acl
acl
+  capture-filter
   +  ipv4-filter
      +  entry sequence-id number 
         +  action
            +  accept
            +  copy
         +  description string
         +  match
            +  destination-ip
               +  address string
               +  mask string
               +  prefix string
            +  destination-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  dscp-set (number | keyword)
            +  first-fragment boolean
            +  fragment boolean
            +  icmp
               +  code number
               +  type (number | keyword)
            +  protocol (number | keyword)
            +  source-ip
               +  address string
               +  mask string
               +  prefix string
            +  source-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  tcp-flags string
         -  tcam-entries number
   +  ipv6-filter
      +  entry sequence-id number 
         +  action
            +  accept
            +  copy
         +  description string
         +  match
            +  destination-ip
               +  address string
               +  mask string
               +  prefix string
            +  destination-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  dscp-set (number | keyword)
            +  icmp6
               +  code number
               +  type (number | keyword)
            +  next-header (number | keyword)
            +  source-ip
               +  address string
               +  mask string
               +  prefix string
            +  source-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  tcp-flags string
         -  tcam-entries number
+  cpm-filter
   +  ipv4-filter
      +  entry sequence-id number 
         +  action
            +  accept
               +  log boolean
               +  rate-limit
                  +  distributed-policer reference
                  +  system-cpu-policer reference
            +  drop
               +  log boolean
         +  description string
         +  match
            +  destination-ip
               +  address string
               +  mask string
               +  prefix string
            +  destination-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  dscp-set (number | keyword)
            +  first-fragment boolean
            +  fragment boolean
            +  icmp
               +  code number
               +  type (number | keyword)
            +  protocol (number | keyword)
            +  source-ip
               +  address string
               +  mask string
               +  prefix string
            +  source-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  tcp-flags string
         -  statistics
            -  distributed-policer
               -  conforming-octets number
               -  conforming-packets number
               -  exceeding-octets number
               -  exceeding-packets number
            -  last-clear string
            -  last-match string
            -  matched-packets number
            -  system-cpu-policer
               -  conforming-octets number
               -  conforming-packets number
               -  exceeding-octets number
               -  exceeding-packets number
         -  tcam-entries number
      -  last-clear string
      +  statistics-per-entry boolean
   +  ipv6-filter
      +  entry sequence-id number 
         +  action
            +  accept
               +  log boolean
               +  rate-limit
                  +  distributed-policer reference
                  +  system-cpu-policer reference
            +  drop
               +  log boolean
         +  description string
         +  match
            +  destination-ip
               +  address string
               +  mask string
               +  prefix string
            +  destination-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  dscp-set (number | keyword)
            +  icmp6
               +  code number
               +  type (number | keyword)
            +  next-header (number | keyword)
            +  source-ip
               +  address string
               +  mask string
               +  prefix string
            +  source-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  tcp-flags string
         -  statistics
            -  distributed-policer
               -  conforming-octets number
               -  conforming-packets number
               -  exceeding-octets number
               -  exceeding-packets number
            -  last-clear string
            -  last-match string
            -  matched-packets number
            -  system-cpu-policer
               -  conforming-octets number
               -  conforming-packets number
               -  exceeding-octets number
               -  exceeding-packets number
         -  tcam-entries number
      -  last-clear string
      +  statistics-per-entry boolean
   +  mac-filter
      +  entry sequence-id number 
         +  action
            +  accept
               +  log boolean
               +  rate-limit
                  +  distributed-policer reference
                  +  system-cpu-policer reference
            +  drop
               +  log boolean
         +  description string
         +  match
            +  destination-mac
               +  address string
               +  mask string
            +  ethertype (string | keyword)
            +  source-mac
               +  address string
               +  mask string
            +  vlan
               +  outermost-vlan-id
                  +  none 
                  +  operator keyword
                  +  range
                     +  end number
                     +  start number
                  +  value number
         -  statistics
            -  distributed-policer
               -  conforming-octets number
               -  conforming-packets number
               -  exceeding-octets number
               -  exceeding-packets number
            -  last-clear string
            -  last-match string
            -  matched-packets number
            -  system-cpu-policer
               -  conforming-octets number
               -  conforming-packets number
               -  exceeding-octets number
               -  exceeding-packets number
         -  tcam-entries number
      -  last-clear string
      +  statistics-per-entry boolean
+  egress-mac-filtering boolean
+  ipv4-filter name string 
   +  description string
   +  entry sequence-id number 
      +  action
         +  accept
            +  log boolean
         +  drop
            +  log boolean
      +  description string
      +  match
         +  destination-ip
            +  address string
            +  mask string
            +  prefix string
         +  destination-port
            +  operator keyword
            +  range
               +  end (number | keyword)
               +  start (number | keyword)
            +  value (number | keyword)
         +  dscp-set (number | keyword)
         +  first-fragment boolean
         +  fragment boolean
         +  icmp
            +  code number
            +  type (number | keyword)
         +  protocol (number | keyword)
         +  source-ip
            +  address string
            +  mask string
            +  prefix string
         +  source-port
            +  operator keyword
            +  range
               +  end (number | keyword)
               +  start (number | keyword)
            +  value (number | keyword)
         +  tcp-flags string
      -  statistics
         -  aggregate
            -  in-last-match string
            -  in-matched-packets number
            -  out-last-match string
            -  out-matched-packets number
         -  last-clear string
         -  per-interface
            -  subinterface name string 
               -  in-last-match string
               -  in-matched-packets number
               -  last-clear string
               -  out-last-match string
               -  out-matched-packets number
      -  tcam-entries
         -  linecard slot number 
            -  input-total number
            -  output-total number
            -  single-instance number
   -  last-clear string
   +  statistics-per-entry boolean
   +  subinterface-specific keyword
+  ipv6-filter name string 
   +  description string
   +  entry sequence-id number 
      +  action
         +  accept
            +  log boolean
         +  drop
            +  log boolean
      +  description string
      +  match
         +  destination-ip
            +  address string
            +  mask string
            +  prefix string
         +  destination-port
            +  operator keyword
            +  range
               +  end (number | keyword)
               +  start (number | keyword)
            +  value (number | keyword)
         +  dscp-set (number | keyword)
         +  icmp6
            +  code number
            +  type (number | keyword)
         +  next-header (number | keyword)
         +  source-ip
            +  address string
            +  mask string
            +  prefix string
         +  source-port
            +  operator keyword
            +  range
               +  end (number | keyword)
               +  start (number | keyword)
            +  value (number | keyword)
         +  tcp-flags string
      -  statistics
         -  aggregate
            -  in-last-match string
            -  in-matched-packets number
            -  out-last-match string
            -  out-matched-packets number
         -  last-clear string
         -  per-interface
            -  subinterface name string 
               -  in-last-match string
               -  in-matched-packets number
               -  last-clear string
               -  out-last-match string
               -  out-matched-packets number
      -  tcam-entries
         -  linecard slot number 
            -  input-total number
            -  output-total number
            -  single-instance number
   -  last-clear string
   +  statistics-per-entry boolean
   +  subinterface-specific keyword
+  mac-filter name string 
   +  description string
   +  entry sequence-id number 
      +  action
         +  accept
            +  log boolean
         +  drop
            +  log boolean
      +  description string
      +  match
         +  destination-mac
            +  address string
            +  mask string
         +  ethertype (string | keyword)
         +  source-mac
            +  address string
            +  mask string
         +  vlan
            +  outermost-vlan-id
               +  none 
               +  operator keyword
               +  range
                  +  end number
                  +  start number
               +  value number
      -  statistics
         -  aggregate
            -  in-last-match string
            -  in-matched-packets number
            -  out-last-match string
            -  out-matched-packets number
         -  last-clear string
         -  per-interface
            -  subinterface name string 
               -  in-last-match string
               -  in-matched-packets number
               -  last-clear string
               -  out-last-match string
               -  out-matched-packets number
      -  tcam-entries
         -  linecard slot number 
            -  input-total number
            -  output-total number
            -  single-instance number
   -  last-clear string
   +  statistics-per-entry boolean
   +  subinterface-specific keyword
+  policers
   +  policer name string 
      +  entry-specific boolean
      +  max-burst number
      +  peak-rate number
      -  statistics
         -  conforming-octets number
         -  conforming-packets number
         -  exceeding-octets number
         -  exceeding-packets number
         -  last-clear string
   +  system-cpu-policer name string 
      +  entry-specific boolean
      +  max-packet-burst number
      +  peak-packet-rate number
      -  statistics
         -  conforming-octets number
         -  conforming-packets number
         -  exceeding-octets number
         -  exceeding-packets number
         -  last-clear string
+  system-filter
   +  ipv4-filter
      +  entry sequence-id number 
         +  action
            +  accept
            +  drop
               +  log boolean
         +  description string
         +  match
            +  destination-ip
               +  address string
               +  mask string
               +  prefix string
            +  destination-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  dscp-set (number | keyword)
            +  first-fragment boolean
            +  fragment boolean
            +  icmp
               +  code number
               +  type (number | keyword)
            +  protocol (number | keyword)
            +  source-ip
               +  address string
               +  mask string
               +  prefix string
            +  source-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  tcp-flags string
         -  statistics
            -  last-clear string
            -  last-match string
