Advanced Layer 3 ACL rules and features

Many advanced ACL features are implemented per ACL rule, according to parameters that you specify.

Note

Some advanced features also require global configuration.

The following table describes advanced rule keywords for all supported devices.

Table 1. Layer 3 ACL advanced keywords
Keyword	Description	IPv4 standard ACL	IPv6 standard ACL	IPv4 extended ACL	IPv6 extended ACL	Comments
copy-sflow	sFlow monitoring	P/D; I	P/D; I	P/D; I	P/D; I
count	Counter statistics	P/D/H; I/O	P/D/H; I	P/D/H; I/O	P/D/H; I
drop-precedence-force	Re-marking drop-precedence	NA	NA	P; I	P; I	Only under default, vxlan-visibility, and border-routing TCAM profiles.
dscp	DSCP filtering	NA	NA	P/D/H; I/O	P/D/H; I
dscp-force	DSCP re-marking	NA	NA	P; I	P; I	For routed traffic only.
log ( SLX 9150, SLX 9250)	Logging	P/D/H; I	P/D/H; I	P/D/H; I	P/D/H; I
log ( SLX 9540, SLX 9640)	Logging	P/D; I	P/D; I	P/D; I	P/D; I
mirror ( SLX 9150, SLX 9250)	Mirroring	NA	NA	P/D/H; I	P/D/H; I	Effective only in ACLs applied to physical interfaces. Not supported for: rACLs (receive-path) ACL-RL (rate-limiting)
mirror ( SLX 9540, SLX 9640)	Mirroring	NA	NA	P/D; I	P/D; I	Effective only in ACLs applied to physical interfaces. Not supported for: PBR ACLs (policy-based routing) rACLs (receive-path) ACL-RL (rate-limiting)

Key:

P—Supported in a permit rule
D—Supported in a deny rule
H—Supported in a hard-drop rule
I—Supported in an ACL applied to incoming traffic
O—Supported in an ACL applied to outgoing traffic
NA—Not available

For details, refer to the following Extreme SLX-OS Command Reference topics:

seq (rules in IPv4 standard ACLs)
seq (rules in IPv4 extended ACLs)
seq (rules in IPv6 standard ACLs)
seq (rules in IPv6 extended ACLs)

Parsing priorities among keywords

There are parsing priorities among the copy-sflow, log, and mirror keywords, as follows:

Although in a standard-ACL rule you can include log and copy-sflow, only one of the two is processed, as follows:
- In a permit rule, the order of precedence is copy-sflow > log.
- In a deny or hard-drop rule, the order of precedence is log > copy-sflow.
Although in an extended-ACL rule you can include log, mirror, and copy-sflow, only one of the three is processed, as follows:
- In a permit rule, the order of precedence is mirror > copy-sflow > log.
- In a deny or hard-drop rule, the order of precedence is log > copy-sflow > mirror.

Consider the following extended IPv4 ACL:

device(config)# ip access-list extended ip_acl_01
device(conf-ipacl-ext)# seq 10 permit host 10.24.26.145 any count log mirror copy-sflow
device(conf-ipacl-ext)# seq 20 deny host 10.34.36.245 any count log mirror copy-sflow

In the permit rule, only the mirror keyword is processed.
In the deny rule, only the log keyword is processed.