acl
acl
+ capture-filter
+ ipv4-filter
+ entry sequence-id number
+ action
+ accept
+ copy
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ dscp-set (number | keyword)
+ first-fragment boolean
+ fragment boolean
+ icmp
+ code number
+ type (number | keyword)
+ protocol (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- tcam-entries number
+ ipv6-filter
+ entry sequence-id number
+ action
+ accept
+ copy
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ dscp-set (number | keyword)
+ icmp6
+ code number
+ type (number | keyword)
+ next-header (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- tcam-entries number
+ cpm-filter
+ ipv4-filter
+ entry sequence-id number
+ action
+ accept
+ log boolean
+ rate-limit
+ policer reference
+ system-cpu-policer reference
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ dscp-set (number | keyword)
+ first-fragment boolean
+ fragment boolean
+ icmp
+ code number
+ type (number | keyword)
+ protocol (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- distributed-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
- last-match string
- matched-packets number
- system-cpu-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- tcam-entries number
- last-clear string
+ statistics-per-entry boolean
+ ipv6-filter
+ entry sequence-id number
+ action
+ accept
+ log boolean
+ rate-limit
+ policer reference
+ system-cpu-policer reference
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ dscp-set (number | keyword)
+ icmp6
+ code number
+ type (number | keyword)
+ next-header (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- distributed-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
- last-match string
- matched-packets number
- system-cpu-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- tcam-entries number
- last-clear string
+ statistics-per-entry boolean
+ mac-filter
+ entry sequence-id number
+ action
+ accept
+ log boolean
+ rate-limit
+ policer reference
+ system-cpu-policer reference
+ drop
+ log boolean
+ description string
+ match
+ destination-mac
+ address string
+ mask string
+ ethertype (string | keyword)
+ source-mac
+ address string
+ mask string
+ vlan
+ outermost-vlan-id
+ none
+ operator keyword
+ range
+ end number
+ start number
+ value number
- statistics
- distributed-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
- last-match string
- matched-packets number
- system-cpu-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- tcam-entries number
- last-clear string
+ statistics-per-entry boolean
- datapath-programming
- forwarding-complex slot-id number complex-id number
- last-completed-timestamp string
- programming-complete boolean
+ egress-mac-filtering boolean
+ ipv4-filter name string
+ description string
+ entry sequence-id number
+ action
+ accept
+ forwarding-class (keyword | reference)
+ log boolean
+ rate-limit reference
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ dscp-set (number | keyword)
+ first-fragment boolean
+ fragment boolean
+ icmp
+ code number
+ type (number | keyword)
+ protocol (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- aggregate
- in-last-match string
- in-matched-packets number
- out-last-match string
- out-matched-packets number
- last-clear string
- per-interface
- subinterface name string
- in-last-match string
- in-matched-packets number
- last-clear string
- out-last-match string
- out-matched-packets number
- tcam-entries
- forwarding-complex complex-identifier string
- input-total number
- output-total number
- single-instance number
- last-clear string
+ statistics-per-entry boolean
+ subinterface-specific keyword
+ ipv6-filter name string
+ description string
+ entry sequence-id number
+ action
+ accept
+ forwarding-class (keyword | reference)
+ log boolean
+ rate-limit reference
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ dscp-set (number | keyword)
+ icmp6
+ code number
+ type (number | keyword)
+ next-header (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- aggregate
- in-last-match string
- in-matched-packets number
- out-last-match string
- out-matched-packets number
- last-clear string
- per-interface
- subinterface name string
- in-last-match string
- in-matched-packets number
- last-clear string
- out-last-match string
- out-matched-packets number
- tcam-entries
- forwarding-complex complex-identifier string
- input-total number
- output-total number
- single-instance number
- last-clear string
+ statistics-per-entry boolean
+ subinterface-specific keyword
+ mac-filter name string
+ description string
+ entry sequence-id number
+ action
+ accept
+ forwarding-class (keyword | reference)
+ log boolean
+ rate-limit reference
+ drop
+ log boolean
+ description string
+ match
+ destination-mac
+ address string
+ mask string
+ ethertype (string | keyword)
+ source-mac
+ address string
+ mask string
+ vlan
+ outermost-vlan-id
+ none
+ operator keyword
+ range
+ end number
+ start number
+ value number
- statistics
- aggregate
- in-last-match string
- in-matched-packets number
- out-last-match string
- out-matched-packets number
- last-clear string
- per-interface
- subinterface name string
- in-last-match string
- in-matched-packets number
- last-clear string
- out-last-match string
- out-matched-packets number
- tcam-entries
- forwarding-complex complex-identifier string
- input-total number
- output-total number
- single-instance number
- last-clear string
+ statistics-per-entry boolean
+ subinterface-specific keyword
+ policers
+ policer name string
+ entry-specific boolean
+ max-burst number
+ peak-rate number
- statistics
- aggregate
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
+ system-cpu-policer name string
+ entry-specific boolean
+ max-packet-burst number
+ peak-packet-rate number
- statistics
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
+ system-filter
+ ipv4-filter
+ entry sequence-id number
+ action
+ accept
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ dscp-set (number | keyword)
+ first-fragment boolean
+ fragment boolean
+ icmp
+ code number
+ type (number | keyword)
+ protocol (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- last-clear string
- last-match string
- matched-packets number
- tcam-entries number
- last-clear string
+ ipv6-filter
+ entry sequence-id number
+ action
+ accept
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ dscp-set (number | keyword)
+ icmp6
+ code number
+ type (number | keyword)
+ next-header (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- last-clear string
- last-match string
- matched-packets number
- tcam-entries number
- last-clear string
+ tcam-profile keyword
acl Descriptions
acl
capture-filter
Description | Top level container for capture filters | |
Context | acl capture-filter | |
Tree | capture-filter | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
ipv4-filter
Description | Top level container for capture IPv4 filters | |
Context | acl capture-filter ipv4-filter | |
Tree | ipv4-filter | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
entry sequence-id number
Description | List of filter rules. | |
Context | acl capture-filter ipv4-filter entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl capture-filter ipv4-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
action
Description | Container for the actions to be applied to packets matching the capture filter entry. | |
Context | acl capture-filter ipv4-filter entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl capture-filter ipv4-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
copy
Description | Create a copy of matching packets extract them to the CPM and deliver them to the designated veth interface | |
Context | acl capture-filter ipv4-filter entry sequence-id number action copy | |
Tree | copy | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
description string
Description | Description string for the filter entry | |
Context | acl capture-filter ipv4-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl capture-filter ipv4-filter entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
destination-ip
Description | Packet matching criteria based on destination IPv4 address | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
value (number | keyword)
Description | A destination port number | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
dscp-set (number | keyword)
Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match dscp-set (number | keyword) | |
Tree | dscp-set | |
Range | 0 to 63 | |
Options |
| |
Configurable | True | |
Platforms | 7250 IXR-6, 7220 IXR-D3L, 7220 IXR-D2, 7250 IXR-10, 7220 IXR-D2L, 7250 IXR-10e, 7220 IXR-D1, 7220 IXR-D3, 7220 IXR-D4, 7250 IXR-6e, 7220 IXR-D5 |
first-fragment boolean
Description | Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
Tree | first-fragment | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
fragment boolean
Description | Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match fragment boolean | |
Tree | fragment | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
icmp
Description | A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match icmp | |
Tree | icmp | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
code number
Description | Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match icmp code number | |
Tree | code | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
type (number | keyword)
Description | Match a single ICMP type value. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
protocol (number | keyword)
Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
Context | acl capture-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
Tree | protocol | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
source-ip
Description | Packet matching criteria based on source IPv4 address | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
prefix string
Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
value (number | keyword)
Description | A source port number | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl capture-filter ipv4-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
ipv6-filter
Description | Top level container for capture IPv6 filters | |
Context | acl capture-filter ipv6-filter | |
Tree | ipv6-filter | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
entry sequence-id number
Description | List of filter rules. | |
Context | acl capture-filter ipv6-filter entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl capture-filter ipv6-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
