Configure an IP ACE

Configure an IP ACE to filter on the source IP address, destination IP address, DiffServ Code Point (DSCP), protocol, IP options, IP fragmentation, and routed packets only.

Before you begin

  • The ACL exists.

  • The ACE exists.

About this task

The eq and mask parameters specify an operator for a field match condition: equal to or mask. The mask operator is an implied eq on the mask bits.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure an ACE for the DSCP attribute:

    filter acl ace ip <acl-id> <ace-id> dscp eq {<0..63>|<0x00..0x3f>|phbcs0|phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|phbef|phbcs6|phbcs7}

    OR

    filter acl ace ip <acl-id> <ace-id> dscp mask {<0..63>|<0x00..0x3f>|phbcs0|phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|phbef|phbcs6|phbcs7} WORD<0x0-0x40>

  3. Configure an ACE for the destination or source IP address attribute:

    filter acl ace ip <acl-id> <ace-id> <dst-ip|src-ip> eq WORD<1–1024>

    OR

    filter acl ace ip <acl-id> <ace-id> <dst-ip|src-ip> mask WORD<1–1024> {<0–32>|null|<A.B.C.D>}

  4. Configure an ACE for the IP fragmentation attribute:

    filter acl ace ip <acl-id> <ace-id> ip-frag-flag eq <noFragment|anyFragment>

  5. Configure an ACE for the IP options attribute:

    filter acl ace ip <acl-id> <ace-id> ip-options any

  6. Configure an ACE for the protocol type attribute:

    filter acl ace ip <acl-id> <ace-id> ip-protocol-type eq WORD<1–256>

  7. Configure an ACE for routed packets only:

    filter acl ace ip <acl-id> <ace-id> routed-only

    Note

    This step does not apply to VSP 8600 Series or XA1400 Series.

  8. Ensure the configuration is correct:

    show filter acl ip <acl-id> <ace-id>

  9. Optionally, delete all the attributes from the IP (Layer 3) portion of the ACE:

    default filter acl ace ip <acl-id> <ace-id>

Example

Switch:1(config)#filter acl ace ip 1 12 dst-ip eq 198.51.100.0
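The following Python check is an added example, not part of the original documentation or the switch software. It validates a filter acl ace ip line against the syntax on this page before the line is applied, and resolves DSCP operands with the keyword table from the variable definitions. It assumes one a.b.c.d address per operand; dscp_value and check_ace are hypothetical names.

```python
import ipaddress

# DSCP keywords and their integer values, as listed in the variable definitions on this page.
DSCP = {"phbcs0": 0, "phbcs1": 8, "phbaf11": 10, "phbaf12": 12, "phbaf13": 14,
        "phbcs2": 16, "phbaf21": 18, "phbaf22": 20, "phbaf23": 22, "phbcs3": 24,
        "phbaf31": 26, "phbaf32": 28, "phbaf33": 30, "phbcs4": 32, "phbaf41": 34,
        "phbaf42": 36, "phbaf43": 38, "phbcs5": 40, "phbef": 46, "phbcs6": 48,
        "phbcs7": 56}

def dscp_value(token):
    """Resolve a DSCP operand (keyword, decimal or 0x hex) to an integer 0..63."""
    t = token.lower()
    value = DSCP[t] if t in DSCP else int(t, 16 if t.startswith("0x") else 10)
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP {token} is outside 0..63")
    return value

def check_ace(line):
    """Return None if the line fits the syntax on this page, else a problem string."""
    w = line.split("#")[-1].split()          # drop a leading CLI prompt, if present
    if w[:4] != ["filter", "acl", "ace", "ip"] or len(w) < 7:
        return "not a 'filter acl ace ip <acl-id> <ace-id> <attribute>' line"
    attr, args = w[6], w[7:]
    try:
        if attr == "dscp" and args[:1] == ["eq"] and len(args) == 2:
            dscp_value(args[1])
        elif attr in ("dst-ip", "src-ip") and args[:1] == ["eq"] and len(args) == 2:
            ipaddress.IPv4Address(args[1])   # assumption: a single a.b.c.d address
        elif attr in ("dst-ip", "src-ip") and args[:1] == ["mask"] and len(args) == 3:
            ipaddress.IPv4Address(args[1])
            m = args[2]                      # <0-32>, null, or dotted A.B.C.D
            if m != "null" and not (m.isdigit() and int(m) <= 32):
                ipaddress.IPv4Address(m)
        elif attr == "ip-frag-flag" and args[:1] == ["eq"] and len(args) == 2:
            if args[1] not in ("noFragment", "anyFragment"):
                raise ValueError(f"ip-frag-flag takes noFragment or anyFragment, got {args[1]}")
        elif (attr, args[:1]) in (("dscp", ["mask"]), ("ip-protocol-type", ["eq"])):
            pass                             # operands of these forms are not checked here
        elif (attr, args) not in (("ip-options", ["any"]), ("routed-only", [])):
            raise ValueError(f"unrecognised attribute or operands: {' '.join(w[6:])}")
    except ValueError as exc:                # also covers ipaddress.AddressValueError
        return str(exc)
    return None
```

Because dscp_value maps phbef, 46 and 0x2e to the same integer, it can also be used to spot ACEs that match the same DSCP under different notations during a configuration review.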

Variable definitions

Use the data in the following table to use the filter acl ace ip command.

Variable

Value

<ace-id>

Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch.

<acl-id>

Specifies the ACL ID. Use the CLI Help to see the available range for the switch.

{<0–32>|null|<A.B.C.D>}

Specifies the mask value for the destination or source IP address.

For example:

filter acl ace ip 10 10 dst-ip mask 198.51.100.0 25

filter acl ace ip 10 10 dst-ip mask 198.51.100.1 203.0.113.0

filter acl ace ip 10 10 src-ip mask 198.51.100.2 22

filter acl ace ip 10 10 src-ip mask 198.51.100.3 203.0.113.1

<noFragment|anyFragment>

Specifies a match option for IP fragments: noFragment or anyFragment.

{<0..63>|<0x00..0x3f>|phbcs0|phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|phbcs6|phbef|phbcs7}

Specifies the DSCP value using one of the following formats:

  • Enter as an integer (0–63) or hex (0x00–0x3f), or as a string:

    • phbcs0 — Enter as string “phbcs0”, integer 0 or hex 0x00

    • phbcs1 — Enter as string “phbcs1”, integer 8 or hex 0x08

    • phbaf11 — Enter as string “phbaf11”, integer 10 or hex 0x0a

    • phbaf12 — Enter as string “phbaf12”, integer 12 or hex 0x0c

    • phbaf13 — Enter as string “phbaf13”, integer 14 or hex 0x0e

    • phbcs2 — Enter as string “phbcs2”, integer 16 or hex 0x10

    • phbaf21 — Enter as string “phbaf21”, integer 18 or hex 0x12

    • phbaf22 — Enter as string “phbaf22”, integer 20 or hex 0x14

    • phbaf23 — Enter as string “phbaf23”, integer 22 or hex 0x16

    • phbcs3 — Enter as string “phbcs3”, integer 24 or hex 0x18

    • phbaf31 — Enter as string “phbaf31”, integer 26 or hex 0x1a

    • phbaf32 — Enter as string “phbaf32”, integer 28 or hex 0x1c

    • phbaf33 — Enter as string “phbaf33”, integer 30 or hex 0x1e

    • phbcs4 — Enter as string “phbcs4”, integer 32 or hex 0x20

    • phbaf41 — Enter as string “phbaf41”, integer 34 or hex 0x22

    • phbaf42 — Enter as string “phbaf42”, integer 36 or hex 0x24

    • phbaf43 — Enter as string “phbaf43”, integer 38 or hex 0x26

    • phbcs5 — Enter as string “phbcs5”, integer 40 or hex 0x28

    • phbef — Enter as string “phbef”, integer 46 or hex 0x2e

    • phbcs6 — Enter as string “phbcs6”, integer 48 or hex 0x30

    • phbcs7 — Enter as string “phbcs7”, integer 56 or hex 0x38

WORD<0x0-0x40>

Specifies the mask value. For example:

filter acl ace ip 10 10 dscp mask 129 0x40

WORD<1-256>

Specifies one or more IP protocol types: (1–256), or tcp, udp, ipsecesp, vrrp, snmp or undefined.

WORD<1–1024>

Specifies the destination or source IP address (a.b.c.d).