            -  matched-packets number
         -  tcam-entries number
      -  last-clear string
   +  ipv6-filter
      +  entry sequence-id number 
         +  action
            +  accept
            +  drop
               +  log boolean
         +  description string
         +  match
            +  destination-ip
               +  address string
               +  mask string
               +  prefix string
            +  destination-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  dscp-set (number | keyword)
            +  icmp6
               +  code number
               +  type (number | keyword)
            +  next-header (number | keyword)
            +  source-ip
               +  address string
               +  mask string
               +  prefix string
            +  source-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  tcp-flags string
         -  statistics
            -  last-clear string
            -  last-match string
            -  matched-packets number
         -  tcam-entries number
      -  last-clear string
+  tcam-profile keyword
acl Descriptions
acl
capture-filter
| Description | Top level container for capture filters | |
| Context | acl capture-filter | |
| Tree | capture-filter | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
ipv4-filter
| Description | Top level container for capture IPv4 filters | |
| Context | acl capture-filter ipv4-filter | |
| Tree | ipv4-filter | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl capture-filter ipv4-filter entry sequence-id number | |
| Range | 1 to 65535 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
action
| Description | Container for the actions to be applied to packets matching the capture filter entry. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
accept
| Description | Accept matching packets and forward them towards their normal destination | |
| Context | acl capture-filter ipv4-filter entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
copy
| Description | Create a copy of matching packets extract them to the CPM and deliver them to the designated veth interface | |
| Context | acl capture-filter ipv4-filter entry sequence-id number action copy | |
| Tree | copy | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
description string
| Description | Description string for the filter entry | |
| Context | acl capture-filter ipv4-filter entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
match
| Description | Container for the conditions that determine whether a packet matches this entry | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-ip
| Description | Packet matching criteria based on destination IPv4 address | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip | |
| Tree | destination-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-port
| Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port | |
| Tree | destination-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A destination port number | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
dscp-set (number | keyword)
| Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match dscp-set (number | keyword) | |
| Tree | dscp-set | |
| Range | 0 to 63 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
first-fragment boolean
| Description | Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
| Tree | first-fragment | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
fragment boolean
| Description | Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match fragment boolean | |
| Tree | fragment | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
icmp
| Description | A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match icmp | |
| Tree | icmp | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
code number
| Description | Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match icmp code number | |
| Tree | code | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
type (number | keyword)
| Description | Match a single ICMP type value. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
| Tree | type | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
protocol (number | keyword)
| Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
| Tree | protocol | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-ip
| Description | Packet matching criteria based on source IPv4 address | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip | |
| Tree | source-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-port
| Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-port | |
| Tree | source-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A source port number | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
tcp-flags string
| Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number match tcp-flags string | |
| Tree | tcp-flags | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
tcam-entries number
| Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
| Context | acl capture-filter ipv4-filter entry sequence-id number tcam-entries number | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
ipv6-filter
| Description | Top level container for capture IPv6 filters | |
| Context | acl capture-filter ipv6-filter | |
| Tree | ipv6-filter | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl capture-filter ipv6-filter entry sequence-id number | |
| Range | 1 to 65535 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
action
| Description | Container for the actions to be applied to packets matching the capture filter entry. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
accept
| Description | Accept matching packets and forward them towards their normal destination | |
| Context | acl capture-filter ipv6-filter entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
copy
| Description | Create a copy of matching packets extract them to the CPM and deliver them to the designated veth interface | |
| Context | acl capture-filter ipv6-filter entry sequence-id number action copy | |
| Tree | copy | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
description string
| Description | Description string for the filter entry | |
| Context | acl capture-filter ipv6-filter entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
match
| Description | Container for the conditions that determine whether a packet matches this entry | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-ip
| Description | Packet matching criteria based on destination IPv6 address | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip | |
| Tree | destination-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-port
| Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port | |
| Tree | destination-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A destination port number | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
dscp-set (number | keyword)
| Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match dscp-set (number | keyword) | |
| Tree | dscp-set | |
| Range | 0 to 63 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
icmp6
| Description | A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 | |
| Tree | icmp6 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
code number
| Description | Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 code number | |
| Tree | code | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
type (number | keyword)
| Description | Match a single ICMPv6 type value | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
| Tree | type | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
next-header (number | keyword)
| Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
| Tree | next-header | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-ip
| Description | Packet matching criteria based on source IPv6 address | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip | |
| Tree | source-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-port
| Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-port | |
| Tree | source-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A source port number | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
tcp-flags string
| Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number match tcp-flags string | |
| Tree | tcp-flags | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
tcam-entries number
| Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
| Context | acl capture-filter ipv6-filter entry sequence-id number tcam-entries number | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
cpm-filter
| Description | Top level container for CPM filters | |
| Context | acl cpm-filter | |
| Tree | cpm-filter | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
ipv4-filter
| Description | Top level container for CPM IPv4 filters | |
| Context | acl cpm-filter ipv4-filter | |
| Tree | ipv4-filter | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number | |
| Range | 1 to 65535 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
action
| Description | Container for the actions to be applied to packets matching the CPM filter entry. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
accept
| Description | Accept matching packets and forward them towards their normal destination | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number action accept log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7250 IXR-10, 7250 IXR-6 | 
rate-limit
| Description | Rate-limit accepted packets | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit | |
| Tree | rate-limit | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
distributed-policer reference
| Description | Reference to a policer | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit distributed-policer reference | |
| Tree | distributed-policer | |
| Reference | acl policers policer name string | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
system-cpu-policer reference
| Description | Reference to a system-cpu-policer. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit system-cpu-policer reference | |
| Tree | system-cpu-policer | |
| Reference | acl policers system-cpu-policer name string | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
drop
| Description | Drop matching packets without sending any ICMP messages back to the source | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number action drop | |
| Tree | drop | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number action drop log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
description string
| Description | Description string for the filter entry | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
match
| Description | Container for the conditions that determine whether a packet matches this entry | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-ip
| Description | Packet matching criteria based on destination IPv4 address | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip | |
| Tree | destination-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-port
| Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port | |
| Tree | destination-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A destination port number | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
dscp-set (number | keyword)
| Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match dscp-set (number | keyword) | |
| Tree | dscp-set | |
| Range | 0 to 63 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
first-fragment boolean
| Description | Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
| Tree | first-fragment | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
fragment boolean
| Description | Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match fragment boolean | |
| Tree | fragment | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
icmp
| Description | A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp | |
| Tree | icmp | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
code number
| Description | Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp code number | |
| Tree | code | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
type (number | keyword)
| Description | Match a single ICMP type value. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
| Tree | type | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
protocol (number | keyword)
| Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
| Tree | protocol | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-ip
| Description | Packet matching criteria based on source IPv4 address | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip | |
| Tree | source-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-port
| Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port | |
| Tree | source-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A source port number | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
tcp-flags string
| Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number match tcp-flags string | |
| Tree | tcp-flags | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