action
Description | Container for the actions to be applied to packets matching the capture filter entry. | |
Context | acl capture-filter ipv6-filter entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl capture-filter ipv6-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
copy
Description | Create a copy of matching packets extract them to the CPM and deliver them to the designated veth interface | |
Context | acl capture-filter ipv6-filter entry sequence-id number action copy | |
Tree | copy | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
description string
Description | Description string for the filter entry | |
Context | acl capture-filter ipv6-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl capture-filter ipv6-filter entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
destination-ip
Description | Packet matching criteria based on destination IPv6 address | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
value (number | keyword)
Description | A destination port number | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
dscp-set (number | keyword)
Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match dscp-set (number | keyword) | |
Tree | dscp-set | |
Range | 0 to 63 | |
Options |
| |
Configurable | True | |
Platforms | 7250 IXR-6, 7220 IXR-D3L, 7220 IXR-D2, 7250 IXR-10, 7220 IXR-D2L, 7250 IXR-10e, 7220 IXR-D1, 7220 IXR-D3, 7220 IXR-D4, 7250 IXR-6e, 7220 IXR-D5 |
icmp6
Description | A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 | |
Tree | icmp6 | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
code number
Description | Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 code number | |
Tree | code | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
type (number | keyword)
Description | Match a single ICMPv6 type value | |
Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
next-header (number | keyword)
Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
Context | acl capture-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
Tree | next-header | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
source-ip
Description | Packet matching criteria based on source IPv6 address | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
prefix string
Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
value (number | keyword)
Description | A source port number | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl capture-filter ipv6-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
cpm-filter
Description | Top level container for CPM filters | |
Context | acl cpm-filter | |
Tree | cpm-filter | |
Configurable | True | |
Platforms | Supported on all platforms |
ipv4-filter
Description | Top level container for CPM IPv4 filters | |
Context | acl cpm-filter ipv4-filter | |
Tree | ipv4-filter | |
Configurable | True | |
Platforms | Supported on all platforms |
entry sequence-id number
Description | List of filter rules. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | Supported on all platforms |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl cpm-filter ipv4-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True | |
Platforms | Supported on all platforms |
action
Description | Container for the actions to be applied to packets matching the CPM filter entry. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | Supported on all platforms |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | Supported on all platforms |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
rate-limit
Description | Rate-limit accepted packets | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit | |
Tree | rate-limit | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
policer reference
Description | Reference to a policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit policer reference | |
Tree | policer | |
Reference | acl policers policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 |
system-cpu-policer reference
Description | Reference to a system-cpu-policer. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit system-cpu-policer reference | |
Tree | system-cpu-policer | |
Reference | acl policers system-cpu-policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
drop
Description | Drop matching packets. Dropped IP packets do not result in sending ICMP messages back to the source | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True | |
Platforms | Supported on all platforms |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
description string
Description | Description string for the filter entry | |
Context | acl cpm-filter ipv4-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | Supported on all platforms |
destination-ip
Description | Packet matching criteria based on destination IPv4 address | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True | |
Platforms | Supported on all platforms |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True | |
Platforms | Supported on all platforms |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
value (number | keyword)
Description | A destination port number | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
dscp-set (number | keyword)
Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match dscp-set (number | keyword) | |
Tree | dscp-set | |
Range | 0 to 63 | |
Options |
| |
Configurable | True | |
Platforms | 7250 IXR-6, 7220 IXR-D3L, 7220 IXR-D2, 7250 IXR-10, 7220 IXR-D2L, 7250 IXR-10e, 7220 IXR-D1, 7220 IXR-D3, 7220 IXR-D4, 7250 IXR-6e, 7220 IXR-D5 |
first-fragment boolean
Description | Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
Tree | first-fragment | |
Configurable | True | |
Platforms | Supported on all platforms |
fragment boolean
Description | Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match fragment boolean | |
Tree | fragment | |
Configurable | True | |
Platforms | Supported on all platforms |
icmp
Description | A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp | |
Tree | icmp | |
Configurable | True | |
Platforms | Supported on all platforms |
code number
Description | Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp code number | |
Tree | code | |
Configurable | True | |
Platforms | Supported on all platforms |
type (number | keyword)
Description | Match a single ICMP type value. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
protocol (number | keyword)
Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
Tree | protocol | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
source-ip
Description | Packet matching criteria based on source IPv4 address | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True | |
Platforms | Supported on all platforms |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms |
prefix string
Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True | |
Platforms | Supported on all platforms |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
value (number | keyword)
Description | A source port number | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True | |
Platforms | Supported on all platforms |
statistics
Description | Statistics container for packets matching the CPM-filter entry | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | Supported on all platforms |
distributed-policer
Description | Distributed policer stats for traffic matching the entry. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer | |
Tree | distributed-policer | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
last-match string
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces and all linecards. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
matched-packets number
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces and all linecards | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
system-cpu-policer
Description | System CPU policer stats for traffic matching the entry. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer | |
Tree | system-cpu-policer | |
Configurable | False | |
Platforms | Supported on all platforms |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | Supported on all platforms |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter ipv4-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
statistics-per-entry boolean
Description | Collect the following statistics per entry: the number of packets matching each entry, and the elapsed time since a packet last matched each entry | |
Context | acl cpm-filter ipv4-filter statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
ipv6-filter
Description | Top level container for CPM IPv6 filters | |
Context | acl cpm-filter ipv6-filter | |
Tree | ipv6-filter | |
Configurable | True | |
Platforms | Supported on all platforms |
entry sequence-id number
Description | List of filter rules. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | Supported on all platforms |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl cpm-filter ipv6-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True | |
Platforms | Supported on all platforms |
action
Description | Container for the actions to be applied to packets matching the CPM filter entry. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | Supported on all platforms |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | Supported on all platforms |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
rate-limit
Description | Rate-limit accepted packets | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit | |
Tree | rate-limit | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
policer reference
Description | Reference to a policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit policer reference | |
Tree | policer | |
Reference | acl policers policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 |
system-cpu-policer reference
Description | Reference to a system-cpu-policer. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit system-cpu-policer reference | |
Tree | system-cpu-policer | |
Reference | acl policers system-cpu-policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
drop
Description | Drop matching packets. Dropped IP packets do not result in sending ICMP messages back to the source | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True | |
Platforms | Supported on all platforms |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
description string
Description | Description string for the filter entry | |
