acl

acl
+  acl-filter name string type keyword 
   +  description string
   +  entry sequence-id number 
      +  action
         +  accept
            +  forwarding-class reference
            +  rate-limit
               +  policer reference
               +  system-cpu-policer reference
         +  copy
         +  drop
         +  log boolean
      +  description string
      -  last-clear string
      +  match
         +  ipv4
            +  destination-ip
               +  address string
               +  mask string
               +  prefix string
            +  dscp-set (number | keyword)
            +  first-fragment boolean
            +  fragment boolean
            +  icmp
               +  code number
               +  type (number | keyword)
            +  protocol (number | keyword)
            +  source-ip
               +  address string
               +  mask string
               +  prefix string
         +  ipv6
            +  destination-ip
               +  address string
               +  mask string
               +  prefix string
            +  dscp-set (number | keyword)
            +  icmp6
               +  code number
               +  type (number | keyword)
            +  next-header (number | keyword)
            +  source-ip
               +  address string
               +  mask string
               +  prefix string
         +  l2
            +  destination-mac
               +  address string
               +  mask string
            +  ethertype (string | keyword)
            +  source-mac
               +  address string
               +  mask string
            +  vlan
               +  outermost-vlan-id
                  +  none 
                  +  operator keyword
                  +  range
                     +  end number
                     +  start number
                  +  value number
         +  transport
            +  destination-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  source-port
               +  operator keyword
               +  range
                  +  end (number | keyword)
                  +  start (number | keyword)
               +  value (number | keyword)
            +  tcp-flags string
      -  statistics
         -  incomplete boolean
         -  last-clear string
         -  last-match string
         -  matched-packets number
         -  policer
            -  conforming-octets number
            -  conforming-packets number
            -  exceeding-octets number
            -  exceeding-packets number
         -  system-cpu-policer
            -  conforming-octets number
            -  conforming-packets number
            -  exceeding-octets number
            -  exceeding-packets number
      -  tcam-entries
         -  forwarding-complex complex-identifier string 
            -  input-total number
            -  output-total number
            -  single-instance number
   -  last-clear string
   +  statistics-per-entry boolean
   +  subinterface-specific keyword
-  datapath-programming
   -  forwarding-complex slot-id number complex-id number 
      -  last-completed-timestamp string
      -  programming-complete boolean
+  egress-mac-filtering boolean
+  interface interface-id string 
   +  input
      +  acl-filter name reference type reference 
         -  entry sequence-id reference 
            -  policer
               -  conforming-octets number
               -  conforming-packets number
               -  exceeding-octets number
               -  exceeding-packets number
            -  statistics
               -  incomplete boolean
               -  last-clear string
               -  last-match string
               -  matched-packets number
      -  statistics
         -  last-clear string
         -  policer
            -  conforming-octets number
            -  conforming-packets number
            -  exceeding-octets number
            -  exceeding-packets number
   +  interface-ref
      +  interface reference
      +  subinterface reference
   +  output
      +  acl-filter name reference type reference 
         -  entry sequence-id reference 
            -  policer
               -  conforming-octets number
               -  conforming-packets number
               -  exceeding-octets number
               -  exceeding-packets number
            -  statistics
               -  incomplete boolean
               -  last-clear string
               -  last-match string
               -  matched-packets number
      -  statistics
         -  last-clear string
         -  policer
            -  conforming-octets number
            -  conforming-packets number
            -  exceeding-octets number
            -  exceeding-packets number
+  policers
   +  policer name string 
      +  entry-specific boolean
      +  max-burst number
      +  peak-rate number
      +  scope keyword
      -  statistics
         -  aggregate
            -  conforming-octets number
            -  conforming-packets number
            -  exceeding-octets number
            -  exceeding-packets number
            -  last-clear string
   +  system-cpu-policer name string 
      +  entry-specific boolean
      +  max-packet-burst number
      +  peak-packet-rate number
      -  statistics
         -  conforming-octets number
         -  conforming-packets number
         -  exceeding-octets number
         -  exceeding-packets number
         -  last-clear string
+  tcam-profile keyword

acl Descriptions

acl


	Description	Top level container for configuration and operational state related to access control lists (ACLs)
	Context	acl
	Tree	acl
	Configurable	True
	Platforms	Supported on all platforms

acl-filter name string type keyword


	Description	List of filter types such as IPv4, IPv6 and MAC depending on the platform's capabilities.
	Context	acl acl-filter name string type keyword
	Tree	acl-filter
	Configurable	True
	Platforms	Supported on all platforms

name string


	Description	ACL Filter policy name
	Context	acl acl-filter name string type keyword
	Configurable	True
	Platforms	Supported on all platforms

type keyword


	Description	Defines the type of ACL filter: ipv4: IPv4 ACL filter ipv6: IPv6 ACL filter mac: MAC ACL filter
	Context	acl acl-filter name string type keyword
	Options	ipv4 ipv6 mac
	Configurable	True
	Platforms	Supported on all platforms

description string


	Description	Description string for the filter policy
	Context	acl acl-filter name string type keyword description string
	Tree	description
	String Length	1 to 255
	Configurable	True
	Platforms	Supported on all platforms

entry sequence-id number


	Description	List of ACL entries comprising an ACL Filter
	Context	acl acl-filter name string type keyword entry sequence-id number
	Tree	entry
	Configurable	True
	Platforms	Supported on all platforms

sequence-id number


	Description	A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries
	Context	acl acl-filter name string type keyword entry sequence-id number
	Range	0 to 65535
	Configurable	True
	Platforms	Supported on all platforms

action


	Description	Container for the actions to be applied to packets matching the filter entry.
	Context	acl acl-filter name string type keyword entry sequence-id number action
	Tree	action
	Configurable	True
	Platforms	Supported on all platforms

accept


	Description	Accept matching packets and forward them towards their normal destination
	Context	acl acl-filter name string type keyword entry sequence-id number action accept
	Tree	accept
	Configurable	True
	Platforms	Supported on all platforms

forwarding-class reference


	Description	The QoS forwarding class to which the packet is mapped
	Context	acl acl-filter name string type keyword entry sequence-id number action accept forwarding-class reference
	Tree	forwarding-class
	Reference	qos forwarding-classes forwarding-class name string
	Configurable	True
	Platforms	Supported on all platforms except 7220 IXR-D1

rate-limit


	Description	Rate-limit accepted packets
	Context	acl acl-filter name string type keyword entry sequence-id number action accept rate-limit
	Tree	rate-limit
	Configurable	True
	Platforms	Supported on all platforms

policer reference


	Description	Reference to a policer
	Context	acl acl-filter name string type keyword entry sequence-id number action accept rate-limit policer reference
	Tree	policer
	Reference	acl policers policer name
	Configurable	True
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

system-cpu-policer reference


	Description	Reference to a system-cpu-policer.
	Context	acl acl-filter name string type keyword entry sequence-id number action accept rate-limit system-cpu-policer reference
	Tree	system-cpu-policer
	Reference	acl policers system-cpu-policer name
	Configurable	True
	Platforms	Supported on all platforms

copy


	Description	Create a copy of matching packets extract them to the CPM and deliver them to the designated veth interface
	Context	acl acl-filter name string type keyword entry sequence-id number action copy
	Tree	copy
	Configurable	True
	Platforms	Supported on all platforms

drop


	Description	Drop matching packets. Dropped IP packets do not result in sending ICMP messages back to the source
	Context	acl acl-filter name string type keyword entry sequence-id number action drop
	Tree	drop
	Configurable	True
	Platforms	Supported on all platforms

log boolean


	Description	When this is true, a log is created for each packet matching the entry For IP packets matched by an IP filter entry the log entry contains the following information:
	Context	acl acl-filter name string type keyword entry sequence-id number action log boolean
	Tree	log
	Default	false
	Configurable	True
	Platforms	Supported on all platforms

description string


	Description	Description string for the filter entry
	Context	acl acl-filter name string type keyword entry sequence-id number description string
	Tree	description
	String Length	1 to 255
	Configurable	True
	Platforms	Supported on all platforms

last-clear string


	Description	Time of the last clear command performed by the user at this level
	Context	acl acl-filter name string type keyword entry sequence-id number last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

match


	Description	Container for the conditions that determine whether a packet matches this entry
	Context	acl acl-filter name string type keyword entry sequence-id number match
	Tree	match
	Configurable	True
	Platforms	Supported on all platforms

ipv4


	Description	Container for the common layer-3 IPv4 match criteria
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4
	Tree	ipv4
	Configurable	True
	Platforms	Supported on all platforms

destination-ip


	Description	Packet matching criteria based on destination IPv4 address
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 destination-ip
	Tree	destination-ip
	Configurable	True
	Platforms	Supported on all platforms

address string


	Description	Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 destination-ip address string
	Tree	address
	Configurable	True
	Platforms	Supported on all platforms

mask string


	Description	Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 destination-ip mask string
	Tree	mask
	Configurable	True
	Platforms	Supported on all platforms

prefix string


	Description	Match a packet if its destination IP address is within the specified IPv4 prefix.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 destination-ip prefix string
	Tree	prefix
	Configurable	True
	Platforms	Supported on all platforms

dscp-set (number | keyword)


	Description	A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 dscp-set (number \| keyword)
	Tree	dscp-set
	Range	0 to 63
	Options	CS0 LE CS1 AF11 AF12 AF13 CS2 AF21 AF22 AF23 CS3 AF31 AF32 AF33 CS4 AF41 AF42 AF43 CS5 EF CS6 CS7
	Configurable	True
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

first-fragment boolean


	Description	Match the first fragment of an IPv4 datagram A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 first-fragment boolean
	Tree	first-fragment
	Configurable	True
	Platforms	Supported on all platforms

fragment boolean


	Description	Match an IPv4 fragment A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and and the more-fragments bit is 1 or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 fragment boolean
	Tree	fragment
	Configurable	True
	Platforms	Supported on all platforms

icmp


	Description	A packet matches this condition if its ICMP type and code matches one of the specified combinations The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 icmp
	Tree	icmp
	Configurable	True
	Platforms	Supported on all platforms

code number


	Description	Match if the ICMP code value is any value in the list Requires ICMP type to be specified because codes are type dependent.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 icmp code number
	Tree	code
	Configurable	True
	Platforms	Supported on all platforms

type (number | keyword)


	Description	Match a single ICMP type value.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 icmp type (number \| keyword)
	Tree	type
	Range	0 to 255
	Options	echo-reply ICMP Echo Reply dest-unreachable ICMP Destination Unreachable source-quench ICMP Source Quench redirect ICMP Redirect echo ICMP Echo router-advertise ICMP Router Advertisement router-solicit ICMP Router Solicitation time-exceeded ICMP Time Exceeded param-problem ICMP Parameter Problem timestamp ICMP Timestamp timestamp-reply ICMP Timestamp Reply
	Configurable	True
	Platforms	Supported on all platforms

protocol (number | keyword)


