seq (rules in IPv4 standard bACLs)

Inserts filtering rules in IPv4 standard ACLs crafted as IP broadcast ACLs (bACLs).

Syntax

seq seq-value { permit | deny } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ fragment | non-fragment ]

no seq seq-value

{ permit | deny } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ fragment | non-fragment ]

no { permit | deny } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ fragment | non-fragment ]

Parameters

seq

(Optional) Enables you to assign a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.

seq-value: Valid values range from 1 through 65535.

permit

Specifies rules to permit traffic.

deny

Specifies rules to deny traffic.

hard-drop

For bACLs, equivalent to deny.

S_IPaddress

Specifies a source address for which you want to filter the subnet.

mask: Defines a mask, whose effect is to specify a subnet that includes the source address that you specified. For options to specify the mask, see the Usage Guidelines.

host

Specifies a source address.

S_IPaddress: The source address.

any

Specifies all source addresses.

count

Enables statistics for the rule.

log

Not supported for bACLs.

copy-sflow

Not supported for bACLs.

fragment: Filter fragmented packets. This keyword and non-fragment keyword cannot be used together.

non-fragment: Filter non-fragmented packets. This keyword and fragment keyword cannot be used together.

Modes

ACL configuration mode

Usage Guidelines

This topic describes filtering rules in a standard IPv4 ACL intended for use as an IP broadcast ACL (bACL).

Broadcast ACLs are not supported on SLX 9150 or SLX 9250 devices.

This command configures rules to permit or drop traffic based on source addresses. You can also enable counters.

The order of the rules in an ACL is critical, as the first matching rule stops further processing. When creating rules, specifying sequence values determines the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list.

You can specify a mask in either of the following ways:

Wildcard mask format—for example, 0.0.0.255. The advantage of this format is that it enables you mask any bit, for example by specifying 0.255.0.255.
Classless Interdomain Routing (CIDR) format—in which you specify the number of bits of the prefix. For example, appending /24 to an IPv4 address is equivalent to specifying 0.0.0.255 as wildcard mask format.

To delete a rule from an ACL, do the relevant of the following:

If you know the rule number, enter no seq seq-value.
If you do not know the rule number, type no and then enter the full syntax without seq seq-value.

Filtering fragmented or non-fragmented packets is only supported on ingress ACLs. On the SLX 9540 and SLX 9640, fragment match is only supported on BGP FS profile. This ACL can also be used with RACL, PBR, and RL. Do not use Layer-4 matching along with fragment matching. Fragmented packets might not have Layer-4 information and most likely cause issues. ACL filtering of fragmented and non-fragmented packets is not supported on SLX 9150 and SLX 9250 devices.

Examples

The following example creates an IPv4 standard bACL, defines rules for it, and applies the bACL to an interface.

device# configure
device(config)# ip access-list standard bACL_int_3
device(conf-ipacl-std)# seq 5 permit host 10.20.33.4
device(conf-ipacl-std)# seq 15 deny any
device(conf-ipacl-std)# exit
device(config)# interface ethernet 0/5
device(conf-if-eth-0/5)# ip subnet-broadcast-acl bACL_int_3

The following example shows how to create a IPv4 standard bACL, define rules for it, and apply the ACL at device level.

device# configure
device(config)# ip access-list standard bACL_glb_9
device(conf-ipacl-std)# seq 5 permit host 10.20.33.4
device(conf-ipacl-std)# seq 15 deny any
device(conf-ipacl-std)# exit
device(config)# ip global-subnet-broadcast-acl bACL_glb_9