Context | acl cpm-filter ipv6-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | Supported on all platforms |
destination-ip
Description | Packet matching criteria based on destination IPv6 address | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True | |
Platforms | Supported on all platforms |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True | |
Platforms | Supported on all platforms |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
value (number | keyword)
Description | A destination port number | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
dscp-set (number | keyword)
Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match dscp-set (number | keyword) | |
Tree | dscp-set | |
Range | 0 to 63 | |
Options |
| |
Configurable | True | |
Platforms | 7250 IXR-6, 7220 IXR-D3L, 7220 IXR-D2, 7250 IXR-10, 7220 IXR-D2L, 7250 IXR-10e, 7220 IXR-D1, 7220 IXR-D3, 7220 IXR-D4, 7250 IXR-6e, 7220 IXR-D5 |
icmp6
Description | A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 | |
Tree | icmp6 | |
Configurable | True | |
Platforms | Supported on all platforms |
code number
Description | Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 code number | |
Tree | code | |
Configurable | True | |
Platforms | Supported on all platforms |
type (number | keyword)
Description | Match a single ICMPv6 type value | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
next-header (number | keyword)
Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
Tree | next-header | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
source-ip
Description | Packet matching criteria based on source IPv6 address | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True | |
Platforms | Supported on all platforms |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms |
prefix string
Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True | |
Platforms | Supported on all platforms |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
value (number | keyword)
Description | A source port number | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True | |
Platforms | Supported on all platforms |
statistics
Description | Statistics container for packets matching the CPM-filter entry | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | Supported on all platforms |
distributed-policer
Description | Distributed policer stats for traffic matching the entry. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer | |
Tree | distributed-policer | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
last-match string
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces and all linecards. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
matched-packets number
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces and all linecards | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
system-cpu-policer
Description | System CPU policer stats for traffic matching the entry. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer | |
Tree | system-cpu-policer | |
Configurable | False | |
Platforms | Supported on all platforms |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | Supported on all platforms |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter ipv6-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
statistics-per-entry boolean
Description | Collect the following statistics per entry: the number of packets matching each entry, and the elapsed time since a packet last matched each entry | |
Context | acl cpm-filter ipv6-filter statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
mac-filter
Description | Top level container for CPM MAC filter | |
Context | acl cpm-filter mac-filter | |
Tree | mac-filter | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
entry sequence-id number
Description | List of filter rules. | |
Context | acl cpm-filter mac-filter entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl cpm-filter mac-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
action
Description | Container for the actions to be applied to packets matching the CPM filter entry. | |
Context | acl cpm-filter mac-filter entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl cpm-filter mac-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl cpm-filter mac-filter entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
rate-limit
Description | Rate-limit accepted packets | |
Context | acl cpm-filter mac-filter entry sequence-id number action accept rate-limit | |
Tree | rate-limit | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
policer reference
Description | Reference to a policer | |
Context | acl cpm-filter mac-filter entry sequence-id number action accept rate-limit policer reference | |
Tree | policer | |
Reference | acl policers policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 |
system-cpu-policer reference
Description | Reference to a system-cpu-policer. | |
Context | acl cpm-filter mac-filter entry sequence-id number action accept rate-limit system-cpu-policer reference | |
Tree | system-cpu-policer | |
Reference | acl policers system-cpu-policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
drop
Description | Drop matching packets. Dropped IP packets do not result in sending ICMP messages back to the source | |
Context | acl cpm-filter mac-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl cpm-filter mac-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
description string
Description | Description string for the filter entry | |
Context | acl cpm-filter mac-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
match
Description | Container for the conditions that determine whether an Ethernet frame matches this entry | |
Context | acl cpm-filter mac-filter entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
destination-mac
Description | Ethernet frame matching criteria based on destination MAC address | |
Context | acl cpm-filter mac-filter entry sequence-id number match destination-mac | |
Tree | destination-mac | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
address string
Description | Match an Ethernet frame if its destination MAC address logically anded with the mask equals this MAC address. | |
Context | acl cpm-filter mac-filter entry sequence-id number match destination-mac address string | |
Tree | address | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
mask string
Description | Match an Ethernet frame if its destination MAC address logically anded with the mask equals the configured MAC address. | |
Context | acl cpm-filter mac-filter entry sequence-id number match destination-mac mask string | |
Tree | mask | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
ethertype (string | keyword)
Description | An Ethernet frame matches this condition if its ethertype value (after 802.1Q VLAN tags) matches the specified value | |
Context | acl cpm-filter mac-filter entry sequence-id number match ethertype (string | keyword) | |
Tree | ethertype | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
source-mac
Description | Ethernet frame matching criteria based on source MAC address | |
Context | acl cpm-filter mac-filter entry sequence-id number match source-mac | |
Tree | source-mac | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
address string
Description | Match an Ethernet frame if its source MAC address logically anded with the mask equals this MAC address. | |
Context | acl cpm-filter mac-filter entry sequence-id number match source-mac address string | |
Tree | address | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
mask string
Description | Match an Ethernet frame if its source MAC address logically anded with the mask equals the configured MAC address. | |
Context | acl cpm-filter mac-filter entry sequence-id number match source-mac mask string | |
Tree | mask | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
vlan
Description | Ethernet frame matching criteria based on VLAN tags | |
Context | acl cpm-filter mac-filter entry sequence-id number match vlan | |
Tree | vlan | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
outermost-vlan-id
Description | Ethernet frame matching criteria based on the outermost VLAN ID found before the subinterface-defining VLAN tag (if any) is removed. | |
Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id | |
Tree | outermost-vlan-id | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
none
Description | When configured, only untagged frames are matched. | |
Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id none | |
Tree | none | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
range
Description | Container used to specify a contiguous range of VLAN IDs. Matched values include the start and end values. | |
Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id range | |
Tree | range | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
end number
Description | The ending VLAN ID to include in the range | |
Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id range end number | |
Tree | end | |
Range | 0 to 4095 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
start number
Description | The starting VLAN ID to include in the range | |
Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id range start number | |
Tree | start | |
Range | 0 to 4095 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
value number
Description | A VLAN ID number A value of zero is used to match priority-tagged 802.1Q frames. | |
Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id value number | |
Tree | value | |
Range | 0 to 4095 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
statistics
Description | Statistics container for packets matching the CPM-filter entry | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
distributed-policer
Description | Distributed policer stats for traffic matching the entry. | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer | |
Tree | distributed-policer | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
last-match string
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces and all linecards. | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
matched-packets number
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces and all linecards | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
system-cpu-policer
Description | System CPU policer stats for traffic matching the entry. | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer | |
Tree | system-cpu-policer | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl cpm-filter mac-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter mac-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
statistics-per-entry boolean
Description | Collect the following statistics per entry: the number of packets matching each entry, and the elapsed time since a packet last matched each entry | |
Context | acl cpm-filter mac-filter statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
datapath-programming
Description | Container to represent the progress of ACL datapath programming | |
Context | acl datapath-programming | |
Tree | datapath-programming | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
forwarding-complex slot-id number complex-id number
Description | List of forwarding complexes that are currently installed and online | |
Context | acl datapath-programming forwarding-complex slot-id number complex-id number | |
Tree | forwarding-complex | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
slot-id number
Description | The slot id | |
Context | acl datapath-programming forwarding-complex slot-id number complex-id number | |
Range | 1 to 8 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
complex-id number
Description | The complex id | |
Context | acl datapath-programming forwarding-complex slot-id number complex-id number | |
Range | 0 to 1 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
last-completed-timestamp string
Description | The date and time when the forwarding complex last completed all datapath programming related to prior ACL configuration changes. | |
Context | acl datapath-programming forwarding-complex slot-id number complex-id number last-completed-timestamp string | |
Tree | last-completed-timestamp | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
programming-complete boolean
Description | Reads false when there are still pending entries to program from prior configuration transactions Reads true when all datapath programming related to all prior ACL configuration changes is complete | |
Context | acl datapath-programming forwarding-complex slot-id number complex-id number programming-complete boolean | |
Tree | programming-complete | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
egress-mac-filtering boolean
Description | Must be set to true in order to apply any MAC ACLs to any subinterface in the egress traffic direction. Internally this sets the following limits: Remember that the number of ACL instances per ACL policy is greater than one if subinterface-specific is set to input-and-output or output-only. A setting of true is blocked if the number of IPv4 ACL instances applied to egress traffic is already greater than 32, or if the number of IPv6 ACL instances applied to egress traffic is already greater than 32. | |
Context | acl egress-mac-filtering boolean | |
Tree | egress-mac-filtering | |
Default | false | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
ipv4-filter name string
Description | List of IPv4 filter policies | |
Context | acl ipv4-filter name string | |
Tree | ipv4-filter | |
Configurable | True | |
Platforms | Supported on all platforms |
name string
Description | Name of the IPv4 filter policy. | |
Context | acl ipv4-filter name string | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
description string
Description | Description string for the IPv4 filter policy | |
Context | acl ipv4-filter name string description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
entry sequence-id number
Description | List of filter rules. | |
Context | acl ipv4-filter name string entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | Supported on all platforms |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl ipv4-filter name string entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True | |
Platforms | Supported on all platforms |
action
Description | Container for the actions to be applied to packets matching the filter entry. | |
Context | acl ipv4-filter name string entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | Supported on all platforms |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl ipv4-filter name string entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | Supported on all platforms |
forwarding-class (keyword | reference)
Description | The QoS forwarding class to which the packet is mapped | |
Context | acl ipv4-filter name string entry sequence-id number action accept forwarding-class (keyword | reference) | |
Tree | forwarding-class | |
Options |
| |
Reference | qos forwarding-classes forwarding-class name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 IXR-D1 |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl ipv4-filter name string entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
rate-limit reference
Description | Reference to a policer | |
Context | acl ipv4-filter name string entry sequence-id number action accept rate-limit reference | |
Tree | rate-limit | |
Reference | acl policers policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 |
drop
Description | Drop matching packets. Dropped IP packets do not result in sending ICMP messages back to the source | |
Context | acl ipv4-filter name string entry sequence-id number action drop | |
Tree | drop | |
Configurable | True | |
Platforms | Supported on all platforms |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl ipv4-filter name string entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
description string
Description | Description string for the filter entry | |
Context | acl ipv4-filter name string entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl ipv4-filter name string entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | Supported on all platforms |
destination-ip
Description | Packet matching criteria based on destination IPv4 address | |
Context | acl ipv4-filter name string entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True | |
Platforms | Supported on all platforms |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl ipv4-filter name string entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl ipv4-filter name string entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
Context | acl ipv4-filter name string entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True | |
Platforms | Supported on all platforms |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
value (number | keyword)
Description | A destination port number | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
dscp-set (number | keyword)
Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
Context | acl ipv4-filter name string entry sequence-id number match dscp-set (number | keyword) | |
Tree | dscp-set | |
Range | 0 to 63 | |
Options |
| |
Configurable | True | |
Platforms | 7250 IXR-6, 7220 IXR-D3L, 7220 IXR-D2, 7250 IXR-10, 7220 IXR-D2L, 7250 IXR-10e, 7220 IXR-D1, 7220 IXR-D3, 7220 IXR-D4, 7250 IXR-6e, 7220 IXR-D5 |
first-fragment boolean
Description | Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
Context | acl ipv4-filter name string entry sequence-id number match first-fragment boolean | |
Tree | first-fragment | |
Configurable | True | |
Platforms | Supported on all platforms |
fragment boolean
Description | Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
Context | acl ipv4-filter name string entry sequence-id number match fragment boolean | |
Tree | fragment | |
Configurable | True | |
Platforms | Supported on all platforms |
icmp
Description | A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
Context | acl ipv4-filter name string entry sequence-id number match icmp | |
Tree | icmp | |
Configurable | True | |
Platforms | Supported on all platforms |
code number
Description | Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent. | |
Context | acl ipv4-filter name string entry sequence-id number match icmp code number | |
Tree | code | |
Configurable | True | |
Platforms | Supported on all platforms |
type (number | keyword)
Description | Match a single ICMP type value. | |
Context | acl ipv4-filter name string entry sequence-id number match icmp type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
protocol (number | keyword)
Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
Context | acl ipv4-filter name string entry sequence-id number match protocol (number | keyword) | |
Tree | protocol | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
source-ip
Description | Packet matching criteria based on source IPv4 address | |
Context | acl ipv4-filter name string entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True | |
Platforms | Supported on all platforms |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl ipv4-filter name string entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl ipv4-filter name string entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms |
prefix string
Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
Context | acl ipv4-filter name string entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl ipv4-filter name string entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True | |
Platforms | Supported on all platforms |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl ipv4-filter name string entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl ipv4-filter name string entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl ipv4-filter name string entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl ipv4-filter name string entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
value (number | keyword)
Description | A source port number | |
Context | acl ipv4-filter name string entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl ipv4-filter name string entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True | |
Platforms | Supported on all platforms |
statistics
Description | Container for per-entry statistics | |
Context | acl ipv4-filter name string entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | Supported on all platforms |
aggregate
Description | Container for aggregated per-entry statistics. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate | |
Tree | aggregate | |
Configurable | False | |
Platforms | Supported on all platforms |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-matched-packets number
Description | The number of ingress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-matched-packets number
Description | The number of egress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl ipv4-filter name string entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