	Description	An IPv4 packet matches this condition if its IP protocol type field matches the specified value
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 protocol (number \| keyword)
	Tree	protocol
	Range	0 to 255
	Options	ipv6-hop IPv6 hop-by-hop option icmp Internet Control Message Protocol igmp Internet Group Management Protocol ggp Gateway-to-Gateway Protocol ipv4 IPv4 encapsulation st Stream Protocol tcp Transmission Control Protocol egp Exterior Gateway Protocol igp Interior Gateway Protocol udp User Datagram Protocol ipv6 IPv6 encapsulation idrp Inter-Domain Routing Protocol rsvp Resource Reservation Protocol gre Generic Routing Encapsulation esp IPSec Encapsulating Security Payload ah IPSec Authentication Header icmp6 IPSec Authentication Header no-next-hdr No Next Header for IPv6 ipv6-dest-opts Destination Options for IPv6 eigrp Cisco EIGRP ospf OSPFv2 and OSPFv3 pim Protocol Independent Multicast vrrp Virtual Router Redundancy Protocol l2tp Layer Two Tunneling Protocol sctp Stream Control Transmission Protocol mpls-in-ip MPLS Encapsulation inside IP rohc Robust Header Compression
	Configurable	True
	Platforms	Supported on all platforms

source-ip


	Description	Packet matching criteria based on source IPv4 address
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 source-ip
	Tree	source-ip
	Configurable	True
	Platforms	Supported on all platforms

address string


	Description	Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 source-ip address string
	Tree	address
	Configurable	True
	Platforms	Supported on all platforms

mask string


	Description	Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 source-ip mask string
	Tree	mask
	Configurable	True
	Platforms	Supported on all platforms

prefix string


	Description	Match a packet if its source IP address is within the specified IPv4 prefix.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv4 source-ip prefix string
	Tree	prefix
	Configurable	True
	Platforms	Supported on all platforms

ipv6


	Description	Container for the common layer-3 IPv6 match criteria
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6
	Tree	ipv6
	Configurable	True
	Platforms	Supported on all platforms

destination-ip


	Description	Packet matching criteria based on destination IPv6 address
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 destination-ip
	Tree	destination-ip
	Configurable	True
	Platforms	Supported on all platforms

address string


	Description	Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 destination-ip address string
	Tree	address
	Configurable	True
	Platforms	Supported on all platforms

mask string


	Description	Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 destination-ip mask string
	Tree	mask
	Configurable	True
	Platforms	Supported on all platforms

prefix string


	Description	Match a packet if its destination IP address is within the specified IPv6 prefix.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 destination-ip prefix string
	Tree	prefix
	Configurable	True
	Platforms	Supported on all platforms

dscp-set (number | keyword)


	Description	A list of DSCP values to be matched for incoming packets. An OR match should be performed, such that a packet must match one of the values defined in this list. If the field is left empty then any DSCP value matches.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 dscp-set (number \| keyword)
	Tree	dscp-set
	Range	0 to 63
	Options	CS0 LE CS1 AF11 AF12 AF13 CS2 AF21 AF22 AF23 CS3 AF31 AF32 AF33 CS4 AF41 AF42 AF43 CS5 EF CS6 CS7
	Configurable	True
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

icmp6


	Description	A packet matches this condition if its ICMPv6 type and code matches one of the specified combinations The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 icmp6
	Tree	icmp6
	Configurable	True
	Platforms	Supported on all platforms

code number


	Description	Match if the ICMPv6 code value is any value in the list Requires ICMPv6 type to be specified because codes are type dependent.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 icmp6 code number
	Tree	code
	Configurable	True
	Platforms	Supported on all platforms

type (number | keyword)


	Description	Match a single ICMPv6 type value
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 icmp6 type (number \| keyword)
	Tree	type
	Range	0 to 255
	Options	dest-unreachable ICMPv6 Destination Unreachable packet-too-big ICMPv6 Packet Too Big time-exceeded ICMPv6 Time Exceeded param-problem Parameter Problem echo-request ICMPv6 Echo Request echo-reply ICMPv6 Echo Reply mld-query Multicast Listener Discovery Query mld-report Multicast Listener Discovery Report mld-done Multicast Listener Discovery Done router-solicit ICMPv6 Router Solicitation router-advertise ICMPv6 Router Advertisement neighbor-solicit ICMPv6 Neighbor Solicitation neighbor-advertise ICMPv6 Neighbor Advertisement redirect ICMPv6 Redirect router-renumber ICMPv6 Router Renumbering node-info-query ICMPv6 Node Information Query node-info-response ICMPv6 Node Information Response mld-v2 Multicast Listener Discovery Version 2 mcast-rtr-adv Multicast Router Advertisement mcast-rtr-solicit Multicast Router Solicitation mcast-rtr-term Multicast Router Termination
	Configurable	True
	Platforms	Supported on all platforms

next-header (number | keyword)


	Description	An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 next-header (number \| keyword)
	Tree	next-header
	Range	0 to 255
	Options	ipv6-hop IPv6 hop-by-hop option icmp Internet Control Message Protocol igmp Internet Group Management Protocol ggp Gateway-to-Gateway Protocol ipv4 IPv4 encapsulation st Stream Protocol tcp Transmission Control Protocol egp Exterior Gateway Protocol igp Interior Gateway Protocol udp User Datagram Protocol ipv6 IPv6 encapsulation idrp Inter-Domain Routing Protocol rsvp Resource Reservation Protocol gre Generic Routing Encapsulation esp IPSec Encapsulating Security Payload ah IPSec Authentication Header icmp6 IPSec Authentication Header no-next-hdr No Next Header for IPv6 ipv6-dest-opts Destination Options for IPv6 eigrp Cisco EIGRP ospf OSPFv2 and OSPFv3 pim Protocol Independent Multicast vrrp Virtual Router Redundancy Protocol l2tp Layer Two Tunneling Protocol sctp Stream Control Transmission Protocol mpls-in-ip MPLS Encapsulation inside IP rohc Robust Header Compression
	Configurable	True
	Platforms	Supported on all platforms

source-ip


	Description	Packet matching criteria based on source IPv6 address
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 source-ip
	Tree	source-ip
	Configurable	True
	Platforms	Supported on all platforms

address string


	Description	Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 source-ip address string
	Tree	address
	Configurable	True
	Platforms	Supported on all platforms

mask string


	Description	Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 source-ip mask string
	Tree	mask
	Configurable	True
	Platforms	Supported on all platforms

prefix string


	Description	Match a packet if its source IP address is within the specified IPv6 prefix.
	Context	acl acl-filter name string type keyword entry sequence-id number match ipv6 source-ip prefix string
	Tree	prefix
	Configurable	True
	Platforms	Supported on all platforms

l2


	Description	Container for the common layer-2 match criteria
	Context	acl acl-filter name string type keyword entry sequence-id number match l2
	Tree	l2
	Configurable	True
	Platforms	Supported on all platforms

destination-mac


	Description	Ethernet frame matching criteria based on destination MAC address
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 destination-mac
	Tree	destination-mac
	Configurable	True
	Platforms	Supported on all platforms

address string


	Description	Match an Ethernet frame if its destination MAC address logically anded with the mask equals this MAC address.
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 destination-mac address string
	Tree	address
	Configurable	True
	Platforms	Supported on all platforms

mask string


	Description	Match an Ethernet frame if its destination MAC address logically anded with the mask equals the configured MAC address.
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 destination-mac mask string
	Tree	mask
	Configurable	True
	Platforms	Supported on all platforms

ethertype (string | keyword)


	Description	An Ethernet frame matches this condition if its ethertype value (after 802.1Q VLAN tags) matches the specified value
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 ethertype (string \| keyword)
	Tree	ethertype
	Options	ipv4 Internet Protocol version 4. Ethertype 0x0800. arp Address Resolution Protocol. Ethertype 0x0806. ipv6 Internet Protocol version 6. Ethertype 0x86DD. flow-control Ethernet flow control PAUSE frames. Ethertype 0x8808 lacp LACP. Ethertype 0x8809. mpls-unicast MPLS unicast. Ethertype 0x8847. mpls-multicast MPLS multicast. Ethertype 0x8848. pppoe-discovery PPPoE discovery. Ethertype 0x8863. pppoe-session PPPoE session. Ethertype 0x8864. 8021x-authentication 802.1x authentication (EAP). Ethertype 0x888E. lldp Link Layer Discovery Protocol. Ethertype 0x88CC. macsec IEEE 802.1AE MAC security. Ethertype 0x88E5. pbb Provider Backbone Bridging. Ethertype 0x88E7. ptp Precision Time Protocol. Ethertype 0x88F7. eth-oam IEEE 802.1ag CFM and ITU-T Y.1731 OAM. Ethertype 0x8902. fcoe Fibre Channel over Ethernet. Ethertype 0x8906. fcoe-initialization Fibre Channel over Ethernet Initialization Protocol. Ethertype 0x8914. roce RDMA over Converged Ethernet. Ethertype 0x8915.
	Configurable	True
	Platforms	Supported on all platforms

source-mac


	Description	Ethernet frame matching criteria based on source MAC address
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 source-mac
	Tree	source-mac
	Configurable	True
	Platforms	Supported on all platforms

address string


	Description	Match an Ethernet frame if its source MAC address logically anded with the mask equals this MAC address.
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 source-mac address string
	Tree	address
	Configurable	True
	Platforms	Supported on all platforms

mask string


	Description	Match an Ethernet frame if its source MAC address logically anded with the mask equals the configured MAC address.
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 source-mac mask string
	Tree	mask
	Configurable	True
	Platforms	Supported on all platforms

vlan


	Description	Ethernet frame matching criteria based on VLAN tags
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 vlan
	Tree	vlan
	Configurable	True
	Platforms	Supported on all platforms

outermost-vlan-id


	Description	Ethernet frame matching criteria based on the outermost VLAN ID found before the subinterface-defining VLAN tag (if any) is removed.
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 vlan outermost-vlan-id
	Tree	outermost-vlan-id
	Configurable	True
	Platforms	Supported on all platforms

none


	Description	When configured, only untagged frames are matched.
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 vlan outermost-vlan-id none
	Tree	none
	Configurable	True
	Platforms	Supported on all platforms

operator keyword


	Description	Comparison operator eq = equal ge = greater than or equal to le = less than or equal to
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 vlan outermost-vlan-id operator keyword
	Tree	operator
	Options	le Less than or equal. ge Greater than or equal. eq Equal to.
	Configurable	True
	Platforms	Supported on all platforms

range


	Description	Container used to specify a contiguous range of VLAN IDs. Matched values include the start and end values.
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 vlan outermost-vlan-id range
	Tree	range
	Configurable	True
	Platforms	Supported on all platforms

end number


	Description	The ending VLAN ID to include in the range
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 vlan outermost-vlan-id range end number
	Tree	end
	Range	0 to 4095
	Configurable	True
	Platforms	Supported on all platforms

start number


	Description	The starting VLAN ID to include in the range
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 vlan outermost-vlan-id range start number
	Tree	start
	Range	0 to 4095
	Configurable	True
	Platforms	Supported on all platforms

value number


	Description	A VLAN ID number A value of zero is used to match priority-tagged 802.1Q frames.
	Context	acl acl-filter name string type keyword entry sequence-id number match l2 vlan outermost-vlan-id value number
	Tree	value
	Range	0 to 4095
	Configurable	True
	Platforms	Supported on all platforms

transport


	Description	Container for the common layer-4 transport match criteria
	Context	acl acl-filter name string type keyword entry sequence-id number match transport
	Tree	transport
	Configurable	True
	Platforms	Supported on all platforms

destination-port


	Description	A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly.
	Context	acl acl-filter name string type keyword entry sequence-id number match transport destination-port
	Tree	destination-port
	Configurable	True
	Platforms	Supported on all platforms

operator keyword


	Description	Comparison operator eq = equal ge = greater than or equal to le = less than or equal to
	Context	acl acl-filter name string type keyword entry sequence-id number match transport destination-port operator keyword
	Tree	operator
	Options	le Less than or equal. ge Greater than or equal. eq Equal to.
	Configurable	True
	Platforms	Supported on all platforms

range


	Description	Container used to specify a contiguous range of TCP/UDP port numbers
	Context	acl acl-filter name string type keyword entry sequence-id number match transport destination-port range
	Tree	range
	Configurable	True
	Platforms	Supported on all platforms

end (number | keyword)


