seq (rules in IPv4 extended ACLs)

Inserts filtering rules in IPv4 extended ACLs. Extended ACLs permit or deny traffic according to source addresses, as well as other parameters.
Syntax

    seq seq-value { permit | deny | hard-drop } ip-protocol { S_IPaddress mask | host S_IPaddress | any } [ source-operator [ S_port-numbers ] ] [ TCP-flags ] [ vlan vlanID ] [ count ] [ log ] [ mirror ] [ copy-sflow ] [ fragment | non-fragment ]

    { permit | deny | hard-drop } ip-protocol { S_IPaddress mask | host S_IPaddress | any } [ source-operator [ S_port-numbers ] ] [ TCP-flags ] [ count ] [ vlan vlanID ] [ log ] [ mirror ] [ copy-sflow ] [ fragment | non-fragment ]

    no { permit | deny | hard-drop } ip-protocol { S_IPaddress mask | host S_IPaddress | any } [ source-operator [ S_port-numbers ] ] [ TCP-flags ] [ vlan vlanID ] [ count ] [ log ] [ mirror ] [ copy-sflow ] [ fragment | non-fragment ]
         
Parameters

    - seq seq-value
      (Optional) Assigns a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list. Valid values for seq-value range from 1 through 65535.

    - permit
      Specifies a rule that permits matching traffic.

    - deny
      Specifies a rule that denies matching traffic.

    - hard-drop
      Overrides the trap behavior for control frames. However, hard-drop does not override a permit for this address in a preceding rule.

    - ip-protocol
      Indicates the type of IP packet you are filtering. The options are as follows:
        - <0-255>: Protocol number, a custom value from 0 through 255.
        - icmp: Internet Control Message Protocol.
        - ip: Any IP protocol.
        - tcp: Transmission Control Protocol. (Supported only if the containing ACL is applied to incoming traffic.)
        - udp: User Datagram Protocol.

    - S_IPaddress mask
      Specifies a source address and a mask. The mask selects a subnet that includes the source address you specified, and the rule filters that subnet. For the ways to specify the mask, see the Usage Guidelines.

    - host S_IPaddress
      Specifies a single source address.

    - any
      Specifies all source addresses.

    - source-operator
      If you specified tcp or udp as ip-protocol, the following optional operators are available:
        - eq: The policy applies to the TCP or UDP port name or number you enter after eq.
        - gt: The policy applies to TCP or UDP port numbers equal to or greater than the port number, or the numeric equivalent of the port name, you enter after gt.
        - lt: The policy applies to TCP or UDP port numbers equal to or less than the port number, or the numeric equivalent of the port name, you enter after lt.
        - neq: The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq.
        - range: The policy applies to all TCP or UDP port numbers between the first port name or number and the second one you enter after the range keyword. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter range 23 53 (two values separated by a space). The first port number in the range must be lower than the last number in the range.

    - S_port-numbers
      (Valid only when ip-protocol is udp or tcp) Specifies one or more source port numbers.

    - vlan vlanID
      Specifies a VLAN interface to which the ACL is bound.

    - TCP-flags
      If you specify tcp as ip-protocol, one or more of the following flags are available:
        - ack: Filters packets for which the ack (acknowledge) flag is set.
        - fin: Filters packets for which the fin (finish) flag is set.
        - rst: Filters packets for which the rst (reset) flag is set.
        - sync: Filters packets for which the syn (synchronize) flag is set.
        - urg: Filters packets for which the urg (urgent) flag is set.
        - push: Filters packets for which the psh (push) flag is set.

    - count
      Enables statistics for the rule.

    - log
      Enables inbound logging for the rule. In addition, the ACL log buffer must be enabled, using the debug access-list-log buffer command.

    - mirror
      Mirrors packets matching the rule. (Supported for rules in ACLs applied to inbound traffic on physical interfaces. Not supported for PBR, rACLs, or ACL-RL.)

    - copy-sflow
      For incoming traffic, sends matching packets to the sFlow collector.

    - fragment
      Filters fragmented packets. This keyword and the non-fragment keyword cannot be used together.

    - non-fragment
      Filters non-fragmented packets. This keyword and the fragment keyword cannot be used together.
        
 
Modes

    ACL configuration mode
 
        
 
Usage Guidelines

    The order of the rules in an ACL is critical, because the first matching rule stops further processing. When you create rules, the sequence values you specify determine the order in which the rules are processed. If you do not specify a sequence value, the rule is added to the end of the list.

    You can specify a mask in either of the following ways:

        - Wildcard mask format, for example 0.0.0.255. The advantage of this format is that it enables you to mask any bit, for example by specifying 0.255.0.255.

        - Classless Interdomain Routing (CIDR) format, in which you specify the number of bits of the prefix. For example, appending /24 to an IPv4 address is equivalent to specifying 0.0.0.255 in wildcard mask format.

    Although an extended-ACL rule can include log, mirror, and copy-sflow, only one of the three is processed, as follows:

        - In a permit rule, the order of precedence is mirror > copy-sflow > log.

        - In a deny or hard-drop rule, the order of precedence is log > copy-sflow > mirror.

    If you are defining rules for a QoS ACL, be aware of the following considerations for ACLs implemented under flow-based QoS. (For details, refer to the Extreme SLX-OS QoS and Traffic Management Configuration Guide.)

        - Because ACLs applied for QoS use a unified counter for all rules in an ACL, rule-level count keywords are ignored.

        - The deny keyword functions as a PASS THROUGH: for a match, the QoS action defined for that class is not applied.

    For both interface ACLs and receive-path ACLs, you use identical commands to create the ACLs and identical commands to define permit/deny rules in them. The only difference is the command you use to apply the ACL:

        - To apply an interface ACL, from an interface-subtype configuration mode you use the { ip | ipv6 | mac } access-group command.

        - To apply a receive-path ACL, from global configuration mode you use the { ip | ipv6 } receive access-group command.

    To delete a rule from an ACL, do one of the following:

        - If you know the rule number, enter no seq seq-value.

        - If you do not know the rule number, type no followed by the full syntax of the rule without seq seq-value.

    Filtering fragmented or non-fragmented packets is supported only on ingress ACLs. On the SLX 9540 and SLX 9640, fragment matching is supported only on the BGP FS profile. Such an ACL can also be used with RACL, PBR, and RL. Do not use Layer-4 matching together with fragment matching: fragmented packets might not carry Layer-4 information, so the combination is likely to cause problems. ACL filtering of fragmented and non-fragmented packets is not supported on SLX 9150 and SLX 9250 devices.
            
Examples

    The following example creates an IPv4 extended ACL and defines rules.

        device(config)# ip access-list extended extdACL5
        device(conf-ipacl-ext)# seq 5 deny tcp host 10.24.26.145 any eq 23
        device(conf-ipacl-ext)# seq 7 deny tcp any any eq 80
        device(conf-ipacl-ext)# seq 10 deny udp any any range 10 25
        device(conf-ipacl-ext)# seq 15 permit tcp any any

    The following example creates an IPv4 extended ACL, defines rules in the ACL, and applies it as a receive-path ACL.

        device(config)# ip access-list extended ipv4-receive-acl-example
        device(conf-ipacl-ext)# hard-drop tcp host 10.0.0.1 any count
        device(conf-ipacl-ext)# hard-drop udp any host 20.0.0.1 count
        device(conf-ipacl-ext)# permit tcp host 10.0.0.2 any eq telnet count
        device(conf-ipacl-ext)# permit tcp host 10.0.0.2 any eq bgp count
        device(conf-ipacl-ext)# hard-drop tcp host 10.0.0.3 host 224.0.0.1 count
        device(conf-ipacl-ext)# exit
        device(config)# ip receive access-group ipv4-receive-acl-example
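The following Python model is an added example, not SLX-OS code or output from the device. It parses the rule forms shown on this page (seq numbering, permit/deny/hard-drop, host/any/wildcard-mask/CIDR address specs, the eq/gt/lt/neq/range operators, and the count/log/mirror/copy-sflow options), loads the extdACL5 rules from the first example plus one constructed unsequenced rule, and evaluates constructed packets with first-match semantics. It also resolves which of log, mirror and copy-sflow is processed using the precedence from the Usage Guidelines, and models "no seq seq-value" deletion. Two details are assumptions rather than statements from the page: an implicit deny when no rule matches, and a step of 10 when numbering an unsequenced rule appended to the list; the port-name table (telnet, bgp) is a constructed subset.

```python
"""First-match model of SLX-OS style IPv4 extended ACL rules (added example,
not SLX-OS code). It parses the rule forms used on this page and evaluates
constructed packets. The implicit deny at the end of the list and the +10
step for unsequenced rules are assumptions, not taken from the page."""
import ipaddress
from collections import namedtuple

OPERATORS = {"eq", "gt", "lt", "neq", "range"}
PORT_NAMES = {"telnet": 23, "bgp": 179}  # constructed subset of the CLI's name table
Rule = namedtuple("Rule", "seq action proto match options")


def parse_addr(tokens, i):
    """Consume one source/destination spec at tokens[i]; return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda a: True), i + 1
    if tok == "host":
        want = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda a: a == want), i + 2
    if "/" in tok:  # CIDR form, e.g. 10.24.26.0/24
        net = ipaddress.IPv4Network(tok, strict=False)
        return (lambda a: a in net), i + 1
    # Wildcard-mask form, e.g. 10.24.26.0 0.0.0.255: every 0 bit in the mask must match.
    base = int(ipaddress.IPv4Address(tok))
    care = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda a: ((int(a) ^ base) & care) == 0), i + 2


def parse_port(tokens, i):
    """Consume an optional operator and its port(s); return (predicate, next index)."""
    if i >= len(tokens) or tokens[i] not in OPERATORS:
        return (lambda p: True), i
    val = lambda t: int(t) if t.isdigit() else PORT_NAMES[t]
    op = tokens[i]
    if op == "range":  # inclusive; the first port must be lower than the second
        lo, hi = val(tokens[i + 1]), val(tokens[i + 2])
        if lo >= hi:
            raise ValueError("range: first port must be lower than the last")
        return (lambda p: lo <= p <= hi), i + 3
    v = val(tokens[i + 1])
    preds = {"eq": lambda p: p == v, "gt": lambda p: p >= v,  # gt/lt are inclusive,
             "lt": lambda p: p <= v, "neq": lambda p: p != v}  # as the parameter table says
    return preds[op], i + 2


def side_effect(rule):
    """Only one of log/mirror/copy-sflow is processed; the order depends on the action."""
    order = (["mirror", "copy-sflow", "log"] if rule.action == "permit"
             else ["log", "copy-sflow", "mirror"])
    return next((o for o in order if o in rule.options), None)


class ExtendedAcl:
    def __init__(self):
        self.rules = []

    def add(self, line):
        tokens = line.split()
        if tokens[0] == "seq":
            seq, tokens = int(tokens[1]), tokens[2:]
        else:  # unsequenced rule goes to the end of the list (assumed +10 numbering)
            seq = self.rules[-1].seq + 10 if self.rules else 10
        src, i = parse_addr(tokens, 2)
        sport, i = parse_port(tokens, i)
        dst, i = parse_addr(tokens, i)
        dport, i = parse_port(tokens, i)
        match = lambda s, sp, d, dp: src(s) and sport(sp) and dst(d) and dport(dp)
        self.rules.append(Rule(seq, tokens[0], tokens[1], match, set(tokens[i:])))
        self.rules.sort(key=lambda r: r.seq)

    def delete(self, seq):
        """Equivalent of 'no seq seq-value'."""
        self.rules = [r for r in self.rules if r.seq != seq]

    def evaluate(self, proto, src, sport, dst, dport):
        """Return (seq, action, processed side effect) of the first matching rule."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for r in self.rules:
            if r.proto in ("ip", proto) and r.match(s, sport, d, dport):
                return r.seq, r.action, side_effect(r)
        return None, "deny", None  # assumed implicit deny


def build_example_acl():
    """The page's extdACL5 rules plus one constructed, unsequenced rule."""
    acl = ExtendedAcl()
    for line in ["seq 5 deny tcp host 10.24.26.145 any eq 23",
                 "seq 7 deny tcp any any eq 80",
                 "seq 10 deny udp any any range 10 25",
                 "seq 15 permit tcp any any",
                 "permit ip 10.24.26.0 0.0.0.255 any log mirror"]:
        acl.add(line)
    return acl


if __name__ == "__main__":
    print(build_example_acl().evaluate("udp", "10.24.26.9", 53, "192.0.2.1", 53))
```

Running the module prints `(25, 'permit', 'mirror')`: the UDP packet to port 53 falls past the tcp rules and the 10-25 range rule, lands on the appended wildcard rule (numbered 25 under the assumed step), and of its log and mirror options only mirror is processed because the rule is a permit. Evaluating a TCP packet to port 22 from 10.24.26.145 instead stops at seq 15, which shows why the order of the rules, not the specificity of the later wildcard rule, decides the outcome.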