seq (ip access-list rules)

Inserts or removes filtering rules in IP Access Control Lists (ACLs).

Syntax

seq { 1-65535 } [ permit | deny ] [ tcp | udp | icmp | igmp | ip |esp | 1-254 ] | [ vxlan | nvgre | gre | ipip |gtpc | gtpu ] { 1-4294967295 } [ src-ip | prefix-length | src-ip src-mask ] [ dst-ip | prefix-length | dst-ip dst-mask ] { sport 1-65535} { dport 1-65535 } {sport-end 1-65535 } { dport-end 1-65535 } { dscp 1-63 } { length 64-9000 | length-end 65-9000 } { push } { sync } { ack } { fin } { urg } { cwr } { ece } { reset } { [ morefragment | dontfragment ] } { vlan 0-4095} { count } { log }

no seq id

Parameters

seq id

Specifies the sequence ID for the rule. This parameter is optional. Valid values range from 1 through 65535 and value must be unique within the selected IP ACL. If the value is not specified, a non-assigned value starting from 10 with an increment of 10 is assigned.

permit |deny

Specifies the forwarding action for the matching traffic.

tcp|udp | icmp |igmp | ip | esp | number

Specifies the protocol type of the traffic for non-tunneled packets.

number

Specifies the custom protocol number to be matched. Valid values range from 1 through 254.

push |sync | ack |fin |urg |cwr | ece | reset

Specifies the TCP protocol configuration. (Valid for only the TCP protocol.)

Specifies the tunnel types supported for tunneled traffic. For tunnel types IP address and masks are mapped to the outer header. Valid values range from 1 through 4294967295.

vxlan and nvgre tunnels allow vnid or vsid values in range of 1 through 16777215.
gtpu and gtpc tunnels allow tunnel id values in range of 1 through 4294967295.

Specifies the source IP, source mask, destination IP, and destination mask of the traffic. These IP address and mask are displayed in dot separated decimal format.

Instead of mask, subnet prefix length also can be specified with src-ip and dst-ip .

length |length-end: Specifies the length of the IPv4 packets. The valid value range is 64 through 9000.; To match based on length range, length and length-end parameters are provided. The valid range is 65 through 9000.; When specifying range, length value is mandatory; specifying length-end alone is not valid. Length must be less than the length-end.
sport | sport-end: Specifies the sport source port value. The valid value range is 1 through 65535.; To match based on sport range, sport and sport-end parameters are provided.; When specifying range, sport value is mandatory; specifying sport-end alone is not valid. The source port value must be less than the sport-end.
dport |dport-end: Specifies the destination port. Valid value range is 1 through 65535.; To match based on dport range, dport and dport-end parameters are provided.; When specifying range, dport value is mandatory; specifying dport-end alone is not valid. The destination port value must be less than dport-end.
count: Enables counters for the rule.
log: Enables syslog for the rule.
dscp: Specifies the type of service field for IPv4 protocol. The valid value range is 1 to 63.
vlan vlan-id: Specifies the vlan-id. The valid value range is 0 to 4095.
morefragment | dontfragment: Specifies the fragment parameters.

Modes

IP ACL config mode

Usage Guidelines

GRE tunnel-type:

Version-1 packets are not filtered with this setting.
Version-0 packets are filtered successfully with this setting when Checksum, Key, or Sequence number are not configured.

GTPU tunnel type:

Packets with outer IP and UDP port settings (ACL configured with ip address and sport/dport combination) are not forwarded to the egress.

The IPv4 Address and mask must be configured in dotted decimal notation.

Duplicate ACL rules are not allowed.

Conflicting ACL rules (rules with same match condition and different forwarding action) are not allowed.

The following specified length limitation applies to the sport-end and dport-end range length configuration.

Important

If you configure an IPv4 or IPv6 ACL rule to match a specific IP length and also configure an IPv4 or IPv6 ACL with an overlapping IP length range, then the rule with specific length will not work.

IPvn rules configured with specified lengths that overlap IPvn length-range configurations fail silently.

Example 1. The IPv6 ACL rule in this example will not work because the rule with a specific length (bold font) overlaps the configured IP ACL range from 100 through 200. The rule with the overlapping specified length fails silently.

ip access-list v4acl
 seq 10 permit ip any 1.0.0.1 255.255.255.0 length 100 length-end 200

ipv6 access-list v6acl
 seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150

Example 2. The IPv6 ACL rule (bold font) in this example will not work because the rule with a specific length overlaps the range from 100 through 200. The rule with the overlapping specified length fails silently.

ipv6 access-list v6acl
 seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200
 seq 20 permit ipv6 any bbbb::bbbb ffff::ffff length 150

Example 3. This IPv6 ACL rule example will not work because in this configuration, because the rule with a specific length (bold font) overlaps the range from 100 through 200. The rule with the overlapping specified length fails silently.