statistics
| Description | Statistics container for packets matching the CPM-filter entry | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
distributed-policer
| Description | Distributed policer stats for traffic matching the entry. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer | |
| Tree | distributed-policer | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-octets number
| Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer conforming-octets number | |
| Tree | conforming-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-packets number
| Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer conforming-packets number | |
| Tree | conforming-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-octets number
| Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer exceeding-octets number | |
| Tree | exceeding-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-packets number
| Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer exceeding-packets number | |
| Tree | exceeding-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-match string
| Description | The elapsed time since a packet last matched the entry, considering all subinterfaces and all linecards. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics last-match string | |
| Tree | last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
matched-packets number
| Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces and all linecards | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics matched-packets number | |
| Tree | matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
system-cpu-policer
| Description | System CPU policer stats for traffic matching the entry. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer | |
| Tree | system-cpu-policer | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
conforming-octets number
| Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer conforming-octets number | |
| Tree | conforming-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
conforming-packets number
| Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer conforming-packets number | |
| Tree | conforming-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
exceeding-octets number
| Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer exceeding-octets number | |
| Tree | exceeding-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
exceeding-packets number
| Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer exceeding-packets number | |
| Tree | exceeding-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
tcam-entries number
| Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
| Context | acl cpm-filter ipv4-filter entry sequence-id number tcam-entries number | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl cpm-filter ipv4-filter last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
statistics-per-entry boolean
| Description | Collect the following statistics per entry: the number of packets matching each entry, and the elapsed time since a packet last matched each entry | |
| Context | acl cpm-filter ipv4-filter statistics-per-entry boolean | |
| Tree | statistics-per-entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
ipv6-filter
| Description | Top level container for CPM IPv6 filters | |
| Context | acl cpm-filter ipv6-filter | |
| Tree | ipv6-filter | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number | |
| Range | 1 to 65535 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
action
| Description | Container for the actions to be applied to packets matching the CPM filter entry. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
accept
| Description | Accept matching packets and forward them towards their normal destination | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number action accept log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7250 IXR-10, 7250 IXR-6 | 
rate-limit
| Description | Rate-limit accepted packets | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit | |
| Tree | rate-limit | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
distributed-policer reference
| Description | Reference to a policer | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit distributed-policer reference | |
| Tree | distributed-policer | |
| Reference | acl policers policer name string | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
system-cpu-policer reference
| Description | Reference to a system-cpu-policer. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit system-cpu-policer reference | |
| Tree | system-cpu-policer | |
| Reference | acl policers system-cpu-policer name string | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
drop
| Description | Drop matching packets without sending any ICMP messages back to the source | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number action drop | |
| Tree | drop | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number action drop log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
description string
| Description | Description string for the filter entry | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
match
| Description | Container for the conditions that determine whether a packet matches this entry | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-ip
| Description | Packet matching criteria based on destination IPv6 address | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip | |
| Tree | destination-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-port
| Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port | |
| Tree | destination-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A destination port number | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
dscp-set (number | keyword)
| Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match dscp-set (number | keyword) | |
| Tree | dscp-set | |
| Range | 0 to 63 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
icmp6
| Description | A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 | |
| Tree | icmp6 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
code number
| Description | Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 code number | |
| Tree | code | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
type (number | keyword)
| Description | Match a single ICMPv6 type value | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
| Tree | type | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
next-header (number | keyword)
| Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
| Tree | next-header | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-ip
| Description | Packet matching criteria based on source IPv6 address | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip | |
| Tree | source-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-port
| Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port | |
| Tree | source-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A source port number | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
tcp-flags string
| Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number match tcp-flags string | |
| Tree | tcp-flags | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
statistics
| Description | Statistics container for packets matching the CPM-filter entry | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
distributed-policer
| Description | Distributed policer stats for traffic matching the entry. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer | |
| Tree | distributed-policer | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-octets number
| Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer conforming-octets number | |
| Tree | conforming-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-packets number
| Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer conforming-packets number | |
| Tree | conforming-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-octets number
| Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer exceeding-octets number | |
| Tree | exceeding-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-packets number
| Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer exceeding-packets number | |
| Tree | exceeding-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-match string
| Description | The elapsed time since a packet last matched the entry, considering all subinterfaces and all linecards. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics last-match string | |
| Tree | last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
matched-packets number
| Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces and all linecards | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics matched-packets number | |
| Tree | matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
system-cpu-policer
| Description | System CPU policer stats for traffic matching the entry. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer | |
| Tree | system-cpu-policer | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
conforming-octets number
| Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer conforming-octets number | |
| Tree | conforming-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
conforming-packets number
| Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer conforming-packets number | |
| Tree | conforming-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
exceeding-octets number
| Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer exceeding-octets number | |
| Tree | exceeding-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
exceeding-packets number
| Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer exceeding-packets number | |
| Tree | exceeding-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
tcam-entries number
| Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
| Context | acl cpm-filter ipv6-filter entry sequence-id number tcam-entries number | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl cpm-filter ipv6-filter last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
statistics-per-entry boolean
| Description | Collect the following statistics per entry: the number of packets matching each entry, and the elapsed time since a packet last matched each entry | |
| Context | acl cpm-filter ipv6-filter statistics-per-entry boolean | |
| Tree | statistics-per-entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mac-filter
| Description | Top level container for CPM MAC filter | |
| Context | acl cpm-filter mac-filter | |
| Tree | mac-filter | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl cpm-filter mac-filter entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl cpm-filter mac-filter entry sequence-id number | |
| Range | 1 to 65535 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
action
| Description | Container for the actions to be applied to packets matching the CPM filter entry. | |
| Context | acl cpm-filter mac-filter entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
accept
| Description | Accept matching packets and forward them towards their normal destination | |
| Context | acl cpm-filter mac-filter entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl cpm-filter mac-filter entry sequence-id number action accept log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7250 IXR-10, 7250 IXR-6 | 
rate-limit
| Description | Rate-limit accepted packets | |
| Context | acl cpm-filter mac-filter entry sequence-id number action accept rate-limit | |
| Tree | rate-limit | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
distributed-policer reference
| Description | Reference to a policer | |
| Context | acl cpm-filter mac-filter entry sequence-id number action accept rate-limit distributed-policer reference | |
| Tree | distributed-policer | |
| Reference | acl policers policer name string | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
system-cpu-policer reference
| Description | Reference to a system-cpu-policer. | |
| Context | acl cpm-filter mac-filter entry sequence-id number action accept rate-limit system-cpu-policer reference | |
| Tree | system-cpu-policer | |
| Reference | acl policers system-cpu-policer name string | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
drop
| Description | Drop matching packets without sending any ICMP messages back to the source | |
| Context | acl cpm-filter mac-filter entry sequence-id number action drop | |
| Tree | drop | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl cpm-filter mac-filter entry sequence-id number action drop log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
description string
| Description | Description string for the filter entry | |
| Context | acl cpm-filter mac-filter entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
match
| Description | Container for the conditions that determine whether an Ethernet frame matches this entry | |
| Context | acl cpm-filter mac-filter entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
destination-mac
