable Up permit 0 disable disable
4 4 ACE-4 Disable Down permit 0 disable disable
6 10 ACE-10 Disable Down permit 0 disable disable
15 15 ACL15 Enable Up permit 0 phbaf23 disable
================================================================================
Ace Action Table (Part II)
================================================================================
Acl Ace Redirect Vrf Unreach Police Internal
Id Id Next-Hop name -able Qos
--------------------------------------------------------------------------------
1 1 0.0.0.0 GlobalRouter deny 0 0
1 2 0.0.0.0 GlobalRouter deny 0 0
3 2 0.0.0.0 GlobalRouter deny 0 0
4 4 0.0.0.0 GlobalRouter deny 0 0
6 10 0:0:0:0:0:0:0:0 GlobalRouter deny 0 0
15 15 0:0:0:0:0:0:0:0 GlobalRouter deny 0 0
================================================================================
Ace Action Table (Part III)
================================================================================
Acl Ace Ipfix Count Log CopyTo Monitor Monitor Monitor
Id Id Pcap Dst-Mlt Dst-Vlan Dst-Port
-----------------------------------------------------
1 1 disable enable disable 0 0
1 2 disable enable disable 0 0
3 2 disable enable disable 0 0
4 4 disable disable disable 0 0
6 10 disable disable disable 0 0
15 15 disable enable disable 0 0
================================================================================
Ace Action Table (Part IV)
================================================================================
Acl Ace Monitor Dscp Ttl Monitor Isid QoS Remove-Tag
Id Id Dst-Ip Isid Offset
--------------------------------------------------------------------------------
1 1 0.0.0.0 ---- ---- --- --- ---
1 2 0.0.0.0 ---- ---- --- --- ---
3 2 0.0.0.0 ---- ---- --- --- ---
4 4 0.0.0.0 ---- ---- --- --- ---
6 10 0.0.0.0 ---- ---- --- --- ---
15 15 0.0.0.0 ---- ---- --- --- ---
Displayed 3 of 3 Entries
================================================================================
ACE Arp Table
================================================================================
AclId AceId Operation
--------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15
Displayed 3 of 3 entries
================================================================================
ACE Ethernet Table (Part I)
================================================================================
Acl Ace Operator/ Operator/ Operator/
Id Id SourceMac DestMac PortList
--------------------------------------------------------------------------------
1 1 eq aa:bb:cc:dd:ee:ff
1 2 eq ff:ff:ff:ff:ff:ff
3 2 eq 00:00:00:00:00:33
4 4
6 10
15 15
================================================================================
ACE Ethernet Table (Part II)
================================================================================
Acl Ace Operator/ Operator/ Operator/
Id Id EtherType VlanId VlanTagPrio
--------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15 eq 10
Displayed 3 of 3 entries
================================================================================
ACE Ip Table (Part I)
================================================================================
Acl Ace Operator/ SourceIp Operator/ DestIp
Id Id SourceIp mask DestIp mask
--------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15
================================================================================
ACE Ip Table (Part II)
================================================================================
Acl Ace Ip Operator/ Operator/ Operator/
Id Id Option IpFragFlag IpProtoType Dscp
--------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15
Displayed 3 of 3 entries
================================================================================
ACE Ipv6 Table (Part I)
================================================================================
Acl Ace Operator/ SrcIpv6
Id Id SrcIpv6 mask
--------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15
================================================================================
ACE Ipv6 Table (Part II)
================================================================================
Acl Ace Operator/ DstIpv6
Id Id DstIpv6 mask
--------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15
=================================================================================
ACE Ipv6 Table (Part III)
=================================================================================
Acl Ace Operator/ Operator/
Id Id NxtHdr Traffic-Cls
---------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15
Displayed 3 of 3 entries
==================================================================================
ACE Policer Table
==================================================================================
Acl Ace Service-rate Peak-rate
Id Id
----------------------------------------------------------------------------------
1 1 300 400
1 2 500 600
3 2 1000 4000
4 4
6 10
15 15
Displayed 3 of 3 entries
===================================================================================
ACE Protocol Table (Part I)
===================================================================================
Acl Ace Operator/ Operator/
Id Id SrcPort DstPort
-----------------------------------------------------------------------------------
1 1
1 2
3 2
4 4 eq aa:bb:cc:dd:ee:ff
6 10 eq ff:ff:ff:ff:ff:ff
15 15 eq 00:00:00:00:00:33
====================================================================================
ACE Protocol Table (Part II)
====================================================================================
Acl Ace Operator/ Operator/
Id Id TcpFlags IcmpMsgType
------------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15
=====================================================================================
ACE Protocol Table (Part III)
=====================================================================================
Acl Ace Operator/
Id Id Routing-Type
-------------------------------------------------------------------------------------
1 1
1 2
3 2
4 4
6 10
15 15
Displayed 3 of 3 entries
Variable definitions
Use the data in the following table to use the filter acl ace action command.
-
|
Variable |
Value |
|---|---|
|
<acl-id> |
Specifies the ACL ID. Use the CLI Help to see the available range for the switch. |
|
<ace-id> |
Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch. |
|
count |
Enables the ability to count matching packets. Use this parameter with either a security or QoS ACE. The default is disabled. |
|
<deny|permit> |
Configures the action mode for security ACEs. Note:
For each Security ACE, you must define one or more actions as well as the associated action mode (permit or deny). Otherwise, the security ACE cannot be enabled. There is no default configuration for Security ACEs. With QoS ACEs, the action mode is not configurable. QoS ACEs are always set to action mode permit. |
|
monitor-isid-offset <1–1000> |
Specifies the offset ID which will be mapped to the actual monitor I-SID where packets are mirrored. Monitor I-SID = base monitor I-SID + offset ID. The base monitor I-SID is 16776000. |
|
internal-qos <0–7> |
This variable is a QoS action.The default value is 1. Note:
This does not apply to IPv6 filtering. |
|
monitor-dst-ports {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} |
Configures mirroring to a destination port or ports. This action is a security action. Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port. |
|
monitor-dst-mlt <1–512> |
Configures mirroring to a destination MLT in the range of 1 to 512. |
|
redirect-next-hop WORD <1–45> |
Specifies the nexthop IPv4 or IPv6 address for redirect node. This action is a security action. Note:
redirect-next-hop is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix. |
|
unreachable <permit|deny> |
Denies or permits packet dropping when the next hop for the packet is unreachable. The default value is deny. This action is a security action. Note:
unreachable is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix. |
|
vrf WORD<1–16> |
Specifies the direct next hop VRF name. The name must be in the ranger of 1 to 16 characters. Note:
vrf is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix. |
|
remark-dscp <phbcs0|phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|phbcs6|phbef|phbcs7> |
Specifies the new Per-Hop Behavior (PHB) for matching packets: phbcs0, phbcs1, phbaf11, phbaf12, phbaf13, phbcs2, phbaf21, phbaf22, phbaf23, phbcs3, phbaf31, phbaf32, phbaf33, phbcs4, phbaf41, phbaf42, phbaf43, phbcs5, phbef, phbcs6, phbcs7. This action is a QoS action. Note:
This action applies to IPv6 filtering. |
|
remark-dot1p <0–7> |
Specifies the new 802.1 priority bit for matching packets: zero, one, two, three, four, five, six, or seven. This action is a QoS action. Note:
This does not apply to IPv6 filtering. |