	Description	The ending port number to include in the range
	Context	acl acl-filter name string type keyword entry sequence-id number match transport destination-port range end (number \| keyword)
	Tree	end
	Range	0 to 65535
	Options	acap Application Configuration Access Protocol afp-tcp Apple Filing Protocol over TCP arns A Remote Network Server System asf-rmcp ASF Remote Management and Control Protocol & IPMI Remote Management Protocol ashare AppleShare IP Web Administration atalk-rm AppleTalk Routing Maintenance aurp AppleTalk Update-Based Routing Protocol auth Authentication Service bfd Bidirectional Forwarding Detection Single Hop bfd-echo BFD Echo bftp Background File Transfer Program bgmp Border Gateway Multicast Protocol bgp Border Gateway Protocol bootpc Bootstrap Protocol (BOOTP) Client and DHCP Client bootps Bootstrap Protocol (BOOTP) Server and DHCP Server ccso-ns CCSO Nameserver chargen Character Generator Protocol (CHARGEN) cisco-tdp Cisco Tag Distribution Protocol citadel Citadel clearcase ClearCase albd commerce Commerce Applications courier Remote Procedure Call daytime Daytime Protocol dhcpv6-client DHCPv6 Client dhcpv6-server DHCPv6 Server dhcp-failover DHCP Failover Protocol dicom Digital Imaging and Communications in Medicine discard Discard Protocol. Also Wake-on-LAN. dnsix DNSIX security protocol auditing domain Domain Name System dsp Display Support Protocol echo Echo Protocol epp Extensible Provisioning Protocol esro Efficient Short Remote Operations (ESRO) exec Remote Process Execution (Rexec) finger Finger protocol ftp File Transfer Protocol control ftp-data File Transfer Protocol data ftps FTPS (FTP over SSL/TLS) control ftps-data FTPS (FTP over SSL/TLS) data godi Group Domain Of Interpretation (GDOI) protocol gopher Gopher protocol gtp-c GTP control messages (GTP-C) gtp-prime GTP prime CDR logging protocol gtp-u GTP user data messages (GTP-U) ha-cluster Linux-HA high-availability heartbeat hostname NIC hostname server hp-alarm-mgr HP data alarm manager http Hypertext Transfer Protocol http-alt FileMaker Web Sharing (HTTP Alternate) http-mgmt http-mgmt http-rpc Remote procedure call over Hypertext Transfer Protocol https Hypertext Transfer Protocol over TLS/SSL ieee-mms-ssl IEEE Media Management System over SSL imap Internet Message Access Protocol (IMAP) imap3 Internet Message Access Protocol (IMAP), version 3 imaps Internet Message Access Protocol over TLS/SSL ipp Internet Printing Protocol ipsec Internet Protocol Security (IPSec) ipx Internetwork Packet Exchange (IPX) irc Internet Relay Chat (IRC) iris-beep IRIS (Internet Registry Information Service) over BEEP isakmp Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) isakmp-nat IPSec NAT Traversal iscsi iSCSI iso-tsap ISO Transport Service Access Point (TSAP) Class 0 protocol kerberos Kerberos authentication system kerberos-adm Kerberos administration klogin Kerberos login kpasswd Kerberos Change/Set password kshell Kerberos Remote shell l2tp Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP) ldap Lightweight Directory Access Protocol (LDAP) ldaps Lightweight Directory Access Protocol over TLS/SSL (LDAPS) ldp Label Distribution Protocol lmp Link Management Protocol (LMP) login rlogin (TCP) or Who (UDP) lpd Line Printer Daemon lsp-ping MPLS LSP-echo mac-server-adm Mac OS X Server administration matip-a Mapping of Airline Traffic over Internet Protocol (MATIP) type A matip-b Mapping of Airline Traffic over Internet Protocol (MATIP) type B micro-bfd BFD session over each LAG member link microsoft-ds Microsoft Directory Services mobile-ip Mobile IP Agent monitor Monitor mpp Message posting protocol (MPP) mssql-m Microsoft SQL Server database management system (MSSQL) monitor mssql-s Microsoft SQL Server database management system (MSSQL) server msdp Multicast Source Discovery Protocol ms-exchange MS Exchange Routing msp Message Send Protocol multihop-bfd Bidirectional Forwarding Detection Multi-Hop nas Netnews Administration System (NAS) ncp NetWare Core Protocol netrjs-1 NETRJS protocol netrjs-2 NETRJS protocol netrjs-3 NETRJS protocol netrjs-4 NETRJS protocol netbios-data NetBIOS Datagram Service netbios-ns NetBIOS Name Service netbios-ss NetBIOS Session Service netnews Netnews netwall netwall, for Emergency Broadcasts new-rwho new-rwho, new-who nfs Network File System (NFS) nntp Network News Transfer Protocol (NNTP) nntps Network News Transfer Protocol over TLS/SSL (NNTPS) ntp Network Time Protocol (NTP) odmr On-Demand Mail Relay (ODMR) olsr Optimized Link State Routing (OLSR) openvpn OpenVPN pim-auto-rp PIM Auto-RP pkix-timestamp PKIX Time Stamp Protocol (TSP) pop2 Post Office Protocol, version 2 (POP2) pop3 Post Office Protocol, version 3 (POP3) pop3s Post Office Protocol 3 over TLS/SSL (POP3S) pptp Point-to-Point Tunneling Protocol (PPTP) ptp-event Precision Time Protocol (PTP) event messages ptp-general Precision Time Protocol (PTP) general messages print-srv Network PostScript print server qmtp Quick Mail Transfer Protocol qotd Quote of the Day (QOTD) radius RADIUS authentication protocol radius-acct RADIUS accounting protocol remote-mail Remote Mail Checking Protocol remotefs Remotefs, RFS Server remotecmd SupportSoft Nexus Remote Command rip Routing Information Protocol rje Remote Job Entry rlp Resource Location Protocol rlzdb RLZ DBase rmc IBM RMC (Remote monitoring and Control) protocol rmonitor rmonitor, Remote Monitor rpc2portmap Rpc2portmap rsync rsync file synchronization protocol rtelnet Remote User Telnet Service (RTelnet) rtsp Real Time Streaming Protocol (RTSP) sgmp Simple Gateway Monitoring Protocol (SGMP) silc Secure Internet Live Conferencing (SILC) smux SNMP multiplexing protocol (SMUX) sna-gw IBM Systems Network Architecture (SNA) gateway access server snmp Simple Network Management Protocol (SNMP) snmp-trap SNMP Traps snpp Simple Network Paging Protocol (SNPP) smtp Simple Mail Transfer Protocol (SMTP) sql-svcs Structured Query Language (SQL) Services sql Structured Query Language (SQL) Service ssh Secure Shell Protocol submission Email message submission (SMTP) sunrpc Open Network Computing Remote Procedure Call (ONC RPC), also Sun RPC svcloc Service Location Protocol (SLP) syslog Syslog (UDP) and Remote Shell (TCP) systat Active Users (systat service) tacacs TACACS Login Host protocol talk Talk tcpmux TCP Port Service Multiplexer (TCPMUX) tcpnethaspsrv tcpnethaspsrv, Aladdin Knowledge Systems Hasp services tftp Trivial File Transfer Protocol (TFTP) time Time Protocol timed Timeserver ups Uninterruptible power supply (UPS) xdmcp X Display Manager Control Protocol (XDMCP) xns-ch Xerox Network Systems (XNS) Clearinghouse (Name Server) xns-mail Xerox Network Systems (XNS) Mail xns-time Xerox Network Systems (XNS) Time Protocol z3950 ANSI Z39.50
	Configurable	True
	Platforms	Supported on all platforms

start (number | keyword)


	Description	The starting port number to include in the range
	Context	acl acl-filter name string type keyword entry sequence-id number match transport destination-port range start (number \| keyword)
	Tree	start
	Range	0 to 65535
	Options	acap Application Configuration Access Protocol afp-tcp Apple Filing Protocol over TCP arns A Remote Network Server System asf-rmcp ASF Remote Management and Control Protocol & IPMI Remote Management Protocol ashare AppleShare IP Web Administration atalk-rm AppleTalk Routing Maintenance aurp AppleTalk Update-Based Routing Protocol auth Authentication Service bfd Bidirectional Forwarding Detection Single Hop bfd-echo BFD Echo bftp Background File Transfer Program bgmp Border Gateway Multicast Protocol bgp Border Gateway Protocol bootpc Bootstrap Protocol (BOOTP) Client and DHCP Client bootps Bootstrap Protocol (BOOTP) Server and DHCP Server ccso-ns CCSO Nameserver chargen Character Generator Protocol (CHARGEN) cisco-tdp Cisco Tag Distribution Protocol citadel Citadel clearcase ClearCase albd commerce Commerce Applications courier Remote Procedure Call daytime Daytime Protocol dhcpv6-client DHCPv6 Client dhcpv6-server DHCPv6 Server dhcp-failover DHCP Failover Protocol dicom Digital Imaging and Communications in Medicine discard Discard Protocol. Also Wake-on-LAN. dnsix DNSIX security protocol auditing domain Domain Name System dsp Display Support Protocol echo Echo Protocol epp Extensible Provisioning Protocol esro Efficient Short Remote Operations (ESRO) exec Remote Process Execution (Rexec) finger Finger protocol ftp File Transfer Protocol control ftp-data File Transfer Protocol data ftps FTPS (FTP over SSL/TLS) control ftps-data FTPS (FTP over SSL/TLS) data godi Group Domain Of Interpretation (GDOI) protocol gopher Gopher protocol gtp-c GTP control messages (GTP-C) gtp-prime GTP prime CDR logging protocol gtp-u GTP user data messages (GTP-U) ha-cluster Linux-HA high-availability heartbeat hostname NIC hostname server hp-alarm-mgr HP data alarm manager http Hypertext Transfer Protocol http-alt FileMaker Web Sharing (HTTP Alternate) http-mgmt http-mgmt http-rpc Remote procedure call over Hypertext Transfer Protocol https Hypertext Transfer Protocol over TLS/SSL ieee-mms-ssl IEEE Media Management System over SSL imap Internet Message Access Protocol (IMAP) imap3 Internet Message Access Protocol (IMAP), version 3 imaps Internet Message Access Protocol over TLS/SSL ipp Internet Printing Protocol ipsec Internet Protocol Security (IPSec) ipx Internetwork Packet Exchange (IPX) irc Internet Relay Chat (IRC) iris-beep IRIS (Internet Registry Information Service) over BEEP isakmp Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) isakmp-nat IPSec NAT Traversal iscsi iSCSI iso-tsap ISO Transport Service Access Point (TSAP) Class 0 protocol kerberos Kerberos authentication system kerberos-adm Kerberos administration klogin Kerberos login kpasswd Kerberos Change/Set password kshell Kerberos Remote shell l2tp Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP) ldap Lightweight Directory Access Protocol (LDAP) ldaps Lightweight Directory Access Protocol over TLS/SSL (LDAPS) ldp Label Distribution Protocol lmp Link Management Protocol (LMP) login rlogin (TCP) or Who (UDP) lpd Line Printer Daemon lsp-ping MPLS LSP-echo mac-server-adm Mac OS X Server administration matip-a Mapping of Airline Traffic over Internet Protocol (MATIP) type A matip-b Mapping of Airline Traffic over Internet Protocol (MATIP) type B micro-bfd BFD session over each LAG member link microsoft-ds Microsoft Directory Services mobile-ip Mobile IP Agent monitor Monitor mpp Message posting protocol (MPP) mssql-m Microsoft SQL Server database management system (MSSQL) monitor mssql-s Microsoft SQL Server database management system (MSSQL) server msdp Multicast Source Discovery Protocol ms-exchange MS Exchange Routing msp Message Send Protocol multihop-bfd Bidirectional Forwarding Detection Multi-Hop nas Netnews Administration System (NAS) ncp NetWare Core Protocol netrjs-1 NETRJS protocol netrjs-2 NETRJS protocol netrjs-3 NETRJS protocol netrjs-4 NETRJS protocol netbios-data NetBIOS Datagram Service netbios-ns NetBIOS Name Service netbios-ss NetBIOS Session Service netnews Netnews netwall netwall, for Emergency Broadcasts new-rwho new-rwho, new-who nfs Network File System (NFS) nntp Network News Transfer Protocol (NNTP) nntps Network News Transfer Protocol over TLS/SSL (NNTPS) ntp Network Time Protocol (NTP) odmr On-Demand Mail Relay (ODMR) olsr Optimized Link State Routing (OLSR) openvpn OpenVPN pim-auto-rp PIM Auto-RP pkix-timestamp PKIX Time Stamp Protocol (TSP) pop2 Post Office Protocol, version 2 (POP2) pop3 Post Office Protocol, version 3 (POP3) pop3s Post Office Protocol 3 over TLS/SSL (POP3S) pptp Point-to-Point Tunneling Protocol (PPTP) ptp-event Precision Time Protocol (PTP) event messages ptp-general Precision Time Protocol (PTP) general messages print-srv Network PostScript print server qmtp Quick Mail Transfer Protocol qotd Quote of the Day (QOTD) radius RADIUS authentication protocol radius-acct RADIUS accounting protocol remote-mail Remote Mail Checking Protocol remotefs Remotefs, RFS Server remotecmd SupportSoft Nexus Remote Command rip Routing Information Protocol rje Remote Job Entry rlp Resource Location Protocol rlzdb RLZ DBase rmc IBM RMC (Remote monitoring and Control) protocol rmonitor rmonitor, Remote Monitor rpc2portmap Rpc2portmap rsync rsync file synchronization protocol rtelnet Remote User Telnet Service (RTelnet) rtsp Real Time Streaming Protocol (RTSP) sgmp Simple Gateway Monitoring Protocol (SGMP) silc Secure Internet Live Conferencing (SILC) smux SNMP multiplexing protocol (SMUX) sna-gw IBM Systems Network Architecture (SNA) gateway access server snmp Simple Network Management Protocol (SNMP) snmp-trap SNMP Traps snpp Simple Network Paging Protocol (SNPP) smtp Simple Mail Transfer Protocol (SMTP) sql-svcs Structured Query Language (SQL) Services sql Structured Query Language (SQL) Service ssh Secure Shell Protocol submission Email message submission (SMTP) sunrpc Open Network Computing Remote Procedure Call (ONC RPC), also Sun RPC svcloc Service Location Protocol (SLP) syslog Syslog (UDP) and Remote Shell (TCP) systat Active Users (systat service) tacacs TACACS Login Host protocol talk Talk tcpmux TCP Port Service Multiplexer (TCPMUX) tcpnethaspsrv tcpnethaspsrv, Aladdin Knowledge Systems Hasp services tftp Trivial File Transfer Protocol (TFTP) time Time Protocol timed Timeserver ups Uninterruptible power supply (UPS) xdmcp X Display Manager Control Protocol (XDMCP) xns-ch Xerox Network Systems (XNS) Clearinghouse (Name Server) xns-mail Xerox Network Systems (XNS) Mail xns-time Xerox Network Systems (XNS) Time Protocol z3950 ANSI Z39.50
	Configurable	True
	Platforms	Supported on all platforms