| Description | Ethernet frame matching criteria based on destination MAC address | |
| Context | acl cpm-filter mac-filter entry sequence-id number match destination-mac | |
| Tree | destination-mac | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
address string
| Description | Match an Ethernet frame if its destination MAC address logically anded with the mask equals this MAC address. | |
| Context | acl cpm-filter mac-filter entry sequence-id number match destination-mac address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
mask string
| Description | Match an Ethernet frame if its destination MAC address logically anded with the mask equals the configured MAC address. | |
| Context | acl cpm-filter mac-filter entry sequence-id number match destination-mac mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
ethertype (string | keyword)
| Description | An Ethernet frame matches this condition if its ethertype value (after 802.1Q VLAN tags) matches the specified value | |
| Context | acl cpm-filter mac-filter entry sequence-id number match ethertype (string | keyword) | |
| Tree | ethertype | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
source-mac
| Description | Ethernet frame matching criteria based on source MAC address | |
| Context | acl cpm-filter mac-filter entry sequence-id number match source-mac | |
| Tree | source-mac | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
address string
| Description | Match an Ethernet frame if its source MAC address logically anded with the mask equals this MAC address. | |
| Context | acl cpm-filter mac-filter entry sequence-id number match source-mac address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
mask string
| Description | Match an Ethernet frame if its source MAC address logically anded with the mask equals the configured MAC address. | |
| Context | acl cpm-filter mac-filter entry sequence-id number match source-mac mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
vlan
| Description | Ethernet frame matching criteria based on VLAN tags | |
| Context | acl cpm-filter mac-filter entry sequence-id number match vlan | |
| Tree | vlan | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
outermost-vlan-id
| Description | Ethernet frame matching criteria based on the outermost VLAN ID found before the subinterface-defining VLAN tag (if any) is removed. | |
| Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id | |
| Tree | outermost-vlan-id | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
none
| Description | When configured, only untagged frames are matched. | |
| Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id none | |
| Tree | none | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
range
| Description | Container used to specify a contiguous range of VLAN IDs. Matched values include the start and end values. | |
| Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id range | |
| Tree | range | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
end number
| Description | The ending VLAN ID to include in the range | |
| Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id range end number | |
| Tree | end | |
| Range | 0 to 4095 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
start number
| Description | The starting VLAN ID to include in the range | |
| Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id range start number | |
| Tree | start | |
| Range | 0 to 4095 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
value number
| Description | A VLAN ID number A value of zero is used to match priority-tagged 802.1Q frames. | |
| Context | acl cpm-filter mac-filter entry sequence-id number match vlan outermost-vlan-id value number | |
| Tree | value | |
| Range | 0 to 4095 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
statistics
| Description | Statistics container for packets matching the CPM-filter entry | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
distributed-policer
| Description | Distributed policer stats for traffic matching the entry. | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer | |
| Tree | distributed-policer | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-octets number
| Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer conforming-octets number | |
| Tree | conforming-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-packets number
| Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer conforming-packets number | |
| Tree | conforming-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-octets number
| Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer exceeding-octets number | |
| Tree | exceeding-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-packets number
| Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics distributed-policer exceeding-packets number | |
| Tree | exceeding-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-match string
| Description | The elapsed time since a packet last matched the entry, considering all subinterfaces and all linecards. | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics last-match string | |
| Tree | last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
matched-packets number
| Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces and all linecards | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics matched-packets number | |
| Tree | matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
system-cpu-policer
| Description | System CPU policer stats for traffic matching the entry. | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer | |
| Tree | system-cpu-policer | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-octets number
| Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer conforming-octets number | |
| Tree | conforming-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-packets number
| Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer conforming-packets number | |
| Tree | conforming-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-octets number
| Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer exceeding-octets number | |
| Tree | exceeding-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-packets number
| Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
| Context | acl cpm-filter mac-filter entry sequence-id number statistics system-cpu-policer exceeding-packets number | |
| Tree | exceeding-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
tcam-entries number
| Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
| Context | acl cpm-filter mac-filter entry sequence-id number tcam-entries number | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl cpm-filter mac-filter last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
statistics-per-entry boolean
| Description | Collect the following statistics per entry: the number of packets matching each entry, and the elapsed time since a packet last matched each entry | |
| Context | acl cpm-filter mac-filter statistics-per-entry boolean | |
| Tree | statistics-per-entry | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
egress-mac-filtering boolean
| Description | Must be set to true in order to apply any MAC ACLs to any subinterface in the egress traffic direction. Internally this sets the following limits: Remember that the number of ACL instances per ACL policy is greater than one if subinterface-specific is set to input-and-output or output-only. A setting of true is blocked if the number of IPv4 ACL instances applied to egress traffic is already greater than 32, or if the number of IPv6 ACL instances applied to egress traffic is already greater than 32. | |
| Context | acl egress-mac-filtering boolean | |
| Tree | egress-mac-filtering | |
| Default | false | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
ipv4-filter name string
| Description | List of IPv4 filter policies | |
| Context | acl ipv4-filter name string | |
| Tree | ipv4-filter | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
name string
| Description | Name of the IPv4 filter policy. | |
| Context | acl ipv4-filter name string | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
description string
| Description | Description string for the IPv4 filter policy | |
| Context | acl ipv4-filter name string description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl ipv4-filter name string entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl ipv4-filter name string entry sequence-id number | |
| Range | 1 to 65535 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
action
| Description | Container for the actions to be applied to packets matching the filter entry. | |
| Context | acl ipv4-filter name string entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
accept
| Description | Accept matching packets and forward them towards their normal destination | |
| Context | acl ipv4-filter name string entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl ipv4-filter name string entry sequence-id number action accept log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7250 IXR-10, 7250 IXR-6 | 
drop
| Description | Drop matching packets without sending any ICMP messages back to the source | |
| Context | acl ipv4-filter name string entry sequence-id number action drop | |
| Tree | drop | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: This action combination is not supported on Trident3 platforms when the filter is applied as an output (egress traffic) filter; no logs will be generated. | |
| Context | acl ipv4-filter name string entry sequence-id number action drop log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
description string
| Description | Description string for the filter entry | |
| Context | acl ipv4-filter name string entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
match
| Description | Container for the conditions that determine whether a packet matches this entry | |
| Context | acl ipv4-filter name string entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-ip
| Description | Packet matching criteria based on destination IPv4 address | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-ip | |
| Tree | destination-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-port
| Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-port | |
| Tree | destination-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A destination port number | |
| Context | acl ipv4-filter name string entry sequence-id number match destination-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
dscp-set (number | keyword)
| Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
| Context | acl ipv4-filter name string entry sequence-id number match dscp-set (number | keyword) | |
| Tree | dscp-set | |
| Range | 0 to 63 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
first-fragment boolean
| Description | Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
| Context | acl ipv4-filter name string entry sequence-id number match first-fragment boolean | |
| Tree | first-fragment | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
fragment boolean
| Description | Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
| Context | acl ipv4-filter name string entry sequence-id number match fragment boolean | |
| Tree | fragment | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
icmp
| Description | A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
| Context | acl ipv4-filter name string entry sequence-id number match icmp | |
| Tree | icmp | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
code number
| Description | Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent. | |
| Context | acl ipv4-filter name string entry sequence-id number match icmp code number | |
| Tree | code | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
type (number | keyword)
| Description | Match a single ICMP type value. | |
| Context | acl ipv4-filter name string entry sequence-id number match icmp type (number | keyword) | |
| Tree | type | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
protocol (number | keyword)
| Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
| Context | acl ipv4-filter name string entry sequence-id number match protocol (number | keyword) | |
| Tree | protocol | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-ip
| Description | Packet matching criteria based on source IPv4 address | |
| Context | acl ipv4-filter name string entry sequence-id number match source-ip | |
| Tree | source-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl ipv4-filter name string entry sequence-id number match source-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl ipv4-filter name string entry sequence-id number match source-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
| Context | acl ipv4-filter name string entry sequence-id number match source-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-port
| Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl ipv4-filter name string entry sequence-id number match source-port | |
