seq (ip access-list rules)

Inserts or removes filtering rules in IPv4 access control lists (ACLs).

Syntax

seq { 1-65535 } [ permit | deny ] [ tcp | udp | icmp | igmp | ip |esp | 1-254 ] | [ vxlan | nvgre | gre | ipip |gtpc | gtpu ] { 1-4294967295 } [ src-ip | prefix-length | src-ip src-mask ] [ dst-ip | prefix-length | dst-ip dst-mask ] { sport 1-65535} { dport 1-65535 } {sport-end 1-65535 } { dport-end 1-65535 } { dscp 1-63 } { length 64-9000 | length-end 65-9000 } { push } { sync } { ack } { fin } { urg } { cwr } { ece } { reset } {{ { morefragment | dontfragment }} { vlan 0-4095} { count } { log } { qos-forwarding-group group-name }
no seq ID

Parameters

seq ID
Specifies the sequence ID for the rule. This parameter is optional. Valid values range from 1 through 65535 and the value must be unique within the selected IP ACL. If the value is not specified, a non-assigned value starting from 10 with an increment of 10 is assigned.
permit |deny
Specifies the forwarding action for the matching traffic.
tcp|udp | icmp |igmp | ip | esp
Specifies the numerical protocol type of the traffic for non-tunneled packets.
number
Specifies the custom protocol number to be matched. Valid values range from 1 through 254.
push |sync | ack |fin |urg |cwr | ece | reset
Specifies the TCP protocol configuration. (Valid for only the TCP protocol.)
vxlan |nvgre | gre | ipip | gtpc | gtpu
Specifies the tunnel types supported for tunneled traffic.
For tunnel types, IP address and masks are mapped to the outer header. Valid values range from 1 through 4294967295.
  • VXLAN and NVGRE tunnels allow VNID or VSID values in the range of 1 through 16777215.
  • GTP-U and GTP-C tunnels allow tunnel ID values in the range of 1 through 4294967295.
src-ip | prefix-length | src-mask | dst-ip | prefix-length | dst-mask
Specifies the source IP address, the source IP mask, the destination IP address, and destination IP address mask of the traffic.
IP addresses and masks display in a dot-separated, decimal format.
Instead of using the IP address mask, the subnet prefix length can be specified with the source IP address and the destination IP address keywords.
length |length-end
Specifies the length of the IPv4 packets. The valid value range is 64 through 9000.
The length range, and length end parameters are provided to match based on range. Valid ranges are from 65 through 9000.
When specifying range, the length value is mandatory.
Specifying length end alone is not valid. Length must be less than the length end.
sport | sport-end
Specifies the sport source port value. The valid value range is 1 through 65535.
The source port range and parameters are provided to match on range.
When specifying range, the source port value is mandatory.
Specifying source port end alone is not valid.
The source port value must be less than the source port end.
dport |dport-end
Specifies the destination port and the destination port end. Valid values range from 1 through 65535.
When specifying a match based on the range, destination port range, and destination port parameters are provided.
When specifying range, the destination port value is mandatory.
Specifying destination end alone is not valid.
The destination port value must be less than the destination port end.
count
Enables counters for the rule.
log
Enables the system log (syslog) for the rule.
dscp
Specifies the type of service field for IPv4 protocol. The valid value ranges are through 1 to 63.
vlan vlan-ID
Specifies the VLAN ID. The valid values ranges are from 0 to 4095.
morefragment | dontfragment
Specifies the fragment parameters.
qos-forwarding-group group-name
Specifies the name of the Quality of Service (QoS) forwarding group.

Modes

IP ACL config mode

Usage Guidelines

GRE tunnel-type:
  • Version-1 packets are not filtered with this setting.
  • Version-0 packets are filtered successfully with this setting when checksum, key, or sequence number are not configured.
GTP-U tunnel type:
  • Packets with outer IP and UDP port settings (ACL configured with the IP address and the combination of source port and destination port) are not forwarded to the egress.

The IPv4 address and IPv4 mask must be configured in dotted-decimal notation.

Duplicate ACL rules are not allowed.

Conflicting ACL rules (rules with same match condition and different forwarding action) are not allowed.

The following specified length limitation applies to the specified port end and destination port end range length configuration.
Important

Important

If you configure an IPv4 or an IPv6 ACL rule to match a specific IP length and also configure an IPv4 or IPv6 ACL with an overlapping IP length range, then the rule with specific length will not work.

IPvn rules configured with specified lengths that overlap IPvn length-range configurations fail silently.

Example 1. The IPv6 ACL rule in this example will not work because the rule with a specific length (bold font) overlaps the configured IP ACL range from 100 through 200. The rule with the overlapping specified length fails silently.

ip access-list v4acl
 seq 10 permit ip any 1.0.0.1 255.255.255.0 length 100 length-end 200

ipv6 access-list v6acl
 seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150

Example 2. The IPv6 ACL rule (bold font) in this example will not work because the rule with a specific length overlaps the range from 100 through 200. The rule with the overlapping specified length fails silently.

ipv6 access-list v6acl
 seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200
 seq 20 permit ipv6 any bbbb::bbbb ffff::ffff length 150

Example 3. This IPv6 ACL rule example will not work because in this configuration, because the rule with a specific length (bold font) overlaps the range from 100 through 200. The rule with the overlapping specified length fails silently.

ipv6 access-list v6acl-1
 seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200

ipv6 access-list v6acl-2
 seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150

Examples

The following example configures seq 1 for IP access list P4.

device# configure terminal
device(config)#ip access-list P4
device(config-ip-acl)# seq 1 permit udp 
1.1.1.1 255.0.0.0 2.2.2.2 255.0.0.0 dontfragment

device# show running-config access-list 
ip access-list ip-acl 
  seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0 

device# show running-config ip access-list ip-acl 
ip access-list ip-acl 
  seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0 

device# show running-config ip access-list all 
ip access-list ip-acl 
  seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0

The following example deletes seq 1.

device(config-mac-acl)# no seq 1