value (number | keyword)


	Description	A destination port number
	Context	acl acl-filter name string type keyword entry sequence-id number match transport destination-port value (number \| keyword)
	Tree	value
	Range	0 to 65535
	Options	acap Application Configuration Access Protocol afp-tcp Apple Filing Protocol over TCP arns A Remote Network Server System asf-rmcp ASF Remote Management and Control Protocol & IPMI Remote Management Protocol ashare AppleShare IP Web Administration atalk-rm AppleTalk Routing Maintenance aurp AppleTalk Update-Based Routing Protocol auth Authentication Service bfd Bidirectional Forwarding Detection Single Hop bfd-echo BFD Echo bftp Background File Transfer Program bgmp Border Gateway Multicast Protocol bgp Border Gateway Protocol bootpc Bootstrap Protocol (BOOTP) Client and DHCP Client bootps Bootstrap Protocol (BOOTP) Server and DHCP Server ccso-ns CCSO Nameserver chargen Character Generator Protocol (CHARGEN) cisco-tdp Cisco Tag Distribution Protocol citadel Citadel clearcase ClearCase albd commerce Commerce Applications courier Remote Procedure Call daytime Daytime Protocol dhcpv6-client DHCPv6 Client dhcpv6-server DHCPv6 Server dhcp-failover DHCP Failover Protocol dicom Digital Imaging and Communications in Medicine discard Discard Protocol. Also Wake-on-LAN. dnsix DNSIX security protocol auditing domain Domain Name System dsp Display Support Protocol echo Echo Protocol epp Extensible Provisioning Protocol esro Efficient Short Remote Operations (ESRO) exec Remote Process Execution (Rexec) finger Finger protocol ftp File Transfer Protocol control ftp-data File Transfer Protocol data ftps FTPS (FTP over SSL/TLS) control ftps-data FTPS (FTP over SSL/TLS) data godi Group Domain Of Interpretation (GDOI) protocol gopher Gopher protocol gtp-c GTP control messages (GTP-C) gtp-prime GTP prime CDR logging protocol gtp-u GTP user data messages (GTP-U) ha-cluster Linux-HA high-availability heartbeat hostname NIC hostname server hp-alarm-mgr HP data alarm manager http Hypertext Transfer Protocol http-alt FileMaker Web Sharing (HTTP Alternate) http-mgmt http-mgmt http-rpc Remote procedure call over Hypertext Transfer Protocol https Hypertext Transfer Protocol over TLS/SSL ieee-mms-ssl IEEE Media Management System over SSL imap Internet Message Access Protocol (IMAP) imap3 Internet Message Access Protocol (IMAP), version 3 imaps Internet Message Access Protocol over TLS/SSL ipp Internet Printing Protocol ipsec Internet Protocol Security (IPSec) ipx Internetwork Packet Exchange (IPX) irc Internet Relay Chat (IRC) iris-beep IRIS (Internet Registry Information Service) over BEEP isakmp Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) isakmp-nat IPSec NAT Traversal iscsi iSCSI iso-tsap ISO Transport Service Access Point (TSAP) Class 0 protocol kerberos Kerberos authentication system kerberos-adm Kerberos administration klogin Kerberos login kpasswd Kerberos Change/Set password kshell Kerberos Remote shell l2tp Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP) ldap Lightweight Directory Access Protocol (LDAP) ldaps Lightweight Directory Access Protocol over TLS/SSL (LDAPS) ldp Label Distribution Protocol lmp Link Management Protocol (LMP) login rlogin (TCP) or Who (UDP) lpd Line Printer Daemon lsp-ping MPLS LSP-echo mac-server-adm Mac OS X Server administration matip-a Mapping of Airline Traffic over Internet Protocol (MATIP) type A matip-b Mapping of Airline Traffic over Internet Protocol (MATIP) type B micro-bfd BFD session over each LAG member link microsoft-ds Microsoft Directory Services mobile-ip Mobile IP Agent monitor Monitor mpp Message posting protocol (MPP) mssql-m Microsoft SQL Server database management system (MSSQL) monitor mssql-s Microsoft SQL Server database management system (MSSQL) server msdp Multicast Source Discovery Protocol ms-exchange MS Exchange Routing msp Message Send Protocol multihop-bfd Bidirectional Forwarding Detection Multi-Hop nas Netnews Administration System (NAS) ncp NetWare Core Protocol netrjs-1 NETRJS protocol netrjs-2 NETRJS protocol netrjs-3 NETRJS protocol netrjs-4 NETRJS protocol netbios-data NetBIOS Datagram Service netbios-ns NetBIOS Name Service netbios-ss NetBIOS Session Service netnews Netnews netwall netwall, for Emergency Broadcasts new-rwho new-rwho, new-who nfs Network File System (NFS) nntp Network News Transfer Protocol (NNTP) nntps Network News Transfer Protocol over TLS/SSL (NNTPS) ntp Network Time Protocol (NTP) odmr On-Demand Mail Relay (ODMR) olsr Optimized Link State Routing (OLSR) openvpn OpenVPN pim-auto-rp PIM Auto-RP pkix-timestamp PKIX Time Stamp Protocol (TSP) pop2 Post Office Protocol, version 2 (POP2) pop3 Post Office Protocol, version 3 (POP3) pop3s Post Office Protocol 3 over TLS/SSL (POP3S) pptp Point-to-Point Tunneling Protocol (PPTP) ptp-event Precision Time Protocol (PTP) event messages ptp-general Precision Time Protocol (PTP) general messages print-srv Network PostScript print server qmtp Quick Mail Transfer Protocol qotd Quote of the Day (QOTD) radius RADIUS authentication protocol radius-acct RADIUS accounting protocol remote-mail Remote Mail Checking Protocol remotefs Remotefs, RFS Server remotecmd SupportSoft Nexus Remote Command rip Routing Information Protocol rje Remote Job Entry rlp Resource Location Protocol rlzdb RLZ DBase rmc IBM RMC (Remote monitoring and Control) protocol rmonitor rmonitor, Remote Monitor rpc2portmap Rpc2portmap rsync rsync file synchronization protocol rtelnet Remote User Telnet Service (RTelnet) rtsp Real Time Streaming Protocol (RTSP) sgmp Simple Gateway Monitoring Protocol (SGMP) silc Secure Internet Live Conferencing (SILC) smux SNMP multiplexing protocol (SMUX) sna-gw IBM Systems Network Architecture (SNA) gateway access server snmp Simple Network Management Protocol (SNMP) snmp-trap SNMP Traps snpp Simple Network Paging Protocol (SNPP) smtp Simple Mail Transfer Protocol (SMTP) sql-svcs Structured Query Language (SQL) Services sql Structured Query Language (SQL) Service ssh Secure Shell Protocol submission Email message submission (SMTP) sunrpc Open Network Computing Remote Procedure Call (ONC RPC), also Sun RPC svcloc Service Location Protocol (SLP) syslog Syslog (UDP) and Remote Shell (TCP) systat Active Users (systat service) tacacs TACACS Login Host protocol talk Talk tcpmux TCP Port Service Multiplexer (TCPMUX) tcpnethaspsrv tcpnethaspsrv, Aladdin Knowledge Systems Hasp services tftp Trivial File Transfer Protocol (TFTP) time Time Protocol timed Timeserver ups Uninterruptible power supply (UPS) xdmcp X Display Manager Control Protocol (XDMCP) xns-ch Xerox Network Systems (XNS) Clearinghouse (Name Server) xns-mail Xerox Network Systems (XNS) Mail xns-time Xerox Network Systems (XNS) Time Protocol z3950 ANSI Z39.50
	Configurable	True
	Platforms	Supported on all platforms

source-port


	Description	A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly.
	Context	acl acl-filter name string type keyword entry sequence-id number match transport source-port
	Tree	source-port
	Configurable	True
	Platforms	Supported on all platforms

operator keyword


	Description	Comparison operator eq = equal ge = greater than or equal to le = less than or equal to
	Context	acl acl-filter name string type keyword entry sequence-id number match transport source-port operator keyword
	Tree	operator
	Options	le Less than or equal. ge Greater than or equal. eq Equal to.
	Configurable	True
	Platforms	Supported on all platforms

range


	Description	Container used to specify a contiguous range of TCP/UDP port numbers
	Context	acl acl-filter name string type keyword entry sequence-id number match transport source-port range
	Tree	range
	Configurable	True
	Platforms	Supported on all platforms

end (number | keyword)


