ACL Commands

deny (MAC)

To set deny conditions (conditions are also known as access control entries [ACEs]) for a MAC-based ACL, use the deny MAC Access-List Configuration mode command.

To remove a MAC-based ACE, use the no sequence command.

Syntax

deny {any | source source-wildcard} {any | destination destination-wildcard} [vlan vlan-id] [cos cos cos-wildcard] [ethtype value] [disable-port]

no sequence value

Parameters

any—Any source or destination MAC address of the packet.

source—Source MAC address of the packet.

source-wildcard—Wildcard bits to be applied to the source MAC address.

destination—Destination MAC address of the packet.

destination-wildcard—Wildcard bits to be applied to the destination MAC address.

vlan vlan-id—(Optional) Specifies the VLAN ID of the packet. (Range: 1 to 4094)

cos cos—(Optional) Specifies the CoS value of the packet. (Range: 0 to 7)

cos-wildcard—(Optional) Wildcard bits to be applied to the CoS value.

ethtype value—(Optional) Specifies the Ethernet type in hexadecimal format of the packet.

disable-port—(Optional) Disables the Ethernet interface if the condition is matched.

Default Configuration

No MAC-based ACE is defined.

Command Mode

MAC Access-List Configuration mode

User Guidelines

After an ACE is added to an ACL, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

Example

switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-acl)# deny 00:00:00:00:00:01 00:00:00:00:00:ff any
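The wildcard-bit matching and the implicit-deny rule described in the user guidelines, as an added Python model that is not part of this command reference and not Cisco's code. It evaluates a list of MAC ACEs the way the guideline says the switch does (first match wins, implicit deny any any once the list is non-empty, permit-all while it is empty), and because the source/source-wildcard form of the deny (IP) command uses the same bit logic, a helper for the IPv4 dotted-quad form is included as well. The ACLs, class names and packet addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Turn 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac}")
    return int("".join(parts), 16)


def ipv4_to_int(addr: str) -> int:
    """Turn a dotted-quad IPv4 address or wildcard into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_match(packet_value: int, ace_value: int, wildcard: int) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care', so only
    the bits that are 0 in the wildcard are compared."""
    care = ~wildcard
    return (packet_value & care) == (ace_value & care)


@dataclass
class MacAce:
    """One MAC ACE (constructed model). None for source/destination stands for 'any'."""
    action: str  # "permit" or "deny"
    source: Optional[str] = None
    source_wildcard: str = "00:00:00:00:00:00"
    destination: Optional[str] = None
    destination_wildcard: str = "00:00:00:00:00:00"

    def matches(self, src: str, dst: str) -> bool:
        if self.source is not None and not wildcard_match(
            mac_to_int(src), mac_to_int(self.source), mac_to_int(self.source_wildcard)
        ):
            return False
        if self.destination is not None and not wildcard_match(
            mac_to_int(dst), mac_to_int(self.destination), mac_to_int(self.destination_wildcard)
        ):
            return False
        return True


def evaluate_mac_acl(aces: List[MacAce], src: str, dst: str) -> str:
    """First matching ACE decides. Once the list holds at least one ACE an
    implicit 'deny any any' ends it; an ACL with no ACEs permits everything."""
    if not aces:
        return "permit"
    for ace in aces:
        if ace.matches(src, dst):
            return ace.action
    return "deny"  # the implicit deny any any


# Constructed ACL mirroring the example above: deny 00:00:00:00:00:01 00:00:00:00:00:ff any
SERVER1 = [MacAce("deny", "00:00:00:00:00:01", "00:00:00:00:00:ff")]
# The same ACL with an explicit 'permit any any' appended so other stations get through
SERVER1_WITH_PERMIT = SERVER1 + [MacAce("permit")]

if __name__ == "__main__":
    for src in ("00:00:00:00:00:05", "00:00:00:00:01:05"):
        print(src,
              evaluate_mac_acl(SERVER1, src, "ff:ff:ff:ff:ff:ff"),
              evaluate_mac_acl(SERVER1_WITH_PERMIT, src, "ff:ff:ff:ff:ff:ff"))
    # IPv4 wildcard form from the deny (IP) example: 172.212.0.0 0.0.255.255
    print(wildcard_match(ipv4_to_int("172.212.3.4"), ipv4_to_int("172.212.0.0"),
                         ipv4_to_int("0.0.255.255")))
```

The second ACL shows the point of the guideline: without an explicit permit, a station outside the denied range (00:00:00:00:01:05) is still dropped by the implicit deny.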

deny (IP)

To set deny conditions for an IPv4-based ACL, use the deny IP Access-List Configuration mode command.

To remove an IPv4-based ACE, use the no sequence command.

Syntax

[sequence value] deny protocol {any | source source-wildcard} {any | destination destination-wildcard} [dscp number | precedence number] [disable-port]

[sequence value] deny icmp {any | source source-wildcard} {any | destination destination-wildcard} [any | icmp-type] [any | icmp-code] [dscp number | precedence number] [disable-port]

[sequence value] deny tcp {any | source source-wildcard} {any | source-port/port-range} {any | destination destination-wildcard} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [disable-port]

[sequence value] deny udp {any | source source-wildcard} {any | source-port/port-range} {any | destination destination-wildcard} {any | destination-port/port-range} [dscp number | precedence number] [disable-port]

no sequence value

Parameters

sequence value—(Optional) Specifies the sequence number of the IPv4-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.

protocol—The name or the number of an IP protocol. Available protocol names are icmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, and isis. To match any protocol, use the ip keyword. (Range: 0 to 255)

source—Source IP address of the packet.

source-wildcard—Wildcard bits to be applied to the source IP address.

source-port/port-range—UDP or TCP source port. Predefined port names are defined in the destination-port/port-range parameter. (Range: 0 to 65535)

destination—Destination IP address of the packet.

destination-wildcard—Wildcard bits to be applied to the destination IP address.

destination-port/port-range—UDP or TCP destination port. You can enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (35), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (135), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (35), who (513), or xdmcp (177). (Range: 0 to 65535)

dscp number—(Optional) Specifies the DSCP value.

precedence number—(Optional) Specifies the IP precedence value.

disable-port—(Optional) The Ethernet interface is disabled if the condition is matched.

icmp-type—(Optional) The ICMP message type for filtering ICMP packets. Enter a number or one of these values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, or photuris. (Range: 0 to 255)

icmp-code—(Optional) ICMP message code for filtering ICMP packets. (Range: 0 to 255)

match-all list-of-flags—(Optional) Specifies a list of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string, such as +fin-ack.

Default Configuration

No IPv4-based ACE is defined.

Command Mode

IP Access-List Configuration mode

User Guidelines

After an ACE is added to an ACL, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

The number of TCP or UDP ranges that can be defined in ACLs is limited. You can define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for UDP.

If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE.

If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.

If a range of ports is used for a source port, it is counted again if it is also used for a destination port.

Example

switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-acl)# deny ip 172.212.0.0 0.0.255.255 any

deny (IPv6)

To set deny conditions for an IPv6-based ACL, use the deny IPv6 Access-List Configuration mode command.

To remove an IPv6-based ACE, use the no sequence command.

Syntax

[sequence value] deny protocol {any | source-prefix/length} {any | destination-prefix/length} [dscp number | precedence number] [disable-port]

[sequence value] deny icmp {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [dscp number | precedence number] [disable-port]

[sequence value] deny tcp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [disable-port]

[sequence value] deny udp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [disable-port]

no sequence value

Parameters

sequence value—(Optional) Specifies the sequence number of the IPv6-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.

protocol—The name or the number of an IP protocol. Available protocol names are icmp (58), tcp (6), and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0 to 255)

source-prefix/length—The source IPv6 network or class of networks about which to set deny conditions. This argument must be in the format documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.

source-port/port-range—The UDP or TCP source port. Predefined port names are defined in the destination-port/port-range parameter. (Range: 0 to 65535)

destination-prefix/length—The destination IPv6 network or class of networks about which to set deny conditions. This argument must be in the format documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.

destination-port/port-range—The UDP or TCP destination port. You can enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a number or one of these values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513), or xdmcp (177). (Range: 0 to 65535)

dscp number—(Optional) Specifies the DSCP value. (Range: 0 to 63)

precedence number—(Optional) Specifies the IP precedence value.

disable-port—(Optional) Disables the Ethernet interface if the condition is matched.

icmp-type—(Optional) The ICMP message type for filtering ICMP packets. Enter a number or one of these values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), or nd-na (135). (Range: 0 to 255)

icmp-code—(Optional) The ICMP message code for filtering ICMP packets. (Range: 0 to 255)

match-all list-of-flags—(Optional) Specifies a list of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string, such as +fin-ack.

Default Configuration

No IPv6-based ACE is defined.

Command Mode

IPv6 Access-List Configuration mode

User Guidelines

The number of TCP/UDP ranges that can be defined in ACLs is limited. You can define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for UDP.

If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE.

If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.

If a range of ports is used for a source port, it is counted again if it is also used for a destination port.

Example

switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-acl)# deny tcp 3001::2/64 any any 80

ip access-group in

To bind an IPv4-based ACL to an interface, use the ip access-group in Interface Configuration mode command.

To remove all IPv4-based ACLs from an interface, use the no form of this command.

Syntax

ip access-group acl-name in

no ip access-group in

Parameters

acl-name—Name of the IPv4-based ACL. (Range: 1 to 32 characters)

Default Configuration

No IPv4-based ACL is applied to the interface.

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# ip access-group v4acl1 in

ip access-list extended

To name an IPv4-based ACL and to enter the IPv4 Access-List Configuration mode, use the ip access-list extended Global Configuration mode command.

To remove an IPv4-based ACL, use the no form of this command.

Syntax

ip access-list extended acl-name

no ip access-list extended acl-name

Parameters

acl-name—Name of the IPv4-based ACL. (Range: 1 to 32 characters)

Default Configuration

No IPv4-based ACL is configured.

Command Mode

Global Configuration mode

User Guidelines

The IPv4-based ACEs for this IPv4-based ACL are defined in the permit (IP) and deny (IP) commands.

An IPv4-based ACL is defined by a unique name. IPv4-based ACL, IPv6-based ACL, MAC-based ACL, or policy map cannot have the same name.

Example

switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-acl)#

ipv6 access-group in

To bind an IPv6-based ACL to an interface, use the ipv6 access-group in Interface Configuration mode command.

To remove all IPv6-based ACLs from an interface, use the no form of this command.

Syntax

ipv6 access-group acl-name in

no ipv6 access-group in

Parameters

acl-name—Name of the IPv6-based ACL. (Range: 1 to 32 characters)

Default Configuration

No IPv6-based ACL is applied to the interface.

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# ipv6 access-group v6acl1 in

ipv6 access-list

To define an IPv6-based ACL and to enter the IPv6 Access-List Configuration mode, use the ipv6 access-list Global Configuration mode command.

To remove an IPv6-based ACL, use the no form of this command.

Syntax

ipv6 access-list acl-name

no ipv6 access-list acl-name

Parameters

acl-name—Name of the IPv6-based ACL. (Range: 1 to 32 characters)

Default Configuration

No IPv6-based ACL is defined.

Command Mode

Global Configuration mode

User Guidelines

The IPv6-based ACEs for this IPv6-based ACL are defined in the permit (IPv6) and deny (IPv6) commands.

An IPv6-based ACL is defined by a unique name. IPv4-based ACL, IPv6-based ACL, MAC-based ACL, or policy map cannot have the same name.

Each IPv6-based ACL has implicit permit icmp any any nd-ns any, permit icmp any any nd-na any, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.)

The IPv6 neighbor discovery process uses the IPv6 network layer service, therefore, by default, IPv6-based ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data link layer protocol; therefore, by default, IPv4-based ACLs implicitly allow ARP packets to be sent and received on an interface.
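The implicit tail of an IPv6-based ACL described above (permit nd-ns, permit nd-na, then deny ipv6 any any) together with prefix/length matching, as an added Python model that is not part of this command reference and not Cisco's code. It shows why a host-address-with-prefix such as 3001::2/64 from the permit (IPv6) example matches the whole 3001::/64 network, and why neighbor discovery keeps working on an interface whose ACL permits only web traffic. ICMPv6 types are kept as the names the reference uses (nd-ns, nd-na) rather than numbers, port ranges are not modelled, and the ACL, class names and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Ipv6Ace:
    """One IPv6 ACE (constructed model). None stands for the 'any' keyword.
    protocol is 'ipv6' (match any protocol), 'tcp', 'udp' or 'icmp';
    icmp_type is a name such as 'nd-ns'; ports are single port numbers."""
    action: str
    protocol: str
    source: Optional[str] = None          # IPv6 prefix/length
    source_port: Optional[int] = None
    destination: Optional[str] = None     # IPv6 prefix/length
    destination_port: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt: Dict) -> bool:
        if self.protocol != "ipv6" and self.protocol != pkt["protocol"]:
            return False
        # strict=False lets a host address with a prefix length, as in the
        # '3001::2/64' example, stand for its network 3001::/64
        if self.source is not None and ipaddress.IPv6Address(pkt["src"]) not in \
                ipaddress.IPv6Network(self.source, strict=False):
            return False
        if self.destination is not None and ipaddress.IPv6Address(pkt["dst"]) not in \
                ipaddress.IPv6Network(self.destination, strict=False):
            return False
        if self.source_port is not None and pkt.get("sport") != self.source_port:
            return False
        if self.destination_port is not None and pkt.get("dport") != self.destination_port:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


# The three implicit statements every IPv6-based ACL ends with, in order
IMPLICIT_TAIL = [
    Ipv6Ace("permit", "icmp", icmp_type="nd-ns"),
    Ipv6Ace("permit", "icmp", icmp_type="nd-na"),
    Ipv6Ace("deny", "ipv6"),
]


def evaluate_ipv6_acl(aces: List[Ipv6Ace], pkt: Dict) -> str:
    """Return 'permit' or 'deny' for pkt: first match wins, and the implicit
    tail guarantees a decision."""
    for ace in list(aces) + IMPLICIT_TAIL:
        if ace.matches(pkt):
            return ace.action
    return "deny"  # not reachable: 'deny ipv6 any any' matches every packet


# Constructed ACL mirroring the permit (IPv6) example: permit tcp 3001::2/64 any any 80
SERVER = [Ipv6Ace("permit", "tcp", source="3001::2/64", destination_port=80)]

# Constructed packets, not captures
WEB = {"protocol": "tcp", "src": "3001::abcd", "dst": "2001:db8::1", "sport": 50000, "dport": 80}
SSH = dict(WEB, dport=22)
NS = {"protocol": "icmp", "src": "fe80::1", "dst": "ff02::1:ff00:1", "icmp_type": "nd-ns"}
PING = {"protocol": "icmp", "src": "3001::abcd", "dst": "2001:db8::1", "icmp_type": "echo-request"}

if __name__ == "__main__":
    for name, pkt in (("web", WEB), ("ssh", SSH), ("nd-ns", NS), ("ping", PING)):
        print(name, evaluate_ipv6_acl(SERVER, pkt))
```

Note the contrast with the IPv4 case stated in the paragraph above: ARP never reaches an IPv4-based ACL because it is a separate link-layer protocol, whereas neighbor discovery is ICMPv6 and is only saved by the two implicit permits at the end of the list.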

Example

switchxxxxxx(config)# ipv6 access-list test
switchxxxxxx(config-ipv6-acl)#

mac access-group in

To bind a MAC-based ACL to an interface, use the mac access-group in Interface Configuration mode command.

To remove all MAC-based ACLs from an interface, use the no form of this command.

Syntax

mac access-group acl-name in

no mac access-group in

Parameters

acl-name—Name of the MAC-based ACL. (Range: 1 to 32 characters)

Default Configuration

No MAC-based ACL is applied to the interface.

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# mac access-group macacl1 in

mac access-list extended

To define a Layer 2 ACL based on source MAC address filtering and to enter the MAC Access-List Configuration mode, use the mac access-list extended Global Configuration mode command.

To remove a MAC-based ACL, use the no form of this command.

Syntax

mac access-list extended acl-name

no mac access-list extended acl-name

Parameters

acl-name—Name of the MAC-based ACL. (Range: 1 to 32 characters)

Default Configuration

No MAC-based ACL is defined.

Command Mode

Global Configuration mode

User Guidelines

The MAC-based ACEs for this MAC-based ACL are defined in the permit (MAC) and deny (MAC) commands.

A MAC-based ACL is defined by a unique name. IPv4-based ACL, IPv6-based ACL, MAC-based ACL, or policy map cannot have the same name.

Example

switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-acl)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any

no sequence

To remove a permit or deny ACE for an IPv4-based ACL, an IPv6-based ACL, or a MAC-based ACL, use the no sequence command in the IP Access-List Configuration mode, in the IPv6 Access-List Configuration mode, or in the MAC Access-List Configuration mode.

Syntax

no sequence value

Parameters

value—Sequence number of the ACE to remove. The acceptable range is from 1 to 2147483547.

Command Mode

IP Access-List Configuration mode, IPv6 Access-List Configuration mode, and MAC Access-List Configuration mode

Example

switchxxxxxx(config)# mac access-list extended macacl1
switchxxxxxx(config-mac-acl)# show access-list
MAC access list macacl1
    sequence 1 permit any any
switchxxxxxx(config-mac-acl)# no sequence 1

permit (IP)

To set permit conditions for an IPv4-based ACL, use the permit IP Access-List Configuration mode command.

To remove an IPv4-based ACE, use the no sequence command.

Syntax

[sequence value] permit protocol {any | source source-wildcard } {any | destination destination-wildcard } [dscp number | precedence number]

[sequence value] permit icmp {any | source source-wildcard } {any | destination destination-wildcard} [any | icmp-type] [any | icmp-code] [dscp number | precedence number]

[sequence value] permit tcp {any | source source-wildcard } {any | source-port/port-range} {any | destination destination-wildcard } {any | destination-port/port-range } [dscp number | precedence number ] [match-all list-of-flags]

[sequence value] permit udp {any | source source-wildcard } {any | source-port/port-range } {any | destination destination-wildcard } {any | destination-port/port-range } [dscp number | precedence number]

no sequence value

Parameters

sequence value—(Optional) Specifies the sequence number for the IPv4-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.

protocol—The name or the number of an IP protocol. Available protocol names are icmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, and isis. To match any protocol, use the ip keyword. (Range: 0 to 255)

source—Source IP address of the packet.

source-wildcard—Wildcard bits to be applied to the source IP address.

source-port/port-range—(Optional) The UDP or TCP source port. Predefined port names are defined in the destination-port/port-range parameter. (Range: 0 to 65535)

destination—Destination IP address of the packet.

destination-wildcard—Wildcard bits to be applied to the destination IP address.

destination-port/port-range—(Optional) The UDP or TCP destination port. You can enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a number or one of these values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (35), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (135), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (35), who (513), or xdmcp (177). (Range: 0 to 65535)

dscp number—(Optional) Specifies the DSCP value.

precedence number—(Optional) Specifies the IP precedence value.

icmp-type—(Optional) The ICMP message type for filtering ICMP packets. Enter a number or one of these values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, or photuris. (Range: 0 to 255)

icmp-code—(Optional) The ICMP message code for filtering ICMP packets. (Range: 0 to 255)

match-all list-of-flags—(Optional) Specifies a list of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string, such as +fin-ack.

Default Configuration

No IPv4-based ACE is defined.

Command Mode

IP Access-List Configuration mode

User Guidelines

After an ACE is added to an ACL, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

The number of TCP or UDP ranges that can be defined in ACLs is limited. You can define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for UDP.

If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE.

If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.

If a range of ports is used for a source port, it is counted again if it is also used for a destination port.

Example

switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-acl)# permit ip 176.212.0.0 0.0.255.255 any

permit (IPv6)

To set permit conditions for an IPv6-based ACL, use the permit command in the IPv6 Access-List Configuration mode.

To remove an IPv6-based ACE, use the no sequence command.

Syntax

[sequence value] permit protocol {any | source-prefix/length} {any | destination-prefix/length} [dscp number | precedence number]

[sequence value] permit icmp {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [dscp number | precedence number]

[sequence value] permit tcp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags]

[sequence value] permit udp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number]

no sequence value

Parameters

sequence value—(Optional) The sequence number for the IPv6-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.

protocol—The name or the number of an IP protocol. Available protocol names are icmp (58), tcp (6), and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0 to 255)

source-prefix/length—The source IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.

source-port/port-range—The UDP or TCP source port. Predefined port names are defined in the destination-port/port-range parameter. (Range: 0 to 65535)

destination-prefix/length—The destination IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.

destination-port/port-range—The UDP or TCP destination port. You can enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a number or one of these values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (35), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (135), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (35), who (513), or xdmcp (177). (Range: 0 to 65535)

dscp number—(Optional) Specifies the DSCP value. (Range: 0 to 63)

precedence number—(Optional) Specifies the IP precedence value.

icmp-type—(Optional) The ICMP message type for filtering ICMP packets. Enter a number or one of these values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), or nd-na (135). (Range: 0 to 255)

icmp-code—(Optional) The ICMP message code for filtering ICMP packets. (Range: 0 to 255)

match-all list-of-flags—(Optional) Specifies a list of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string, such as +fin-ack.
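The match-all flag list format described in this parameter (the same parameter appears in the deny (IP), deny (IPv6) and permit (IP) commands), as an added Python parser and matcher that is not part of this command reference and not Cisco's code. It turns a string such as +fin-ack into the set of flags that must be set and the set that must be clear, rejects malformed or contradictory lists, and checks a segment's flags against it; the bit values used to decode a raw TCP flags byte are the standard header bits. Function names and sample flag bytes are constructed for illustration.

```python
import re
from typing import Set, Tuple

# Standard TCP header flag bits (low six bits of the flags byte)
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
_FLAG_TOKEN = re.compile(r"([+-])(urg|ack|psh|rst|syn|fin)")


def parse_flag_list(spec: str) -> Tuple[Set[str], Set[str]]:
    """Parse a match-all list such as '+fin-ack' into (must_be_set, must_be_clear).
    Every flag needs a sign; unknown names, stray text, and a flag listed as
    both +x and -x are rejected."""
    must_set: Set[str] = set()
    must_clear: Set[str] = set()
    pos = 0
    for m in _FLAG_TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos} in {spec!r}")
        pos = m.end()
        (must_set if m.group(1) == "+" else must_clear).add(m.group(2))
    if pos == 0 or pos != len(spec):
        raise ValueError(f"malformed flag list: {spec!r}")
    clash = must_set & must_clear
    if clash:
        raise ValueError(f"flag(s) required both set and unset: {sorted(clash)}")
    return must_set, must_clear


def flags_from_byte(flag_byte: int) -> Set[str]:
    """Decode the six classic flag bits of a TCP header into flag names."""
    return {name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit}


def flags_match(spec: str, packet_flags: Set[str]) -> bool:
    """True when every '+' flag is set and every '-' flag is clear (match-all);
    flags the list does not mention are ignored."""
    must_set, must_clear = parse_flag_list(spec)
    return must_set <= packet_flags and not (must_clear & packet_flags)


if __name__ == "__main__":
    # Constructed flag bytes: 0x02 is a bare SYN, 0x12 is SYN+ACK, 0x11 is FIN+ACK
    for spec in ("+syn-ack", "+fin-ack"):
        for byte in (0x02, 0x12, 0x11):
            print(spec, hex(byte), flags_match(spec, flags_from_byte(byte)))
```

Because the match is "all", an ACE written with +syn-ack matches only the first segment of a new connection and leaves SYN+ACK replies alone; +fin-ack, the reference's own example, matches a FIN that is not accompanied by ACK.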

Default Configuration

No IPv6-based ACE is defined.

Command Mode

IPv6 Access-List Configuration mode

User Guidelines

The number of TCP/UDP ranges that can be defined in ACLs is limited. You can define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for UDP.

If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE.

If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.

If a range of ports is used for a source port, it is counted again if it is also used for a destination port.
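The three counting rules for TCP/UDP port ranges stated in these user guidelines (they appear identically under deny (IP), deny (IPv6), permit (IP) and this command), as an added Python model that is not part of this command reference and not Cisco's code. It tallies how many of the limited range resources a set of ACEs consumes per protocol: only hyphenated ranges count, a range reused in the same role is counted once, and a range used both as a source and as a destination is counted for each role. The actual limits are ASIC-specific and shown as a placeholder in the reference, so the budget check takes them as an argument; the ACE set, class and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Range = Tuple[int, int]


@dataclass
class L4Ace:
    """Port fields of a TCP or UDP ACE (constructed model). None is the 'any'
    keyword; a string is a single port ('80') or a hyphenated range ('20 - 21')."""
    protocol: str  # "tcp" or "udp"
    source_port: Optional[str] = None
    destination_port: Optional[str] = None


def parse_port_spec(spec: Optional[str]) -> Optional[Range]:
    """Return (low, high) for a hyphenated range; None for 'any' or a single
    port, since only ranges consume one of the limited range resources."""
    if spec is None:
        return None
    text = spec.replace(" ", "")
    if "-" not in text:
        port = int(text)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {spec!r}")
        return None
    low_s, high_s = text.split("-", 1)
    low, high = int(low_s), int(high_s)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return (low, high)


def count_range_resources(aces: List[L4Ace]) -> Dict[str, int]:
    """Apply the guideline's rules: a range reused as a source port is counted
    once, reused as a destination port once, but a range that appears in both
    roles is counted for each role. TCP and UDP have separate budgets."""
    used: Dict[str, int] = {}
    for proto in ("tcp", "udp"):
        src_ranges: Set[Range] = set()
        dst_ranges: Set[Range] = set()
        for ace in aces:
            if ace.protocol != proto:
                continue
            r = parse_port_spec(ace.source_port)
            if r is not None:
                src_ranges.add(r)
            r = parse_port_spec(ace.destination_port)
            if r is not None:
                dst_ranges.add(r)
        used[proto] = len(src_ranges) + len(dst_ranges)
    return used


def over_budget(aces: List[L4Ace], limits: Dict[str, int]) -> List[str]:
    """Return the protocols whose range usage exceeds the given limits. The real
    limits are ASIC-specific, so they are passed in rather than hard-coded."""
    used = count_range_resources(aces)
    return [proto for proto, n in used.items() if n > limits.get(proto, 0)]


# Constructed ACE set, not from the reference
ACES = [
    L4Ace("tcp", "20 - 21", "80"),           # source range 20-21: counts once
    L4Ace("tcp", "20 - 21", "1024 - 2000"),  # same source range: not counted again; new destination range
    L4Ace("tcp", "1024 - 2000", None),       # 1024-2000 now also as a source: counted again
    L4Ace("udp", "20 - 21", "53"),           # separate UDP budget
]

if __name__ == "__main__":
    print(count_range_resources(ACES))               # tcp 3, udp 1
    print(over_budget(ACES, {"tcp": 2, "udp": 2}))  # placeholder limits
```

Running the tally before pushing a large ACL is a cheap way to spot the configuration that will fail at bind time because one protocol's range budget is exhausted; note that a single port such as 80 or a name such as www never consumes a range resource.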

Example

This example defines an IPv6-based ACL by the server name and enters an IPv6-based ACE for TCP packets:

switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-acl)# permit tcp 3001::2/64 any any 80

permit (MAC)

To set permit conditions for a MAC-based ACL, use the permit command in the MAC Access-List Configuration mode.

To remove a MAC-based ACE, use the no sequence command.

Syntax

[sequence value] permit {any | source source-wildcard} {any | destination destination-wildcard} [any | vlan vlan-id] [cos cos cos-wildcard] [ethtype value]

no sequence value

Parameters

sequence value—(Optional) Specifies the sequence number for the MAC-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.

source—Source MAC address of the packet.

source-wildcard—Wildcard bits to be applied to the source MAC address.

destination—Destination MAC address of the packet.

destination-wildcard—Wildcard bits to be applied to the destination MAC address.

vlan vlan-id—(Optional) Specifies the VLAN ID of the packet. (Range: 1 to 4094)

cos—(Optional) The CoS value of the packet. (Range: 0 to 7)

cos-wildcard—(Optional) Wildcard bits to be applied to the CoS.

ethtype value—(Optional) Specifies the Ethernet type in hexadecimal format of the packet. (Range: 1501 to 65535)

Default Configuration

No MAC-based ACE is defined.

Command Mode

MAC Access-List Configuration mode

User Guidelines

After an ACE is added to an ACL, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

Example

switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-acl)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any

show access-lists

To display the ACLs for a specific class defined on the switch, use the show access-lists Privileged EXEC mode command.

Syntax

show {ip | ipv6 | mac} access-lists [acl-name]

Parameters

ip | ipv6 | mac—Specifies the ACL type.

acl-name—(Optional) Name of the ACL. (Range: 1 to 32 characters)

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip access-lists

show access-lists

To display all ACLs configured on the switch, use the show access-lists Privileged EXEC mode command.

Syntax

show access-lists

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show access-lists
MAC access list macacl1
    sequence 1 permit any any cos 7 5
IPv6 access list v6acl1
    sequence 1 permit ipv6 abcd::/64 aacc::/64

show access-lists utilization

To display the utilization of the access-list group, use the show access-lists utilization Privileged EXEC mode command.

Syntax

show access-lists utilization

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show access-lists utilization 
Max TCAM entries: 1408
In used: 0