| Tree | source-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl ipv4-filter name string entry sequence-id number match source-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl ipv4-filter name string entry sequence-id number match source-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl ipv4-filter name string entry sequence-id number match source-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl ipv4-filter name string entry sequence-id number match source-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A source port number | |
| Context | acl ipv4-filter name string entry sequence-id number match source-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
tcp-flags string
| Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
| Context | acl ipv4-filter name string entry sequence-id number match tcp-flags string | |
| Tree | tcp-flags | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
statistics
| Description | Container for per-entry statistics | |
| Context | acl ipv4-filter name string entry sequence-id number statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
aggregate
| Description | Container for aggregated per-entry statistics. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
| Context | acl ipv4-filter name string entry sequence-id number statistics aggregate | |
| Tree | aggregate | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
in-last-match string
| Description | The elapsed time since an ingress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
| Context | acl ipv4-filter name string entry sequence-id number statistics aggregate in-last-match string | |
| Tree | in-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
in-matched-packets number
| Description | The number of ingress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
| Context | acl ipv4-filter name string entry sequence-id number statistics aggregate in-matched-packets number | |
| Tree | in-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
out-last-match string
| Description | The elapsed time since an egress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
| Context | acl ipv4-filter name string entry sequence-id number statistics aggregate out-last-match string | |
| Tree | out-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
out-matched-packets number
| Description | The number of egress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
| Context | acl ipv4-filter name string entry sequence-id number statistics aggregate out-matched-packets number | |
| Tree | out-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command performed by the user at this level or a higher level | |
| Context | acl ipv4-filter name string entry sequence-id number statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
per-interface
| Description | Container for per-entry statistics on a per interface basis. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
| Context | acl ipv4-filter name string entry sequence-id number statistics per-interface | |
| Tree | per-interface | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
subinterface name string
| Description | If subinterface-specific=disabled then this list is empty. If subinterface-specific=input-only then this is the list of subinterfaces that apply the ACL as an input ACL If subinterface-specific=output-only then this is the list of subinterfaces that apply the ACL as an output ACL. If subinterface-specific=input-and-output then this is the list of subinterfaces that apply the ACL as an input ACL or an output ACL. | |
| Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string | |
| Tree | subinterface | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
name string
| Description | Reference to a subinterface. | |
| Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
in-last-match string
| Description | The elapsed time since an ingress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to input-only or input-and-output | |
| Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string in-last-match string | |
| Tree | in-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
in-matched-packets number
| Description | The number of ingress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to input-only or input-and-output | |
| Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string in-matched-packets number | |
| Tree | in-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command performed by the user at this level or a higher level | |
| Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
out-last-match string
| Description | The elapsed time since an egress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to output-only or input-and-output | |
| Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string out-last-match string | |
| Tree | out-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
out-matched-packets number
| Description | The number of egress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to output-only or input-and-output | |
| Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string out-matched-packets number | |
| Tree | out-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
tcam-entries
| Description | Information about the TCAM entries used to implement the ACL entry | |
| Context | acl ipv4-filter name string entry sequence-id number tcam-entries | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
linecard slot number
| Description | List of linecards in the system | |
| Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number | |
| Tree | linecard | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
slot number
| Description | Slot identifier | |
| Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number | |
| Range | 1 to 10 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
input-total number
| Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this slot then input-total=0. | |
| Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number input-total number | |
| Tree | input-total | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
output-total number
| Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this slot then output-total=0. | |
| Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number output-total number | |
| Tree | output-total | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
single-instance number
| Description | The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this slot. It captures the effect of TCAM entry expansion to deal with port ranges, for example. | |
| Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number single-instance number | |
| Tree | single-instance | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl ipv4-filter name string last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
statistics-per-entry boolean
| Description | Collect statistics for each entry of the ACL The exact set of statistics depend on the subinterface-specific mode | |
| Context | acl ipv4-filter name string statistics-per-entry boolean | |
| Tree | statistics-per-entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
subinterface-specific keyword
| Description | Controls the instantiation of the filter when it is applied as an input or output ACL disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter | |
| Context | acl ipv4-filter name string subinterface-specific keyword | |
| Tree | subinterface-specific | |
| Default | disabled | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
ipv6-filter name string
| Description | List of IPv6 filter policies | |
| Context | acl ipv6-filter name string | |
| Tree | ipv6-filter | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
name string
| Description | Name of the IPv6 filter policy. | |
| Context | acl ipv6-filter name string | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
description string
| Description | Description string for the IPv6 filter policy | |
| Context | acl ipv6-filter name string description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl ipv6-filter name string entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries. | |
| Context | acl ipv6-filter name string entry sequence-id number | |
| Range | 1 to 65535 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
action
| Description | Container for the actions to be applied to packets matching the filter entry. | |
| Context | acl ipv6-filter name string entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
accept
| Description | Accept matching packets and forward them towards their normal destination | |
| Context | acl ipv6-filter name string entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl ipv6-filter name string entry sequence-id number action accept log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7250 IXR-10, 7250 IXR-6 | 
drop
| Description | Drop matching packets without sending any ICMP messages back to the source | |
| Context | acl ipv6-filter name string entry sequence-id number action drop | |
| Tree | drop | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: This action combination is not supported on Trident3 platforms when the filter is applied as an output (egress traffic) filter; no logs will be generated. | |
| Context | acl ipv6-filter name string entry sequence-id number action drop log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
description string
| Description | Description string for the filter entry | |
| Context | acl ipv6-filter name string entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
match
| Description | Container for the conditions that determine whether a packet matches this entry | |
| Context | acl ipv6-filter name string entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-ip
| Description | Packet matching criteria based on destination IPv6 address | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-ip | |
| Tree | destination-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
destination-port
| Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-port | |
| Tree | destination-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A destination port number | |
| Context | acl ipv6-filter name string entry sequence-id number match destination-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
dscp-set (number | keyword)
| Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
| Context | acl ipv6-filter name string entry sequence-id number match dscp-set (number | keyword) | |
| Tree | dscp-set | |
| Range | 0 to 63 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
icmp6
| Description | A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
| Context | acl ipv6-filter name string entry sequence-id number match icmp6 | |
| Tree | icmp6 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
code number
| Description | Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent. | |
| Context | acl ipv6-filter name string entry sequence-id number match icmp6 code number | |
| Tree | code | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
type (number | keyword)
| Description | Match a single ICMPv6 type value | |
| Context | acl ipv6-filter name string entry sequence-id number match icmp6 type (number | keyword) | |
| Tree | type | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
next-header (number | keyword)
| Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
| Context | acl ipv6-filter name string entry sequence-id number match next-header (number | keyword) | |
| Tree | next-header | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-ip
| Description | Packet matching criteria based on source IPv6 address | |
| Context | acl ipv6-filter name string entry sequence-id number match source-ip | |
| Tree | source-ip | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
address string
| Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl ipv6-filter name string entry sequence-id number match source-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mask string
| Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl ipv6-filter name string entry sequence-id number match source-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
prefix string
| Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
| Context | acl ipv6-filter name string entry sequence-id number match source-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
source-port
| Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl ipv6-filter name string entry sequence-id number match source-port | |
| Tree | source-port | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl ipv6-filter name string entry sequence-id number match source-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl ipv6-filter name string entry sequence-id number match source-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl ipv6-filter name string entry sequence-id number match source-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl ipv6-filter name string entry sequence-id number match source-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
value (number | keyword)
| Description | A source port number | |