	Description	The ending port number to include in the range
	Context	acl acl-filter name string type keyword entry sequence-id number match transport source-port range end (number \| keyword)
	Tree	end
	Range	0 to 65535
	Options	acap Application Configuration Access Protocol afp-tcp Apple Filing Protocol over TCP arns A Remote Network Server System asf-rmcp ASF Remote Management and Control Protocol & IPMI Remote Management Protocol ashare AppleShare IP Web Administration atalk-rm AppleTalk Routing Maintenance aurp AppleTalk Update-Based Routing Protocol auth Authentication Service bfd Bidirectional Forwarding Detection Single Hop bfd-echo BFD Echo bftp Background File Transfer Program bgmp Border Gateway Multicast Protocol bgp Border Gateway Protocol bootpc Bootstrap Protocol (BOOTP) Client and DHCP Client bootps Bootstrap Protocol (BOOTP) Server and DHCP Server ccso-ns CCSO Nameserver chargen Character Generator Protocol (CHARGEN) cisco-tdp Cisco Tag Distribution Protocol citadel Citadel clearcase ClearCase albd commerce Commerce Applications courier Remote Procedure Call daytime Daytime Protocol dhcpv6-client DHCPv6 Client dhcpv6-server DHCPv6 Server dhcp-failover DHCP Failover Protocol dicom Digital Imaging and Communications in Medicine discard Discard Protocol. Also Wake-on-LAN. dnsix DNSIX security protocol auditing domain Domain Name System dsp Display Support Protocol echo Echo Protocol epp Extensible Provisioning Protocol esro Efficient Short Remote Operations (ESRO) exec Remote Process Execution (Rexec) finger Finger protocol ftp File Transfer Protocol control ftp-data File Transfer Protocol data ftps FTPS (FTP over SSL/TLS) control ftps-data FTPS (FTP over SSL/TLS) data godi Group Domain Of Interpretation (GDOI) protocol gopher Gopher protocol gtp-c GTP control messages (GTP-C) gtp-prime GTP prime CDR logging protocol gtp-u GTP user data messages (GTP-U) ha-cluster Linux-HA high-availability heartbeat hostname NIC hostname server hp-alarm-mgr HP data alarm manager http Hypertext Transfer Protocol http-alt FileMaker Web Sharing (HTTP Alternate) http-mgmt http-mgmt http-rpc Remote procedure call over Hypertext Transfer Protocol https Hypertext Transfer Protocol over TLS/SSL ieee-mms-ssl IEEE Media Management System over SSL imap Internet Message Access Protocol (IMAP) imap3 Internet Message Access Protocol (IMAP), version 3 imaps Internet Message Access Protocol over TLS/SSL ipp Internet Printing Protocol ipsec Internet Protocol Security (IPSec) ipx Internetwork Packet Exchange (IPX) irc Internet Relay Chat (IRC) iris-beep IRIS (Internet Registry Information Service) over BEEP isakmp Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) isakmp-nat IPSec NAT Traversal iscsi iSCSI iso-tsap ISO Transport Service Access Point (TSAP) Class 0 protocol kerberos Kerberos authentication system kerberos-adm Kerberos administration klogin Kerberos login kpasswd Kerberos Change/Set password kshell Kerberos Remote shell l2tp Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP) ldap Lightweight Directory Access Protocol (LDAP) ldaps Lightweight Directory Access Protocol over TLS/SSL (LDAPS) ldp Label Distribution Protocol lmp Link Management Protocol (LMP) login rlogin (TCP) or Who (UDP) lpd Line Printer Daemon lsp-ping MPLS LSP-echo mac-server-adm Mac OS X Server administration matip-a Mapping of Airline Traffic over Internet Protocol (MATIP) type A matip-b Mapping of Airline Traffic over Internet Protocol (MATIP) type B micro-bfd BFD session over each LAG member link microsoft-ds Microsoft Directory Services mobile-ip Mobile IP Agent monitor Monitor mpp Message posting protocol (MPP) mssql-m Microsoft SQL Server database management system (MSSQL) monitor mssql-s Microsoft SQL Server database management system (MSSQL) server msdp Multicast Source Discovery Protocol ms-exchange MS Exchange Routing msp Message Send Protocol multihop-bfd Bidirectional Forwarding Detection Multi-Hop nas Netnews Administration System (NAS) ncp NetWare Core Protocol netrjs-1 NETRJS protocol netrjs-2 NETRJS protocol netrjs-3 NETRJS protocol netrjs-4 NETRJS protocol netbios-data NetBIOS Datagram Service netbios-ns NetBIOS Name Service netbios-ss NetBIOS Session Service netnews Netnews netwall netwall, for Emergency Broadcasts new-rwho new-rwho, new-who nfs Network File System (NFS) nntp Network News Transfer Protocol (NNTP) nntps Network News Transfer Protocol over TLS/SSL (NNTPS) ntp Network Time Protocol (NTP) odmr On-Demand Mail Relay (ODMR) olsr Optimized Link State Routing (OLSR) openvpn OpenVPN pim-auto-rp PIM Auto-RP pkix-timestamp PKIX Time Stamp Protocol (TSP) pop2 Post Office Protocol, version 2 (POP2) pop3 Post Office Protocol, version 3 (POP3) pop3s Post Office Protocol 3 over TLS/SSL (POP3S) pptp Point-to-Point Tunneling Protocol (PPTP) ptp-event Precision Time Protocol (PTP) event messages ptp-general Precision Time Protocol (PTP) general messages print-srv Network PostScript print server qmtp Quick Mail Transfer Protocol qotd Quote of the Day (QOTD) radius RADIUS authentication protocol radius-acct RADIUS accounting protocol remote-mail Remote Mail Checking Protocol remotefs Remotefs, RFS Server remotecmd SupportSoft Nexus Remote Command rip Routing Information Protocol rje Remote Job Entry rlp Resource Location Protocol rlzdb RLZ DBase rmc IBM RMC (Remote monitoring and Control) protocol rmonitor rmonitor, Remote Monitor rpc2portmap Rpc2portmap rsync rsync file synchronization protocol rtelnet Remote User Telnet Service (RTelnet) rtsp Real Time Streaming Protocol (RTSP) sgmp Simple Gateway Monitoring Protocol (SGMP) silc Secure Internet Live Conferencing (SILC) smux SNMP multiplexing protocol (SMUX) sna-gw IBM Systems Network Architecture (SNA) gateway access server snmp Simple Network Management Protocol (SNMP) snmp-trap SNMP Traps snpp Simple Network Paging Protocol (SNPP) smtp Simple Mail Transfer Protocol (SMTP) sql-svcs Structured Query Language (SQL) Services sql Structured Query Language (SQL) Service ssh Secure Shell Protocol submission Email message submission (SMTP) sunrpc Open Network Computing Remote Procedure Call (ONC RPC), also Sun RPC svcloc Service Location Protocol (SLP) syslog Syslog (UDP) and Remote Shell (TCP) systat Active Users (systat service) tacacs TACACS Login Host protocol talk Talk tcpmux TCP Port Service Multiplexer (TCPMUX) tcpnethaspsrv tcpnethaspsrv, Aladdin Knowledge Systems Hasp services tftp Trivial File Transfer Protocol (TFTP) time Time Protocol timed Timeserver ups Uninterruptible power supply (UPS) xdmcp X Display Manager Control Protocol (XDMCP) xns-ch Xerox Network Systems (XNS) Clearinghouse (Name Server) xns-mail Xerox Network Systems (XNS) Mail xns-time Xerox Network Systems (XNS) Time Protocol z3950 ANSI Z39.50
	Configurable	True
	Platforms	Supported on all platforms

start (number | keyword)


	Description	The starting port number to include in the range
	Context	acl acl-filter name string type keyword entry sequence-id number match transport source-port range start (number \| keyword)
	Tree	start
	Range	0 to 65535
	Options	acap Application Configuration Access Protocol afp-tcp Apple Filing Protocol over TCP arns A Remote Network Server System asf-rmcp ASF Remote Management and Control Protocol & IPMI Remote Management Protocol ashare AppleShare IP Web Administration atalk-rm AppleTalk Routing Maintenance aurp AppleTalk Update-Based Routing Protocol auth Authentication Service bfd Bidirectional Forwarding Detection Single Hop bfd-echo BFD Echo bftp Background File Transfer Program bgmp Border Gateway Multicast Protocol bgp Border Gateway Protocol bootpc Bootstrap Protocol (BOOTP) Client and DHCP Client bootps Bootstrap Protocol (BOOTP) Server and DHCP Server ccso-ns CCSO Nameserver chargen Character Generator Protocol (CHARGEN) cisco-tdp Cisco Tag Distribution Protocol citadel Citadel clearcase ClearCase albd commerce Commerce Applications courier Remote Procedure Call daytime Daytime Protocol dhcpv6-client DHCPv6 Client dhcpv6-server DHCPv6 Server dhcp-failover DHCP Failover Protocol dicom Digital Imaging and Communications in Medicine discard Discard Protocol. Also Wake-on-LAN. dnsix DNSIX security protocol auditing domain Domain Name System dsp Display Support Protocol echo Echo Protocol epp Extensible Provisioning Protocol esro Efficient Short Remote Operations (ESRO) exec Remote Process Execution (Rexec) finger Finger protocol ftp File Transfer Protocol control ftp-data File Transfer Protocol data ftps FTPS (FTP over SSL/TLS) control ftps-data FTPS (FTP over SSL/TLS) data godi Group Domain Of Interpretation (GDOI) protocol gopher Gopher protocol gtp-c GTP control messages (GTP-C) gtp-prime GTP prime CDR logging protocol gtp-u GTP user data messages (GTP-U) ha-cluster Linux-HA high-availability heartbeat hostname NIC hostname server hp-alarm-mgr HP data alarm manager http Hypertext Transfer Protocol http-alt FileMaker Web Sharing (HTTP Alternate) http-mgmt http-mgmt http-rpc Remote procedure call over Hypertext Transfer Protocol https Hypertext Transfer Protocol over TLS/SSL ieee-mms-ssl IEEE Media Management System over SSL imap Internet Message Access Protocol (IMAP) imap3 Internet Message Access Protocol (IMAP), version 3 imaps Internet Message Access Protocol over TLS/SSL ipp Internet Printing Protocol ipsec Internet Protocol Security (IPSec) ipx Internetwork Packet Exchange (IPX) irc Internet Relay Chat (IRC) iris-beep IRIS (Internet Registry Information Service) over BEEP isakmp Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) isakmp-nat IPSec NAT Traversal iscsi iSCSI iso-tsap ISO Transport Service Access Point (TSAP) Class 0 protocol kerberos Kerberos authentication system kerberos-adm Kerberos administration klogin Kerberos login kpasswd Kerberos Change/Set password kshell Kerberos Remote shell l2tp Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP) ldap Lightweight Directory Access Protocol (LDAP) ldaps Lightweight Directory Access Protocol over TLS/SSL (LDAPS) ldp Label Distribution Protocol lmp Link Management Protocol (LMP) login rlogin (TCP) or Who (UDP) lpd Line Printer Daemon lsp-ping MPLS LSP-echo mac-server-adm Mac OS X Server administration matip-a Mapping of Airline Traffic over Internet Protocol (MATIP) type A matip-b Mapping of Airline Traffic over Internet Protocol (MATIP) type B micro-bfd BFD session over each LAG member link microsoft-ds Microsoft Directory Services mobile-ip Mobile IP Agent monitor Monitor mpp Message posting protocol (MPP) mssql-m Microsoft SQL Server database management system (MSSQL) monitor mssql-s Microsoft SQL Server database management system (MSSQL) server msdp Multicast Source Discovery Protocol ms-exchange MS Exchange Routing msp Message Send Protocol multihop-bfd Bidirectional Forwarding Detection Multi-Hop nas Netnews Administration System (NAS) ncp NetWare Core Protocol netrjs-1 NETRJS protocol netrjs-2 NETRJS protocol netrjs-3 NETRJS protocol netrjs-4 NETRJS protocol netbios-data NetBIOS Datagram Service netbios-ns NetBIOS Name Service netbios-ss NetBIOS Session Service netnews Netnews netwall netwall, for Emergency Broadcasts new-rwho new-rwho, new-who nfs Network File System (NFS) nntp Network News Transfer Protocol (NNTP) nntps Network News Transfer Protocol over TLS/SSL (NNTPS) ntp Network Time Protocol (NTP) odmr On-Demand Mail Relay (ODMR) olsr Optimized Link State Routing (OLSR) openvpn OpenVPN pim-auto-rp PIM Auto-RP pkix-timestamp PKIX Time Stamp Protocol (TSP) pop2 Post Office Protocol, version 2 (POP2) pop3 Post Office Protocol, version 3 (POP3) pop3s Post Office Protocol 3 over TLS/SSL (POP3S) pptp Point-to-Point Tunneling Protocol (PPTP) ptp-event Precision Time Protocol (PTP) event messages ptp-general Precision Time Protocol (PTP) general messages print-srv Network PostScript print server qmtp Quick Mail Transfer Protocol qotd Quote of the Day (QOTD) radius RADIUS authentication protocol radius-acct RADIUS accounting protocol remote-mail Remote Mail Checking Protocol remotefs Remotefs, RFS Server remotecmd SupportSoft Nexus Remote Command rip Routing Information Protocol rje Remote Job Entry rlp Resource Location Protocol rlzdb RLZ DBase rmc IBM RMC (Remote monitoring and Control) protocol rmonitor rmonitor, Remote Monitor rpc2portmap Rpc2portmap rsync rsync file synchronization protocol rtelnet Remote User Telnet Service (RTelnet) rtsp Real Time Streaming Protocol (RTSP) sgmp Simple Gateway Monitoring Protocol (SGMP) silc Secure Internet Live Conferencing (SILC) smux SNMP multiplexing protocol (SMUX) sna-gw IBM Systems Network Architecture (SNA) gateway access server snmp Simple Network Management Protocol (SNMP) snmp-trap SNMP Traps snpp Simple Network Paging Protocol (SNPP) smtp Simple Mail Transfer Protocol (SMTP) sql-svcs Structured Query Language (SQL) Services sql Structured Query Language (SQL) Service ssh Secure Shell Protocol submission Email message submission (SMTP) sunrpc Open Network Computing Remote Procedure Call (ONC RPC), also Sun RPC svcloc Service Location Protocol (SLP) syslog Syslog (UDP) and Remote Shell (TCP) systat Active Users (systat service) tacacs TACACS Login Host protocol talk Talk tcpmux TCP Port Service Multiplexer (TCPMUX) tcpnethaspsrv tcpnethaspsrv, Aladdin Knowledge Systems Hasp services tftp Trivial File Transfer Protocol (TFTP) time Time Protocol timed Timeserver ups Uninterruptible power supply (UPS) xdmcp X Display Manager Control Protocol (XDMCP) xns-ch Xerox Network Systems (XNS) Clearinghouse (Name Server) xns-mail Xerox Network Systems (XNS) Mail xns-time Xerox Network Systems (XNS) Time Protocol z3950 ANSI Z39.50
	Configurable	True
	Platforms	Supported on all platforms