per-interface
Description | Container for per-entry statistics on a per subinterface basis. | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface | |
Tree | per-interface | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
subinterface name string
Description | If subinterface-specific=disabled then this list is empty. If subinterface-specific=input-only then this is the list of subinterfaces that apply the ACL as an input ACL If subinterface-specific=output-only then this is the list of subinterfaces that apply the ACL as an output ACL. If subinterface-specific=input-and-output then this is the list of subinterfaces that apply the ACL as an input ACL or an output ACL. | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Tree | subinterface | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
name string
Description | Reference to a subinterface. | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to input-only or input-and-output | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-matched-packets number
Description | The number of ingress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to input-only or input-and-output | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to output-only or input-and-output | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-matched-packets number
Description | The number of egress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to output-only or input-and-output | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
tcam-entries
Description | Information about the TCAM entries used to implement the ACL entry | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | Supported on all platforms |
forwarding-complex complex-identifier string
Description | List of forwarding complexes in the system | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string | |
Tree | forwarding-complex | |
Configurable | False | |
Platforms | Supported on all platforms |
complex-identifier string
Description | A forwarding complex in the format (slot-number,complex-number). | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string | |
Configurable | False | |
Platforms | Supported on all platforms |
input-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this complex where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this complex then input-total=0. | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string input-total number | |
Tree | input-total | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
output-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this complex where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this complex then output-total=0. | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string output-total number | |
Tree | output-total | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
single-instance number
Description | The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this complex. It captures the effect of TCAM entry expansion to deal with L4 port or VLAN ranges, for example. | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string single-instance number | |
Tree | single-instance | |
Configurable | False | |
Platforms | Supported on all platforms |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl ipv4-filter name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
statistics-per-entry boolean
Description | Collect statistics for each entry of the ACL. If this is set to false no hardware resources are allocated to collecting statistics for this ACL policy. The exact set of statistics depend on the subinterface-specific mode | |
Context | acl ipv4-filter name string statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
subinterface-specific keyword
Description | Controls the instantiation of the filter when it is applied as an input or output ACL disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter | |
Context | acl ipv4-filter name string subinterface-specific keyword | |
Tree | subinterface-specific | |
Default | disabled | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
ipv6-filter name string
Description | List of IPv6 filter policies | |
Context | acl ipv6-filter name string | |
Tree | ipv6-filter | |
Configurable | True | |
Platforms | Supported on all platforms |
name string
Description | Name of the IPv6 filter policy. | |
Context | acl ipv6-filter name string | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
description string
Description | Description string for the IPv6 filter policy | |
Context | acl ipv6-filter name string description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
entry sequence-id number
Description | List of filter rules. | |
Context | acl ipv6-filter name string entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | Supported on all platforms |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries. | |
Context | acl ipv6-filter name string entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True | |
Platforms | Supported on all platforms |
action
Description | Container for the actions to be applied to packets matching the filter entry. | |
Context | acl ipv6-filter name string entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | Supported on all platforms |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl ipv6-filter name string entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | Supported on all platforms |
forwarding-class (keyword | reference)
Description | The QoS forwarding class to which the packet is mapped | |
Context | acl ipv6-filter name string entry sequence-id number action accept forwarding-class (keyword | reference) | |
Tree | forwarding-class | |
Options |
| |
Reference | qos forwarding-classes forwarding-class name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 IXR-D1 |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl ipv6-filter name string entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
rate-limit reference
Description | Reference to a policer | |
Context | acl ipv6-filter name string entry sequence-id number action accept rate-limit reference | |
Tree | rate-limit | |
Reference | acl policers policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 |
drop
Description | Drop matching packets. Dropped IP packets do not result in sending ICMP messages back to the source | |
Context | acl ipv6-filter name string entry sequence-id number action drop | |
Tree | drop | |
Configurable | True | |
Platforms | Supported on all platforms |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl ipv6-filter name string entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
description string
Description | Description string for the filter entry | |
Context | acl ipv6-filter name string entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl ipv6-filter name string entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | Supported on all platforms |
destination-ip
Description | Packet matching criteria based on destination IPv6 address | |
Context | acl ipv6-filter name string entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True | |
Platforms | Supported on all platforms |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl ipv6-filter name string entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl ipv6-filter name string entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
Context | acl ipv6-filter name string entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True | |
Platforms | Supported on all platforms |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
value (number | keyword)
Description | A destination port number | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
dscp-set (number | keyword)
Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
Context | acl ipv6-filter name string entry sequence-id number match dscp-set (number | keyword) | |
Tree | dscp-set | |
Range | 0 to 63 | |
Options |
| |
Configurable | True | |
Platforms | 7250 IXR-6, 7220 IXR-D3L, 7220 IXR-D2, 7250 IXR-10, 7220 IXR-D2L, 7250 IXR-10e, 7220 IXR-D1, 7220 IXR-D3, 7220 IXR-D4, 7250 IXR-6e, 7220 IXR-D5 |
icmp6
Description | A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
Context | acl ipv6-filter name string entry sequence-id number match icmp6 | |
Tree | icmp6 | |
Configurable | True | |
Platforms | Supported on all platforms |
code number
Description | Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent. | |
Context | acl ipv6-filter name string entry sequence-id number match icmp6 code number | |
Tree | code | |
Configurable | True | |
Platforms | Supported on all platforms |
type (number | keyword)
Description | Match a single ICMPv6 type value | |
Context | acl ipv6-filter name string entry sequence-id number match icmp6 type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
next-header (number | keyword)
Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
Context | acl ipv6-filter name string entry sequence-id number match next-header (number | keyword) | |
Tree | next-header | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
source-ip
Description | Packet matching criteria based on source IPv6 address | |
Context | acl ipv6-filter name string entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True | |
Platforms | Supported on all platforms |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl ipv6-filter name string entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | Supported on all platforms |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl ipv6-filter name string entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | Supported on all platforms |
prefix string
Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
Context | acl ipv6-filter name string entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | Supported on all platforms |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl ipv6-filter name string entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True | |
Platforms | Supported on all platforms |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl ipv6-filter name string entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl ipv6-filter name string entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True | |
Platforms | Supported on all platforms |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl ipv6-filter name string entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl ipv6-filter name string entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