| Context | acl ipv6-filter name string entry sequence-id number match source-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
tcp-flags string
| Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
| Context | acl ipv6-filter name string entry sequence-id number match tcp-flags string | |
| Tree | tcp-flags | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
statistics
| Description | Container for per-entry statistics | |
| Context | acl ipv6-filter name string entry sequence-id number statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
aggregate
| Description | Container for aggregated per-entry statistics. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
| Context | acl ipv6-filter name string entry sequence-id number statistics aggregate | |
| Tree | aggregate | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
in-last-match string
| Description | The elapsed time since an ingress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
| Context | acl ipv6-filter name string entry sequence-id number statistics aggregate in-last-match string | |
| Tree | in-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
in-matched-packets number
| Description | The number of ingress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
| Context | acl ipv6-filter name string entry sequence-id number statistics aggregate in-matched-packets number | |
| Tree | in-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
out-last-match string
| Description | The elapsed time since an egress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
| Context | acl ipv6-filter name string entry sequence-id number statistics aggregate out-last-match string | |
| Tree | out-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
out-matched-packets number
| Description | The number of egress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
| Context | acl ipv6-filter name string entry sequence-id number statistics aggregate out-matched-packets number | |
| Tree | out-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command performed by the user at this level or a higher level | |
| Context | acl ipv6-filter name string entry sequence-id number statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
per-interface
| Description | Container for per-entry statistics on a per interface basis. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
| Context | acl ipv6-filter name string entry sequence-id number statistics per-interface | |
| Tree | per-interface | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
subinterface name string
| Description | If subinterface-specific=disabled then this list is empty. If subinterface-specific=input-only then this is the list of subinterfaces that apply the ACL as an input ACL If subinterface-specific=output-only then this is the list of subinterfaces that apply the ACL as an output ACL. If subinterface-specific=input-and-output then this is the list of subinterfaces that apply the ACL as an input ACL or an output ACL. | |
| Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string | |
| Tree | subinterface | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
name string
| Description | Reference to a subinterface. | |
| Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
in-last-match string
| Description | The elapsed time since an ingress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to input-only or input-and-output | |
| Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string in-last-match string | |
| Tree | in-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
in-matched-packets number
| Description | The number of ingress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to input-only or input-and-output | |
| Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string in-matched-packets number | |
| Tree | in-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command performed by the user at this level or a higher level | |
| Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
out-last-match string
| Description | The elapsed time since an egress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to output-only or input-and-output | |
| Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string out-last-match string | |
| Tree | out-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
out-matched-packets number
| Description | The number of egress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to output-only or input-and-output | |
| Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string out-matched-packets number | |
| Tree | out-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
tcam-entries
| Description | Information about the TCAM entries used to implement the ACL entry | |
| Context | acl ipv6-filter name string entry sequence-id number tcam-entries | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
linecard slot number
| Description | List of linecards in the system | |
| Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number | |
| Tree | linecard | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
slot number
| Description | Slot identifier | |
| Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number | |
| Range | 1 to 10 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
input-total number
| Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this slot then input-total=0. | |
| Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number input-total number | |
| Tree | input-total | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
output-total number
| Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this slot then output-total=0. | |
| Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number output-total number | |
| Tree | output-total | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
single-instance number
| Description | The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this slot. It captures the effect of TCAM entry expansion to deal with port ranges, for example. | |
| Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number single-instance number | |
| Tree | single-instance | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl ipv6-filter name string last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
statistics-per-entry boolean
| Description | Collect statistics for each entry of the ACL The exact set of statistics depend on the subinterface-specific mode | |
| Context | acl ipv6-filter name string statistics-per-entry boolean | |
| Tree | statistics-per-entry | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
subinterface-specific keyword
| Description | Controls the instantiation of the filter when it is applied as an input or output ACL disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter | |
| Context | acl ipv6-filter name string subinterface-specific keyword | |
| Tree | subinterface-specific | |
| Default | disabled | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
mac-filter name string
| Description | List of MAC ACL policies | |
| Context | acl mac-filter name string | |
| Tree | mac-filter | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
name string
| Description | Name of the MAC ACL policy. | |
| Context | acl mac-filter name string | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
description string
| Description | Description string for the MAC ACL policy | |
| Context | acl mac-filter name string description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl mac-filter name string entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl mac-filter name string entry sequence-id number | |
| Range | 1 to 65535 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
action
| Description | Container for the actions to be applied to packets matching the filter entry. | |
| Context | acl mac-filter name string entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
accept
| Description | Accept matching packets and forward them towards their normal destination | |
| Context | acl mac-filter name string entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl mac-filter name string entry sequence-id number action accept log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7250 IXR-10, 7250 IXR-6 | 
drop
| Description | Drop matching packets without sending any ICMP messages back to the source | |
| Context | acl mac-filter name string entry sequence-id number action drop | |
| Tree | drop | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: This action combination is not supported on Trident3 platforms when the filter is applied as an output (egress traffic) filter; no logs will be generated. | |
| Context | acl mac-filter name string entry sequence-id number action drop log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
description string
| Description | Description string for the filter entry | |
| Context | acl mac-filter name string entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
match
| Description | Container for the conditions that determine whether an Ethernet frame matches this entry | |
| Context | acl mac-filter name string entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
destination-mac
| Description | Ethernet frame matching criteria based on destination MAC address | |
| Context | acl mac-filter name string entry sequence-id number match destination-mac | |
| Tree | destination-mac | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
address string
| Description | Match an Ethernet frame if its destination MAC address logically anded with the mask equals this MAC address. | |
| Context | acl mac-filter name string entry sequence-id number match destination-mac address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
mask string
| Description | Match an Ethernet frame if its destination MAC address logically anded with the mask equals the configured MAC address. | |
| Context | acl mac-filter name string entry sequence-id number match destination-mac mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
ethertype (string | keyword)
| Description | An Ethernet frame matches this condition if its ethertype value (after 802.1Q VLAN tags) matches the specified value | |
| Context | acl mac-filter name string entry sequence-id number match ethertype (string | keyword) | |
| Tree | ethertype | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
source-mac
| Description | Ethernet frame matching criteria based on source MAC address | |
| Context | acl mac-filter name string entry sequence-id number match source-mac | |
| Tree | source-mac | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
address string
| Description | Match an Ethernet frame if its source MAC address logically anded with the mask equals this MAC address. | |
| Context | acl mac-filter name string entry sequence-id number match source-mac address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
mask string
| Description | Match an Ethernet frame if its source MAC address logically anded with the mask equals the configured MAC address. | |
| Context | acl mac-filter name string entry sequence-id number match source-mac mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
vlan
| Description | Ethernet frame matching criteria based on VLAN tags | |
| Context | acl mac-filter name string entry sequence-id number match vlan | |
| Tree | vlan | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
outermost-vlan-id
| Description | Ethernet frame matching criteria based on the outermost VLAN ID found before the subinterface-defining VLAN tag (if any) is removed. | |
| Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id | |
| Tree | outermost-vlan-id | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
none
| Description | When configured, only untagged frames are matched. | |
| Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id none | |
| Tree | none | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
range
| Description | Container used to specify a contiguous range of VLAN IDs. Matched values include the start and end values. | |
| Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id range | |
| Tree | range | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
end number
| Description | The ending VLAN ID to include in the range | |
| Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id range end number | |
| Tree | end | |
| Range | 0 to 4095 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
start number
| Description | The starting VLAN ID to include in the range | |
| Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id range start number | |
| Tree | start | |
| Range | 0 to 4095 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
value number
| Description | A VLAN ID number A value of zero is used to match priority-tagged 802.1Q frames. | |
| Context | acl mac-filter name string entry sequence-id number match vlan outermost-vlan-id value number | |
| Tree | value | |
| Range | 0 to 4095 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
statistics
| Description | Container for per-entry statistics | |