value (number | keyword)


	Description	A source port number
	Context	acl acl-filter name string type keyword entry sequence-id number match transport source-port value (number \| keyword)
	Tree	value
	Range	0 to 65535
	Options	acap Application Configuration Access Protocol afp-tcp Apple Filing Protocol over TCP arns A Remote Network Server System asf-rmcp ASF Remote Management and Control Protocol & IPMI Remote Management Protocol ashare AppleShare IP Web Administration atalk-rm AppleTalk Routing Maintenance aurp AppleTalk Update-Based Routing Protocol auth Authentication Service bfd Bidirectional Forwarding Detection Single Hop bfd-echo BFD Echo bftp Background File Transfer Program bgmp Border Gateway Multicast Protocol bgp Border Gateway Protocol bootpc Bootstrap Protocol (BOOTP) Client and DHCP Client bootps Bootstrap Protocol (BOOTP) Server and DHCP Server ccso-ns CCSO Nameserver chargen Character Generator Protocol (CHARGEN) cisco-tdp Cisco Tag Distribution Protocol citadel Citadel clearcase ClearCase albd commerce Commerce Applications courier Remote Procedure Call daytime Daytime Protocol dhcpv6-client DHCPv6 Client dhcpv6-server DHCPv6 Server dhcp-failover DHCP Failover Protocol dicom Digital Imaging and Communications in Medicine discard Discard Protocol. Also Wake-on-LAN. dnsix DNSIX security protocol auditing domain Domain Name System dsp Display Support Protocol echo Echo Protocol epp Extensible Provisioning Protocol esro Efficient Short Remote Operations (ESRO) exec Remote Process Execution (Rexec) finger Finger protocol ftp File Transfer Protocol control ftp-data File Transfer Protocol data ftps FTPS (FTP over SSL/TLS) control ftps-data FTPS (FTP over SSL/TLS) data godi Group Domain Of Interpretation (GDOI) protocol gopher Gopher protocol gtp-c GTP control messages (GTP-C) gtp-prime GTP prime CDR logging protocol gtp-u GTP user data messages (GTP-U) ha-cluster Linux-HA high-availability heartbeat hostname NIC hostname server hp-alarm-mgr HP data alarm manager http Hypertext Transfer Protocol http-alt FileMaker Web Sharing (HTTP Alternate) http-mgmt http-mgmt http-rpc Remote procedure call over Hypertext Transfer Protocol https Hypertext Transfer Protocol over TLS/SSL ieee-mms-ssl IEEE Media Management System over SSL imap Internet Message Access Protocol (IMAP) imap3 Internet Message Access Protocol (IMAP), version 3 imaps Internet Message Access Protocol over TLS/SSL ipp Internet Printing Protocol ipsec Internet Protocol Security (IPSec) ipx Internetwork Packet Exchange (IPX) irc Internet Relay Chat (IRC) iris-beep IRIS (Internet Registry Information Service) over BEEP isakmp Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) isakmp-nat IPSec NAT Traversal iscsi iSCSI iso-tsap ISO Transport Service Access Point (TSAP) Class 0 protocol kerberos Kerberos authentication system kerberos-adm Kerberos administration klogin Kerberos login kpasswd Kerberos Change/Set password kshell Kerberos Remote shell l2tp Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP) ldap Lightweight Directory Access Protocol (LDAP) ldaps Lightweight Directory Access Protocol over TLS/SSL (LDAPS) ldp Label Distribution Protocol lmp Link Management Protocol (LMP) login rlogin (TCP) or Who (UDP) lpd Line Printer Daemon lsp-ping MPLS LSP-echo mac-server-adm Mac OS X Server administration matip-a Mapping of Airline Traffic over Internet Protocol (MATIP) type A matip-b Mapping of Airline Traffic over Internet Protocol (MATIP) type B micro-bfd BFD session over each LAG member link microsoft-ds Microsoft Directory Services mobile-ip Mobile IP Agent monitor Monitor mpp Message posting protocol (MPP) mssql-m Microsoft SQL Server database management system (MSSQL) monitor mssql-s Microsoft SQL Server database management system (MSSQL) server msdp Multicast Source Discovery Protocol ms-exchange MS Exchange Routing msp Message Send Protocol multihop-bfd Bidirectional Forwarding Detection Multi-Hop nas Netnews Administration System (NAS) ncp NetWare Core Protocol netrjs-1 NETRJS protocol netrjs-2 NETRJS protocol netrjs-3 NETRJS protocol netrjs-4 NETRJS protocol netbios-data NetBIOS Datagram Service netbios-ns NetBIOS Name Service netbios-ss NetBIOS Session Service netnews Netnews netwall netwall, for Emergency Broadcasts new-rwho new-rwho, new-who nfs Network File System (NFS) nntp Network News Transfer Protocol (NNTP) nntps Network News Transfer Protocol over TLS/SSL (NNTPS) ntp Network Time Protocol (NTP) odmr On-Demand Mail Relay (ODMR) olsr Optimized Link State Routing (OLSR) openvpn OpenVPN pim-auto-rp PIM Auto-RP pkix-timestamp PKIX Time Stamp Protocol (TSP) pop2 Post Office Protocol, version 2 (POP2) pop3 Post Office Protocol, version 3 (POP3) pop3s Post Office Protocol 3 over TLS/SSL (POP3S) pptp Point-to-Point Tunneling Protocol (PPTP) ptp-event Precision Time Protocol (PTP) event messages ptp-general Precision Time Protocol (PTP) general messages print-srv Network PostScript print server qmtp Quick Mail Transfer Protocol qotd Quote of the Day (QOTD) radius RADIUS authentication protocol radius-acct RADIUS accounting protocol remote-mail Remote Mail Checking Protocol remotefs Remotefs, RFS Server remotecmd SupportSoft Nexus Remote Command rip Routing Information Protocol rje Remote Job Entry rlp Resource Location Protocol rlzdb RLZ DBase rmc IBM RMC (Remote monitoring and Control) protocol rmonitor rmonitor, Remote Monitor rpc2portmap Rpc2portmap rsync rsync file synchronization protocol rtelnet Remote User Telnet Service (RTelnet) rtsp Real Time Streaming Protocol (RTSP) sgmp Simple Gateway Monitoring Protocol (SGMP) silc Secure Internet Live Conferencing (SILC) smux SNMP multiplexing protocol (SMUX) sna-gw IBM Systems Network Architecture (SNA) gateway access server snmp Simple Network Management Protocol (SNMP) snmp-trap SNMP Traps snpp Simple Network Paging Protocol (SNPP) smtp Simple Mail Transfer Protocol (SMTP) sql-svcs Structured Query Language (SQL) Services sql Structured Query Language (SQL) Service ssh Secure Shell Protocol submission Email message submission (SMTP) sunrpc Open Network Computing Remote Procedure Call (ONC RPC), also Sun RPC svcloc Service Location Protocol (SLP) syslog Syslog (UDP) and Remote Shell (TCP) systat Active Users (systat service) tacacs TACACS Login Host protocol talk Talk tcpmux TCP Port Service Multiplexer (TCPMUX) tcpnethaspsrv tcpnethaspsrv, Aladdin Knowledge Systems Hasp services tftp Trivial File Transfer Protocol (TFTP) time Time Protocol timed Timeserver ups Uninterruptible power supply (UPS) xdmcp X Display Manager Control Protocol (XDMCP) xns-ch Xerox Network Systems (XNS) Clearinghouse (Name Server) xns-mail Xerox Network Systems (XNS) Mail xns-time Xerox Network Systems (XNS) Time Protocol z3950 ANSI Z39.50
	Configurable	True
	Platforms	Supported on all platforms

tcp-flags string


	Description	A logical expression using the &, \| and ! logical operators and the TCP flag names: rst, syn and ack.
	Context	acl acl-filter name string type keyword entry sequence-id number match transport tcp-flags string
	Tree	tcp-flags
	Configurable	True
	Platforms	Supported on all platforms

statistics


	Description	Container for per-entry statistics
	Context	acl acl-filter name string type keyword entry sequence-id number statistics
	Tree	statistics
	Configurable	False
	Platforms	Supported on all platforms

