seq (rules in IPv4 extended bACLs)

Parameters

seq

(Optional) Enables you to assign a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.

seq-value

Valid values range from 1 through 65535.

permit

Specifies rules to permit traffic.

deny

Specifies rules to deny traffic.

hard-drop

For bACLs, equivalent to deny.

ip-protocol

Indicates the type of IP packet you are filtering. The options are as follows:

<0-255>

Protocol number custom value from 0 through 255.

icmp

Internet Control Message Protocol

ip

Any IP protocol

tcp

(Supported only if the containing ACL is applied to incoming traffic) Transmission Control Protocol

udp

User Datagram Protocol

S_IPaddress

Specifies a source address for which you want to filter the subnet.

mask

Defines a mask, whose effect is to specify a subnet that includes the source address that you specified. For options to specify the mask, see the Usage Guidelines.

host

Specifies a source address.

S_IPaddress

The source address.

any

Specifies all source addresses.

source-operator

If you specified tcp or udp ip-protocol, the following optional operators are available:

eq

The policy applies to the TCP or UDP port name or number you enter after eq.

gt

The policy applies to TCP or UDP port numbers equal to or greater than the port number or the numeric equivalent of the port name you enter after gt.

lt

The policy applies to TCP or UDP port numbers that are equal to or less than the port number or the numeric equivalent of the port name you enter after lt.

neq

The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq.

range

The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name or number and the second one you enter following the range keyword. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter the following: range 23 53 (two values separated by a space). The first port number in the range must be lower than the last number in the range.

S_port-numbers

(Valid only when ip-protocol is UDP or TCP) Specifies one or more source or destination port numbers.

vlan vlanID

Specifies a VLAN interface to which the ACL is bound.

TCP-flags

If you specify tcp ip-protocol, one or more of the following flags are available:

ack

Filters packets for which the ack (acknowledge) flag is set.

fin

Filters packets for which the fin (finish) flag is set.

rst

Filters packets for which the rst (reset) flag is set.

sync

Filters packets for which the syn (synchronize) flag is set.

urg

Filters packets for which the urg (urgent) flag is set.

push

Filters packets for which the psh (push) flag is set.

count

Enables statistics for the rule.

log

Not supported for bACLs.

mirror

Not supported for bACLs.

copy-sflow

Not supported for bACLs.

fragment

Filter fragmented packets. This keyword and non-fragment keyword cannot be used together.

non-fragment

Filter non-fragmented packets. This keyword and fragment keyword cannot be used together.