seq (rules in IPv4 extended ACLs)

Inserts filtering rules in IPv4 extended ACLs. Extended ACLs permit or deny traffic according to source addresses, as well as other parameters.
Syntax
    seq seq-value { permit | deny | hard-drop } ip-protocol { S_IPaddress mask | host S_IPaddress | any } [ source-operator [ S_port-numbers ] ] [ TCP-flags ] [ vlan vlanID ] [ count ] [ log ] [ mirror ] [ copy-sflow ] [ fragment | non-fragment ] [ connlimit connlimit-value ]

    { permit | deny | hard-drop } ip-protocol { S_IPaddress mask | host S_IPaddress | any } [ source-operator [ S_port-numbers ] ] [ TCP-flags ] [ count ] [ vlan vlanID ] [ log ] [ mirror ] [ copy-sflow ] [ fragment | non-fragment ] [ connlimit connlimit-value ]

    no { permit | deny | hard-drop } ip-protocol { S_IPaddress mask | host S_IPaddress | any } [ source-operator [ S_port-numbers ] ] [ TCP-flags ] [ vlan vlanID ] [ count ] [ log ] [ mirror ] [ copy-sflow ] [ fragment | non-fragment ] [ connlimit connlimit-value ]
Parameters
    - seq
        (Optional) Enables you to assign a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.
        - seq-value
            Valid values range from 1 through 65535.
    - permit
        Specifies rules to permit traffic.
    - deny
        Specifies rules to deny traffic.
    - hard-drop
        Overrides the trap behavior for control frames. However, hard-drop does not override a permit for this address in a preceding rule.
    - ip-protocol
        Indicates the type of IP packet you are filtering. The options are as follows:
        - <0-255>
            Protocol number: a custom value from 0 through 255.
        - icmp
            Internet Control Message Protocol
        - ip
            Any IP protocol
        - tcp
            (Supported only if the containing ACL is applied to incoming traffic) Transmission Control Protocol
        - udp
            User Datagram Protocol
    - S_IPaddress
        Specifies a source address for which you want to filter the subnet.
        - mask
            Defines a mask whose effect is to specify a subnet that includes the source address that you specified. For the ways to specify the mask, see the Usage Guidelines.
    - host
        Specifies a single source address.
        - S_IPaddress
            The source address.
    - any
        Specifies all source addresses.
    - source-operator
        If you specified tcp or udp as ip-protocol, the following optional operators are available:
        - eq
            The policy applies to the TCP or UDP port name or number you enter after eq.
        - gt
            The policy applies to TCP or UDP port numbers equal to or greater than the port number, or the numeric equivalent of the port name, you enter after gt.
        - lt
            The policy applies to TCP or UDP port numbers equal to or less than the port number, or the numeric equivalent of the port name, you enter after lt.
        - neq
            The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq.
        - range
            The policy applies to all TCP or UDP port numbers between the first TCP or UDP port name or number and the second one you enter after the range keyword. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter range 23 53 (two values separated by a space). The first port number in the range must be lower than the last number in the range.
    - S_port-numbers
        (Valid only when ip-protocol is tcp or udp) Specifies one or more source port numbers.
    - vlan vlanID
        Specifies a VLAN interface to which the ACL is bound.
    - TCP-flags
        If you specified tcp as ip-protocol, one or more of the following flags are available:
        - ack
            Filters packets for which the ack (acknowledge) flag is set.
        - fin
            Filters packets for which the fin (finish) flag is set.
        - rst
            Filters packets for which the rst (reset) flag is set.
        - sync
            Filters packets for which the syn (synchronize) flag is set.
        - urg
            Filters packets for which the urg (urgent) flag is set.
        - push
            Filters packets for which the psh (push) flag is set.
    - count
        Enables statistics for the rule.
    - log
        Enables inbound logging for the rule. In addition, the ACL log buffer must be enabled, using the debug access-list-log buffer command.
    - mirror
        (Supported for rules in ACLs applied on physical interfaces to inbound traffic. Not supported for PBR, rACLs, or ACL-RL.) Mirrors packets matching the rule.
    - copy-sflow
        For incoming traffic, sends matching packets to the sFlow collector.
    - fragment
        Filters fragmented packets. This keyword and the non-fragment keyword cannot be used together.
    - non-fragment
        Filters non-fragmented packets. This keyword and the fragment keyword cannot be used together.
    - connlimit connlimit-value
        Number of connections allowed per IP address.
Modes
    ACL configuration mode
Usage Guidelines
    The order of the rules in an ACL is critical, as the first matching rule stops further processing. When creating rules, specifying sequence values determines the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list.

    You can specify a mask in either of the following ways:
    - Wildcard mask format, for example 0.0.0.255. The advantage of this format is that it enables you to mask any bit, for example by specifying 0.255.0.255.
    - Classless Interdomain Routing (CIDR) format, in which you specify the number of bits of the prefix. For example, appending /24 to an IPv4 address is equivalent to specifying 0.0.0.255 in wildcard mask format.

    Although in an extended-ACL rule you can include log, mirror, and copy-sflow, only one of the three is processed, as follows:
    - In a permit rule, the order of precedence is mirror > copy-sflow > log.
    - In a deny or hard-drop rule, the order of precedence is log > copy-sflow > mirror.

    If you are defining rules for a QoS ACL, be aware of the following considerations for ACLs implemented under flow-based QoS. (For details, refer to the Extreme SLX-OS QoS and Traffic Management Configuration Guide.)
    - Because ACLs applied for QoS implement a unified counter for all rules in an ACL, rule-level count keywords are ignored.
    - The deny keyword functions as a PASS THROUGH: for a match, the QoS action defined for that class is not applied.

    For both interface ACLs and receive-path ACLs, you use identical commands to create the ACLs. You also use identical commands to define permit/deny rules in the ACLs. The only variance is the command you use to apply the ACL:
    - To apply an interface ACL, from an interface-subtype configuration mode you use the { ip | ipv6 | mac } access-group command.
    - To apply a receive-path ACL, from global configuration mode you use the { ip | ipv6 } receive access-group command.

    To delete a rule from an ACL, do the relevant of the following:
    - If you know the rule number, enter no seq seq-value.
    - If you do not know the rule number, type no followed by the full syntax without seq seq-value.

    Filtering fragmented or non-fragmented packets is only supported on ingress ACLs. On the SLX 9540 and SLX 9640, fragment match is only supported on the BGP FS profile. This ACL can also be used with RACL, PBR, and RL. Do not use Layer-4 matching along with fragment matching: fragmented packets might not carry Layer-4 information, and combining the two will most likely cause issues. ACL filtering of fragmented and non-fragmented packets is not supported on SLX 9150 and SLX 9250 devices.

    The effect of a configured connlimit value depends on the rule action. When used with a permit rule, this command limits the concurrent connections from a particular IP address to this value. When used with a deny rule, this command allows connections up to this limit and denies any further connections from that IP address. Connection limiting is applicable only to the management interfaces and not to the front panel (ethernet) ports. Existing sessions might be disrupted when this value is configured.
        
Examples
    The following example creates an IPv4 extended ACL and defines rules.

        device(config)# ip access-list extended extdACL5
        device(conf-ipacl-ext)# seq 5 deny tcp host 10.24.26.145 any eq 23
        device(conf-ipacl-ext)# seq 7 deny tcp any any eq 80
        device(conf-ipacl-ext)# seq 10 deny udp any any range 10 25
        device(conf-ipacl-ext)# seq 15 permit tcp any any

    The following example creates an IPv4 extended ACL, defines rules in the ACL, and applies it as a receive-path ACL.

        device(config)# ip access-list extended ipv4-receive-acl-example
        device(conf-ipacl-ext)# hard-drop tcp host 10.0.0.1 any count
        device(conf-ipacl-ext)# hard-drop udp any host 20.0.0.1 count
        device(conf-ipacl-ext)# permit tcp host 10.0.0.2 any eq telnet count
        device(conf-ipacl-ext)# permit tcp host 10.0.0.2 any eq bgp count
        device(conf-ipacl-ext)# hard-drop tcp host 10.0.0.3 host 224.0.0.1 count
        device(conf-ipacl-ext)# exit
        device(config)# ip receive access-group ipv4-receive-acl-example
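To make the rule semantics described in the Usage Guidelines concrete (first match wins, seq ordering, a rule entered without seq landing at the end, wildcard and CIDR masks, inclusive port operators), here is an added Python model built around the extdACL5 example; it is illustration code written for this page, not SLX-OS code. It assumes that the destination address (not listed in the syntax block above) is not modelled, that a rule added without seq receives the last sequence number plus 10, and that a packet matching no rule yields None rather than an implicit action.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass
class Rule:
    action: str                 # permit | deny | hard-drop
    proto: str                  # tcp | udp | ip ("ip" matches any IP protocol)
    src: str                    # "any", "host A.B.C.D", "A.B.C.D W.W.W.W" (wildcard) or "A.B.C.D/nn"
    op: tuple = ()              # ("eq", 23), ("range", 10, 25), ... or () for no operator
    seq: Optional[int] = None   # None: the rule is added at the end of the list

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    if "/" in spec:  # CIDR form: /24 is equivalent to the wildcard mask 0.0.0.255
        return IPv4Address(addr) in IPv4Network(spec, strict=False)
    base, wild = (int(IPv4Address(x)) for x in spec.split())
    keep = ~wild  # 1 bits in a wildcard mask are "don't care", so only the 0 bits are compared
    return int(IPv4Address(addr)) & keep == base & keep

def port_match(op: tuple, port: int) -> bool:
    if not op:  # gt, lt and range are inclusive, as the Parameters list states
        return True
    if op[0] == "range":
        return op[1] <= port <= op[2]
    p = op[1]
    return {"eq": port == p, "gt": port >= p, "lt": port <= p, "neq": port != p}[op[0]]

def add_rule(acl: list, rule: Rule) -> None:
    # With seq the rule is sorted into place. Without seq the page only says it goes
    # to the end of the list; giving it last seq + 10 is this example's assumption.
    if rule.seq is None:
        rule.seq = acl[-1].seq + 10 if acl else 10
    acl.append(rule)
    acl.sort(key=lambda r: r.seq)

def evaluate(acl: list, proto: str, src: str, port: int) -> Optional[tuple]:
    """(seq, action) of the first matching rule; later rules are never consulted."""
    for r in acl:
        if r.proto in ("ip", proto) and addr_match(r.src, src) and (
                r.proto not in ("tcp", "udp") or port_match(r.op, port)):
            return r.seq, r.action
    return None

def build_extdACL5() -> list:
    acl: list = []  # the page's extdACL5 rules, entered out of order, plus one without seq
    add_rule(acl, Rule("deny", "tcp", "host 10.24.26.145", ("eq", 23), seq=5))
    add_rule(acl, Rule("deny", "udp", "any", ("range", 10, 25), seq=10))
    add_rule(acl, Rule("permit", "tcp", "any", seq=15))
    add_rule(acl, Rule("deny", "tcp", "any", ("eq", 80), seq=7))  # sorts between seq 5 and 10
    add_rule(acl, Rule("deny", "ip", "10.24.26.0 0.0.0.255"))  # becomes seq 25, after the permit
    return acl
```

The last rule shows why ordering matters: because it was appended after seq 15, TCP traffic from 10.24.26.0/24 is already permitted before the subnet deny is ever reached.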