value (number | keyword)
Description | A source port number | |
Context | acl ipv6-filter name string entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl ipv6-filter name string entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True | |
Platforms | Supported on all platforms |
statistics
Description | Container for per-entry statistics | |
Context | acl ipv6-filter name string entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | Supported on all platforms |
aggregate
Description | Container for aggregated per-entry statistics. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate | |
Tree | aggregate | |
Configurable | False | |
Platforms | Supported on all platforms |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-matched-packets number
Description | The number of ingress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-matched-packets number
Description | The number of egress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl ipv6-filter name string entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
per-interface
Description | Container for per-entry statistics on a per subinterface basis. | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface | |
Tree | per-interface | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
subinterface name string
Description | If subinterface-specific=disabled then this list is empty. If subinterface-specific=input-only then this is the list of subinterfaces that apply the ACL as an input ACL If subinterface-specific=output-only then this is the list of subinterfaces that apply the ACL as an output ACL. If subinterface-specific=input-and-output then this is the list of subinterfaces that apply the ACL as an input ACL or an output ACL. | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Tree | subinterface | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
name string
Description | Reference to a subinterface. | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to input-only or input-and-output | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-matched-packets number
Description | The number of ingress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to input-only or input-and-output | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to output-only or input-and-output | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-matched-packets number
Description | The number of egress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to output-only or input-and-output | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
tcam-entries
Description | Information about the TCAM entries used to implement the ACL entry | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | Supported on all platforms |
forwarding-complex complex-identifier string
Description | List of forwarding complexes in the system | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string | |
Tree | forwarding-complex | |
Configurable | False | |
Platforms | Supported on all platforms |
complex-identifier string
Description | A forwarding complex in the format (slot-number,complex-number). | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string | |
Configurable | False | |
Platforms | Supported on all platforms |
input-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this complex where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this complex then input-total=0. | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string input-total number | |
Tree | input-total | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
output-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this complex where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this complex then output-total=0. | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string output-total number | |
Tree | output-total | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
single-instance number
Description | The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this complex. It captures the effect of TCAM entry expansion to deal with L4 port or VLAN ranges, for example. | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string single-instance number | |
Tree | single-instance | |
Configurable | False | |
Platforms | Supported on all platforms |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl ipv6-filter name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
statistics-per-entry boolean
Description | Collect statistics for each entry of the ACL. If this is set to false no hardware resources are allocated to collecting statistics for this ACL policy. The exact set of statistics depend on the subinterface-specific mode | |
Context | acl ipv6-filter name string statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
subinterface-specific keyword
Description | Controls the instantiation of the filter when it is applied as an input or output ACL disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter | |
Context | acl ipv6-filter name string subinterface-specific keyword | |
Tree | subinterface-specific | |
Default | disabled | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
mac-filter name string
Description | List of MAC ACL policies | |
Context | acl mac-filter name string | |
Tree | mac-filter | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
name string
Description | Name of the MAC ACL policy. | |
Context | acl mac-filter name string | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
description string
Description | Description string for the MAC ACL policy | |
Context | acl mac-filter name string description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
entry sequence-id number
Description | List of filter rules. | |
Context | acl mac-filter name string entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl mac-filter name string entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
action
Description | Container for the actions to be applied to packets matching the filter entry. | |
Context | acl mac-filter name string entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl mac-filter name string entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
forwarding-class (keyword | reference)
Description | The QoS forwarding class to which the packet is mapped | |
Context | acl mac-filter name string entry sequence-id number action accept forwarding-class (keyword | reference) | |
Tree | forwarding-class | |
Options |
| |
Reference | qos forwarding-classes forwarding-class name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 IXR-D1 |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl mac-filter name string entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
rate-limit reference
Description | Reference to a policer | |
Context | acl mac-filter name string entry sequence-id number action accept rate-limit reference | |
Tree | rate-limit | |
Reference | acl policers policer name string | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 |
drop
Description | Drop matching packets. Dropped IP packets do not result in sending ICMP messages back to the source | |
Context | acl mac-filter name string entry sequence-id number action drop | |
Tree | drop | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
log boolean
Description | When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information: For Ethernet packets matched by a MAC filter entry the log entry contains the folllowing information: | |
Context | acl mac-filter name string entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
description string
Description | Description string for the filter entry | |
Context | acl mac-filter name string entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
match
Description | Container for the conditions that determine whether an Ethernet frame matches this entry | |
Context | acl mac-filter name string entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
destination-mac
Description | Ethernet frame matching criteria based on destination MAC address | |
Context | acl mac-filter name string entry sequence-id number match destination-mac | |
Tree | destination-mac | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
address string
Description | Match an Ethernet frame if its destination MAC address logically anded with the mask equals this MAC address. | |
Context | acl mac-filter name string entry sequence-id number match destination-mac address string | |
Tree | address | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
mask string
Description | Match an Ethernet frame if its destination MAC address logically anded with the mask equals the configured MAC address. | |
Context | acl mac-filter name string entry sequence-id number match destination-mac mask string | |
Tree | mask | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
ethertype (string | keyword)
Description | An Ethernet frame matches this condition if its ethertype value (after 802.1Q VLAN tags) matches the specified value | |
Context | acl mac-filter name string entry sequence-id number match ethertype (string | keyword) | |
Tree | ethertype | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
source-mac
Description | Ethernet frame matching criteria based on source MAC address | |
Context | acl mac-filter name string entry sequence-id number match source-mac | |
Tree | source-mac | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
address string
Description | Match an Ethernet frame if its source MAC address logically anded with the mask equals this MAC address. | |
Context | acl mac-filter name string entry sequence-id number match source-mac address string | |
Tree | address | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
mask string
Description | Match an Ethernet frame if its source MAC address logically anded with the mask equals the configured MAC address. | |
Context | acl mac-filter name string entry sequence-id number match source-mac mask string | |
Tree | mask | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
vlan
Description | Ethernet frame matching criteria based on VLAN tags | |
Context | acl mac-filter name string entry sequence-id number match vlan | |
Tree | vlan | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
outermost-vlan-id
Description | Ethernet frame matching criteria based on the outermost VLAN ID found before the subinterface-defining VLAN tag (if any) is removed. | |
Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id | |
Tree | outermost-vlan-id | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
