seq (rules in IPv4 standard ACLs)
Inserts filtering rules in IPv4 standard ACLs. Standard ACLs permit or deny traffic according to source address only.
Syntax
seq seq-value { permit | deny | hard-drop } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ log ] [ copy-sflow ]
{ permit | deny | hard-drop } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ log ] [ copy-sflow ]
no { permit | deny | hard-drop } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ log ] [ copy-sflow ]
Parameters
- seq: (Optional) Enables you to assign a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.
- seq-value: Valid values range from 1 through 65535.
- permit: Specifies rules to permit traffic.
- deny: Specifies rules to deny traffic.
- hard-drop: Overrides the trap behavior for control frames. However, hard-drop does not override a permit for this address in a preceding rule.
- S_IPaddress: Specifies a source address for which you want to filter the subnet.
- mask: Defines a mask, whose effect is to specify a subnet that includes the source address that you specified. For options to specify the mask, see the Usage Guidelines.
- host: Specifies a single source address.
- S_IPaddress: The source address.
- any: Specifies all source addresses.
- count: Enables statistics for the rule.
- log: Enables inbound logging for the rule. In addition, the ACL log buffer must be enabled, using the debug access-list-log buffer command.
- copy-sflow: For incoming traffic, sends matching packets to the sFlow collector.
Modes
ACL configuration mode
Usage Guidelines
This command configures rules to permit or drop traffic based on source addresses. You can also enable counters, logging, and sFlow.
The order of the rules in an ACL is critical, because the first matching rule stops further processing. When creating rules, the sequence values you specify determine the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list.
You can specify a mask in either of the following ways:
- Wildcard mask format, for example 0.0.0.255. The advantage of this format is that it enables you to mask any bit, for example by specifying 0.255.0.255.
- Classless Interdomain Routing (CIDR) format, in which you specify the number of bits of the prefix. For example, appending /24 to an IPv4 address is equivalent to specifying 0.0.0.255 in wildcard mask format.
Although in a standard-ACL rule you can specify both log and copy-sflow, only one of the two is processed, as follows:
- In a permit rule, only copy-sflow is processed.
- In a deny or hard-drop rule, only log is processed.
If you are defining rules for a QoS ACL, be aware of the following considerations for ACLs implemented under flow-based QoS. For details, refer to the Extreme SLX-OS QoS and Traffic Management Configuration Guide.
- Do not include the count keyword in ACLs intended for flow-based QoS implementation, because such ACLs automatically share a common counter.
- The deny keyword functions as a "pass-through": for a match, the QoS action defined for that class is not applied.
To delete a rule from an ACL, do one of the following:
- If you know the rule number, enter no seq seq-value.
- If you do not know the rule number, type no and then enter the full syntax without seq seq-value.
Examples
The following example shows how to create an IPv4 standard ACL, define rules for it, and apply the ACL to an interface:
device# configure
device(config)# ip access-list standard stdACL3
device(conf-ipacl-std)# seq 5 permit host 10.20.33.4
device(conf-ipacl-std)# seq 15 deny any
device(conf-ipacl-std)# exit
device(config)# interface ethernet 0/5
device(conf-if-eth-0/5)# ipv4 access-group stdACL3 in
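The matching semantics described in the Usage Guidelines (sequence-ordered first-match processing, wildcard versus CIDR masks, rules without seq appended at the end, and the permit/copy-sflow versus deny/log precedence) are modelled below in a small Python evaluator. This is an added example written for this page, not SLX-OS code; the rule syntax it parses follows the Syntax section, the sample rules and addresses are constructed, and the +1 sequence step for rules entered without seq is an assumption of the example.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    seq: int
    action: str       # permit | deny | hard-drop
    addr: int         # source address with the non-matching bits cleared
    match: int        # 1 bits must match; this is the inverse of the wildcard mask
    log: bool
    copy_sflow: bool

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(line, default_seq):
    """Parse '[seq N] {permit|deny|hard-drop} {A wildcard | A/len | host A | any} [count] [log] [copy-sflow]'."""
    t = line.split()
    seq, t = (int(t[1]), t[2:]) if t[0] == "seq" else (default_seq, t)
    action, t = t[0], t[1:]
    if t[0] == "any":
        addr, match, t = 0, 0, t[1:]
    elif t[0] == "host":
        addr, match, t = _ip(t[1]), 0xFFFFFFFF, t[2:]
    elif "/" in t[0]:                                    # CIDR form, e.g. 10.20.0.0/16
        net = ipaddress.IPv4Network(t[0], strict=False)
        addr, match, t = int(net.network_address), int(net.netmask), t[1:]
    else:                                                # wildcard form, e.g. 10.20.0.0 0.0.255.255
        addr, match, t = _ip(t[0]), 0xFFFFFFFF ^ _ip(t[1]), t[2:]
    return Rule(seq, action, addr & match, match, "log" in t, "copy-sflow" in t)

class StandardAcl:
    def __init__(self):
        self.rules = []

    def add(self, line):
        # A rule entered without a seq value goes at the end of the list (the +1 step is an assumption)
        self.rules.append(parse_rule(line, max((r.seq for r in self.rules), default=0) + 1))
        self.rules.sort()                                # process in sequence order

    def lookup(self, src):
        """Return (seq, action, effects) of the first matching rule, or None. Effects follow
        the guideline above: a permit processes only copy-sflow, deny/hard-drop only log."""
        s = _ip(src)
        for r in self.rules:
            if s & r.match == r.addr:                    # first match stops further processing
                if r.action == "permit":
                    return r.seq, r.action, ["copy-sflow"] if r.copy_sflow else []
                return r.seq, r.action, ["log"] if r.log else []
        return None
```

The evaluator returns None when no rule matches, which is why the example ACL above ends with an explicit deny any rule.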