The default action is permit, so if no action is specified in a rule entry, the packet is forwarded.
deny-cpu—Prevents packets that are copied or switched to the CPU from reaching the CPU. The data-plane forwarding of these packets is unaffected. For example, use this action to match broadcast packets and prevent them from reaching the CPU, but still allow them to be flooded to other VLAN members. You can also use this action to match Spanning Tree Protocol packets and prevent them from reaching the CPU, and instead flood them to other VLAN members in certain configurations where Spanning Tree is enabled.
copy-cpu-off—Prevents packets that are copied to the CPU from reaching the CPU. The data-plane forwarding of these packets is unaffected. For example, use this action to cancel the “mirror-cpu” action in another rule. This action does not prevent packets that are switched to the CPU (for example, broadcast, layer-3 unicast miss) from reaching the CPU.
copy-cpu-and-drop—Overrides the above action to facilitate the above action in a “catch-all” rule. It sends matching packets only to the CPU.
add-vlan-id—Adds a new outer VLAN ID. If the packet is untagged, it adds a VLAN tag to the packet. If the packet is tagged, it adds an additional VLAN tag. Only supported in VLAN lookup stage (VFP).
Note
The ExtremeSwitching X695 does not support adding an additional (third) VLAN tag to a double-tagged packet.replace-dscp-value—Replaces the existing DSCP value of the packet
do-ipfix—Records the matching packet. Can be used on both ingress and egress. Attempting to install a policy with this action on an unsupported chip will result in failure in HAL. The ExtremeSwitching X435, X465, X590, X690, X695 series switches do not support this action.
do-not-ipfix—Cancels recording for the matching packet. Can be used to reduce demand on egress IPFIX capacity (and to reduce recording loss) during packet flooding situations. Attempting to install a policy with this action on an unsupported chip will result in failure in HAL. The ExtremeSwitching X435, X465, X590, X690, X695 series switches do not support this action.
redirect-port-copy-cpu-allowed—Redirects a packet out of an output port, but does not enforce a requirement that Copy to CPU must be cancelled.
redirect-port-list-copy-cpu-allowed—Redirects a packet out of an output port to a list of ports, but does not enforce a requirement that Copy to CPU must be cancelled.