none
Description | When configured, only untagged frames are matched. | |
Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id none | |
Tree | none | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
range
Description | Container used to specify a contiguous range of VLAN IDs. Matched values include the start and end values. | |
Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id range | |
Tree | range | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
end number
Description | The ending VLAN ID to include in the range | |
Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id range end number | |
Tree | end | |
Range | 0 to 4095 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
start number
Description | The starting VLAN ID to include in the range | |
Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id range start number | |
Tree | start | |
Range | 0 to 4095 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
value number
Description | A VLAN ID number A value of zero is used to match priority-tagged 802.1Q frames. | |
Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id value number | |
Tree | value | |
Range | 0 to 4095 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
statistics
Description | Container for per-entry statistics | |
Context | acl mac-filter name string entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
aggregate
Description | Container for aggregated per-entry statistics. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
Context | acl mac-filter name string entry sequence-id number statistics aggregate | |
Tree | aggregate | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl mac-filter name string entry sequence-id number statistics aggregate in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-matched-packets number
Description | The number of ingress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl mac-filter name string entry sequence-id number statistics aggregate in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl mac-filter name string entry sequence-id number statistics aggregate out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-matched-packets number
Description | The number of egress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl mac-filter name string entry sequence-id number statistics aggregate out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl mac-filter name string entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
per-interface
Description | Container for per-entry statistics on a per subinterface basis. | |
Context | acl mac-filter name string entry sequence-id number statistics per-interface | |
Tree | per-interface | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
subinterface name string
Description | If subinterface-specific=disabled then this list is empty. If subinterface-specific=input-only then this is the list of subinterfaces that apply the ACL as an input ACL If subinterface-specific=output-only then this is the list of subinterfaces that apply the ACL as an output ACL. If subinterface-specific=input-and-output then this is the list of subinterfaces that apply the ACL as an input ACL or an output ACL. | |
Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Tree | subinterface | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
name string
Description | Reference to a subinterface. | |
Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to input-only or input-and-output | |
Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
in-matched-packets number
Description | The number of ingress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to input-only or input-and-output | |
Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to output-only or input-and-output | |
Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
out-matched-packets number
Description | The number of egress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to output-only or input-and-output | |
Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
tcam-entries
Description | Information about the TCAM entries used to implement the ACL entry | |
Context | acl mac-filter name string entry sequence-id number tcam-entries | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
forwarding-complex complex-identifier string
Description | List of forwarding complexes in the system | |
Context | acl mac-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string | |
Tree | forwarding-complex | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
complex-identifier string
Description | A forwarding complex in the format (slot-number,complex-number). | |
Context | acl mac-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
input-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this complex where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this complex then input-total=0. | |
Context | acl mac-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string input-total number | |
Tree | input-total | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
output-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this complex where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this complex then output-total=0. | |
Context | acl mac-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string output-total number | |
Tree | output-total | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
single-instance number
Description | The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this complex. It captures the effect of TCAM entry expansion to deal with L4 port or VLAN ranges, for example. | |
Context | acl mac-filter name string entry sequence-id number tcam-entries forwarding-complex complex-identifier string single-instance number | |
Tree | single-instance | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl mac-filter name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
statistics-per-entry boolean
Description | Collect statistics for each entry of the ACL The exact set of statistics depend on the subinterface-specific mode | |
Context | acl mac-filter name string statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
subinterface-specific keyword
Description | Controls the instantiation of the filter when it is applied as an input or output ACL disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter | |
Context | acl mac-filter name string subinterface-specific keyword | |
Tree | subinterface-specific | |
Default | disabled | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D4, 7220 IXR-D3, 7220 IXR-D5 |
policers
Description | Container for policer definitions used by ACL entries | |
Context | acl policers | |
Tree | policers | |
Configurable | True | |
Platforms | Supported on all platforms |
policer name string
Description | List of policer templates used in subintreface and CPM Filter ACL. | |
Context | acl policers policer name string | |
Tree | policer | |
Configurable | True | |
Platforms | Supported on all platforms except 7220 |
name string
entry-specific boolean
Description | If set to false, one policer instance is created from this template and it is shared by all entries of in the same ACL filter that refer to this policer. If set to true, multiple policer instances are created from this template, one for each ACL filter entry that refers to the policer template. | |
Context | acl policers policer name string entry-specific boolean | |
Tree | entry-specific | |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |
max-burst number
peak-rate number
statistics
Description | Container for linecard policer statistics. | |
Context | acl policers policer name string statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
aggregate
Description | None of these statistics are populated if the policer is configured as entry-specific=true. If entry-specific=false and subinterface-specific=true, this is sum of all the entries and all the policer templates instantiated for all subintrefaces. If entry-specific=false and subinterface-specific=false, this is sum of all the entries using this policer template. | |
Context | acl policers policer name string statistics aggregate | |
Tree | aggregate | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl policers policer name string statistics aggregate conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl policers policer name string statistics aggregate conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl policers policer name string statistics aggregate exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl policers policer name string statistics aggregate exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
last-clear string
Description | Time of the last clear command that applied to these statistics | |
Context | acl policers policer name string statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except 7220 |
system-cpu-policer name string
Description | List of system CPU policer templates. For each policer in this list one or more policer instances are implemented in the XDP-CPM software and these policer instances process the aggregate of terminating traffic received from all linecards. | |
Context | acl policers system-cpu-policer name string | |
Tree | system-cpu-policer | |
Configurable | True | |
Platforms | Supported on all platforms |
name string
Description | User-defined name of the policer | |
Context | acl policers system-cpu-policer name string | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | Supported on all platforms |
entry-specific boolean
Description | If set to false, only one policer instance is created from this template and it is shared by all entries of all cpm-filter ACLs that refer to this policer. If set to true, multiple policer instances are created from this template, one for each cpm-filter entry that refers to the policer template. | |
Context | acl policers system-cpu-policer name string entry-specific boolean | |
Tree | entry-specific | |
Default | false | |
Configurable | True | |
Platforms | Supported on all platforms |
max-packet-burst number
Description | The maximum depth of the policer bucket in number of packets | |
Context | acl policers system-cpu-policer name string max-packet-burst number | |
Tree | max-packet-burst | |
Range | 16 to 4000000 | |
Default | 16 | |
Configurable | True | |
Platforms | Supported on all platforms |
peak-packet-rate number
Description | The maximum number of packets per second (bucket empty/fill rate) | |
