Commands For ACL

9.1 Commands for ACL

9.1.1 absolute-periodic/periodic

Command: absolute-periodic {Monday |Tuesday |Wednesday |Thursday |Friday |Saturday |Sunday} <start-time> to {Monday |Tuesday |Wednesday |Thursday |Friday |Saturday |Sunday} <end-time>
no absolute-periodic {Monday |Tuesday |Wednesday |Thursday |Friday |Saturday |Sunday} <start-time> to {Monday |Tuesday |Wednesday |Thursday |Friday |Saturday |Sunday} <end-time>
periodic { {Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start-time> to <end-time>
no periodic { {Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start-time> to <end-time>
Function: Define a time range within one week; the definition repeats every week.
Parameters:

  • Monday: Monday.
  • Tuesday: Tuesday.
  • Wednesday: Wednesday.
  • Thursday: Thursday.
  • Friday: Friday.
  • Saturday: Saturday.
  • Sunday: Sunday.
  • daily: every day of the week.
  • weekdays: Monday through Friday.
  • weekend: Saturday and Sunday.
  • <start-time>: start time, HH:MM:SS (hour:minute:second).
  • <end-time>: end time, HH:MM:SS (hour:minute:second).
  • Remark: the time range is polled once per minute, so the timing error is up to one minute.

Command mode: Time-range Mode
Default: No time-range configuration.
Usage guide: Periodic time and date: a period is a specific time span within the week (Monday through Sunday) that repeats every week. It takes one of two forms:
day1 hh:mm:ss to day2 hh:mm:ss, or
{[day1+day2+day3+day4+day5+day6+day7] | weekend | weekdays | daily} hh:mm:ss to hh:mm:ss
Example: Make configurations effective within the period from 9:15:30 on Tuesday to 12:30:00 on Saturday.

active500EM(config)#time-range admin-timer
active500EM(Config-Time-Range-admin-timer)#absolute-periodic Tuesday 9:15:30 to Saturday 12:30:00

Make configurations effective within the period from 14:30:00 to 16:45:00 on Monday, Wednesday, Friday, and Sunday.

active500EM(Config-Time-Range-admin-timer)#periodic Monday Wednesday Friday Sunday 14:30:00 to 16:45:00

 

9.1.2 absolute start

Command: absolute start <start-time> <start-date> [end <end-time> <end-date>]
no absolute start <start-time> <start-date> [end <end-time> <end-date>]
Function: Define an absolute time range. This time range operates subject to the clock on the switch.
Parameters:

  • <start-time>: start time, HH:MM:SS (hour: minute: second).
  • <end-time>: end time, HH:MM:SS (hour: minute: second).
  • <start-date>: start date, in YYYY.MM.DD (year.month.day) format.
  • <end-date>: end date, in YYYY.MM.DD (year.month.day) format.
  • Remark: the time range is polled once per minute, so the timing error is up to one minute.

Command mode: Time-range Mode
Default: No time-range configuration.
Usage guide: Absolute time and date: assign a specific year, month, day, hour, and minute to the start (and optionally the end). Only one absolute time and date can be configured; if the command is entered again, the later configuration overwrites the earlier one.
Example: Make configurations effective from 6:00:00 to 13:30:00 from Oct. 1, 2004 to Jan. 26, 2005.

active500EM(config)#time-range admin-timer
active500EM(Config-Time-Range-admin-timer)#absolute start 6:00:00 2004.10.1 end 13:30:00 2005.1.26
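As an added example (not from this manual), the following Python evaluates time-range definitions written in the syntax of 9.1.1 and 9.1.2 against a clock value, so the effect of the absolute-periodic, periodic and absolute commands shown above can be checked before they are applied. It assumes that the absolute window bounds the range and that, inside it, any matching periodic entry makes the range active.

```python
# Added example (not from the manual): evaluate Time-range Mode commands
# of sections 9.1.1/9.1.2 against a given clock value.
from datetime import date, datetime, time

DAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
        "Friday": 4, "Saturday": 5, "Sunday": 6}
GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def parse_hms(text):
    """HH:MM:SS as on the page (hours may be unpadded, e.g. 9:15:30)."""
    h, m, s = (int(x) for x in text.split(":"))
    return time(h, m, s)


def parse_ymd(text):
    """YYYY.MM.DD as on the page (month/day may be unpadded, e.g. 2004.10.1)."""
    y, m, d = (int(x) for x in text.split("."))
    return date(y, m, d)


def week_seconds(dow, t):
    """Seconds since Monday 00:00:00, so a day1..day2 span compares linearly."""
    return dow * 86400 + t.hour * 3600 + t.minute * 60 + t.second


class TimeRange:
    """One named time-range: its periodic entries and its single absolute window."""

    def __init__(self, name):
        self.name = name
        self.periodic = []           # (set of weekday numbers, start, end)
        self.absolute_periodic = []  # (day1, start, day2, end)
        self.absolute = None         # (start datetime, end datetime or None)

    def apply(self, line):
        """Parse one Time-range Mode command exactly as typed on the page."""
        tok = line.split()
        if tok[0] == "absolute-periodic":
            _, d1, t1, _to, d2, t2 = tok
            self.absolute_periodic.append((DAYS[d1], parse_hms(t1), DAYS[d2], parse_hms(t2)))
        elif tok[0] == "periodic":
            to = tok.index("to")
            days = set()
            for word in tok[1:to - 1]:          # day list may use '+' or spaces
                for d in word.split("+"):
                    days |= GROUPS[d] if d in GROUPS else {DAYS[d]}
            self.periodic.append((days, parse_hms(tok[to - 1]), parse_hms(tok[to + 1])))
        elif tok[:2] == ["absolute", "start"]:
            start = datetime.combine(parse_ymd(tok[3]), parse_hms(tok[2]))
            end = None
            if len(tok) >= 7 and tok[4] == "end":
                end = datetime.combine(parse_ymd(tok[6]), parse_hms(tok[5]))
            self.absolute = (start, end)  # later absolute overwrites the earlier one (usage guide)
        else:
            raise ValueError("unsupported time-range command: " + line)
        return self

    def active(self, when):
        """Assumption: the absolute window bounds the range; inside it, any matching
        periodic entry activates the range (no periodic entries => always active)."""
        if self.absolute is not None:
            start, end = self.absolute
            if when < start or (end is not None and when > end):
                return False
        if not self.periodic and not self.absolute_periodic:
            return True
        dow, t = when.weekday(), when.time()
        for days, t1, t2 in self.periodic:
            if dow in days and t1 <= t <= t2:
                return True
        x = week_seconds(dow, t)
        for d1, t1, d2, t2 in self.absolute_periodic:
            a, b = week_seconds(d1, t1), week_seconds(d2, t2)
            if (a <= x <= b) if a <= b else (x >= a or x <= b):  # second form wraps past Sunday
                return True
        return False

    def active_iso(self, text):
        """Convenience wrapper taking an ISO 8601 timestamp string."""
        return self.active(datetime.fromisoformat(text))


def time_range_from_cli(name, lines):
    tr = TimeRange(name)
    for line in lines:
        tr.apply(line)
    return tr


# The three commands from the page's examples, combined into one time-range.
ADMIN_TIMER = time_range_from_cli("admin-timer", [
    "absolute-periodic Tuesday 9:15:30 to Saturday 12:30:00",
    "periodic Monday Wednesday Friday Sunday 14:30:00 to 16:45:00",
    "absolute start 6:00:00 2004.10.1 end 13:30:00 2005.1.26",
])

if __name__ == "__main__":
    for probe in ("2004-10-06T10:00:00", "2004-10-03T15:00:00", "2005-02-01T10:00:00"):
        print(probe, "active" if ADMIN_TIMER.active_iso(probe) else "inactive")
```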

 

9.1.3 access-list deny-preemption

Command: access-list deny-preemption
no access-list deny-preemption
Function: Enable the deny-preemption function. The no command disables the deny-preemption function.
Parameters: None.
Command mode: Global Mode
Default: deny-preemption is enabled.
Usage guide: Enable the deny-preemption function, which is used between the ACL module and other modules and limits the number of ACL rules. The firewall must be enabled before this command is used. If the ACL has already been written to hardware, this command takes effect only after the firewall is reset.
Example: Disable the deny-preemption function.

active500EM(config)#no access-list deny-preemption

 

9.1.4 access-list (ip extended)

Command: access-list <num> {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
no access-list <num>
Function: Create a numeric extended IP access rule to match a specific IP protocol or all IP protocols.
Parameters:

  • <num>: access-list number; valid values are 100-299.
  • <protocol>: IP upper-layer protocol number; valid values are 0-255.
  • <sIpAddr>: source IP address in dotted decimal notation.
  • <sMask>: reverse mask of the source IP address in dotted decimal notation.
  • <dIpAddr>: destination IP address in dotted decimal notation.
  • <dMask>: reverse mask of the destination IP address in dotted decimal notation (a 0 bit must match, a 1 bit is ignored).
  • <igmp-type>: IGMP type; valid values are 0-15.
  • <icmp-type>: ICMP type; valid values are 0-255.
  • <icmp-code>: ICMP code; valid values are 0-255.
  • <prec>: IP precedence; valid values are 0-7.
  • <tos>: TOS value; valid values are 0-15.
  • <sPort>: source port number; valid values are 0-65535.
  • <sPortMin>: lower bound of the source port range.
  • <sPortMax>: upper bound of the source port range.
  • <dPortMin>: lower bound of the destination port range.
  • <dPortMax>: upper bound of the destination port range.
  • <dPort>: destination port number; valid values are 0-65535.
  • <time-range-name>: name of the time-range.

Command mode: Global Mode
Default: No access-lists configured.
Usage guide: When the user assigns a specific <num> for the first time, the ACL with that number is created; subsequent rules are added to it. Access lists numbered 200-299 may use non-contiguous reverse masks for IP addresses. <igmp-type> represents the type of the IGMP packet. Values include the following:
17 (0x11): IGMP QUERY packet
18 (0x12): IGMP V1 REPORT packet
22 (0x16): IGMP V2 REPORT packet
23 (0x17): IGMP V2 LEAVE packet
34 (0x22): IGMP V3 REPORT packet
19 (0x13): DVMR packet
20 (0x14): PIM V1 packet
Note: The packet types listed apply only to packets without IP OPTION fields. IGMP packets normally carry OPTION fields, so this configuration does not match them; to match packets that contain OPTION, configure OFFSET as described in the instructions.
Example: Create the numeric extended access-list with serial number 110. Deny ICMP packets, and permit UDP packets with destination address 192.168.0.1 and destination port 32.

active500EM(config)#access-list 110 deny icmp any any-destination
active500EM(config)#access-list 110 permit udp any host-destination 192.168.0.1 d-port 32

 

9.1.5 access-list (ip standard)

Command: access-list <num> {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
no access-list <num>
Function: Create a numeric standard IP access-list. If this access-list exists, then add a rule list. The no command deletes a numeric standard IP access-list.
Parameters:

  • <num>: the number of the access-list with valid values 100-199.
  • <sIpAddr>: the source IP address in dotted decimal notation format.
  • <sMask>: the reverse mask of the source IP in dotted decimal notation format.

Command mode: Global Mode
Default: No access-lists configured.
Usage guide: When the user assigns a specific <num> for the first time, the ACL with that number is created; subsequent rules are added to it.
Example: Create a numeric standard IP access list with serial number of 20. Permit data packets with source address of 10.1.1.0/24 to pass and deny other packets with source address of 10.1.1.0/16.

active500EM(config)#access-list 20 permit 10.1.1.0 0.0.0.255
active500EM(config)#access-list 20 deny 10.1.1.0 0.0.255.255
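As an added example (not from this manual), the following Python reproduces the reverse-mask matching described in 9.1.4 and 9.1.5 and evaluates access-list 20 above against sample source addresses. First-match ordering, the firewall default action for unmatched packets, and the rule that only lists 200-299 may use non-contiguous reverse masks are taken from the usage guides; the class and function names are this example's own.

```python
# Added example (not from the manual): first-match evaluation of numbered
# standard IP access-list rules using reverse (wildcard) masks.
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def reverse_mask_match(addr, base, reverse_mask):
    """A 0 bit in the reverse mask must match; a 1 bit is ignored (page: <dMask>)."""
    care = ~reverse_mask & 0xFFFFFFFF
    return (addr & care) == (base & care)


def is_contiguous(reverse_mask):
    """True when the ignored bits form one run at the low end, e.g. 0.0.0.255 or 0.0.255.255."""
    return (reverse_mask & (reverse_mask + 1)) == 0


class NumberedIpAcl:
    """Rules are kept in configured order; the first matching rule decides (assumed semantics)."""

    def __init__(self, num):
        self.num = num
        self.rules = []   # (action, base, reverse_mask, original line)

    def add(self, line):
        """Accept 'access-list <num> {deny|permit} {<ip> <mask> | any-source | any | host-source <ip>}'."""
        tok = line.split()
        if tok[0] != "access-list" or int(tok[1]) != self.num or tok[2] not in ("deny", "permit"):
            raise ValueError("not a rule for access-list %d: %s" % (self.num, line))
        action, src = tok[2], tok[3:]
        if src in (["any-source"], ["any"]):
            base, mask = 0, 0xFFFFFFFF
        elif len(src) == 2 and src[0] == "host-source":
            base, mask = to_int(src[1]), 0
        elif len(src) == 2:
            base, mask = to_int(src[0]), to_int(src[1])
        else:
            raise ValueError("bad source term: " + line)
        # Page usage guide (9.1.4): only lists numbered 200-299 may use non-contiguous reverse masks.
        if not is_contiguous(mask) and not 200 <= self.num <= 299:
            raise ValueError("non-contiguous reverse mask needs an access-list numbered 200-299")
        self.rules.append((action, base, mask, line))
        return self

    def evaluate(self, src_ip, firewall_default="permit"):
        """Return (action, index of the deciding rule, or None when the firewall default applied)."""
        addr = to_int(src_ip)
        for i, (action, base, mask, _) in enumerate(self.rules):
            if reverse_mask_match(addr, base, mask):
                return action, i
        return firewall_default, None


# The page's example: permit 10.1.1.0/24, deny the rest of 10.1.0.0/16.
ACL_20 = (NumberedIpAcl(20)
          .add("access-list 20 permit 10.1.1.0 0.0.0.255")
          .add("access-list 20 deny 10.1.1.0 0.0.255.255"))

if __name__ == "__main__":
    for ip in ("10.1.1.5", "10.1.2.5", "10.2.1.5"):
        print(ip, ACL_20.evaluate(ip))
```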

 

9.1.6 access-list (mac extended)

Command: access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} {untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3} [<offset1> <length1> <value1> [<offset2> <length2> <value2> [<offset3> <length3> <value3> [<offset4> <length4> <value4>]]]]
no access-list <num>
Function: Define an extended numeric MAC ACL rule. The no command deletes an extended numeric MAC access-list rule.
Parameters:

  • <num>: access-list number, a decimal number with valid values 1100-1199.
  • deny: deny access when the rule matches.
  • permit: permit access when the rule matches.
  • any-source-mac: any source MAC address.
  • any-destination-mac: any destination MAC address.
  • <host-smac>, <smac>: source MAC address.
  • <smac-mask>: mask (reverse mask) of the source MAC address.
  • <host-dmac>, <dmac>: destination MAC address.
  • <dmac-mask>: mask (reverse mask) of the destination MAC address.
  • untagged-eth2: untagged Ethernet II frame format.
  • tagged-eth2: tagged Ethernet II frame format.
  • untagged-802-3: untagged Ethernet 802.3 frame format.
  • tagged-802-3: tagged Ethernet 802.3 frame format.
  • Offset(x): byte offset from the start of the frame; valid range 12-79. The window must begin after the source MAC address, and Offset(x+1) must be greater than Offset(x)+Length(x).
  • Length(x): window length in bytes; valid values 1-4. Offset(x)+Length(x) must not exceed 80 (currently it must not exceed 64).
  • Value(x): the value to match, in hexadecimal.
  • Value range: when Length(x) = 1, 0-ff; when Length(x) = 2, 0-ffff; when Length(x) = 3, 0-ffffff; when Length(x) = 4, 0-ffffffff.
  • For Offset(x), different types of data frames are associated to different value ranges:
    • for untagged-eth2 type frame: <12-75>
    • for untagged-802.2 type frame: <20-75>
    • for untagged-eth2 type frame: <12-79>
    • for untagged-eth2 type frame: <12-15> <24-79>

Command mode: Global Mode
Default: No access-list configured.
Usage guide: When the user assigns a specific <num> for the first time, the ACL with that number is created; subsequent rules are added to it.
Example: Permit tagged Ethernet II packets with any source MAC address and any destination MAC address whose 17th and 18th bytes are 0x08 and 0x00.

active500EM(config)#access-list 1100 permit any-source-mac any-destination-mac tagged-eth2 16 2 0800
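As an added example (not from this manual), the following Python builds constructed tagged and untagged Ethernet II frames and applies the <offset> <length> <value> windows of the rule above to them, enforcing the offset, length, value-size and ordering limits from the parameter list. It shows why offset 16 reads the EtherType only in a tagged frame: the 4-byte 802.1Q tag sits between the source MAC and the EtherType. All frame contents and function names are this example's own.

```python
# Added example (not from the manual): offset/length/value window matching
# for the extended MAC ACL of section 9.1.6.
import struct

MAX_WINDOWS = 4
OFFSET_MIN, OFFSET_MAX = 12, 79
LENGTH_MIN, LENGTH_MAX = 1, 4
WINDOW_END_LIMIT = 64   # page: offset+length must not exceed 80, currently 64


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Constructed sample frame: Ethernet II, optionally 802.1Q tagged (TPID 0x8100)."""
    head = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    if vlan_id is not None:
        head += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return head + struct.pack("!H", ethertype) + payload


def parse_windows(tokens):
    """tokens: the trailing '<offset> <length> <value> ...' words of the access-list line."""
    if not tokens or len(tokens) % 3 or len(tokens) // 3 > MAX_WINDOWS:
        raise ValueError("expect 1-4 offset/length/value triples")
    windows = []
    for i in range(0, len(tokens), 3):
        offset, length, value = int(tokens[i]), int(tokens[i + 1]), tokens[i + 2]
        if not OFFSET_MIN <= offset <= OFFSET_MAX:
            raise ValueError("offset %d outside %d-%d" % (offset, OFFSET_MIN, OFFSET_MAX))
        if not LENGTH_MIN <= length <= LENGTH_MAX:
            raise ValueError("length %d outside %d-%d" % (length, LENGTH_MIN, LENGTH_MAX))
        if offset + length > WINDOW_END_LIMIT:
            raise ValueError("offset+length exceeds %d" % WINDOW_END_LIMIT)
        if int(value, 16) >= 1 << (8 * length):
            raise ValueError("value %s does not fit in %d byte(s)" % (value, length))
        # Page rule: Offset(x+1) must be greater than Offset(x)+Length(x).
        if windows and offset <= windows[-1][0] + windows[-1][1]:
            raise ValueError("windows must be ascending: offset(x+1) > offset(x)+length(x)")
        windows.append((offset, length, int(value, 16).to_bytes(length, "big")))
    return windows


def frame_matches(frame, windows):
    """True when every window's bytes equal the configured value (a short frame never matches)."""
    for offset, length, value in windows:
        if frame[offset:offset + length] != value:
            return False
    return True


def acl_1100_matches(frame):
    """The page's rule: tagged-eth2, any MACs, bytes 16-17 == 0x0800 (EtherType after the tag)."""
    return frame_matches(frame, parse_windows(["16", "2", "0800"]))


# Constructed sample frames (addresses and payload are illustrative only).
IPV4_PAYLOAD = bytes.fromhex("4500001c000100004001")   # first bytes of an IPv4 header
TAGGED_IPV4 = build_frame("00-11-22-33-44-55", "66-77-88-99-aa-bb", 0x0800, IPV4_PAYLOAD, vlan_id=10)
TAGGED_ARP = build_frame("ff-ff-ff-ff-ff-ff", "66-77-88-99-aa-bb", 0x0806, b"\x00" * 28, vlan_id=10)
UNTAGGED_IPV4 = build_frame("00-11-22-33-44-55", "66-77-88-99-aa-bb", 0x0800, IPV4_PAYLOAD)

if __name__ == "__main__":
    for name, frame in (("tagged IPv4", TAGGED_IPV4), ("tagged ARP", TAGGED_ARP),
                        ("untagged IPv4", UNTAGGED_IPV4)):
        print(name, "matches" if acl_1100_matches(frame) else "does not match")
```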

 

9.1.7 access-list (mac-ip extended)

Command: access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
no access-list <num>
Function: Define an extended numeric MAC-IP ACL rule. The no command deletes an extended numeric MAC-IP access-list rule.
Parameters:

  • <num>: access-list serial number, a decimal number with valid values 3100-3299.
  • deny: deny access when the rule matches.
  • permit: permit access when the rule matches.
  • any-source-mac: any source MAC address.
  • any-destination-mac: any destination MAC address.
  • <host-smac>, <smac>: source MAC address.
  • <smac-mask>: mask (reverse mask) of the source MAC address.
  • <host-dmac>, <dmac>: destination MAC address.
  • <dmac-mask>: mask (reverse mask) of the destination MAC address.
  • <protocol>: name or number of the IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, ospf, tcp, udp, or an integer from 0-255 giving the IP protocol number. Use the keyword ip to match all IP protocols (including ICMP, TCP, and UDP).
  • <source-host-ip>, <source>: address of the source host or source network, a 32-bit value in dotted decimal notation.
  • host: the address is a source host address or a network address.
  • <source-wildcard>: reverse mask of the source IP address, a 32-bit value in dotted decimal notation.
  • <destination-host-ip>, <destination>: address of the destination host or destination network, a 32-bit value in dotted decimal notation.
  • host: the address is a destination host address or a network address.
  • <destination-wildcard>: reverse mask of the destination IP address, a 32-bit value in dotted decimal notation.
  • s-port (optional): match on the TCP/UDP source port.
  • port1 (optional): TCP/UDP source port number, an integer from 0-65535.
  • d-port (optional): match on the TCP/UDP destination port.
  • <sPortMin>: lower bound of the source port range.
  • <sPortMax>: upper bound of the source port range.
  • port3 (optional): TCP/UDP destination port number, an integer from 0-65535.
  • <dPortMin>: lower bound of the destination port range.
  • <dPortMax>: upper bound of the destination port range.
  • [ack] [fin] [psh] [rst] [urg] [syn] (optional): TCP only. One or more flags may be given; a TCP segment matches when the selected flag bits are set in its header.
  • precedence (optional): filter packets by IP precedence; valid values are 0-7.
  • tos (optional): filter packets by type of service; valid values are 0-15.
  • icmp-type (optional): filter ICMP packets by type; valid values are 0-255.
  • icmp-code (optional): filter ICMP packets by code; valid values are 0-255.
  • igmp-type (optional): filter IGMP packets by packet name or type; valid values are 0-255.
  • <time-range-name>: name of the time range.

Command mode: Global Mode
Default: No access-list configured.
Usage guide: When the user assigns a specific <num> for the first time, the ACL with that number is created; subsequent rules are added to it. Access lists numbered 3200-3299 may use non-contiguous reverse masks for IP addresses.
Example: Permit TCP packets with source MAC 00-12-34-45-XX-XX, any destination MAC address, source IP address 100.1.1.0 0.255.255.255, source port 100 and destination port 40000.

active500EM(config)#access-list 3199 permit 00-12-34-45-67-00 00-00-00-00-FF-FF any-destination-mac tcp 100.1.1.0 0.255.255.255 s-port 100 any-destination d-port 40000

 

9.1.8 access-list(mac standard)

Command: access-list <num> {deny|permit} {any-source-mac | {host-source-mac <host-smac> } | {<smac> <smac-mask>} }
no access-list
Function: Define a standard numeric MAC ACL rule. The no command deletes the standard numeric MAC ACL access-list rule.
Parameters:

  • <num>: the access-list number; valid values include a decimal number from 700-799.
  • deny: deny access when the rule matches.
  • permit: permit access when the rule matches.
  • <host-smac>, <smac>: source MAC address.
  • <smac-mask>: mask (reverse mask) of the source MAC address.

Command mode: Global Mode
Default: No access-list configured.
Usage guide: When the user assigns a specific <num> for the first time, the ACL with that number is created; subsequent rules are added to it.
Example: Permit the passage of packets with source MAC address 00-00-XX-XX-00-01, and deny passage of packets with source MAC address 00-00-00-XX-00-ab.

active500EM(config)# access-list 700 permit 00-00-00-00-00-01 00-00-FF-FF-00-00
active500EM(config)# access-list 700 deny 00-00-00-00-00-ab 00-00-00-FF-00-00

 

9.1.9 clear access-group statistic interface

Command: clear access-group [in | out] statistic interface [ethernet] <IFNAME>
Functions: Clear the specified interface packet statistics.
Parameters:

  • in: inbound packets.
  • out: outbound packets.
  • ethernet: Ethernet port.
  • <IFNAME>: interface name or number.

Command mode: Admin Mode
Default: None.
Usage guide: Clear the specified interface packet statistics.
Example: Clear the packet statistics of interface 1/0/1.

active500EM#clear access-group out statistic interface ethernet 1/0/1

 

9.1.10 firewall

Command: firewall {enable | disable}
Function: Enable or disable a firewall.
Parameters:

  • enable: enable the firewall.
  • disable: disable the firewall.

Command mode: Global Mode
Default: Enable the firewall.
Usage guide: Access rules can be configured whether the firewall is enabled or disabled, but they can be bound to specific ports only while the firewall is enabled. When the firewall is disabled, all ACLs bound to ports are deleted.
Example: Enable the firewall.

active500EM(config)#firewall enable

 

9.1.11 firewall default

Command: firewall default {permit | deny [ipv4 | ipv6 | all]}
Function: Configure default actions of the firewall.
Parameters:

  • permit: permit data packets to pass.
  • deny [ipv4 | ipv6 | all]: deny IPv4, IPv6 or all data packets. A configured default deny can be cancelled with firewall default permit.

Command mode: Global Mode.
Default: Permit.
Usage guide: This command affects all packets entering the switch on a port.
Example: Configure the firewall default action as permitting packets to pass.

active500EM(config)#firewall default permit

 

9.1.12 ip access extended

Command: ip access extended <name>
no ip access extended
Function: Create a named extended IP access list. The no command removes the named extended IP access list including all rules.
Parameters:

  • <name>: access list name. The name must not consist entirely of digits; the valid length is 1 to 32 characters.

Command mode: Global Mode
Default: Not configured.
Usage guide: When this command is issued for the first time, an empty access list will be created.
Example: Create an extended IP access list named tcpFlow.

active500EM(config)#ip access-list extended tcpFlow

 

9.1.13 ip access standard

Command: ip access standard <name>
no ip access standard
Function: Create a named standard access list. The no command removes the named standard access list including all rules in the list.
Parameters:

  • <name>: access list name. The name must not consist entirely of digits; the valid length is 1 to 32 characters.

Command mode: Global Mode
Default: Not configured.
Usage guide: When this command is issued for the first time, an empty access list will be created.
Example: Create a standard IP access list named ipFlow.

active500EM(config)#ip access-list standard ipFlow

 

9.1.14 ipv6 access-list

Command: ipv6 access-list <num-std> {deny | permit} {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}}
ipv6 access-list <num-ext> {deny | permit} icmp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
ipv6 access-list <num-ext> {deny | permit} tcp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dPort {<dPort> | range <dPortMin> <dPortMax>}] [syn | ack | urg | rst | fin | psh] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
ipv6 access-list <num-ext> {deny | permit} udp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dPort {<dPort> | range <dPortMin> <dPortMax>}] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
ipv6 access-list <num-ext> {deny | permit} <next-header> {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
no ipv6 access-list {<num-std> | <num-ext>}
Function: Create a numbered standard or extended IPv6 access-list. If the access-list already exists, the rule is added to it. The no command deletes the numbered IPv6 access-list.
Parameters:

  • <num-std>: list number. The list range is between 500 and 599.
  • <num-ext>: list number. The list range is between 600 and 699.
  • <sIPv6Prefix>: IPV6 source address prefix.
  • <sPrefixlen>: IPV6 source address prefix length. The valid range is between 1 and 128.
  • <sIPv6Addr>: IPV6 source address.
  • <dIPv6Prefix>: IPV6 destination address prefix.
  • <dPrefixlen>: IPV6 destination address prefix length. The valid range is between 1 and 128.
  • <dIPv6Addr>: IPV6 destination address.
  • <icmp-type>: ICMP type.
  • <icmp-code>: ICMP code.
  • <dscp>: IPv6 priority (DSCP). The valid range is from 0 to 63.
  • <flowlabel>: flow label value. The valid range is from 0 to 1048575.
  • syn, ack, urg, rst, fin, psh: TCP flag positions.
  • <sPort>: source port number. The valid range is from 0 to 65535.
  • <sPortMin>: source port minimum boundary.
  • <sPortMax>: source port maximum boundary.
  • <dPort>: destination port number. The valid range is from 0 to 65535.
  • <dPortMin>: destination port minimum boundary.
  • <dPortMax>: destination port maximum boundary.
  • <next-header>: IPv6 next header. The valid range is from 0 to 255.
  • <time-range-name>: time-range name.

Command mode: Global Mode
Default: No access-list configured.
Usage guide: The first time this command is issued with a given number (for example 520), it creates that standard IPv6 access-list; later commands with the same number add rules to it.
Example: Create standard IPv6 access-list 520. Permit packets from source 2003:1:2:3::1/64 to pass, and deny all other packets from source 2003:1:2::1/48.

active500EM(config)#ipv6 access-list 520 permit 2003:1:2:3::1/64
active500EM(config)#ipv6 access-list 520 deny 2003:1:2::1/48

 

9.1.15 ipv6 access standard

Command: ipv6 access-list standard <name>
no ipv6 access-list standard
Function: Create a name-based standard IPv6 access list. The no command deletes the name-based standard IPv6 access list (including all entries).
Parameter:

  • <name>: access list name. The character string length is from 1 to 32.

Command mode: Global Mode
Default: No access list is configured.
Usage guide: The first time this command is issued, an empty access list with no entries is created.
Example: Create a standard IPv6 access list named ip6Flow.

active500EM(config)#ipv6 access-list standard ip6Flow

 

9.1.16 ipv6 access extended

Command: ipv6 access-list extended <name>
no ipv6 access-list extended
Function: Create a name-based extended IPv6 access list. The no command deletes the name-based extended IPv6 access list.
Parameter:

  • <name>: name for the access list. The valid character string length is from 1 to 32 characters.

Command mode: Global Mode
Default: No access list is configured.
Usage guide: The first time this command is issued, an empty access list with no entries is created.
Example: Create an extended IPv6 access list named tcpFlow.

active500EM(config)#ipv6 access-list extended tcpFlow

 

9.1.17 {ip|ipv6|mac|mac-ip} access-group

Command: {ip|ipv6|mac|mac-ip} access-group <name> {in | out} [traffic-statistic]
no {ip|ipv6|mac|mac-ip} access-group <name> {in | out}
Function: Apply an access-list to a port in the given direction; with traffic-statistic, per-rule packet statistics are also collected. The no command removes the access-list binding from the port.
Parameter:

  • <name>: access list name. The valid character string length is from 1 to 32.

Command mode: Port Mode
Default: No ACL is bound to the port.
Usage guide: One port can bind both ingress and egress rules, and ACLs filter packets in both the ingress and egress directions; packets matching the specified rules are permitted or denied. The supported ACL types are IP ACL, MAC ACL, MAC-IP ACL, and IPv6 ACL. The ingress direction of a port can bind all four kinds of ACL at the same time. The egress direction of a port has four resources: an IP or MAC ACL uses one resource, while a MAC-IP or IPv6 ACL uses two. Therefore the egress direction cannot bind all four kinds at once. When binding three kinds at the same time, the combination must be IP/MAC/MAC-IP or IP/MAC/IPv6; when binding two kinds, any combination is valid. Each type can be applied to a port only once.
When binding an egress ACL to a port:
1. an IP ACL that matches a TCP/UDP port range cannot be bound;
2. a MAC-IP ACL that matches a TCP/UDP port range cannot be bound;
3. an IPv6 ACL that matches flow-label cannot be bound.
The four ACL types (MAC ACL, IP ACL, MAC-IP ACL and IPv6 ACL) match on different packet header fields, so a packet may match rules of more than one type whose actions (permit or deny) conflict. Each ACL type has a priority, and that priority decides the final filter action when such a conflict occurs.
When binding ACLs to a port, the limit is:
1. each port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL.
When four ACLs are bound and a packet matches more than one of them, the priority from high to low is:
Ingress IPv6 ACL
Ingress MAC-IP ACL
Ingress MAC ACL
Ingress IP ACL
Example: Bind the access-list aaa to the ingress direction of the port.

active500EM(Config-If-Ethernet1/0/5)#ip access-group aaa in
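As an added example (not from this manual), the following Python models the per-port binding rules of this section: the four egress resources and their per-type cost, the ACL kinds refused on egress, one binding per type and direction, and the ingress priority order used to settle permit/deny conflicts. The AclDescriptor flags (tcp_udp_range, flow_label) are assumed names for what the switch would have to know about an ACL before binding it; flow label is an IPv6 header field, so that check is applied to the ipv6 type here.

```python
# Added example (not from the manual): binding limits and conflict priority
# for {ip|ipv6|mac|mac-ip} access-group, as described in section 9.1.17.
EGRESS_RESOURCES = 4
RESOURCE_COST = {"ip": 1, "mac": 1, "mac-ip": 2, "ipv6": 2}   # page: IP/MAC one, MAC-IP/IPv6 two
INGRESS_PRIORITY = ["ipv6", "mac-ip", "mac", "ip"]            # page: high to low


class AclDescriptor:
    """What the switch needs to know about an ACL before binding it (assumed attribute names)."""

    def __init__(self, kind, name, tcp_udp_range=False, flow_label=False):
        if kind not in RESOURCE_COST:
            raise ValueError("unknown ACL type: " + kind)
        self.kind, self.name = kind, name
        self.tcp_udp_range = tcp_udp_range   # some rule uses 's-port range' / 'd-port range'
        self.flow_label = flow_label         # some rule matches the IPv6 flow label


class PortBindings:
    """Tracks which ACL of each type is bound in each direction on one port."""

    def __init__(self, port):
        self.port = port
        self.bound = {"in": {}, "out": {}}   # direction -> {kind: AclDescriptor}

    def check(self, acl, direction):
        """Return None when the binding is allowed, otherwise the reason it is refused."""
        if direction not in self.bound:
            return "direction must be in or out"
        if acl.kind in self.bound[direction]:
            return "a %s ACL is already bound %s (each type only once)" % (acl.kind, direction)
        if direction == "out":
            if acl.kind in ("ip", "mac-ip") and acl.tcp_udp_range:
                return "%s ACL matching a TCP/UDP range cannot be bound on egress" % acl.kind
            if acl.kind == "ipv6" and acl.flow_label:
                return "ACL matching flow-label cannot be bound on egress"
            used = sum(RESOURCE_COST[k] for k in self.bound["out"])
            if used + RESOURCE_COST[acl.kind] > EGRESS_RESOURCES:
                return "egress binding needs %d resource(s), only %d left" % (
                    RESOURCE_COST[acl.kind], EGRESS_RESOURCES - used)
        return None

    def bind(self, acl, direction):
        reason = self.check(acl, direction)
        if reason:
            raise ValueError("%s, %s: %s" % (self.port, acl.name, reason))
        self.bound[direction][acl.kind] = acl
        return self

    def unbind(self, kind, direction):
        """The no form of the command: remove the binding of that type in that direction."""
        self.bound[direction].pop(kind, None)
        return self


def resolve_ingress(verdicts):
    """verdicts: {kind: 'permit' | 'deny'} from each bound ingress ACL the packet matched.
    The highest-priority matching type wins (page: IPv6 > MAC-IP > MAC > IP)."""
    for kind in INGRESS_PRIORITY:
        if kind in verdicts:
            return verdicts[kind]
    return None   # nothing matched; the firewall default action applies


if __name__ == "__main__":
    port = PortBindings("Ethernet1/0/5").bind(AclDescriptor("ip", "aaa"), "in")
    print(port.bound["in"]["ip"].name, "bound ingress")
    print("ip permit vs ipv6 deny ->", resolve_ingress({"ip": "permit", "ipv6": "deny"}))
```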

 

9.1.18 mac access extended

Command: mac-access-list extended <name>
no mac-access-list extended
Functions: Define a named MAC ACL or enter access-list configuration mode. The no command deletes this ACL.
Parameters:

  • <name>: access-list name, which may not contain blanks or quotation marks. It must start with a letter and may not exceed 32 characters. (The access-list name is case-sensitive.)

Command mode: Global Mode
Default: No access-lists configured.
Usage guide: The first time this command is used, an empty named access-list is created with no entries.
Example: Create a MAC ACL named mac-acl.

active500EM(config)#mac-access-list extended mac-acl
active500EM(config-mac-ext-nacl-mac-acl)#

 

9.1.19 mac-ip access extended

Command: mac-ip-access-list extended <name>
no mac-ip-access-list extended
Functions: Define a named MAC-IP ACL or enter access-list configuration mode. The no command deletes this ACL.
Parameters:

  • <name>: access-list name, which may not contain blanks or quotation marks. It must start with a letter and may not exceed 32 characters. (The access-list name is case-sensitive.)

Command mode: Global Mode
Default: No named MAC-IP access-list.
Usage guide: The first time this command is used, an empty named access-list is created with no entries.
Example: Create a MAC-IP ACL named macip-acl.

active500EM(config)#mac-ip-access-list extended macip-acl
active500EM(config-macip-ext-nacl-macip-acl)#

 

9.1.20 permit | deny (ip extended)

Command: {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
no {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
Function: Create a rule in a named extended IP access list to match a specific IP protocol or all IP protocols.
Parameters:

  • <sIpAddr>: source IP address in dotted decimal notation.
  • <sMask>: reverse mask of the source IP address in dotted decimal notation.
  • <dIpAddr>: destination IP address in dotted decimal notation.
  • <dMask>: reverse mask of the destination IP address in dotted decimal notation (a 0 bit must match, a 1 bit is ignored).
  • <igmp-type>: IGMP type; valid values are 0-15.
  • <icmp-type>: ICMP type; valid values are 0-255.
  • <icmp-code>: ICMP code; valid values are 0-255.
  • <prec>: IP precedence; valid values are 0-7.
  • <tos>: TOS value; valid values are 0-15.
  • <sPort>: source port number; valid values are 0-65535.
  • <sPortMin>: lower bound of the source port range.
  • <sPortMax>: upper bound of the source port range.
  • <dPort>: destination port number; valid values are 0-65535.
  • <dPortMin>: lower bound of the destination port range.
  • <dPortMax>: upper bound of the destination port range.
  • <time-range-name>: time range name.

Command mode: Name extended IP access-list Configuration Mode
Default: No access-list configured.
Usage guide: Creates an extended name IP access rule to match a specific IP protocol or all IP protocols.
Example: Create the extended access-list, deny ICMP packets, and permit UDP packets with destination address 192.168.0.1 and destination port 32.

active500EM(config)#access-list ip extended udpFlow
active500EM(config-ip-ext-nacl-udpFlow)#deny icmp any any-destination
active500EM(config-ip-ext-nacl-udpFlow)#permit udp any host-destination 192.168.0.1 d-port 32

 

9.1.21 permit | deny (ip standard)

Command: {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
no {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
Function: Create a standard IP access rule. The no command deletes this standard IP access rule.
Parameters:

  • <sIpAddr>: the source IP address; the format is dotted decimal notation.
  • <sMask>: the reverse mask of the source IP; the format is dotted decimal notation.

Command mode: Name standard IP access-list Configuration Mode
Default: No access-list configured.
Usage guide: Creates a standard IP access rule.
Example: Permit packets with source address 10.1.1.0/24 to pass, and deny other packets with source address 10.1.1.0/16.

active500EM(config)#access-list ip standard ipFlow
active500EM(config-std-nacl-ipFlow)#permit 10.1.1.0 0.0.0.255
active500EM(config-std-nacl-ipFlow)#deny 10.1.1.0 0.0.255.255

 

9.1.22 permit | deny (ipv6 extended)

Command: {deny | permit} icmp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
no {deny | permit} icmp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
{deny | permit} tcp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [syn | ack | urg | rst | fin | psh] [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
no {deny | permit} tcp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [syn | ack | urg | rst | fin | psh] [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
{deny | permit} udp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
no {deny | permit} udp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
{deny | permit} <next-header> {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
no {deny | permit} <next-header> {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
{deny | permit} {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
no {deny | permit} {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dscp <dscp>] [flow-label <fl>] [time-range <time-range-name>]
Function: Create a rule in a named extended IPv6 access list to match a specific IPv6 protocol.
Parameters:

  • <sIPv6Prefix>: source IPv6 address prefix.
  • <sPrefixlen>: source prefix length. The valid range is between 1 and 128.
  • <sIPv6Addr>: source IPv6 host address.
  • <dIPv6Prefix>: destination IPv6 address prefix.
  • <dPrefixlen>: destination prefix length. The valid range is between 1 and 128.
  • <dIPv6Addr>: destination IPv6 host address.
  • <igmp-type>: IGMP type.
  • <icmp-type>: ICMP type.
  • <icmp-code>: ICMP code.
  • <dscp>: DSCP value carried in the IPv6 traffic class. The valid range is between 0 and 63.
  • <fl>: flow label value. The valid range is between 0 and 1048575.
  • syn, ack, urg, rst, fin, psh: TCP flag bit to match (TCP rules only).
  • <sPort>: source port number. The valid range is between 0 and 65535.
  • <sPortMin>: source port minimum boundary.
  • <sPortMax>: source port maximum boundary.
  • <dPort>: destination port number. The valid range is between 0 and 65535.
  • <dPortMin>: destination port minimum boundary.
  • <dPortMax>: destination port maximum boundary.
  • <next-header>: IPv6 next-header value.
  • <time-range-name>: time range name.

Command mode: IPv6 Name Extended Access Control List Mode
Default: No access control list configured.
Usage guide: Adds a rule to the named extended IPv6 access list being edited.
Example: Create an extended access control list named udpFlow. Deny IGMP packets while permitting UDP packets with a destination address of 2001:1:2:3::1 and destination port 32.

active500EM(config)#ipv6 access-list extended udpFlow
active500EM(config-ipv6-ext-nacl-udpFlow)#deny igmp any-source any-destination
active500EM(config-ipv6-ext-nacl-udpFlow)#permit udp any-source host-destination 2001:1:2:3::1 d-port 32

 

9.1.23 permit | deny (ipv6 standard)

Command: {deny | permit} {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}}
no {deny | permit} {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}}
Function: Create a standard IPv6 access control rule that matches on the source address only. The no command deletes the rule.
Parameter:

  • <sIPv6Prefix>: source IPv6 address prefix.
  • <sPrefixlen>: IPv6 address prefix length. The valid range is between 1 and 128.
  • <sIPv6Addr>: source IPv6 address.

Command mode: Standard IPv6 Name Access List Mode
Default: No access list configured.
Usage guide: Adds a rule to the named standard IPv6 access list being edited.
Example: Permit packets whose source address lies in 2001:1:2:3::/64, then deny the remaining sources in 2001:1:2::/48. Host bits beyond the prefix length are ignored, so 2001:1:2:3::1/64 means the whole /64 block. Because the /64 lies inside the /48, the more specific permit has to come first.

active500EM(config)#ipv6 access-list standard ipv6Flow
active500EM(config-ipv6-std-nacl-ipv6Flow)#permit 2001:1:2:3::1/64
active500EM(config-ipv6-std-nacl-ipv6Flow)#deny 2001:1:2:3::1/48
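The following is an added example, not code from the switch vendor: it evaluates the two rules of ipv6Flow in software so the effect of their order can be checked before the list is bound to a port. It assumes (the page does not state it) that rules are tested top to bottom with the first match deciding, and that a packet matching no rule receives the firewall default action reported by show firewall.

```python
"""Added example, not part of the switch manual: evaluate the standard IPv6
ACL 'ipv6Flow' from the text in software, so the effect of rule order can be
checked before the list is bound to a port.

Assumptions not stated on the page: rules are evaluated top to bottom and the
first matching rule decides; a packet that matches no rule gets the firewall
default action (the 'Firewall default rule' shown by 'show firewall').
"""
import ipaddress

# The two rules exactly as typed in the example, in configured order.
IPV6_FLOW = [
    ("permit", "2001:1:2:3::1/64"),
    ("deny", "2001:1:2:3::1/48"),
]


def rule_network(prefix):
    """'2001:1:2:3::1/64' -> IPv6Network 2001:1:2:3::/64. Host bits beyond the
    prefix length are dropped (strict=False), which is what the /64 in the
    example means: the whole 2001:1:2:3::/64 block, not one host."""
    return ipaddress.ip_network(prefix, strict=False)


def evaluate(rules, src, default="permit"):
    """Return (action, index of the matching rule or None) for a source address."""
    addr = ipaddress.ip_address(src)
    for idx, (action, prefix) in enumerate(rules):
        if addr in rule_network(prefix):
            return action, idx
    return default, None


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule's prefix
    already contains theirs. Swapping the two example rules makes the permit
    unreachable: every /64 address is caught by the /48 deny first."""
    nets = [rule_network(prefix) for _, prefix in rules]
    return [i for i, net in enumerate(nets)
            if any(net.subnet_of(earlier) for earlier in nets[:i])]


if __name__ == "__main__":
    for src in ("2001:1:2:3::5", "2001:1:2:4::5", "2001:1:9::1"):
        print(src, "->", evaluate(IPV6_FLOW, src))
    print("shadowed in reversed order:", shadowed_rules(IPV6_FLOW[::-1]))
```

A source inside the /64 hits the permit, a source elsewhere in the /48 hits the deny, and a source outside both falls through to the firewall default; shadowed_rules reports the permit as unreachable if the two lines are entered in the opposite order.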

 

9.1.24 permit | deny (mac extended)

Command: {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask>] [vlanid <vid-value> [<vid-mask>] [ethertype <protocol> [<protocol-mask>]]]]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask>] [vlanid <vid-value> [<vid-mask>] [ethertype <protocol> [<protocol-mask>]]]]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [ethertype <protocol> [<protocol-mask>]]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [ethertype <protocol> [<protocol-mask>]]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [vlanid <vid-value> [<vid-mask>] [ethertype <protocol> [<protocol-mask>]]]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [vlanid <vid-value> [<vid-mask>] [ethertype <protocol> [<protocol-mask>]]]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [untagged-eth2 [ethertype <protocol> [<protocol-mask>]]]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [untagged-eth2 [ethertype <protocol> [<protocol-mask>]]]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [untagged-802-3]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [untagged-802-3]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [tagged-eth2 [cos <cos-val> [<cos-bitmask>]] [vlanid <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [tagged-eth2 [cos <cos-val> [<cos-bitmask>]] [vlanid <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [tagged-802-3 [cos <cos-val> [<cos-bitmask>]] [vlanid <vid-value> [<vid-mask>]]]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} [tagged-802-3 [cos <cos-val> [<cos-bitmask>]] [vlanid <vid-value> [<vid-mask>]]]
Function: Define a rule in a named extended MAC ACL. The no command deletes the rule.
Parameters:

  • any-source-mac: any source MAC address.
  • any-destination-mac: any destination MAC address.
  • host-smac, smac: source MAC address.
  • smac-mask: mask (reverse mask) of the source MAC address.
  • host-dmac, dmac: destination MAC address.
  • dmac-mask: mask (reverse mask) of the destination MAC address.
  • untagged-eth2: untagged Ethernet II frame format.
  • tagged-eth2: tagged Ethernet II frame format.
  • untagged-802-3: untagged Ethernet 802.3 frame format.
  • tagged-802-3: tagged Ethernet 802.3 frame format.
  • cos-val: CoS value. The valid range is from 0 to 7.
  • cos-bitmask: CoS mask (reverse mask). The valid range is from 0 to 7; the mask bits must be consecutive.
  • vid-value: VLAN ID. The valid range is from 1 to 4094.
  • vid-mask: VLAN ID mask (reverse mask). The valid range is from 0 to 4095; the mask bits must be consecutive.
  • protocol: Ethernet protocol (EtherType) number. The valid range is from 1536 to 65535.
  • protocol-mask: protocol mask (reverse mask). The valid range is from 0 to 65535; the mask bits must be consecutive.
  • Note: "mask bits are consecutive" means the set bits of a reverse mask form one unbroken run in the low-order positions, so the corresponding (non-reverse) mask is an unbroken run of 1 bits from the left. For one byte, the reverse mask 00001111b (mask 11110000b) is valid; 00010011b is not.

Command mode: Name Extended MAC Access-list Configuration Mode
Default configuration: No access-list configured.
Usage guide: Defines an extended name MAC ACL rule.
Example: Deny 802.3 frames, untagged and tagged, whose source MAC address is 00-12-11-23-XX-XX (the reverse mask 00-00-00-00-ff-ff makes the last two bytes "don't care").

active500EM(config)#mac-access-list extended macExt
active500EM(config-mac-ext-nacl-macExt)#deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
active500EM(config-mac-ext-nacl-macExt)#deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tagged-802-3
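The following is an added example, not vendor code: it checks a reverse mask against the "mask bits are consecutive" rule from the parameter list and shows which source addresses the <smac> <smac-mask> pair in the example actually matches. The reverse-mask semantics (a 1 bit means "don't care") are taken from the page; the helper names are this example's own.

```python
"""Added example, not part of the switch manual: check a MAC reverse mask
against the "mask bits are consecutive" rule in the parameter list, and show
which frames a <smac> <smac-mask> pair such as
00-12-11-23-00-00 00-00-00-00-ff-ff actually matches.

Reverse-mask semantics as the page describes them: a 1 bit in the mask means
"don't care", so 00-00-00-00-ff-ff matches every source address whose first
four bytes are 00-12-11-23 (written 00-12-11-23-XX-XX in the example).
"""


def mac_to_int(mac):
    """'00-12-11-23-00-00' or '00:12:11:23:00:00' -> 48-bit integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def mask_is_consecutive(mask, width):
    """True if the reverse mask is one run of 1 bits in the low-order positions,
    i.e. 00001111b is valid and 00010011b is not. The same rule applies to the
    cos, vlanid and ethertype masks, with width 3, 12 and 16."""
    if not 0 <= mask < (1 << width):
        return False
    return (mask & (mask + 1)) == 0  # 0, 1, 11, 111, ... in binary


def mac_rule_matches(rule_mac, rule_mask, frame_mac):
    """Apply a <mac> <mac-mask> rule to the address in a frame: bits set in the
    reverse mask are ignored, all other bits must be equal."""
    mask = mac_to_int(rule_mask)
    if not mask_is_consecutive(mask, 48):
        raise ValueError(f"mask {rule_mask} is not consecutive; the switch will reject it")
    care = ~mask & ((1 << 48) - 1)
    return (mac_to_int(rule_mac) & care) == (mac_to_int(frame_mac) & care)


if __name__ == "__main__":
    rule = ("00-12-11-23-00-00", "00-00-00-00-ff-ff")
    for frame in ("00-12-11-23-ab-cd", "00-12-11-24-ab-cd"):
        print(frame, "matches" if mac_rule_matches(*rule, frame) else "does not match")
```

Running the check before pasting a rule into the switch catches masks such as 00-00-00-00-0f-f0, which the CLI rejects, and makes the scope of a wildcard rule explicit: here every address in the 00-12-11-23 block, not only the single station 00-12-11-23-00-00.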

 

9.1.25 permit | deny (mac-ip extended)

Command: {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} igmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} igmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [ack] [fin] [psh] [rst] [urg] [syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [ack] [fin] [psh] [rst] [urg] [syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
{deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} {eigrp | gre | igrp | ip | ipinip | ospf | <protocol-num>} {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
no {deny|permit} {any-source-mac | {host-source-mac <host-smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host-dmac>} | {<dmac> <dmac-mask>}} {eigrp | gre | igrp | ip | ipinip | ospf | <protocol-num>} {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Function: Define a rule in a named extended MAC-IP ACL. The no command deletes the rule.
Parameters:

  • num: access-list number of the numbered form. The valid value is a decimal number from 3100 to 3199.
  • deny: drop packets that match the rule.
  • permit: forward packets that match the rule.
  • any-source-mac: any source MAC address.
  • any-destination-mac: any destination MAC address.
  • host-smac, smac: source MAC address.
  • smac-mask: mask (reverse mask) of the source MAC address.
  • host-dmac, dmac: destination MAC address.
  • dmac-mask: mask (reverse mask) of the destination MAC address.
  • protocol: IP protocol, given as a keyword (eigrp, gre, icmp, igmp, igrp, ip, ipinip, ospf, tcp or udp) or as an integer from 0 to 255 (<protocol-num>). The keyword ip matches every IP protocol, including ICMP, TCP and UDP.
  • source: source network or host address, a 32-bit value in dotted decimal notation.
  • source-wildcard: reverse mask applied to the source address, in dotted decimal notation.
  • host-source <source-host-ip>: match exactly one source host address.
  • destination: destination network or host address, a 32-bit value in dotted decimal notation.
  • destination-wildcard: reverse mask applied to the destination address, in dotted decimal notation.
  • host-destination <destination-host-ip>: match exactly one destination host address.
  • s-port (optional): match the TCP/UDP source port.
  • port1 (optional): TCP/UDP source port number, an integer from 0 to 65535.
  • <sPortMin>: source port minimum boundary.
  • <sPortMax>: source port maximum boundary.
  • d-port (optional): match the TCP/UDP destination port.
  • port3 (optional): TCP/UDP destination port number, an integer from 0 to 65535.
  • <dPortMin>: destination port minimum boundary.
  • <dPortMax>: destination port maximum boundary.
  • [ack] [fin] [psh] [rst] [urg] [syn]: (optional) TCP only. One or more flag bits may be listed; a segment matches when the corresponding bits are set in its TCP header, so syn selects the segments that open a connection.
  • precedence: (optional) filter by IP precedence. The valid value is a number from 0 to 7.
  • tos: (optional) filter by type of service. The valid value is a number from 0 to 15.
  • icmp-type: (optional) filter ICMP packets by type. The valid value is a number from 0 to 255.
  • icmp-code: (optional) filter ICMP packets by code. The valid value is a number from 0 to 255.
  • igmp-type: (optional) filter IGMP packets by message name or type number. The valid value is a number from 0 to 255.
  • <time-range-name>: time range name.

Command mode: Name extended MAC-IP access-list configuration mode
Default: No access-list configured.
Usage guide: Define an extended name MAC-IP ACL rule.
Example: Deny the passage of UDP packets with any source MAC address and destination MAC address, any source IP address and destination IP address, and source port 100 and destination port 40000.

active500EM(config)#mac-ip-access-list extended macIpExt
active500EM(Config-MacIp-Ext-Nacl-macIpExt)#deny any-source-mac any-destination-mac udp any-source s-port 100 any-destination d-port 40000

 

9.1.26 show access-lists

Command: show access-lists [<num>|<acl-name>]
Function: Display the configured ACLs.
Parameters:

  • <acl-name>: specific ACL name character string.
  • <num>: specific ACL number.

Command mode: Admin and Configuration Mode
Default: None.
Usage guide: When no ACL number or name is given, all ACLs are displayed. "used x time(s)" is the number of bindings the ACL currently has (compare show access-group).
Example: Display the configuration ACL.

active500EM#show access-lists
access-list 10(used 0 time(s))
   access-list 10 deny any-source
access-list 100(used 1 time(s))
   access-list 100 deny ip any-source any-destination
   access-list 100 deny tcp any-source any-destination
access-list 1100(used 0 time(s))
   access-list 1100 permit any-source-mac any-destination-mac tagged-eth2 14 2 0800
access-list 3100(used 0 time(s))
   access-list 3100 deny any-source-mac any-destination-mac udp any-source s-port 100 any-destination d-port 40000
Displayed information and explanation:

  • access-list 10(used 0 time(s)): numbered ACL 10, bound 0 times.
  • access-list 10 deny any-source: deny IP packets from any source.
  • access-list 100(used 1 time(s)): numbered ACL 100, bound 1 time.
  • access-list 100 deny ip any-source any-destination: deny IP packets with any source and any destination address.
  • access-list 100 deny tcp any-source any-destination: deny TCP packets with any source and any destination address.
  • access-list 1100 permit any-source-mac any-destination-mac tagged-eth2 14 2 0800: permit tagged Ethernet II frames with any source and destination MAC address whose 15th and 16th bytes are 0x08 and 0x00.
  • access-list 3100 deny any-source-mac any-destination-mac udp any-source s-port 100 any-destination d-port 40000: deny UDP packets with any source and destination MAC address, any source and destination IP address, source port 100 and destination port 40000.
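The following is an added example, not vendor code: it parses show access-lists output and flags lists that exist but are bound nowhere, a quick hygiene check during a review. The sample text is modelled on the manual's example output (any written out as any-source) and embedded as a constant; on a real switch it would be captured from the CLI session. The observation that deny-only lists depend on the firewall default action is this example's own inference from the show firewall output on this page.

```python
"""Added example, not part of the switch manual: parse 'show access-lists'
output and flag lists that are defined but bound nowhere ('used 0 time(s)').
The sample text below is modelled on the manual's example output and pasted in
as a constant; on a real switch it would be captured from the CLI session.
"""
import re

SHOW_ACCESS_LISTS = """\
access-list 10(used 0 time(s))
   access-list 10 deny any-source
access-list 100(used 1 time(s))
   access-list 100 deny ip any-source any-destination
   access-list 100 deny tcp any-source any-destination
access-list 1100(used 0 time(s))
   access-list 1100 permit any-source-mac any-destination-mac tagged-eth2 14 2 0800
access-list 3100(used 0 time(s))
   access-list 3100 deny any-source-mac any-destination-mac udp any-source s-port 100 any-destination d-port 40000
"""

# Header line: "access-list <num-or-name>(used N time(s))"
HEADER = re.compile(r"^access-list ([^\s(]+)\(used (\d+) time\(s\)\)$")
# Rule line, indented under its header: "access-list <id> permit|deny <match>"
RULE = re.compile(r"^\s+access-list (\S+) (permit|deny) (.+)$")


def parse_show_access_lists(text):
    """Return {acl_id: {"used": bind count, "rules": [(action, match), ...]}}."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = {"used": int(m.group(2)), "rules": []}
            continue
        m = RULE.match(line)
        if m and m.group(1) == current:
            acls[current]["rules"].append((m.group(2), m.group(3)))
    return acls


def unused_acls(acls):
    """IDs of lists that exist but are not bound to any port (used 0 time(s))."""
    return sorted(k for k, v in acls.items() if v["used"] == 0)


def lists_without_permit(acls):
    """Lists made only of deny rules. Traffic they do not match is left to the
    firewall default action (assumption based on 'Firewall default rule' in
    'show firewall'), so what such a list lets through is decided there."""
    return sorted(k for k, v in acls.items()
                  if v["rules"] and all(a == "deny" for a, _ in v["rules"]))


if __name__ == "__main__":
    parsed = parse_show_access_lists(SHOW_ACCESS_LISTS)
    print("unused:", unused_acls(parsed))
    print("deny-only:", lists_without_permit(parsed))
```

On the sample output, lists 10, 1100 and 3100 are defined but unbound, and 10, 100 and 3100 contain no permit rule, so with the default rule set to Permit everything they do not explicitly name still passes.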

 

9.1.27 show access-group

Command: show access-group [in | out] [interface [ethernet] IFNAME]
Function: Display the ACL bindings on a port.
Parameters:

  • in: inbound packets.
  • out: outbound packets.
  • IFNAME: port name.

Command mode: Admin and Configuration Mode
Default: None.
Usage guide: When no interface name is given, the ACL bindings of all ports are displayed.
Example: Display the ACL bind status on the port.

active500EM#show access-group
interface name: Ethernet1/0/1
  IP Ingress access-list used is 100, traffic-statistics Disable.
interface name: Ethernet1/0/2
  IP Ingress access-list used is 1, packet(s) number is 11110.
Displayed information and explanation:

  • interface name: Ethernet1/0/1: the port whose bindings follow.
  • IP Ingress access-list used is 100: numbered extended IP ACL 100 is bound to the ingress of port Ethernet1/0/1.
  • traffic-statistics Disable: no match counter is kept for this binding.
  • packet(s) number is 11110: number of packets that have matched this ACL on the port.

 

9.1.28 show firewall

Command: show firewall
Function: Displays the configuration information of the packet filtering functions.
Parameters: None.
Command mode: Admin and Configuration Mode
Default: None.
Usage guide: Displays the configuration information of the packet filtering functions.
Example: Display the configuration information of the packet filtering functions.

active500EM#show firewall
Firewall status: Enable.
Firewall default rule: Permit
Displayed information and explanation:

  • Firewall status: Enable.: packet filtering is enabled.
  • Firewall default rule: Permit: packets that match no ACL rule are permitted. With this default, a list that contains only deny rules drops exactly the traffic it names and lets everything else through.

 

9.1.29 show ipv6 access-lists

Command: show ipv6 access-lists [<num>|<acl-name>]
Function: Display the configured IPv6 access control lists.
Parameter:

  • <num>: specific access control list number. The valid range is 500 to 699. 500 to 599 is the value for the standard IPv6 ACL number. 600 to 699 is the value for the extended IPv6 ACL number.
  • <acl-name>: character string name of a specific access control list. The valid length is from 1 to 16.

Command mode: Admin and Configuration Mode
Default: None.
Usage guide: When no access control list is specified, all the access control lists will be displayed.
Example: Show the configured IPv6 access control list.

active500EM#show ipv6 access-lists
ipv6 access-list 500(used 1 time(s))
   ipv6 access-list 500 deny any-source
ipv6 access-list 510(used 1 time(s))
   ipv6 access-list 510 deny ip any-source any-destination
   ipv6 access-list 510 deny tcp any-source any-destination
ipv6 access-list 520(used 1 time(s))
   ipv6 access-list 520 permit ip any-source any-destination

 

9.1.30 show time-range

Command: show time-range [<word>]
Function: Display the configuration and current state of time ranges.
Parameters:

  • <word>: name of the time-range to display.

Command mode: Admin and Configuration Mode
Default: None.
Usage guide: When no name is given, all time-ranges are displayed. Each entry shows whether the range is active at the current clock and how many times it is referenced.
Example: Display configuration information of time ranges.

active500EM#show time-range
time-range timer1 (inactive, used 0 times)
     absolute-periodic Saturday 0:0:0 to Sunday 23:59:59
time-range timer2 (inactive, used 0 times)
     absolute-periodic Monday 0:0:0 to Friday 23:59:59
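The following is an added example, not vendor code: given show time-range output and a clock value, it decides whether each range is active, which is what the (active/inactive) flag reports for the switch's current time. It handles the absolute-periodic form shown above and assumes such a window runs from <day1> <start-time> to <day2> <end-time> within one week, repeating weekly, with a window whose end day precedes its start day wrapping past Sunday night; the sample output and the test dates are constructed for the demo.

```python
"""Added example, not part of the switch manual: decide from 'show time-range'
output whether each range is active at a given moment, which is what the
(active/inactive) flag in the display reports for the current clock.

Assumption: an absolute-periodic window runs from <day1> <start-time> to
<day2> <end-time> within the same week, repeating weekly; a window whose end
day precedes its start day is taken to wrap past Sunday night. Only the
absolute-periodic form is parsed here.
"""
import datetime as dt

# Constructed sample, modelled on the manual's show time-range output.
SHOW_TIME_RANGE = """\
time-range timer1 (inactive, used 0 times)
     absolute-periodic Saturday 0:0:0 to Sunday 23:59:59
time-range timer2 (inactive, used 0 times)
     absolute-periodic Monday 0:0:0 to Friday 23:59:59
"""

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
DAY = 86400


def week_seconds(day, hms):
    """('Saturday', '23:59:59') -> seconds since Monday 00:00:00."""
    h, m, s = (int(x) for x in hms.split(":"))
    return DAYS.index(day) * DAY + h * 3600 + m * 60 + s


def parse_absolute_periodic(line):
    """'absolute-periodic Saturday 0:0:0 to Sunday 23:59:59' -> (start, end)."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "absolute-periodic" or parts[3] != "to":
        raise ValueError(f"not an absolute-periodic line: {line!r}")
    return week_seconds(parts[1], parts[2]), week_seconds(parts[4], parts[5])


def is_active(window, when):
    """True if datetime `when` falls inside the weekly window (inclusive)."""
    start, end = window
    t = when.weekday() * DAY + when.hour * 3600 + when.minute * 60 + when.second
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window wraps past Sunday night


def time_range_status(show_output, when):
    """Map each time-range name in the display to True (active) or False."""
    status, current = {}, None
    for line in show_output.splitlines():
        if line.startswith("time-range "):
            current = line.split()[1]
            status[current] = False
        elif current and line.strip().startswith("absolute-periodic"):
            status[current] |= is_active(parse_absolute_periodic(line.strip()), when)
    return status


if __name__ == "__main__":
    now = dt.datetime(2024, 3, 16, 10, 0, 0)  # a Saturday, constructed for the demo
    print(time_range_status(SHOW_TIME_RANGE, now))
```

Because a rule bound with a time-range only takes effect while the range is active, running this against the switch clock (not the operator's laptop clock) before a maintenance window tells you whether the rule is currently enforcing.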

 

9.1.31 time-range

Command: time-range <time-range-name>
no time-range <time-range-name>
Function: Create a time-range with the given name and enter time-range mode. The no command deletes the time-range.
Parameters:

  • time-range-name: the name must start with a letter and may be at most 16 characters long.

Command mode: Global Mode
Default: No time-range configuration.
Usage guide: Creates the named time-range (or selects it if it already exists) and enters time-range mode, where the absolute-periodic and periodic windows are defined.
Example: Create a time-range named admin-timer.

active500EM(config)#time-range admin-timer

 