incomplete boolean


	Description	Returns true when at least one linecard had insufficient stats resources to ensure an accurate set of values for the number of matched packets.
	Context	acl acl-filter name string type keyword entry sequence-id number statistics incomplete boolean
	Tree	incomplete
	Configurable	False
	Platforms	Supported on all platforms

last-clear string


	Description	Time of the last clear command performed by the user at this level or a higher level
	Context	acl acl-filter name string type keyword entry sequence-id number statistics last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

last-match string


	Description	The elapsed time since a packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL
	Context	acl acl-filter name string type keyword entry sequence-id number statistics last-match string
	Tree	last-match
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

matched-packets number


	Description	The number of packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL
	Context	acl acl-filter name string type keyword entry sequence-id number statistics matched-packets number
	Tree	matched-packets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

policer


	Description	Policer stats for traffic matching the entry: Statistics for policer configured with scope=global and entry-specific=true, and acl configured with subinterface-specific=false.
	Context	acl acl-filter name string type keyword entry sequence-id number statistics policer
	Tree	policer
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

conforming-octets number


	Description	The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl acl-filter name string type keyword entry sequence-id number statistics policer conforming-octets number
	Tree	conforming-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

conforming-packets number


	Description	The number of packets (actually Ethernet frames) that were considered conforming by the policer
	Context	acl acl-filter name string type keyword entry sequence-id number statistics policer conforming-packets number
	Tree	conforming-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

exceeding-octets number


	Description	The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl acl-filter name string type keyword entry sequence-id number statistics policer exceeding-octets number
	Tree	exceeding-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

exceeding-packets number


	Description	The number of packets (actually Ethernet frames) that were considered exceeding by the policer
	Context	acl acl-filter name string type keyword entry sequence-id number statistics policer exceeding-packets number
	Tree	exceeding-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

system-cpu-policer


	Description	System CPU policer stats for traffic matching the entry: Statistics for system cpu policer configured with scope=global and entry-specific=true, and acl configured with subinterface-specific=false.
	Context	acl acl-filter name string type keyword entry sequence-id number statistics system-cpu-policer
	Tree	system-cpu-policer
	Configurable	False
	Platforms	Supported on all platforms

conforming-octets number


	Description	The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl acl-filter name string type keyword entry sequence-id number statistics system-cpu-policer conforming-octets number
	Tree	conforming-octets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

conforming-packets number


	Description	The number of packets (actually Ethernet frames) that were considered conforming by the policer
	Context	acl acl-filter name string type keyword entry sequence-id number statistics system-cpu-policer conforming-packets number
	Tree	conforming-packets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

exceeding-octets number


	Description	The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl acl-filter name string type keyword entry sequence-id number statistics system-cpu-policer exceeding-octets number
	Tree	exceeding-octets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

exceeding-packets number


	Description	The number of packets (actually Ethernet frames) that were considered exceeding by the policer
	Context	acl acl-filter name string type keyword entry sequence-id number statistics system-cpu-policer exceeding-packets number
	Tree	exceeding-packets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

tcam-entries


	Description	Information about the TCAM entries used to implement the ACL entry
	Context	acl acl-filter name string type keyword entry sequence-id number tcam-entries
	Tree	tcam-entries
	Configurable	False
	Platforms	Supported on all platforms

forwarding-complex complex-identifier string


	Description	List of forwarding complexes in the system
	Context	acl acl-filter name string type keyword entry sequence-id number tcam-entries forwarding-complex complex-identifier string
	Tree	forwarding-complex
	Configurable	False
	Platforms	Supported on all platforms

complex-identifier string


	Description	A forwarding complex in the format (slot-number,complex-number).
	Context	acl acl-filter name string type keyword entry sequence-id number tcam-entries forwarding-complex complex-identifier string
	Configurable	False
	Platforms	Supported on all platforms

input-total number


	Description	The number of TCAM entries required to implement this entry on all subinterfaces of this complex where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this complex then input-total=0.
	Context	acl acl-filter name string type keyword entry sequence-id number tcam-entries forwarding-complex complex-identifier string input-total number
	Tree	input-total
	Configurable	False
	Platforms	Supported on all platforms

output-total number


	Description	The number of TCAM entries required to implement this entry on all subinterfaces of this complex where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this complex then output-total=0.
	Context	acl acl-filter name string type keyword entry sequence-id number tcam-entries forwarding-complex complex-identifier string output-total number
	Tree	output-total
	Configurable	False
	Platforms	Supported on all platforms

single-instance number


	Description	The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this complex. It captures the effect of TCAM entry expansion to deal with L4 port or VLAN ranges, for example.
	Context	acl acl-filter name string type keyword entry sequence-id number tcam-entries forwarding-complex complex-identifier string single-instance number
	Tree	single-instance
	Configurable	False
	Platforms	Supported on all platforms

last-clear string


	Description	Time of the last clear command performed by the user at this level
	Context	acl acl-filter name string type keyword last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

statistics-per-entry boolean


	Description	Collect statistics for each entry of the ACL. If this is set to false no hardware resources are allocated to collecting statistics for this ACL policy. The exact set of statistics depend on the subinterface-specific mode
	Context	acl acl-filter name string type keyword statistics-per-entry boolean
	Tree	statistics-per-entry
	Configurable	True
	Platforms	Supported on all platforms

subinterface-specific keyword


	Description	Controls the instantiation of the filter when it is applied as an input or output ACL disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter
	Context	acl acl-filter name string type keyword subinterface-specific keyword
	Tree	subinterface-specific
	Default	disabled
	Options	disabled input-only output-only input-and-output
	Configurable	True
	Platforms	Supported on all platforms

datapath-programming


	Description	Container to represent the progress of ACL datapath programming
	Context	acl datapath-programming
	Tree	datapath-programming
	Configurable	False
	Platforms	Supported on all platforms

forwarding-complex slot-id number complex-id number


	Description	List of forwarding complexes that are currently installed and online
	Context	acl datapath-programming forwarding-complex slot-id number complex-id number
	Tree	forwarding-complex
	Configurable	False
	Platforms	Supported on all platforms

slot-id number


	Description	The slot id
	Context	acl datapath-programming forwarding-complex slot-id number complex-id number
	Configurable	False
	Platforms	Supported on all platforms

complex-id number


	Description	The complex id
	Context	acl datapath-programming forwarding-complex slot-id number complex-id number
	Range	0 to 1
	Configurable	False
	Platforms	Supported on all platforms

last-completed-timestamp string


	Description	The date and time when the forwarding complex last completed all datapath programming related to prior ACL configuration changes.
	Context	acl datapath-programming forwarding-complex slot-id number complex-id number last-completed-timestamp string
	Tree	last-completed-timestamp
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

programming-complete boolean


	Description	Reads false when there are still pending entries to program from prior configuration transactions Reads true when all datapath programming related to all prior ACL configuration changes is complete
	Context	acl datapath-programming forwarding-complex slot-id number complex-id number programming-complete boolean
	Tree	programming-complete
	Configurable	False
	Platforms	Supported on all platforms

egress-mac-filtering boolean


	Description	Must be set to true in order to apply any MAC ACLs to any subinterface in the egress traffic direction. Internally this sets the following limits: Remember that the number of ACL instances per ACL policy is greater than one if subinterface-specific is set to input-and-output or output-only. A setting of true is blocked if the number of IPv4 ACL instances applied to egress traffic is already greater than 32, or if the number of IPv6 ACL instances applied to egress traffic is already greater than 32.
	Context	acl egress-mac-filtering boolean
	Tree	egress-mac-filtering
	Default	false
	Configurable	True
	Platforms	7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

interface interface-id string


	Description	List of interfaces and subinterfaces referencing ACL filters.
	Context	acl interface interface-id string
	Tree	interface
	Configurable	True
	Platforms	Supported on all platforms

interface-id string


	Description	Identifier for the interface or subinterface.
	Context	acl interface interface-id string
	Configurable	True
	Platforms	Supported on all platforms

input


	Description	Container for ACL filters that apply to ingress traffic on the subinterface
	Context	acl interface interface-id string input
	Tree	input
	Configurable	True
	Platforms	Supported on all platforms

acl-filter name reference type reference


	Description	MAC, IPv4, IPv6 ACL filter(s) to be applied on this subinterface direction On 7220 and 7250 IXR platforms only a single MAC, IPv4 or IPv6 filter is supported.
	Context	acl interface interface-id string input acl-filter name reference type reference
	Tree	acl-filter
	Configurable	True
	Platforms	Supported on all platforms
	Max. Elements	4

name reference


	Description	Enter the name context
	Context	acl interface interface-id string input acl-filter name reference type reference
	Reference	acl acl-filter name
	Configurable	True
	Platforms	Supported on all platforms

type reference


	Description	Enter the type context
	Context	acl interface interface-id string input acl-filter name reference type reference
	Reference	acl acl-filter type
	Configurable	True
	Platforms	Supported on all platforms

entry sequence-id reference


	Description	ACL Filter statistics per entry and per subinterface
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference
	Tree	entry
	Configurable	False
	Platforms	Supported on all platforms

sequence-id reference


	Description	Reference to type entry ID key
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference
	Reference	acl acl-filter entry sequence-id
	Configurable	False
	Platforms	Supported on all platforms

policer


	Description	Policer stats for traffic matching the entry: Statistics under /acl/interfaces for policer configured with scope=subinterface and entry-specific=true, and acl configured with subinterface-specific=input-and-output.
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference policer
	Tree	policer
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

conforming-octets number


	Description	The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference policer conforming-octets number
	Tree	conforming-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

conforming-packets number


	Description	The number of packets (actually Ethernet frames) that were considered conforming by the policer
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference policer conforming-packets number
	Tree	conforming-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

exceeding-octets number


	Description	The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference policer exceeding-octets number
	Tree	exceeding-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

exceeding-packets number


	Description	The number of packets (actually Ethernet frames) that were considered exceeding by the policer
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference policer exceeding-packets number
	Tree	exceeding-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

statistics


	Description	Container for per-entry statistics
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference statistics
	Tree	statistics
	Configurable	False
	Platforms	Supported on all platforms

incomplete boolean


	Description	Returns true when at least one linecard had insufficient stats resources to ensure an accurate set of values for the number of matched packets.
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference statistics incomplete boolean
	Tree	incomplete
	Configurable	False
	Platforms	Supported on all platforms

last-clear string


	Description	Time of the last clear command performed by the user at this level or a higher level
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference statistics last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

last-match string


	Description	The elapsed time since a packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference statistics last-match string
	Tree	last-match
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

matched-packets number


	Description	The number of packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL
	Context	acl interface interface-id string input acl-filter name reference type reference entry sequence-id reference statistics matched-packets number
	Tree	matched-packets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

statistics


	Description	Container for policer scope=subinterface and per-entry-statistics=false statistics
	Context	acl interface interface-id string input statistics
	Tree	statistics
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

last-clear string


	Description	Time of the last clear command performed by the user at this level
	Context	acl interface interface-id string input statistics last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

policer


	Description	Policer stats for traffic matching one or multiple entries: List of ACL policer statistics of scope=subinterface and per-entry-statistics=false, and acl configured with subinterface-specific=false.
	Context	acl interface interface-id string input statistics policer
	Tree	policer
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

conforming-octets number


	Description	The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl interface interface-id string input statistics policer conforming-octets number
	Tree	conforming-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

conforming-packets number


	Description	The number of packets (actually Ethernet frames) that were considered conforming by the policer
	Context	acl interface interface-id string input statistics policer conforming-packets number
	Tree	conforming-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

