Actions

The actions are:
  • permit—The packet is forwarded.
  • deny—The packet is dropped.

The default action is permit, so if no action is specified in a rule entry, the packet is forwarded.

The following actions are supported on all platforms:
  • deny-cpu—Prevents packets that are copied or switched to the CPU from reaching the CPU. The data-plane forwarding of these packets is unaffected. For example, use this action to match broadcast packets and prevent them from reaching the CPU, but still allow them to be flooded to other VLAN (Virtual LAN) members. You can also use this action to match Spanning Tree Protocol packets and prevent them from reaching the CPU, and instead flood them to other VLAN members in certain configurations where Spanning Tree is enabled.

  • copy-cpu-off—Prevents packets that are copied to the CPU from reaching the CPU. The data-plane forwarding of these packets is unaffected. For example, use this action to cancel the “mirror-cpu” action in another rule. This action does not prevent packets that are switched to the CPU (for example, broadcast, layer-3 unicast miss) from reaching the CPU.

  • copy-cpu-and-drop—Overrides the above action to facilitate the above action in a “catch-all” rule. It sends matching packets only to the CPU.

  • add-vlan-id—Adds a new outer VLAN ID. If the packet is untagged, it adds a VLAN tag to the packet. If the packet is tagged, it adds an additional VLAN tag. Only supported in VLAN lookup stage (VFP).

  • replace-dscp-value—Replaces the existing DSCP value of the packet.

  • do-ipfix—Records the matching packet. Can be used on both ingress and egress. Attempting to install a policy with this action on an unsupported chip will result in failure in HAL. The ExtremeSwitching and Summit X590 series switches do not support this action.

  • do-not-ipfix—Cancels recording for the matching packet. Can be used to reduce demand on egress IPFIX capacity (and to reduce recording loss) during packet flooding situations. Attempting to install a policy with this action on an unsupported chip will result in failure in HAL. The ExtremeSwitching and Summit X590 series switches do not support this action.

  • redirect-port-copy-cpu-allowed—Redirects a packet out of an output port, but does not enforce a requirement that Copy to CPU must be cancelled.

  • redirect-port-list-copy-cpu-allowed—Redirects a packet out of an output port to a list of ports, but does not enforce a requirement that Copy to CPU must be cancelled.
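
Because the default action is permit, and actions such as deny-cpu or replace-dscp-value leave data-plane forwarding untouched, a rule entry can look restrictive while still forwarding traffic. The following audit script is an added example, not vendor code: it lists each entry's effective forwarding action. The policy-file layout it parses (entry NAME { if { ... } then { ... } }), the match conditions, and the sample policy are assumptions constructed for illustration.

```python
import re

# Assumed policy-file layout: entry NAME { if [match all|any] { ... } then { ... } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if(?:\s+match\s+(?:all|any))?\s*\{(?P<match>[^}]*)\}"
    r"\s*then\s*\{(?P<actions>[^}]*)\}\s*\}",
    re.S,
)

def audit_policy(text):
    """Return [(entry_name, disposition, action_keywords)] for each rule entry."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comment lines before parsing
    results = []
    for m in ENTRY_RE.finditer(text):
        # Keep only the keyword of each action ("replace-dscp-value 46" -> keyword)
        actions = [a.split()[0] for a in m.group("actions").split(";") if a.strip()]
        explicit = {a for a in actions if a in ("permit", "deny")}
        if len(explicit) == 2:
            disposition = "conflict"          # both permit and deny: needs review
        elif explicit:
            disposition = explicit.pop()
        else:
            disposition = "implicit-permit"   # no action given: packet is forwarded
        results.append((m.group("name"), disposition, actions))
    return results

def implicit_permits(text):
    """Names of entries that forward traffic only because permit is the default."""
    return [name for name, disp, _ in audit_policy(text) if disp == "implicit-permit"]

# Constructed sample policy (hypothetical entry names and match conditions).
SAMPLE_POLICY = """
# deny-cpu shields the CPU only; the broadcast is still flooded
entry bcast_no_cpu { if { ethernet-destination-address ff:ff:ff:ff:ff:ff; } then { deny-cpu; } }
entry block_telnet { if { protocol tcp; destination-port 23; } then { deny; } }
entry mark_voice { if { source-address 10.1.0.0/16; } then { replace-dscp-value 46; } }
entry allow_rest { if { } then { permit; } }
"""

if __name__ == "__main__":
    for name, disposition, actions in audit_policy(SAMPLE_POLICY):
        print(f"{name:14} {disposition:16} {', '.join(actions) or '(none)'}")
```

Entries reported as implicit-permit are worth reviewing to confirm that forwarding the matched traffic is intended.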