Configure an IP ACE

Configure an IP ACE to filter on the source IP address, destination IP address, DiffServ Code Point (DSCP), protocol, IP options, IP fragmentation, and routed packets only.

Before you begin

The ACL exists.
The ACE exists.

About this task

The eq and mask parameters specify an operator for a field match condition: equal to or mask. The mask operator is an implied eq on the mask bits.

Procedure

Enter Global Configuration mode:

enable

configure terminal
Configure an ACE for the DSCP attribute:

filter acl ace ip <acl-id> <ace-id> dscp eq {<0..63>|<0x00..0x3f>|phbcs0|phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|phbef|phbcs6|phbcs7}

OR

filter acl ace ip <acl-id> <ace-id> dscp mask {<0..63>|<0x00..0x3f>|phbcs0|phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|phbef|phbcs6|phbcs7} WORD<0x0-0x40>
Configure an ACE for the destination or source IP address attribute:

filter acl ace ip <acl-id> <ace-id> <dst-ip|src-ip> eq WORD<1–1024>

OR

filter acl ace ip <acl-id> <ace-id> <dst-ip|src-ip> mask WORD<1–1024> {<0–32>|null|<A.B.C.D>}
Configure an ACE for the IP fragmentation attribute:

filter acl ace ip <acl-id> <ace-id> ip-frag-flag eq <noFragment|anyFragment>
Configure an ACE for the IP options attribute:

filter acl ace ip <acl-id> <ace-id> ip-options any
Configure an ACE for the protocol type attribute:

filter acl ace ip <acl-id> <ace-id> ip-protocol-type eq WORD<1–256>
Configure an ACE for routed packets only:

filter acl ace ip <acl-id> <ace-id> routed-only

Note

This step does not apply to VSP 8600 Series or XA1400 Series.
Ensure the configuration is correct:

show filter acl ip <acl-id> <ace-id>
Optionally, delete all the attributes from the IP (Layer 3) portion of the ACE:

default filter acl ace ip <acl-id> <ace-id>

Example

Switch:1(config)#filter acl ace ip 1 12 dst-ip eq 198.51.100.0

Variable definitions

Use the data in the following table to use the filter acl ace ip command.


Variable	Value
`<ace-id>`	Specifies the ACE ID. Different hardware platforms support different ACE ID ranges. Use the CLI Help to see the available range for the switch.
`<acl-id>`	Specifies the ACL ID. Use the CLI Help to see the available range for the switch.
{<0–32>\|null\|<A.B.C.D>}	Specifies the mask value for the destination or source IP address For example: `filter acl ace ip 10 10 dst-ip mask 198.51.100.0 25` `filter acl ace ip 10 10 dst-ip mask 198.51.100.1 203.0.113.0` `filter acl ace ip 10 10 src-ip mask 198.51.100.2 22` `filter acl ace ip 10 10 src-ip mask 198.51.100.3 203.0.113.1`
<noFragment\|anyFragment>	Specifies a match option for IP fragments noFragment or anyFragment.
{<0..63>\|<0x00..0x3f>\|phbcs0\|phbcs1\|phbaf11\|phbaf12\|phbaf13\|phbcs2\|phbaf21\|phbaf22\|phbaf23\|phbcs3\|phbaf31\|phbaf32\|phbaf33\|phbcs4\|phbaf41\|phbaf42\|phbaf43\|phbcs5\|phbcs6\|phbef\|phbcs7}	Specifies the DSCP value using one of the following formats: Enter as an integer (0–63) or hex (0x00–0x3f), or as a string: phbcs0 — Enter as string “phbcs0”, integer 0 or hex 0x00 phbcs1 — Enter as string “phbcs1”, integer 8 or hex 0x08 phbaf11 — Enter as string “phbaf11” integer 10 or hex 0x0a phbaf12 — Enter as string “phbcaf12”, integer 12 or hex 0x0c phbaf13 — Enter as string “phbaf13”, integer 14 or hex 0x0e phbcs2 — Enter as string “phbcs2”, integer 16 or hex 0x10 phbaf21 — Enter as string “phbaf21”, integer 18 or hex 0x12 phbaf22 — Enter as string “phbaf22”, integer 20 or hex 0x14 phbaf23 — Enter as string “phbaf23”, integer 22 or hex 0x16 phbcs3 — Enter as string “phbcs3”, integer 24 or hex 0x18 phbaf31 — Enter as string “phbaf31”, integer 26 or hex 0x1a phbaf32 — Enter as string “phbaf32”, integer 28 or hex 0x1c phbaf33 — Enter as string “phbaf33”, integer 30 or hex 0x1e phbcs4 — Enter as string “phbcs4”, integer 32 or hex 0x20 phbaf41 — Enter as string “phbaf41”, integer 34 or hex 0x22 phbaf42 — Enter as string “phbaf42”, integer 36 or hex 0x24 phbaf43 — Enter as string “phbaf43”, integer 38 or hex 0x26 \|phbcs5 — Enter as string “phbcs5”, integer 40 or hex 0x28 phbef — Enter as string “phbef”, integer 46 or hex 0x2e phbcs6 — Enter as string “phbcs6”, integer 48 or hex 0x30 phbcs7 — Enter as string “phbcs7”, integer 56 or hex 0x38
`WORD<0x0-0x40>`	Specifies the mask value, for example, `filter acl ace ip 10 10 dscp mask 129 0x40`
`WORD<1-256>`	Specifies one or more IP protocol types: (1–256), or tcp, udp, ipsecesp, vrrp, snmp or undefined.
`WORD<1–1024>`	Specifies the destination or source IP address (a.b.c.d).