exceeding-octets number


	Description	The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl interface interface-id string input statistics policer exceeding-octets number
	Tree	exceeding-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

exceeding-packets number


	Description	The number of packets (actually Ethernet frames) that were considered exceeding by the policer
	Context	acl interface interface-id string input statistics policer exceeding-packets number
	Tree	exceeding-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

interface-ref


	Description	Reference to an interface or subinterface
	Context	acl interface interface-id string interface-ref
	Tree	interface-ref
	Configurable	True
	Platforms	Supported on all platforms

interface reference


	Description	Reference to a base interface, for example a port or LAG
	Context	acl interface interface-id string interface-ref interface reference
	Tree	interface
	Reference	interface name string
	Configurable	True
	Platforms	Supported on all platforms

subinterface reference


	Description	Reference to a subinterface This requires the base interface to be specified using the interface leaf in this container.
	Context	acl interface interface-id string interface-ref subinterface reference
	Tree	subinterface
	Reference	interface name string subinterface index number
	Configurable	True
	Platforms	Supported on all platforms

output


	Description	Container for ACL filters that apply to ingress traffic on the subinterface
	Context	acl interface interface-id string output
	Tree	output
	Configurable	True
	Platforms	Supported on all platforms

acl-filter name reference type reference


	Description	MAC, IPv4, IPv6 ACL filter(s) to be applied on this subinterface direction On 7220 and 7250 IXR platforms only a single MAC, IPv4 or IPv6 filter is supported.
	Context	acl interface interface-id string output acl-filter name reference type reference
	Tree	acl-filter
	Configurable	True
	Platforms	Supported on all platforms
	Max. Elements	4

name reference


	Description	Enter the name context
	Context	acl interface interface-id string output acl-filter name reference type reference
	Reference	acl acl-filter name
	Configurable	True
	Platforms	Supported on all platforms

type reference


	Description	Enter the type context
	Context	acl interface interface-id string output acl-filter name reference type reference
	Reference	acl acl-filter type
	Configurable	True
	Platforms	Supported on all platforms

entry sequence-id reference


	Description	ACL Filter statistics per entry and per subinterface
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference
	Tree	entry
	Configurable	False
	Platforms	Supported on all platforms

sequence-id reference


	Description	Reference to type entry ID key
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference
	Reference	acl acl-filter entry sequence-id
	Configurable	False
	Platforms	Supported on all platforms

policer


	Description	Policer stats for traffic matching the entry: Statistics under /acl/interfaces for policer configured with scope=subinterface and entry-specific=true, and acl configured with subinterface-specific=input-and-output.
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference policer
	Tree	policer
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

conforming-octets number


	Description	The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference policer conforming-octets number
	Tree	conforming-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

conforming-packets number


	Description	The number of packets (actually Ethernet frames) that were considered conforming by the policer
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference policer conforming-packets number
	Tree	conforming-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

exceeding-octets number


	Description	The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference policer exceeding-octets number
	Tree	exceeding-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

exceeding-packets number


	Description	The number of packets (actually Ethernet frames) that were considered exceeding by the policer
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference policer exceeding-packets number
	Tree	exceeding-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

statistics


	Description	Container for per-entry statistics
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference statistics
	Tree	statistics
	Configurable	False
	Platforms	Supported on all platforms

incomplete boolean


	Description	Returns true when at least one linecard had insufficient stats resources to ensure an accurate set of values for the number of matched packets.
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference statistics incomplete boolean
	Tree	incomplete
	Configurable	False
	Platforms	Supported on all platforms

last-clear string


	Description	Time of the last clear command performed by the user at this level or a higher level
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference statistics last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

last-match string


	Description	The elapsed time since a packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference statistics last-match string
	Tree	last-match
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

matched-packets number


	Description	The number of packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL
	Context	acl interface interface-id string output acl-filter name reference type reference entry sequence-id reference statistics matched-packets number
	Tree	matched-packets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

statistics


	Description	Container for policer scope=subinterface and per-entry-statistics=false statistics
	Context	acl interface interface-id string output statistics
	Tree	statistics
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

last-clear string


	Description	Time of the last clear command performed by the user at this level
	Context	acl interface interface-id string output statistics last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

policer


	Description	Policer stats for traffic matching one or multiple entries: List of ACL policer statistics of scope=subinterface and per-entry-statistics=false, and acl configured with subinterface-specific=false.
	Context	acl interface interface-id string output statistics policer
	Tree	policer
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

conforming-octets number


	Description	The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl interface interface-id string output statistics policer conforming-octets number
	Tree	conforming-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

conforming-packets number


	Description	The number of packets (actually Ethernet frames) that were considered conforming by the policer
	Context	acl interface interface-id string output statistics policer conforming-packets number
	Tree	conforming-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

exceeding-octets number


	Description	The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl interface interface-id string output statistics policer exceeding-octets number
	Tree	exceeding-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

exceeding-packets number


	Description	The number of packets (actually Ethernet frames) that were considered exceeding by the policer
	Context	acl interface interface-id string output statistics policer exceeding-packets number
	Tree	exceeding-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

policers


	Description	Container for policer definitions used by ACL entries
	Context	acl policers
	Tree	policers
	Configurable	True
	Platforms	Supported on all platforms

policer name string


	Description	List of policer templates used in subintreface and CPM Filter ACL.
	Context	acl policers policer name string
	Tree	policer
	Configurable	True
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

name string


	Description	User-defined name of the policer
	Context	acl policers policer name string
	String Length	1 to 255
	Configurable	True
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

entry-specific boolean


	Description	Controls the instantiation of the policer between filter entries false: one policer instance is created from this template and it is shared by all entries of in the same ACL filter that refer to this policer true: multiple policer instances are created from this template, one for each ACL filter entry that refers to this policer
	Context	acl policers policer name string entry-specific boolean
	Tree	entry-specific
	Default	false
	Configurable	True
	Platforms	Supported on all platforms

max-burst number


	Description	The MBS bucket depth in bytes
	Context	acl policers policer name string max-burst number
	Tree	max-burst
	Range	1 to 125000000
	Units	bytes
	Configurable	True
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

peak-rate number


	Description	The PIR rate in kbps (bucket empty/fill rate).
	Context	acl policers policer name string peak-rate number
	Tree	peak-rate
	Range	1 to 800000000
	Units	kbps
	Configurable	True
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

scope keyword


	Description	Controls the instantiation of the policer between subinterfaces global: policer is instantiated per direction and shared between ACL, requires filter subinterface-specific disabled subinterface: policer is instantiated per subinterface and per direction, requires filter subinterface-specific input-and-ouput
	Context	acl policers policer name string scope keyword
	Tree	scope
	Default	global
	Options	global subinterface
	Configurable	True
	Platforms	7220 IXR-D1, 7220 IXR-D2, 7220 IXR-D2L, 7220 IXR-D3, 7220 IXR-D3L, 7220 IXR-D4, 7220 IXR-D5

statistics


	Description	Container for linecard policer statistics.
	Context	acl policers policer name string statistics
	Tree	statistics
	Configurable	False
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

aggregate


	Description	None of these statistics are populated if the policer is configured as entry-specific=true. If entry-specific=false and subinterface-specific=true, this is sum of all the entries and all the policer templates instantiated for all subintrefaces. If entry-specific=false and subinterface-specific=false, this is sum of all the entries using this policer template.
	Context	acl policers policer name string statistics aggregate
	Tree	aggregate
	Configurable	False
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

conforming-octets number


	Description	The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl policers policer name string statistics aggregate conforming-octets number
	Tree	conforming-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

conforming-packets number


	Description	The number of packets (actually Ethernet frames) that were considered conforming by the policer
	Context	acl policers policer name string statistics aggregate conforming-packets number
	Tree	conforming-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

exceeding-octets number


	Description	The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl policers policer name string statistics aggregate exceeding-octets number
	Tree	exceeding-octets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

exceeding-packets number


	Description	The number of packets (actually Ethernet frames) that were considered exceeding by the policer
	Context	acl policers policer name string statistics aggregate exceeding-packets number
	Tree	exceeding-packets
	Default	0
	Configurable	False
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

last-clear string


	Description	Time of the last clear command that applied to these statistics
	Context	acl policers policer name string statistics aggregate last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	7220 IXR-D4, 7220 IXR-D5, 7250 IXR-10, 7250 IXR-10e, 7250 IXR-6, 7250 IXR-6e

system-cpu-policer name string


	Description	List of system CPU policer templates. For each policer in this list one or more policer instances are implemented in the XDP-CPM software and these policer instances process the aggregate of terminating traffic received from all linecards.
	Context	acl policers system-cpu-policer name string
	Tree	system-cpu-policer
	Configurable	True
	Platforms	Supported on all platforms

name string


	Description	User-defined name of the policer
	Context	acl policers system-cpu-policer name string
	String Length	1 to 255
	Configurable	True
	Platforms	Supported on all platforms

entry-specific boolean


	Description	If set to false, only one policer instance is created from this template and it is shared by all entries of all cpm-filter ACLs that refer to this policer. If set to true, multiple policer instances are created from this template, one for each cpm-filter entry that refers to the policer template.
	Context	acl policers system-cpu-policer name string entry-specific boolean
	Tree	entry-specific
	Default	false
	Configurable	True
	Platforms	Supported on all platforms

max-packet-burst number


	Description	The maximum depth of the policer bucket in number of packets
	Context	acl policers system-cpu-policer name string max-packet-burst number
	Tree	max-packet-burst
	Range	16 to 4000000
	Default	16
	Configurable	True
	Platforms	Supported on all platforms

peak-packet-rate number


	Description	The maximum number of packets per second (bucket empty/fill rate)
	Context	acl policers system-cpu-policer name string peak-packet-rate number
	Tree	peak-packet-rate
	Range	1 to 4000000
	Configurable	True
	Platforms	Supported on all platforms

statistics


	Description	Container for system CPU policer statistics None of these statistics are populated if the policer is configured as entry-specific=true.
	Context	acl policers system-cpu-policer name string statistics
	Tree	statistics
	Configurable	False
	Platforms	Supported on all platforms

conforming-octets number


	Description	The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl policers system-cpu-policer name string statistics conforming-octets number
	Tree	conforming-octets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

conforming-packets number


	Description	The number of packets (actually Ethernet frames) that were considered conforming by the policer
	Context	acl policers system-cpu-policer name string statistics conforming-packets number
	Tree	conforming-packets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

exceeding-octets number


	Description	The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet.
	Context	acl policers system-cpu-policer name string statistics exceeding-octets number
	Tree	exceeding-octets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

exceeding-packets number


	Description	The number of packets (actually Ethernet frames) that were considered exceeding by the policer
	Context	acl policers system-cpu-policer name string statistics exceeding-packets number
	Tree	exceeding-packets
	Default	0
	Configurable	False
	Platforms	Supported on all platforms

last-clear string


	Description	Time of the last clear command that applied to these statistics
	Context	acl policers system-cpu-policer name string statistics last-clear string
	Tree	last-clear
	String Length	20 to 32
	Configurable	False
	Platforms	Supported on all platforms

tcam-profile keyword


	Description	Specify the TCAM resource management profile
	Context	acl tcam-profile keyword
	Tree	tcam-profile
	Options	default Default allocation that provides twice as many resources to ingress ACLs as egress ACLs ipv4-egress-scaled Alternate allocation that provides more resources to IPv4 egress ACLs than any other application acl-mfc-ipv4-only Alternate allocation that provides maximum entries for IPv4 ACLs and IPv4 MFC policies and provides no space for MAC ACLs, IPv6 ACLs or IPv6 MFC policies
	Configurable	True
	Platforms	7220 IXR-D4, 7220 IXR-D5