ipv6 access-list v6acl-1
 seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200

ipv6 access-list v6acl-2
 seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150

Table 1. Error messages
Message	Reason
`Error: seqid 10 already exist ip1.`	Sequence id is repeated within IP ACL named ip1.
`Error: source ip address must be in dotted-decimal format, each decimal number to be in range of 0-255. Example: 196.168.0.1`	Incorrect IPv4 address format for values src/dest address, src/dest mask values.
`% Value '0' not in range <1-65535>.`	Example: Sequence-id range error.
`% Value 'ip' not in range <1-254>`	Example: IP address outside valid range error.
`% Value '4294967296' not in range <1-4294967295>.`	Example: Tunnel-id range error.
`% Value '65536' not in range <1-65535>.`	Example: Source port range error.
`% Value '65536' not in range <1-65535>.`	Example: Destination port range error.
`% Value '63' not in range <64-9000>.`	Example: Packet length error.
`% Value '65' not in range <0-63>.`	Example: DSCP range error.
`% Value '4096' not in range <0-4095>.`	Example: VLAN range error.

Examples

The following example configures seq 1 for IP access list P4.

device# configure terminal
device(config)#ip access-list P4
device(config-ip-acl)# seq 1 permit udp 1.1.1.1 255.0.0.0 2.2.2.2 255.0.0.0 dontfragment

device# show running-config access-list 
ip access-list ip-acl 
  seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0 

device# show running-config ip access-list ip-acl 
ip access-list ip-acl 
  seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0 

device# show running-config ip access-list all 
ip access-list ip-acl 
  seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0

The following example deletes seq 1.

device(config-mac-acl)# no seq 1

Error messages:

Sequence id is repeated within ip access-list:

device(config-ip-acl)# seq 10 permit ip any any 
Error: seqid 10 already exist ip1.

Incorrect IPv4 address format for src/dest address and src/dest mask:

device(config-ip-acl)# permit ip 123. 123. any 
Error: source ip address must be in dotted-decimal format, each decimal number to be in range of 0-255. Example: 196.168.0.1

device(config-ip-acl)# permit ip 10.0.0.1 255. any 
Error: source ip mask must be in dotted-decimal format, each decimal number to be in range of 0-255. Example: 196.168.0.1 

device(config-ip-acl)# permit ip any 1234. 255.0.0.0 
Error: destination ip address must be in dotted-decimal format, each decimal number to be in range of 0-255. Example: 196.168.0.1 

device(config-ip-acl)# permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255. 
Error: destination ip mask must be in dotted-decimal format, each decimal number to be in range of 0-255. Example: 196.168.0.1

Sequence id range:

device(config-ip-acl)# seq 0 
% Value '0' not in range <1-65535>. 

device(config-ip-acl)# seq 65536 
% Value '65536' not in range <1-65535>.

IPv4 address/mask range:

device(config-ip-acl)# seq 10 permit ip abc. abc. 
% Value 'ip' not in range <1-254>. 

device(config-ip-acl)# seq 10 permit ip asdf asdf 
% Value 'ip' not in range <1-254>.

Tunnel-id range errors:

device(config-ip-acl)# seq 10 permit gtpu 4294967296 
% Value '4294967296' not in range <1-4294967295>. 

device(config-ip-acl)# seq 10 permit nvgre 4294967296 
% Value '4294967296' not in range <1-4294967295>.

Source port range:

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 sport 65536 
% Value '65536' not in range <1-65535>. 

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 sport 65535 sport-end 65536 
% Value '65536' not in range <1-65535>.

Destination port range:

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 dport 65536 
% Value '65536' not in range <1-65535>. 

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 dport 65535 dport-end 65536 
% Value '65536' not in range <1-65535>.

Packet length range:

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 length 63 
% Value '63' not in range <64-9000>. 

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 length 9001 
% Value '9001' not in range <64-9000>. 

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 length 65 length-end 9001 
% Value '9001' not in range <65-9000>.

dscp range:

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 dscp 
<0-63>  Dscp from 0-63 

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 dscp 65 
% Value '65' not in range <0-63>.

vlan range:

device(config-ip-acl)# seq 10 permit udp 10.0.0.2 255.255.0.0 20.0.0.2 255.255.0.0 vlan 4096 
% Value '4096' not in range <0-4095>.

Duplicate rule:

device(config-ip-acl)# seq 1 permit ip any any 
device(config-ip-acl)# seq 2 permit ip any any 
Error: Sequence 2 is duplicate of Sequence 1.

Conflicting rule:

device(config-ip-acl)# seq 1 permit ip any any 
device(config-ip-acl)# seq 2 deny ip any any 
Error: Sequence 2 is conflicting with Sequence 1.