Context | acl policers system-cpu-policer name string peak-packet-rate number | |
Tree | peak-packet-rate | |
Range | 1 to 4000000 | |
Configurable | True | |
Platforms | Supported on all platforms |
statistics
Description | Container for system CPU policer statistics None of these statistics are populated if the policer is configured as entry-specific=true. | |
Context | acl policers system-cpu-policer name string statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | Supported on all platforms |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl policers system-cpu-policer name string statistics conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl policers system-cpu-policer name string statistics conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl policers system-cpu-policer name string statistics exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl policers system-cpu-policer name string statistics exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False | |
Platforms | Supported on all platforms |
last-clear string
Description | Time of the last clear command that applied to these statistics | |
Context | acl policers system-cpu-policer name string statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms |
system-filter
Description | Top level container for System filters | |
Context | acl system-filter | |
Tree | system-filter | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
ipv4-filter
Description | Top level container for System IPv4 filters | |
Context | acl system-filter ipv4-filter | |
Tree | ipv4-filter | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
entry sequence-id number
Description | List of filter rules. | |
Context | acl system-filter ipv4-filter entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl system-filter ipv4-filter entry sequence-id number | |
Range | 1 to 256 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
action
Description | Container for the actions to be applied to packets matching the System filter entry. | |
Context | acl system-filter ipv4-filter entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
accept
Description | Accept matching packets | |
Context | acl system-filter ipv4-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
drop
Description | Drop matching packets without sending any ICMP messages back to the source | |
Context | acl system-filter ipv4-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
log boolean
Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
Context | acl system-filter ipv4-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
description string
Description | Description string for the filter entry | |
Context | acl system-filter ipv4-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl system-filter ipv4-filter entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
destination-ip
Description | Packet matching criteria based on destination IPv4 address | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
value (number | keyword)
Description | A destination port number | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
dscp-set (number | keyword)
Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
Context | acl system-filter ipv4-filter entry sequence-id number match dscp-set (number | keyword) | |
Tree | dscp-set | |
Range | 0 to 63 | |
Options |
| |
Configurable | True | |
Platforms | 7250 IXR-6, 7220 IXR-D3L, 7220 IXR-D2, 7250 IXR-10, 7220 IXR-D2L, 7250 IXR-10e, 7220 IXR-D1, 7220 IXR-D3, 7220 IXR-D4, 7250 IXR-6e, 7220 IXR-D5 |
first-fragment boolean
Description | Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
Context | acl system-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
Tree | first-fragment | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
fragment boolean
Description | Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
Context | acl system-filter ipv4-filter entry sequence-id number match fragment boolean | |
Tree | fragment | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
icmp
Description | A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv4-filter entry sequence-id number match icmp | |
Tree | icmp | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
code number
Description | Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent. | |
Context | acl system-filter ipv4-filter entry sequence-id number match icmp code number | |
Tree | code | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
type (number | keyword)
Description | Match a single ICMP type value. | |
Context | acl system-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
protocol (number | keyword)
Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
Context | acl system-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
Tree | protocol | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
source-ip
Description | Packet matching criteria based on source IPv4 address | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
prefix string
Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
value (number | keyword)
Description | A source port number | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl system-filter ipv4-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
statistics
Description | Statistics container for packets matching the system-filter entry | |
Context | acl system-filter ipv4-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl system-filter ipv4-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
last-match string
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces. | |
Context | acl system-filter ipv4-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
matched-packets number
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces | |
Context | acl system-filter ipv4-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl system-filter ipv4-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl system-filter ipv4-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
ipv6-filter
Description | Top level container for System IPv6 filters | |
Context | acl system-filter ipv6-filter | |
Tree | ipv6-filter | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
entry sequence-id number
Description | List of filter rules. | |
Context | acl system-filter ipv6-filter entry sequence-id number | |
Tree | entry | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl system-filter ipv6-filter entry sequence-id number | |
Range | 1 to 128 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
action
Description | Container for the actions to be applied to packets matching the System filter entry. | |
Context | acl system-filter ipv6-filter entry sequence-id number action | |
Tree | action | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
accept
Description | Accept matching packets | |
Context | acl system-filter ipv6-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
drop
Description | Drop matching packets without sending any ICMP messages back to the source | |
Context | acl system-filter ipv6-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
log boolean
Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
Context | acl system-filter ipv6-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
description string
Description | Description string for the filter entry | |
Context | acl system-filter ipv6-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl system-filter ipv6-filter entry sequence-id number match | |
Tree | match | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
destination-ip
Description | Packet matching criteria based on destination IPv6 address | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
value (number | keyword)
Description | A destination port number | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
dscp-set (number | keyword)
Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
Context | acl system-filter ipv6-filter entry sequence-id number match dscp-set (number | keyword) | |
Tree | dscp-set | |
Range | 0 to 63 | |
Options |
| |
Configurable | True | |
Platforms | 7250 IXR-6, 7220 IXR-D3L, 7220 IXR-D2, 7250 IXR-10, 7220 IXR-D2L, 7250 IXR-10e, 7220 IXR-D1, 7220 IXR-D3, 7220 IXR-D4, 7250 IXR-6e, 7220 IXR-D5 |
icmp6
Description | A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 | |
Tree | icmp6 | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
code number
Description | Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent. | |
Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 code number | |
Tree | code | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
type (number | keyword)
Description | Match a single ICMPv6 type value | |
Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
next-header (number | keyword)
Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
Context | acl system-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
Tree | next-header | |
Range | 0 to 255 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
source-ip
Description | Packet matching criteria based on source IPv6 address | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
prefix string
Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
operator keyword
Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
value (number | keyword)
Description | A source port number | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl system-filter ipv6-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
statistics
Description | Statistics container for packets matching the system-filter entry | |
Context | acl system-filter ipv6-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl system-filter ipv6-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
last-match string
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces. | |
Context | acl system-filter ipv6-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | Supported on all platforms except fp5-c |
matched-packets number
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces | |
Context | acl system-filter ipv6-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl system-filter ipv6-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl system-filter ipv6-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False | |
Platforms | 7220 IXR-D3L, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D1, 7220 IXR-D3 |
tcam-profile keyword
Description | Specify the TCAM resource management profile | |
Context | acl tcam-profile keyword | |
Tree | tcam-profile | |
Options |
| |
Configurable | True | |
Platforms | Supported on all platforms except fp5-c |