| Context | acl mac-filter name string entry sequence-id number statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
aggregate
| Description | Container for aggregated per-entry statistics. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
| Context | acl mac-filter name string entry sequence-id number statistics aggregate | |
| Tree | aggregate | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
in-last-match string
| Description | The elapsed time since an ingress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
| Context | acl mac-filter name string entry sequence-id number statistics aggregate in-last-match string | |
| Tree | in-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
in-matched-packets number
| Description | The number of ingress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
| Context | acl mac-filter name string entry sequence-id number statistics aggregate in-matched-packets number | |
| Tree | in-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
out-last-match string
| Description | The elapsed time since an egress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
| Context | acl mac-filter name string entry sequence-id number statistics aggregate out-last-match string | |
| Tree | out-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
out-matched-packets number
| Description | The number of egress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
| Context | acl mac-filter name string entry sequence-id number statistics aggregate out-matched-packets number | |
| Tree | out-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level or a higher level | |
| Context | acl mac-filter name string entry sequence-id number statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
per-interface
| Description | Container for per-entry statistics on a per interface basis. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
| Context | acl mac-filter name string entry sequence-id number statistics per-interface | |
| Tree | per-interface | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
subinterface name string
| Description | If subinterface-specific=disabled then this list is empty. If subinterface-specific=input-only then this is the list of subinterfaces that apply the ACL as an input ACL If subinterface-specific=output-only then this is the list of subinterfaces that apply the ACL as an output ACL. If subinterface-specific=input-and-output then this is the list of subinterfaces that apply the ACL as an input ACL or an output ACL. | |
| Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string | |
| Tree | subinterface | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
name string
| Description | Reference to a subinterface. | |
| Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
in-last-match string
| Description | The elapsed time since an ingress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to input-only or input-and-output | |
| Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string in-last-match string | |
| Tree | in-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
in-matched-packets number
| Description | The number of ingress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to input-only or input-and-output | |
| Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string in-matched-packets number | |
| Tree | in-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level or a higher level | |
| Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
out-last-match string
| Description | The elapsed time since an egress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to output-only or input-and-output | |
| Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string out-last-match string | |
| Tree | out-last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
out-matched-packets number
| Description | The number of egress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to output-only or input-and-output | |
| Context | acl mac-filter name string entry sequence-id number statistics per-interface subinterface name string out-matched-packets number | |
| Tree | out-matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
tcam-entries
| Description | Information about the TCAM entries used to implement the ACL entry | |
| Context | acl mac-filter name string entry sequence-id number tcam-entries | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
linecard slot number
| Description | List of linecards in the system | |
| Context | acl mac-filter name string entry sequence-id number tcam-entries linecard slot number | |
| Tree | linecard | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
slot number
| Description | Slot identifier | |
| Context | acl mac-filter name string entry sequence-id number tcam-entries linecard slot number | |
| Range | 1 to 10 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
input-total number
| Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this slot then input-total=0. | |
| Context | acl mac-filter name string entry sequence-id number tcam-entries linecard slot number input-total number | |
| Tree | input-total | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
output-total number
| Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this slot then output-total=0. | |
| Context | acl mac-filter name string entry sequence-id number tcam-entries linecard slot number output-total number | |
| Tree | output-total | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
single-instance number
| Description | The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this slot. It captures the effect of TCAM entry expansion to deal with port ranges, for example. | |
| Context | acl mac-filter name string entry sequence-id number tcam-entries linecard slot number single-instance number | |
| Tree | single-instance | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl mac-filter name string last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
statistics-per-entry boolean
| Description | Collect statistics for each entry of the ACL The exact set of statistics depend on the subinterface-specific mode | |
| Context | acl mac-filter name string statistics-per-entry boolean | |
| Tree | statistics-per-entry | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
subinterface-specific keyword
| Description | Controls the instantiation of the filter when it is applied as an input or output ACL disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter | |
| Context | acl mac-filter name string subinterface-specific keyword | |
| Tree | subinterface-specific | |
| Default | disabled | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
policers
| Description | Container for policer definitions used by ACL entries | |
| Context | acl policers | |
| Tree | policers | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
policer name string
| Description | List of hardware policer templates. For each policer in this list one or more policer instances are implemented in the linecards of the system. | |
| Context | acl policers policer name string | |
| Tree | policer | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
name string
entry-specific boolean
| Description | If set to false, only one policer instance is created from this template and it is shared by all entries of all cpm-filter ACLs that refer to this policer. If set to true, multiple policer instances are created from this template, one for each cpm-filter entry that refers to the policer template. | |
| Context | acl policers policer name string entry-specific boolean | |
| Tree | entry-specific | |
| Default | false | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
max-burst number
peak-rate number
statistics
| Description | Container for linecard policer statistics None of these statistics are populated if the policer is configured as entry-specific=true. | |
| Context | acl policers policer name string statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-octets number
| Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl policers policer name string statistics conforming-octets number | |
| Tree | conforming-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
conforming-packets number
| Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
| Context | acl policers policer name string statistics conforming-packets number | |
| Tree | conforming-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-octets number
| Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl policers policer name string statistics exceeding-octets number | |
| Tree | exceeding-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
exceeding-packets number
| Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
| Context | acl policers policer name string statistics exceeding-packets number | |
| Tree | exceeding-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command that applied to these statistics | |
| Context | acl policers policer name string statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
system-cpu-policer name string
| Description | List of system CPU policer templates. For each policer in this list one or more policer instances are implemented in the XDP-CPM software and these policer instances process the aggregate of terminating traffic received from all linecards. | |
| Context | acl policers system-cpu-policer name string | |
| Tree | system-cpu-policer | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
name string
| Description | User-defined name of the policer | |
| Context | acl policers system-cpu-policer name string | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
entry-specific boolean
| Description | If set to false, only one policer instance is created from this template and it is shared by all entries of all cpm-filter ACLs that refer to this policer. If set to true, multiple policer instances are created from this template, one for each cpm-filter entry that refers to the policer template. | |
| Context | acl policers system-cpu-policer name string entry-specific boolean | |
| Tree | entry-specific | |
| Default | false | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
max-packet-burst number
| Description | The maximum depth of the policer bucket in number of packets | |
| Context | acl policers system-cpu-policer name string max-packet-burst number | |
| Tree | max-packet-burst | |
| Range | 16 to 4000000 | |
| Default | 16 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
peak-packet-rate number
| Description | The maximum number of packets per second (bucket empty/fill rate) | |
| Context | acl policers system-cpu-policer name string peak-packet-rate number | |
| Tree | peak-packet-rate | |
| Range | 1 to 4000000 | |
| Configurable | True | |
| Platforms | Supported on all platforms | 
statistics
| Description | Container for system CPU policer statistics None of these statistics are populated if the policer is configured as entry-specific=true. | |
| Context | acl policers system-cpu-policer name string statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
conforming-octets number
| Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl policers system-cpu-policer name string statistics conforming-octets number | |
| Tree | conforming-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
conforming-packets number
| Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
| Context | acl policers system-cpu-policer name string statistics conforming-packets number | |
| Tree | conforming-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
exceeding-octets number
| Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
| Context | acl policers system-cpu-policer name string statistics exceeding-octets number | |
| Tree | exceeding-octets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
exceeding-packets number
| Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
| Context | acl policers system-cpu-policer name string statistics exceeding-packets number | |
| Tree | exceeding-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
last-clear string
| Description | Time of the last clear command that applied to these statistics | |
| Context | acl policers system-cpu-policer name string statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | Supported on all platforms | 
system-filter
| Description | Top level container for System filters | |
| Context | acl system-filter | |
| Tree | system-filter | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
ipv4-filter
| Description | Top level container for System IPv4 filters | |
| Context | acl system-filter ipv4-filter | |
| Tree | ipv4-filter | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl system-filter ipv4-filter entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl system-filter ipv4-filter entry sequence-id number | |
| Range | 1 to 256 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
action
| Description | Container for the actions to be applied to packets matching the System filter entry. | |
| Context | acl system-filter ipv4-filter entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
