seq (rules in IPv4 standard bACLs)
Inserts filtering rules in IPv4 standard ACLs crafted as IP broadcast ACLs (bACLs).
Syntax
seq seq-value { permit | deny } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ fragment | non-fragment ]
{ permit | deny } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ fragment | non-fragment ]
no { permit | deny } { S_IPaddress mask | host S_IPaddress | any } [ count ] [ fragment | non-fragment ]
Parameters
- seq: (Optional) Enables you to assign a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.
- seq-value: Valid values range from 1 through 65535.
- permit: Specifies rules to permit traffic.
- deny: Specifies rules to deny traffic.
- hard-drop: For bACLs, equivalent to deny.
- S_IPaddress: Specifies a source address for which you want to filter the subnet.
- mask: Defines a mask, whose effect is to specify a subnet that includes the source address that you specified. For options to specify the mask, see the Usage Guidelines.
- host: Specifies a single source address.
- S_IPaddress: The source address.
- any: Specifies all source addresses.
- count: Enables statistics for the rule.
- log: Not supported for bACLs.
- copy-sflow: Not supported for bACLs.
- fragment: Filters fragmented packets. This keyword and the non-fragment keyword cannot be used together.
- non-fragment: Filters non-fragmented packets. This keyword and the fragment keyword cannot be used together.
Modes
ACL configuration mode
Usage Guidelines
This topic describes filtering rules in a standard IPv4 ACL intended for use as an IP broadcast ACL (bACL).
Broadcast ACLs are not supported on SLX 9150 or SLX 9250 devices.
This command configures rules to permit or drop traffic based on source addresses. You can also enable counters.
The order of the rules in an ACL is critical, as the first matching rule stops further processing. When creating rules, specifying sequence values determines the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list.
You can specify a mask in either of the following ways:
- Wildcard mask format, for example 0.0.0.255. The advantage of this format is that it enables you to mask any bit, for example by specifying 0.255.0.255.
- Classless Interdomain Routing (CIDR) format, in which you specify the number of bits of the prefix. For example, appending /24 to an IPv4 address is equivalent to specifying 0.0.0.255 in wildcard mask format.
To delete a rule from an ACL, do one of the following:
- If you know the rule number, enter no seq seq-value.
- If you do not know the rule number, type no and then enter the full syntax without seq seq-value.
Filtering fragmented or non-fragmented packets is only supported on ingress ACLs. On the SLX 9540
and SLX 9640, fragment match is only supported on BGP FS profile. This ACL can also be used with
RACL, PBR, and RL. Do not use Layer-4 matching along with fragment matching. Fragmented packets might
not have Layer-4 information and most likely cause issues. ACL filtering of fragmented and
non-fragmented packets is not supported on SLX 9150 and SLX 9250 devices.
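As an added example (not SLX-OS code and not from this page), the following Python models the rule semantics described above so an ACL can be checked against candidate source addresses before it is applied: the first match in seq order decides, a rule without a seq value is appended after the last one, wildcard masks and CIDR prefixes are equivalent ways to write the same subnet, and host and any are the exact-match and catch-all forms. The rule storage, the step of 10 for auto-assigned sequence numbers, and the class and method names are assumptions of this model.

```python
import ipaddress


def parse_source(spec):
    """Map a source spec from the command syntax to (value, match_bits).

    A source address matches when (addr & match_bits) == value. Accepted forms:
    "any", "host A.B.C.D", "A.B.C.D W.X.Y.Z" (wildcard mask: 0 bits must match,
    1 bits are ignored, so 0.255.0.255 is valid) and "A.B.C.D/len" (CIDR)."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0xFFFFFFFF
    if len(parts) == 1 and "/" in parts[0]:
        net = ipaddress.IPv4Network(parts[0], strict=False)
        return int(net.network_address), int(net.netmask)
    addr, wildcard = parts
    match_bits = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & match_bits, match_bits


class StandardBacl:
    """Assumed model of a standard bACL: rules keyed by seq-value."""

    def __init__(self):
        self.rules = {}  # seq-value -> {action, value, bits, count, hits}

    def add(self, action, source, seq=None, count=False):
        if seq is None:  # no seq given: append after the last rule (step of 10 assumed)
            seq = max(self.rules, default=0) + 10
        if not 1 <= seq <= 65535:
            raise ValueError("seq-value must be 1 through 65535")
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        value, bits = parse_source(source)
        self.rules[seq] = {"action": action, "value": value, "bits": bits,
                           "count": count, "hits": 0}

    def lookup(self, src):
        """Return (seq, action) of the first matching rule in seq order, or None
        when no rule matches (the device's handling of unmatched traffic is
        not modeled; the page's examples end with an explicit deny any)."""
        addr = int(ipaddress.IPv4Address(src))
        for seq in sorted(self.rules):
            rule = self.rules[seq]
            if addr & rule["bits"] == rule["value"]:
                if rule["count"]:
                    rule["hits"] += 1  # the count keyword's per-rule statistic
                return seq, rule["action"]
        return None
```

Reordering the two rules of the page's example (deny any at seq 5, permit host at seq 15) makes the permit rule unreachable, which lookup shows directly.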
Examples
The following example creates an IPv4 standard bACL, defines rules for it, and applies the bACL to an interface.
device# configure
device(config)# ip access-list standard bACL_int_3
device(conf-ipacl-std)# seq 5 permit host 10.20.33.4
device(conf-ipacl-std)# seq 15 deny any
device(conf-ipacl-std)# exit
device(config)# interface ethernet 0/5
device(conf-if-eth-0/5)# ip subnet-broadcast-acl bACL_int_3
The following example shows how to create an IPv4 standard bACL, define rules for it, and apply the ACL at device level.
device# configure
device(config)# ip access-list standard bACL_glb_9
device(conf-ipacl-std)# seq 5 permit host 10.20.33.4
device(conf-ipacl-std)# seq 15 deny any
device(conf-ipacl-std)# exit
device(config)# ip global-subnet-broadcast-acl bACL_glb_9