accept
| Description | Accept matching packets | |
| Context | acl system-filter ipv4-filter entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
drop
| Description | Drop matching packets without sending any ICMP messages back to the source | |
| Context | acl system-filter ipv4-filter entry sequence-id number action drop | |
| Tree | drop | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl system-filter ipv4-filter entry sequence-id number action drop log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
description string
| Description | Description string for the filter entry | |
| Context | acl system-filter ipv4-filter entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
match
| Description | Container for the conditions that determine whether a packet matches this entry | |
| Context | acl system-filter ipv4-filter entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
destination-ip
| Description | Packet matching criteria based on destination IPv4 address | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip | |
| Tree | destination-ip | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
address string
| Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
mask string
| Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
prefix string
| Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
destination-port
| Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-port | |
| Tree | destination-port | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
value (number | keyword)
| Description | A destination port number | |
| Context | acl system-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
dscp-set (number | keyword)
| Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match dscp-set (number | keyword) | |
| Tree | dscp-set | |
| Range | 0 to 63 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
first-fragment boolean
| Description | Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
| Tree | first-fragment | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
fragment boolean
| Description | Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match fragment boolean | |
| Tree | fragment | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
icmp
| Description | A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match icmp | |
| Tree | icmp | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
code number
| Description | Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match icmp code number | |
| Tree | code | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
type (number | keyword)
| Description | Match a single ICMP type value. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
| Tree | type | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
protocol (number | keyword)
| Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
| Context | acl system-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
| Tree | protocol | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
source-ip
| Description | Packet matching criteria based on source IPv4 address | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-ip | |
| Tree | source-ip | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
address string
| Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
mask string
| Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
prefix string
| Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
source-port
| Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-port | |
| Tree | source-port | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
value (number | keyword)
| Description | A source port number | |
| Context | acl system-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
tcp-flags string
| Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
| Context | acl system-filter ipv4-filter entry sequence-id number match tcp-flags string | |
| Tree | tcp-flags | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
statistics
| Description | Statistics container for packets matching the system-filter entry | |
| Context | acl system-filter ipv4-filter entry sequence-id number statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl system-filter ipv4-filter entry sequence-id number statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-match string
| Description | The elapsed time since a packet last matched the entry, considering all subinterfaces. | |
| Context | acl system-filter ipv4-filter entry sequence-id number statistics last-match string | |
| Tree | last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
matched-packets number
| Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces | |
| Context | acl system-filter ipv4-filter entry sequence-id number statistics matched-packets number | |
| Tree | matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
tcam-entries number
| Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
| Context | acl system-filter ipv4-filter entry sequence-id number tcam-entries number | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl system-filter ipv4-filter last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
ipv6-filter
| Description | Top level container for System IPv6 filters | |
| Context | acl system-filter ipv6-filter | |
| Tree | ipv6-filter | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
entry sequence-id number
| Description | List of filter rules. | |
| Context | acl system-filter ipv6-filter entry sequence-id number | |
| Tree | entry | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
sequence-id number
| Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
| Context | acl system-filter ipv6-filter entry sequence-id number | |
| Range | 1 to 128 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
action
| Description | Container for the actions to be applied to packets matching the System filter entry. | |
| Context | acl system-filter ipv6-filter entry sequence-id number action | |
| Tree | action | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
accept
| Description | Accept matching packets | |
| Context | acl system-filter ipv6-filter entry sequence-id number action accept | |
| Tree | accept | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
drop
| Description | Drop matching packets without sending any ICMP messages back to the source | |
| Context | acl system-filter ipv6-filter entry sequence-id number action drop | |
| Tree | drop | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
log boolean
| Description | When this is true, a log is created for each packet matching the entry The log entry contains the following information: | |
| Context | acl system-filter ipv6-filter entry sequence-id number action drop log boolean | |
| Tree | log | |
| Default | false | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
description string
| Description | Description string for the filter entry | |
| Context | acl system-filter ipv6-filter entry sequence-id number description string | |
| Tree | description | |
| String Length | 1 to 255 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
match
| Description | Container for the conditions that determine whether a packet matches this entry | |
| Context | acl system-filter ipv6-filter entry sequence-id number match | |
| Tree | match | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
destination-ip
| Description | Packet matching criteria based on destination IPv6 address | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip | |
| Tree | destination-ip | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
address string
| Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
mask string
| Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
prefix string
| Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
destination-port
| Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-port | |
| Tree | destination-port | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
value (number | keyword)
| Description | A destination port number | |
| Context | acl system-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
dscp-set (number | keyword)
| Description | A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match dscp-set (number | keyword) | |
| Tree | dscp-set | |
| Range | 0 to 63 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7250 IXR-10, 7250 IXR-6, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
icmp6
| Description | A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 | |
| Tree | icmp6 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
code number
| Description | Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 code number | |
| Tree | code | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
type (number | keyword)
| Description | Match a single ICMPv6 type value | |
| Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
| Tree | type | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
next-header (number | keyword)
| Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
| Context | acl system-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
| Tree | next-header | |
| Range | 0 to 255 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
source-ip
| Description | Packet matching criteria based on source IPv6 address | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-ip | |
| Tree | source-ip | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
address string
| Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-ip address string | |
| Tree | address | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
mask string
| Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-ip mask string | |
| Tree | mask | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
prefix string
| Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
| Tree | prefix | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
source-port
| Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-port | |
| Tree | source-port | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
operator keyword
| Description | Comparison operator eq = equal ge = greater than or equal to le = less than or equal to | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
| Tree | operator | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
range
| Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-port range | |
| Tree | range | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
end (number | keyword)
| Description | The ending port number to include in the range | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
| Tree | end | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
start (number | keyword)
| Description | The starting port number to include in the range | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
| Tree | start | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
value (number | keyword)
| Description | A source port number | |
| Context | acl system-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
| Tree | value | |
| Range | 0 to 65535 | |
| Options | 
 | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
tcp-flags string
| Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
| Context | acl system-filter ipv6-filter entry sequence-id number match tcp-flags string | |
| Tree | tcp-flags | |
| Configurable | True | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
statistics
| Description | Statistics container for packets matching the system-filter entry | |
| Context | acl system-filter ipv6-filter entry sequence-id number statistics | |
| Tree | statistics | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl system-filter ipv6-filter entry sequence-id number statistics last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-match string
| Description | The elapsed time since a packet last matched the entry, considering all subinterfaces. | |
| Context | acl system-filter ipv6-filter entry sequence-id number statistics last-match string | |
| Tree | last-match | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
matched-packets number
| Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces | |
| Context | acl system-filter ipv6-filter entry sequence-id number statistics matched-packets number | |
| Tree | matched-packets | |
| Default | 0 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
tcam-entries number
| Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
| Context | acl system-filter ipv6-filter entry sequence-id number tcam-entries number | |
| Tree | tcam-entries | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
last-clear string
| Description | Time of the last clear command performed by the user at this level | |
| Context | acl system-filter ipv6-filter last-clear string | |
| Tree | last-clear | |
| String Length | 20 to 32 | |
| Configurable | False | |
| Platforms | 7220 IXR-D2L, 7220 IXR-D2, 7220 IXR-D3L, 7220 IXR-D1, 7220 IXR-D3 | 
tcam-profile keyword
| Description | Specify the TCAM resource management profile | |
| Context | acl tcam-profile keyword | |
| Tree | tcam-profile | |
| Options | 
 | |
| Configurable | True | |
| Platforms | Supported on all platforms |