acl
acl
+ capture-filter
+ ipv4-filter
+ entry sequence-id number
+ action
+ accept
+ copy
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ first-fragment boolean
+ fragment boolean
+ icmp
+ code number
+ type (number | keyword)
+ protocol (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- tcam-entries number
+ ipv6-filter
+ entry sequence-id number
+ action
+ accept
+ copy
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ icmp6
+ code number
+ type (number | keyword)
+ next-header (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- tcam-entries number
+ cpm-filter
+ ipv4-filter
+ entry sequence-id number
+ action
+ accept
+ log boolean
+ rate-limit
+ distributed-policer reference
+ system-cpu-policer reference
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ first-fragment boolean
+ fragment boolean
+ icmp
+ code number
+ type (number | keyword)
+ protocol (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- distributed-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
- last-match string
- matched-packets number
- system-cpu-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- tcam-entries number
- last-clear string
+ statistics-per-entry boolean
+ ipv6-filter
+ entry sequence-id number
+ action
+ accept
+ log boolean
+ rate-limit
+ distributed-policer reference
+ system-cpu-policer reference
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ icmp6
+ code number
+ type (number | keyword)
+ next-header (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- distributed-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
- last-match string
- matched-packets number
- system-cpu-policer
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- tcam-entries number
- last-clear string
+ statistics-per-entry boolean
+ ipv4-filter name string
+ description string
+ entry sequence-id number
+ action
+ accept
+ log boolean
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ first-fragment boolean
+ fragment boolean
+ icmp
+ code number
+ type (number | keyword)
+ protocol (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- aggregate
- in-last-match string
- in-matched-packets number
- out-last-match string
- out-matched-packets number
- last-clear string
- per-interface
- subinterface name string
- in-last-match string
- in-matched-packets number
- last-clear string
- out-last-match string
- out-matched-packets number
- tcam-entries
- linecard slot number
- input-total number
- output-total number
- single-instance number
- last-clear string
- statistics
+ statistics-per-entry boolean
+ subinterface-specific keyword
+ ipv6-filter name string
+ description string
+ entry sequence-id number
+ action
+ accept
+ log boolean
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ icmp6
+ code number
+ type (number | keyword)
+ next-header (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- aggregate
- in-last-match string
- in-matched-packets number
- out-last-match string
- out-matched-packets number
- last-clear string
- per-interface
- subinterface name string
- in-last-match string
- in-matched-packets number
- last-clear string
- out-last-match string
- out-matched-packets number
- tcam-entries
- linecard slot number
- input-total number
- output-total number
- single-instance number
- last-clear string
- statistics
+ statistics-per-entry boolean
+ subinterface-specific keyword
+ policers
+ policer name string
+ entry-specific boolean
+ max-burst number
+ peak-rate number
- statistics
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
+ system-cpu-policer name string
+ entry-specific boolean
+ max-packet-burst number
+ peak-packet-rate number
- statistics
- conforming-octets number
- conforming-packets number
- exceeding-octets number
- exceeding-packets number
- last-clear string
+ system-filter
+ ipv4-filter
+ entry sequence-id number
+ action
+ accept
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ first-fragment boolean
+ fragment boolean
+ icmp
+ code number
+ type (number | keyword)
+ protocol (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- last-clear string
- last-match string
- matched-packets number
- tcam-entries number
- last-clear string
+ ipv6-filter
+ entry sequence-id number
+ action
+ accept
+ drop
+ log boolean
+ description string
+ match
+ destination-ip
+ address string
+ mask string
+ prefix string
+ destination-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ icmp6
+ code number
+ type (number | keyword)
+ next-header (number | keyword)
+ source-ip
+ address string
+ mask string
+ prefix string
+ source-port
+ operator keyword
+ range
+ end (number | keyword)
+ start (number | keyword)
+ value (number | keyword)
+ tcp-flags string
- statistics
- last-clear string
- last-match string
- matched-packets number
- tcam-entries number
- last-clear string
+ tcam-profile keyword
acl Descriptions
acl
capture-filter
Description | Top level container for capture filters | |
Context | acl capture-filter | |
Tree | capture-filter | |
Configurable | True |
ipv4-filter
Description | Top level container for capture IPv4 filters | |
Context | acl capture-filter ipv4-filter | |
Tree | ipv4-filter | |
Configurable | True |
entry sequence-id number
Description | List of filter rules. | |
Context | acl capture-filter ipv4-filter entry sequence-id number | |
Tree | entry | |
Configurable | True |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl capture-filter ipv4-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True |
action
Description | Container for the actions to be applied to packets matching the capture filter entry. | |
Context | acl capture-filter ipv4-filter entry sequence-id number action | |
Tree | action | |
Configurable | True |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl capture-filter ipv4-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True |
copy
Description | Create a copy of matching packets, extract them to the CPM, and deliver them to the designated veth interface | |
Context | acl capture-filter ipv4-filter entry sequence-id number action copy | |
Tree | copy | |
Configurable | True |
description string
Description | Description string for the filter entry | |
Context | acl capture-filter ipv4-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl capture-filter ipv4-filter entry sequence-id number match | |
Tree | match | |
Configurable | True |
destination-ip
Description | Packet matching criteria based on destination IPv4 address | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True |
address string
Description | Match a packet if its destination IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its destination IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A destination port number | |
Context | acl capture-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
first-fragment boolean
Description | Match the first fragment of an IPv4 datagram. A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
Tree | first-fragment | |
Configurable | True |
fragment boolean
Description | Match an IPv4 fragment. A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and the more-fragments bit is 1, or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match fragment boolean | |
Tree | fragment | |
Configurable | True |
icmp
Description | A packet matches this condition if its ICMP type and code match one of the specified combinations. The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match icmp | |
Tree | icmp | |
Configurable | True |
code number
Description | Match if the ICMP code value is any value in the list. Requires ICMP type to be specified because codes are type dependent. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match icmp code number | |
Tree | code | |
Configurable | True |
type (number | keyword)
Description | Match a single ICMP type value. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
protocol (number | keyword)
Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
Context | acl capture-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
Tree | protocol | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
source-ip
Description | Packet matching criteria based on source IPv4 address | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True |
address string
Description | Match a packet if its source IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its source IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A source port number | |
Context | acl capture-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl capture-filter ipv4-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl capture-filter ipv4-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False |
ipv6-filter
Description | Top level container for capture IPv6 filters | |
Context | acl capture-filter ipv6-filter | |
Tree | ipv6-filter | |
Configurable | True |
entry sequence-id number
Description | List of filter rules. | |
Context | acl capture-filter ipv6-filter entry sequence-id number | |
Tree | entry | |
Configurable | True |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl capture-filter ipv6-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True |
action
Description | Container for the actions to be applied to packets matching the capture filter entry. | |
Context | acl capture-filter ipv6-filter entry sequence-id number action | |
Tree | action | |
Configurable | True |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl capture-filter ipv6-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True |
copy
Description | Create a copy of matching packets, extract them to the CPM, and deliver them to the designated veth interface | |
Context | acl capture-filter ipv6-filter entry sequence-id number action copy | |
Tree | copy | |
Configurable | True |
description string
Description | Description string for the filter entry | |
Context | acl capture-filter ipv6-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl capture-filter ipv6-filter entry sequence-id number match | |
Tree | match | |
Configurable | True |
destination-ip
Description | Packet matching criteria based on destination IPv6 address | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True |
address string
Description | Match a packet if its destination IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its destination IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A destination port number | |
Context | acl capture-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
icmp6
Description | A packet matches this condition if its ICMPv6 type and code match one of the specified combinations. The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 | |
Tree | icmp6 | |
Configurable | True |
code number
Description | Match if the ICMPv6 code value is any value in the list. Requires ICMPv6 type to be specified because codes are type dependent. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 code number | |
Tree | code | |
Configurable | True |
type (number | keyword)
Description | Match a single ICMPv6 type value | |
Context | acl capture-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
next-header (number | keyword)
Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
Context | acl capture-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
Tree | next-header | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
source-ip
Description | Packet matching criteria based on source IPv6 address | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True |
address string
Description | Match a packet if its source IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its source IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A source port number | |
Context | acl capture-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl capture-filter ipv6-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl capture-filter ipv6-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False |
cpm-filter
Description | Top level container for CPM filters | |
Context | acl cpm-filter | |
Tree | cpm-filter | |
Configurable | True |
ipv4-filter
Description | Top level container for CPM IPv4 filters | |
Context | acl cpm-filter ipv4-filter | |
Tree | ipv4-filter | |
Configurable | True |
entry sequence-id number
Description | List of filter rules. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number | |
Tree | entry | |
Configurable | True |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl cpm-filter ipv4-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True |
action
Description | Container for the actions to be applied to packets matching the CPM filter entry. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action | |
Tree | action | |
Configurable | True |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True |
log boolean
Note: This command is available for the following platforms:
| ||
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, incoming linecard, action: accept, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets) | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
rate-limit
Description | Rate-limit accepted packets | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit | |
Tree | rate-limit | |
Configurable | True |
distributed-policer reference
Note: This command is available for the following platforms:
| ||
Description | Reference to a policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit distributed-policer reference | |
Tree | distributed-policer | |
Reference | ||
Configurable | True |
system-cpu-policer reference
Description | Reference to a system-cpu-policer. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action accept rate-limit system-cpu-policer reference | |
Tree | system-cpu-policer | |
Reference | acl policers system-cpu-policer name string | |
Configurable | True |
drop
Description | Drop matching packets without sending any ICMP messages back to the source | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True |
log boolean
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, incoming linecard, action: drop, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets) | |
Context | acl cpm-filter ipv4-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
description string
Description | Description string for the filter entry | |
Context | acl cpm-filter ipv4-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match | |
Tree | match | |
Configurable | True |
destination-ip
Description | Packet matching criteria based on destination IPv4 address | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True |
address string
Description | Match a packet if its destination IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its destination IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal; ge = greater than or equal to; le = less than or equal to | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A destination port number | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
first-fragment boolean
Description | Match the first fragment of an IPv4 datagram. A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
Tree | first-fragment | |
Configurable | True |
fragment boolean
Description | Match an IPv4 fragment. A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and the more-fragments bit is 1, or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match fragment boolean | |
Tree | fragment | |
Configurable | True |
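The fragment and first-fragment conditions described above, evaluated against raw IPv4 header bytes. This is an added example, not code from the product documentation; the function names and the constructed sample headers (documentation addresses, zero checksum) are assumptions for illustration.

```python
import struct

MF_BIT = 0x2000       # more-fragments flag in the 16-bit flags/offset word
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def fragment_fields(ipv4_header: bytes):
    """Return (more_fragments, fragment_offset) from a raw IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (word,) = struct.unpack_from("!H", ipv4_header, 6)
    return bool(word & MF_BIT), word & OFFSET_MASK


def matches_fragment(ipv4_header: bytes, configured: bool) -> bool:
    """Evaluate 'match fragment <configured>' as the description states it."""
    more_fragments, offset = fragment_fields(ipv4_header)
    is_fragment = (offset == 0 and more_fragments) or offset > 0
    # The false condition matches only unfragmented packets.
    return is_fragment == configured


def matches_first_fragment_true(ipv4_header: bytes) -> bool:
    """Evaluate 'match first-fragment true': offset zero and MF set."""
    more_fragments, offset = fragment_fields(ipv4_header)
    return offset == 0 and more_fragments


def build_header(flags_offset_word: int) -> bytes:
    """Constructed 20-byte IPv4 header; only the flags/offset word varies."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0x1234, flags_offset_word, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    )


# Constructed samples: unfragmented (DF set), first, middle and last fragment.
UNFRAGMENTED = build_header(0x4000)
FIRST = build_header(MF_BIT)
MIDDLE = build_header(MF_BIT | 185)
LAST = build_header(370)

if __name__ == "__main__":
    for name, hdr in [("unfragmented", UNFRAGMENTED), ("first", FIRST),
                      ("middle", MIDDLE), ("last", LAST)]:
        print(name,
              "fragment=true:", matches_fragment(hdr, True),
              "first-fragment=true:", matches_first_fragment_true(hdr))
```

Only the first fragment satisfies both leaves; middle and last fragments match `fragment true` but not `first-fragment true`.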
icmp
Description | A packet matches this condition if its ICMP type and code match one of the specified combinations. The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp | |
Tree | icmp | |
Configurable | True |
code number
Description | Match if the ICMP code value is any value in the list. Requires ICMP type to be specified because codes are type dependent. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp code number | |
Tree | code | |
Configurable | True |
type (number | keyword)
Description | Match a single ICMP type value. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
protocol (number | keyword)
Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
Tree | protocol | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
source-ip
Description | Packet matching criteria based on source IPv4 address | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal; ge = greater than or equal to; le = less than or equal to | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A source port number | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True |
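The match leaves above carry cross-leaf requirements (port matches need protocol 6 or 17, icmp needs protocol 1, an ICMP code needs a type, first-fragment needs fragment) plus the stated numeric ranges. The following added example, which is not part of the product documentation, lints entries against exactly those rules; the dict layout mirroring the tree paths, the protocol keyword spellings and the finding labels are assumptions.

```python
# Assumed keyword spellings for the protocol leaf; numbers are always accepted.
PROTO_KEYWORDS = {"icmp": 1, "tcp": 6, "udp": 17}


def _protocol_number(match):
    """Resolve the protocol leaf to a number; unknown keywords resolve to None."""
    proto = match.get("protocol")
    return PROTO_KEYWORDS.get(proto) if isinstance(proto, str) else proto


def _port_numbers(port):
    """Yield every numeric port configured under value or range."""
    rng = port.get("range", {})
    for number in (port.get("value"), rng.get("start"), rng.get("end")):
        if isinstance(number, int):
            yield number


def lint_entry(sequence_id, entry):
    """Return a list of findings for one filter entry (empty list = clean)."""
    findings = []
    match = entry.get("match", {})
    proto = _protocol_number(match)

    if not 1 <= sequence_id <= 65535:
        findings.append("SEQUENCE_ID_OUT_OF_RANGE")
    description = entry.get("description")
    if description is not None and not 1 <= len(description) <= 255:
        findings.append("DESCRIPTION_LENGTH")

    for leaf in ("destination-port", "source-port"):
        if leaf not in match:
            continue
        # Port conditions are only interpreted correctly with TCP or UDP.
        if proto not in (6, 17):
            findings.append(f"{leaf}:NEEDS_PROTOCOL_6_OR_17")
        if any(not 0 <= n <= 65535 for n in _port_numbers(match[leaf])):
            findings.append(f"{leaf}:PORT_OUT_OF_RANGE")

    icmp = match.get("icmp")
    if icmp is not None:
        if proto != 1:
            findings.append("icmp:NEEDS_PROTOCOL_1")
        if "code" in icmp and "type" not in icmp:
            findings.append("icmp:CODE_WITHOUT_TYPE")

    if "first-fragment" in match and "fragment" not in match:
        findings.append("first-fragment:NEEDS_FRAGMENT")
    return findings


def lint_filter(entries):
    """Lint all entries in evaluation order (lowest sequence-id first)."""
    report = {}
    for sequence_id in sorted(entries):
        findings = lint_entry(sequence_id, entries[sequence_id])
        if findings:
            report[sequence_id] = findings
    return report


# Constructed sample filter, keyed by sequence-id.
SAMPLE_ENTRIES = {
    10: {"description": "ssh to control plane",
         "match": {"protocol": "tcp", "destination-port": {"value": 22}},
         "action": {"accept": {}}},
    20: {"match": {"destination-port": {"value": 179}},
         "action": {"accept": {}}},
    30: {"match": {"protocol": 6, "icmp": {"code": [0]}},
         "action": {"drop": {"log": True}}},
    40: {"match": {"first-fragment": True},
         "action": {"drop": {"log": True}}},
    50: {"match": {"protocol": 17,
                   "source-port": {"range": {"start": 1024, "end": 65536}}},
         "action": {"drop": {}}},
    70000: {"match": {"protocol": "udp"}, "action": {"drop": {}}},
}

if __name__ == "__main__":
    for seq, findings in lint_filter(SAMPLE_ENTRIES).items():
        print(seq, findings)
```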
statistics
Description | Statistics container for packets matching the CPM-filter entry | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False |
distributed-policer
Note: This command is available for the following platforms:
| ||
Description | Distributed policer stats for traffic matching the entry. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer | |
Tree | distributed-policer | |
Configurable | False |
conforming-octets number
Note: This command is available for the following platforms:
| ||
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False |
conforming-packets number
Note: This command is available for the following platforms:
| ||
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False |
exceeding-octets number
Note: This command is available for the following platforms:
| ||
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False |
exceeding-packets number
Note: This command is available for the following platforms:
| ||
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics distributed-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
last-match string
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces and all linecards. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False |
matched-packets number
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces and all linecards | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False |
system-cpu-policer
Description | System CPU policer stats for traffic matching the entry. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer | |
Tree | system-cpu-policer | |
Configurable | False |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter ipv4-filter entry sequence-id number statistics system-cpu-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl cpm-filter ipv4-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter ipv4-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
statistics-per-entry boolean
Description | Collect the following statistics per entry: the number of packets matching each entry, and the elapsed time since a packet last matched each entry | |
Context | acl cpm-filter ipv4-filter statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True |
ipv6-filter
Description | Top level container for CPM IPv6 filters | |
Context | acl cpm-filter ipv6-filter | |
Tree | ipv6-filter | |
Configurable | True |
entry sequence-id number
Description | List of filter rules. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number | |
Tree | entry | |
Configurable | True |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl cpm-filter ipv6-filter entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True |
action
Description | Container for the actions to be applied to packets matching the CPM filter entry. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action | |
Tree | action | |
Configurable | True |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True |
log boolean
Note: This command is available for the following platforms:
| ||
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, incoming linecard, action: accept, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets). | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
rate-limit
Description | Rate-limit accepted packets | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit | |
Tree | rate-limit | |
Configurable | True |
distributed-policer reference
Note: This command is available for the following platforms:
| ||
Description | Reference to a policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit distributed-policer reference | |
Tree | distributed-policer | |
Reference | ||
Configurable | True |
system-cpu-policer reference
Description | Reference to a system-cpu-policer. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action accept rate-limit system-cpu-policer reference | |
Tree | system-cpu-policer | |
Reference | acl policers system-cpu-policer name string | |
Configurable | True |
drop
Description | Drop matching packets without sending any ICMP messages back to the source | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True |
log boolean
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, incoming linecard, action: drop, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets). | |
Context | acl cpm-filter ipv6-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
description string
Description | Description string for the filter entry | |
Context | acl cpm-filter ipv6-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match | |
Tree | match | |
Configurable | True |
destination-ip
Description | Packet matching criteria based on destination IPv6 address | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal; ge = greater than or equal to; le = less than or equal to | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A destination port number | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
icmp6
Description | A packet matches this condition if its ICMPv6 type and code match one of the specified combinations. The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 | |
Tree | icmp6 | |
Configurable | True |
code number
Description | Match if the ICMPv6 code value is any value in the list. Requires ICMPv6 type to be specified because codes are type dependent. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 code number | |
Tree | code | |
Configurable | True |
type (number | keyword)
Description | Match a single ICMPv6 type value | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
next-header (number | keyword)
Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
Tree | next-header | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
source-ip
Description | Packet matching criteria based on source IPv6 address | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal; ge = greater than or equal to; le = less than or equal to | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A source port number | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True |
statistics
Description | Statistics container for packets matching the CPM-filter entry | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False |
distributed-policer
Note: This command is available for the following platforms:
| ||
Description | Distributed policer stats for traffic matching the entry. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer | |
Tree | distributed-policer | |
Configurable | False |
conforming-octets number
Note: This command is available for the following platforms:
| ||
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False |
conforming-packets number
Note: This command is available for the following platforms:
| ||
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False |
exceeding-octets number
Note: This command is available for the following platforms:
| ||
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False |
exceeding-packets number
Note: This command is available for the following platforms:
| ||
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics distributed-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
last-match string
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces and all linecards. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False |
matched-packets number
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces and all linecards | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False |
system-cpu-policer
Description | System CPU policer stats for traffic matching the entry. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer | |
Tree | system-cpu-policer | |
Configurable | False |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl cpm-filter ipv6-filter entry sequence-id number statistics system-cpu-policer exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False |
tcam-entries number
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl cpm-filter ipv6-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl cpm-filter ipv6-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
statistics-per-entry boolean
Description | Collect the following statistics per entry: the number of packets matching each entry, and the elapsed time since a packet last matched each entry | |
Context | acl cpm-filter ipv6-filter statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True |
ipv4-filter name string
Description | List of IPv4 filter policies | |
Context | acl ipv4-filter name string | |
Tree | ipv4-filter | |
Configurable | True |
name string
Description | Name of the IPv4 filter policy. | |
Context | acl ipv4-filter name string | |
String Length | 1 to 255 | |
Configurable | True |
description string
Description | Description string for the IPv4 filter policy | |
Context | acl ipv4-filter name string description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
entry sequence-id number
Description | List of filter rules. | |
Context | acl ipv4-filter name string entry sequence-id number | |
Tree | entry | |
Configurable | True |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl ipv4-filter name string entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True |
action
Description | Container for the actions to be applied to packets matching the filter entry. | |
Context | acl ipv4-filter name string entry sequence-id number action | |
Tree | action | |
Configurable | True |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl ipv4-filter name string entry sequence-id number action accept | |
Tree | accept | |
Configurable | True |
log boolean
Note: This command is available for the following platforms:
| ||
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, incoming interface, action: accept, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets). | |
Context | acl ipv4-filter name string entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
drop
Description | Drop matching packets without sending any ICMP messages back to the source | |
Context | acl ipv4-filter name string entry sequence-id number action drop | |
Tree | drop | |
Configurable | True |
log boolean
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, incoming interface, action: drop, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets). This action combination is not supported on Trident3 platforms when the filter is applied as an output (egress traffic) filter; no logs will be generated. | |
Context | acl ipv4-filter name string entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
description string
Description | Description string for the filter entry | |
Context | acl ipv4-filter name string entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl ipv4-filter name string entry sequence-id number match | |
Tree | match | |
Configurable | True |
destination-ip
Description | Packet matching criteria based on destination IPv4 address | |
Context | acl ipv4-filter name string entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl ipv4-filter name string entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl ipv4-filter name string entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
Context | acl ipv4-filter name string entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A destination port number | |
Context | acl ipv4-filter name string entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
first-fragment boolean
Description | Match the first fragment of an IPv4 datagram. A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
Context | acl ipv4-filter name string entry sequence-id number match first-fragment boolean | |
Tree | first-fragment | |
Configurable | True |
fragment boolean
Description | Match an IPv4 fragment. A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and the more-fragments bit is 1, or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
Context | acl ipv4-filter name string entry sequence-id number match fragment boolean | |
Tree | fragment | |
Configurable | True |
icmp
Description | A packet matches this condition if its ICMP type and code match one of the specified combinations. The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
Context | acl ipv4-filter name string entry sequence-id number match icmp | |
Tree | icmp | |
Configurable | True |
code number
Description | Match if the ICMP code value is any value in the list. Requires ICMP type to be specified because codes are type dependent. | |
Context | acl ipv4-filter name string entry sequence-id number match icmp code number | |
Tree | code | |
Configurable | True |
type (number | keyword)
Description | Match a single ICMP type value. | |
Context | acl ipv4-filter name string entry sequence-id number match icmp type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
protocol (number | keyword)
Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
Context | acl ipv4-filter name string entry sequence-id number match protocol (number | keyword) | |
Tree | protocol | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
source-ip
Description | Packet matching criteria based on source IPv4 address | |
Context | acl ipv4-filter name string entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl ipv4-filter name string entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl ipv4-filter name string entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
Context | acl ipv4-filter name string entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl ipv4-filter name string entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl ipv4-filter name string entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl ipv4-filter name string entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl ipv4-filter name string entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl ipv4-filter name string entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A source port number | |
Context | acl ipv4-filter name string entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl ipv4-filter name string entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True |
statistics
Description | Container for per-entry statistics | |
Context | acl ipv4-filter name string entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False |
aggregate
Description | Container for aggregated per-entry statistics. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate | |
Tree | aggregate | |
Configurable | False |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False |
in-matched-packets number
Description | The number of ingress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False |
out-matched-packets number
Description | The number of egress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl ipv4-filter name string entry sequence-id number statistics aggregate out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl ipv4-filter name string entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
per-interface
Description | Container for per-entry statistics on a per interface basis. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface | |
Tree | per-interface | |
Configurable | False |
subinterface name string
Description | If subinterface-specific=disabled then this list is empty. If subinterface-specific=input-only then this is the list of subinterfaces that apply the ACL as an input ACL. If subinterface-specific=output-only then this is the list of subinterfaces that apply the ACL as an output ACL. If subinterface-specific=input-and-output then this is the list of subinterfaces that apply the ACL as an input ACL or an output ACL. | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Tree | subinterface | |
Configurable | False |
name string
Description | Reference to a subinterface. | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Configurable | False |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to input-only or input-and-output | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False |
in-matched-packets number
Description | The number of ingress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to input-only or input-and-output | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to output-only or input-and-output | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False |
out-matched-packets number
Description | The number of egress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to output-only or input-and-output | |
Context | acl ipv4-filter name string entry sequence-id number statistics per-interface subinterface name string out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False |
tcam-entries
Description | Information about the TCAM entries used to implement the ACL entry | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries | |
Tree | tcam-entries | |
Configurable | False |
linecard slot number
Description | List of linecards in the system | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number | |
Tree | linecard | |
Configurable | False |
slot number
Description | Slot identifier | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number | |
Range | 1 to 10 | |
Configurable | False |
input-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this slot then input-total=0. | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number input-total number | |
Tree | input-total | |
Configurable | False |
output-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this slot then output-total=0. | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number output-total number | |
Tree | output-total | |
Configurable | False |
single-instance number
Description | The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this slot. It captures the effect of TCAM entry expansion to deal with port ranges, for example. | |
Context | acl ipv4-filter name string entry sequence-id number tcam-entries linecard slot number single-instance number | |
Tree | single-instance | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl ipv4-filter name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
statistics
Description | Enter the statistics context | |
Context | acl ipv4-filter name string statistics | |
Tree | statistics | |
Configurable | False |
statistics-per-entry boolean
Description | Collect statistics for each entry of the ACL. The exact set of statistics depends on the subinterface-specific mode. | |
Context | acl ipv4-filter name string statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True |
subinterface-specific keyword
Description | Controls the instantiation of the filter when it is applied as an input or output ACL. disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance. input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter. output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter. input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter. | |
Context | acl ipv4-filter name string subinterface-specific keyword | |
Tree | subinterface-specific | |
Default | disabled | |
Options |
| |
Configurable | True |
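The tcam-entries totals follow from the subinterface-specific mode: a shared instance costs single-instance once per direction, a per-subinterface instance costs it once per attached subinterface. The following is an added example, not part of the vendor reference, that computes input-total and output-total for one linecard slot and compares the four modes; the function names and the sample numbers are constructed for illustration.

```python
# Added example: TCAM budgeting for one linecard slot, derived from the
# input-total / output-total / single-instance and subinterface-specific descriptions.
# (per-subinterface on input?, per-subinterface on output?) for each mode keyword.
PER_SUBIF = {
    "disabled": (False, False),
    "input-only": (True, False),
    "output-only": (False, True),
    "input-and-output": (True, True),
}


def tcam_totals(single_instance, mode, input_subifs, output_subifs):
    """Return input-total and output-total for one entry on one slot.

    single_instance: TCAM entries for one instance of the entry on this slot.
    input_subifs / output_subifs: number of subinterfaces on this slot that
    apply the filter in that direction.
    """
    per_in, per_out = PER_SUBIF[mode]

    def total(attached, per_subif):
        if attached == 0:
            return 0  # not applied in this direction on this slot
        # Shared instance: programmed once. Separate instances: once per subinterface.
        return single_instance * (attached if per_subif else 1)

    return {
        "input-total": total(input_subifs, per_in),
        "output-total": total(output_subifs, per_out),
    }


def compare_modes(single_instances, input_subifs, output_subifs):
    """Total TCAM entries a whole filter needs on one slot, for each mode.

    single_instances: the single-instance value of every entry in the filter.
    """
    result = {}
    for mode in PER_SUBIF:
        used = 0
        for single in single_instances:
            totals = tcam_totals(single, mode, input_subifs, output_subifs)
            used += totals["input-total"] + totals["output-total"]
        result[mode] = used
    return result


if __name__ == "__main__":
    # The case worked in the input-total / output-total descriptions.
    print(tcam_totals(2, "output-only", 5, 5))
    # Constructed filter: three entries, one of which expands to 2 TCAM entries.
    for mode, used in compare_modes([2, 1, 1], 5, 5).items():
        print(f"{mode:18} {used}")
```

Per-subinterface statistics come at the price of the multiplied totals, which is the trade-off to check before switching a widely attached filter away from disabled.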
ipv6-filter name string
Description | List of IPv6 filter policies | |
Context | acl ipv6-filter name string | |
Tree | ipv6-filter | |
Configurable | True |
name string
Description | Name of the IPv6 filter policy. | |
Context | acl ipv6-filter name string | |
String Length | 1 to 255 | |
Configurable | True |
description string
Description | Description string for the IPv6 filter policy | |
Context | acl ipv6-filter name string description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
entry sequence-id number
Description | List of filter rules. | |
Context | acl ipv6-filter name string entry sequence-id number | |
Tree | entry | |
Configurable | True |
sequence-id number
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries. | |
Context | acl ipv6-filter name string entry sequence-id number | |
Range | 1 to 65535 | |
Configurable | True |
action
Description | Container for the actions to be applied to packets matching the filter entry. | |
Context | acl ipv6-filter name string entry sequence-id number action | |
Tree | action | |
Configurable | True |
accept
Description | Accept matching packets and forward them towards their normal destination | |
Context | acl ipv6-filter name string entry sequence-id number action accept | |
Tree | accept | |
Configurable | True |
log boolean
Note: This command is available for the following platforms:
| ||
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, incoming interface, action: accept, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets). | |
Context | acl ipv6-filter name string entry sequence-id number action accept log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
drop
Description | Drop matching packets without sending any ICMP messages back to the source | |
Context | acl ipv6-filter name string entry sequence-id number action drop | |
Tree | drop | |
Configurable | True |
log boolean
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, incoming interface, action: drop, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets). This action combination is not supported on Trident3 platforms when the filter is applied as an output (egress traffic) filter; no logs will be generated. | |
Context | acl ipv6-filter name string entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
description string
Description | Description string for the filter entry | |
Context | acl ipv6-filter name string entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
match
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl ipv6-filter name string entry sequence-id number match | |
Tree | match | |
Configurable | True |
destination-ip
Description | Packet matching criteria based on destination IPv6 address | |
Context | acl ipv6-filter name string entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True |
address string
Description | Match a packet if its destination IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl ipv6-filter name string entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its destination IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl ipv6-filter name string entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
Context | acl ipv6-filter name string entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True |
destination-port
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A destination port number | |
Context | acl ipv6-filter name string entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
icmp6
Description | A packet matches this condition if its ICMPv6 type and code match one of the specified combinations. The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
Context | acl ipv6-filter name string entry sequence-id number match icmp6 | |
Tree | icmp6 | |
Configurable | True |
code number
Description | Match if the ICMPv6 code value is any value in the list. Requires ICMPv6 type to be specified because codes are type dependent. | |
Context | acl ipv6-filter name string entry sequence-id number match icmp6 code number | |
Tree | code | |
Configurable | True |
type (number | keyword)
Description | Match a single ICMPv6 type value | |
Context | acl ipv6-filter name string entry sequence-id number match icmp6 type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
next-header (number | keyword)
Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
Context | acl ipv6-filter name string entry sequence-id number match next-header (number | keyword) | |
Tree | next-header | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
source-ip
Description | Packet matching criteria based on source IPv6 address | |
Context | acl ipv6-filter name string entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True |
address string
Description | Match a packet if its source IP address logically anded with the inverse of the mask equals this IP address. | |
Context | acl ipv6-filter name string entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True |
mask string
Description | Match a packet if its source IP address logically anded with the inverse of this mask equals the configured IP address. | |
Context | acl ipv6-filter name string entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
Context | acl ipv6-filter name string entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True |
source-port
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl ipv6-filter name string entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True |
operator keyword
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl ipv6-filter name string entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl ipv6-filter name string entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Description | The ending port number to include in the range | |
Context | acl ipv6-filter name string entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Description | The starting port number to include in the range | |
Context | acl ipv6-filter name string entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Description | A source port number | |
Context | acl ipv6-filter name string entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
tcp-flags string
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl ipv6-filter name string entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True |
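Several match leaves of the ipv4-filter and ipv6-filter entries are only interpreted correctly when a companion leaf is set (ports need protocol 6 or 17, icmp needs protocol 1, icmp6 needs next-header 58, an ICMP code needs a type, first-fragment needs fragment), and drop with log produces no logs on Trident3 egress. The following linter is an added example, not part of the vendor reference; it assumes entries are held as plain dicts keyed by the leaf names on this page, reads the "IP protocol" condition of an IPv6 entry from next-header, and uses constructed sample filters and finding codes.

```python
# Added example: lint ACL entries against the cross-leaf rules in the leaf descriptions.
# Assumption: entries are plain dicts keyed by leaf name; this is not a vendor format.
TCP, UDP, ICMP, ICMPV6 = 6, 17, 1, 58


def _ports(cond):
    """Yield each numeric port in a source-port/destination-port container."""
    rng = cond.get("range", {})
    for v in (cond.get("value"), rng.get("start"), rng.get("end")):
        if isinstance(v, int):
            yield v


def lint_entry(family, seq, entry, directions=(), platform=""):
    """Return [(sequence-id, code, message)] for one entry of an ipv4/ipv6 filter."""
    out = []

    def add(code, msg):
        out.append((seq, code, msg))

    match = entry.get("match", {})
    # The ipv4-filter tree has 'protocol'; the ipv6-filter tree only has 'next-header'.
    proto_leaf = "protocol" if family == "ipv4" else "next-header"
    proto = match.get(proto_leaf)
    keyword = isinstance(proto, str)
    if not 1 <= seq <= 65535:
        add("SEQ_RANGE", "sequence-id outside 1 to 65535")
    if keyword:
        # Keywords are not resolved here: the page's keyword list is not shown.
        add("PROTO_KEYWORD", f"{proto_leaf}={proto!r} is a keyword; verify by hand")
    for leaf in ("source-port", "destination-port"):
        if leaf not in match:
            continue
        if not keyword and proto not in (TCP, UDP):
            add("PORT_NEEDS_L4", f"{leaf} set but {proto_leaf} is {proto!r}, not 6 or 17")
        if any(not 0 <= p <= 65535 for p in _ports(match[leaf])):
            add("PORT_RANGE", f"{leaf} has a port outside 0 to 65535")
    icmp_leaf, icmp_proto = ("icmp", ICMP) if family == "ipv4" else ("icmp6", ICMPV6)
    if icmp_leaf in match:
        if not keyword and proto != icmp_proto:
            add("ICMP_NEEDS_PROTO", f"{icmp_leaf} set but {proto_leaf} is not {icmp_proto}")
        if "code" in match[icmp_leaf] and "type" not in match[icmp_leaf]:
            add("ICMP_CODE_NEEDS_TYPE", f"{icmp_leaf} code configured without a type")
    if family == "ipv4" and "first-fragment" in match and "fragment" not in match:
        add("FIRST_FRAG_NEEDS_FRAG", "first-fragment configured without fragment")
    drop = entry.get("action", {}).get("drop") or {}
    if drop.get("log") and "output" in directions and platform.lower() == "trident3":
        add("DROP_LOG_EGRESS_SILENT", "drop+log on a Trident3 output filter logs nothing")
    return out


def lint_filter(flt, directions=(), platform=""):
    """Lint every entry of a filter in sequence-id order."""
    findings = []
    for seq in sorted(flt["entries"]):
        findings += lint_entry(flt["family"], seq, flt["entries"][seq], directions, platform)
    return findings


# Constructed sample filters (names and values are illustrative only).
SAMPLE_V4 = {"family": "ipv4", "name": "edge-v4", "entries": {
    10: {"match": {"protocol": 6, "destination-port": {"value": 22}},
         "action": {"accept": {}}},
    20: {"match": {"destination-port": {"operator": "ge", "value": 1024}},
         "action": {"accept": {"log": True}}},
    30: {"match": {"protocol": 1, "icmp": {"code": [0]}},
         "action": {"drop": {"log": True}}},
    40: {"match": {"first-fragment": True}, "action": {"drop": {}}},
    50: {"match": {"protocol": 17, "source-port": {"range": {"start": 60000, "end": 70000}}},
         "action": {"accept": {}}},
}}
SAMPLE_V6 = {"family": "ipv6", "name": "edge-v6", "entries": {
    10: {"match": {"icmp6": {"type": 128}}, "action": {"accept": {}}},
    20: {"match": {"next-header": 58, "icmp6": {"type": 128, "code": [0]}},
         "action": {"accept": {}}},
}}

if __name__ == "__main__":
    for flt in (SAMPLE_V4, SAMPLE_V6):
        for seq, code, msg in lint_filter(flt, directions=("output",), platform="Trident3"):
            print(f"{flt['name']} entry {seq}: {code}: {msg}")
```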
statistics
Description | Container for per-entry statistics | |
Context | acl ipv6-filter name string entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False |
aggregate
Description | Container for aggregated per-entry statistics. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate | |
Tree | aggregate | |
Configurable | False |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False |
in-matched-packets number
Description | The number of ingress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an input ACL | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False |
out-matched-packets number
Description | The number of egress packets matching the entry since it was programmed or since the last clear, considering the mgmt0 subinterface and all subinterfaces of all linecard ports that use the ACL as an output ACL | |
Context | acl ipv6-filter name string entry sequence-id number statistics aggregate out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl ipv6-filter name string entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
per-interface
Description | Container for per-entry statistics on a per interface basis. Not present if the entry is part of a filter with statistics-per-entry set to false. | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface | |
Tree | per-interface | |
Configurable | False |
subinterface name string
Description | If subinterface-specific=disabled then this list is empty. If subinterface-specific=input-only then this is the list of subinterfaces that apply the ACL as an input ACL. If subinterface-specific=output-only then this is the list of subinterfaces that apply the ACL as an output ACL. If subinterface-specific=input-and-output then this is the list of subinterfaces that apply the ACL as an input ACL or an output ACL. | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Tree | subinterface | |
Configurable | False |
name string
Description | Reference to a subinterface. | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string | |
Configurable | False |
in-last-match string
Description | The elapsed time since an ingress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to input-only or input-and-output | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string in-last-match string | |
Tree | in-last-match | |
String Length | 20 to 32 | |
Configurable | False |
in-matched-packets number
Description | The number of ingress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to input-only or input-and-output | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string in-matched-packets number | |
Tree | in-matched-packets | |
Default | 0 | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level or a higher level | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
out-last-match string
Description | The elapsed time since an egress packet last matched the entry on this specific subinterface. Updated only if subinterface-specific is set to output-only or input-and-output | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string out-last-match string | |
Tree | out-last-match | |
String Length | 20 to 32 | |
Configurable | False |
out-matched-packets number
Description | The number of egress packets matching the entry on this specific subinterface. Incremented only if subinterface-specific is set to output-only or input-and-output | |
Context | acl ipv6-filter name string entry sequence-id number statistics per-interface subinterface name string out-matched-packets number | |
Tree | out-matched-packets | |
Default | 0 | |
Configurable | False |
tcam-entries
Description | Information about the TCAM entries used to implement the ACL entry | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries | |
Tree | tcam-entries | |
Configurable | False |
linecard slot number
Description | List of linecards in the system | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number | |
Tree | linecard | |
Configurable | False |
slot number
Description | Slot identifier | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number | |
Range | 1 to 10 | |
Configurable | False |
input-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to ingress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then input-total=2. If the entry is not applied to ingress traffic on any subinterfaces of this slot then input-total=0. | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number input-total number | |
Tree | input-total | |
Configurable | False |
output-total number
Description | The number of TCAM entries required to implement this entry on all subinterfaces of this slot where the filter is applied to egress traffic. For example, if a single-instance of the entry takes 2 TCAM entries and the filter is an output-only subinterface-specific filter and the filter is applied to 5 subinterfaces on output and to 5 subinterfaces on input then output-total=10. If the entry is not applied to egress traffic on any subinterfaces of this slot then output-total=0. | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number output-total number | |
Tree | output-total | |
Configurable | False |
single-instance number
Description | The number of TCAM entries required to implement this entry if it is applied to only one subinterface and one traffic direction specific to this slot. This is non-zero even if the filter is not applied to any subinterfaces of this slot. It captures the effect of TCAM entry expansion to deal with port ranges, for example. | |
Context | acl ipv6-filter name string entry sequence-id number tcam-entries linecard slot number single-instance number | |
Tree | single-instance | |
Configurable | False |
last-clear string
Description | Time of the last clear command performed by the user at this level | |
Context | acl ipv6-filter name string last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
statistics
Description | Enter the statistics context | |
Context | acl ipv6-filter name string statistics | |
Tree | statistics | |
Configurable | False |
statistics-per-entry boolean
Description | Collect statistics for each entry of the ACL. The exact set of statistics depends on the subinterface-specific mode. | |
Context | acl ipv6-filter name string statistics-per-entry boolean | |
Tree | statistics-per-entry | |
Configurable | True |
subinterface-specific keyword
Description | Controls the instantiation of the filter when it is applied as an input or output ACL. disabled: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance. input-only: all subinterfaces on a single linecard that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter. output-only: all subinterfaces on a single linecard that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter. input-and-output: each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter. | |
Context | acl ipv6-filter name string subinterface-specific keyword | |
Tree | subinterface-specific | |
Default | disabled | |
Options |
| |
Configurable | True |
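The worked figures in the input-total and output-total descriptions, generalised to all four subinterface-specific modes. This is an added example, not vendor code: it assumes every filter instance costs single-instance TCAM entries and that a shared instance is counted once per direction per slot, and the function names and sample values are hypothetical.

```python
"""Model of the tcam-entries leaves (input-total, output-total) for one linecard slot."""

MODES = ("disabled", "input-only", "output-only", "input-and-output")


def tcam_totals(single_instance, mode, n_input_subifs, n_output_subifs):
    """Return (input_total, output_total) for one ACL entry on one slot.

    single_instance  TCAM entries for one instance of the entry (the single-instance leaf)
    mode             value of subinterface-specific
    n_input_subifs   subinterfaces of this slot that apply the filter as an input ACL
    n_output_subifs  subinterfaces of this slot that apply the filter as an output ACL
    """
    if mode not in MODES:
        raise ValueError(f"unknown subinterface-specific mode: {mode!r}")
    if min(single_instance, n_input_subifs, n_output_subifs) < 0:
        raise ValueError("counts must not be negative")

    # A direction gets one instance per subinterface only when the mode makes
    # that direction subinterface-specific; otherwise all subinterfaces of the
    # slot share a single instance (or none, if the filter is not applied).
    per_subif_in = mode in ("input-only", "input-and-output")
    per_subif_out = mode in ("output-only", "input-and-output")
    in_instances = n_input_subifs if per_subif_in else min(n_input_subifs, 1)
    out_instances = n_output_subifs if per_subif_out else min(n_output_subifs, 1)
    return single_instance * in_instances, single_instance * out_instances


def totals_by_mode(single_instances, n_input_subifs, n_output_subifs):
    """Sum input-total + output-total over every entry of a filter, for each mode.

    Useful before changing subinterface-specific on a production filter: it
    shows how much TCAM the per-subinterface instances would consume.
    """
    result = {}
    for mode in MODES:
        total = 0
        for single in single_instances:
            in_total, out_total = tcam_totals(single, mode, n_input_subifs, n_output_subifs)
            total += in_total + out_total
        result[mode] = total
    return result


# Constructed sample: a three-entry filter whose last entry expands to 4 TCAM
# entries (for example because of a port range), applied to 5 subinterfaces on
# input and 5 on output.
CONSTRUCTED_SINGLE_INSTANCES = [1, 2, 4]

if __name__ == "__main__":
    # The case used in the descriptions above: single-instance=2, output-only.
    print(tcam_totals(2, "output-only", 5, 5))
    for mode, total in totals_by_mode(CONSTRUCTED_SINGLE_INSTANCES, 5, 5).items():
        print(f"{mode:18s} {total}")
```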
policers
policer name string
Note: This command is available for the following platforms:
| ||
Description | List of hardware policer templates. For each policer in this list one or more policer instances are implemented in the linecards of the system. | |
Context | acl policers policer name string | |
Tree | policer | |
Configurable | True |
name string
entry-specific boolean
Note: This command is available for the following platforms:
| ||
Description | If set to false, only one policer instance is created from this template and it is shared by all entries of all cpm-filter ACLs that refer to this policer. If set to true, multiple policer instances are created from this template, one for each cpm-filter entry that refers to the policer template. | |
Context | acl policers policer name string entry-specific boolean | |
Tree | entry-specific | |
Default | false | |
Configurable | True |
max-burst number
Note: This command is available for the following platforms:
| ||
Description | The MBS bucket depth in bytes | |
Context | acl policers policer name string max-burst number | |
Tree | max-burst | |
Range | 1 to 125000000 | |
Units | bytes | |
Configurable | True |
peak-rate number
Note: This command is available for the following platforms:
| ||
Description | The PIR rate in kbps (bucket empty/fill rate). | |
Context | acl policers policer name string peak-rate number | |
Tree | peak-rate | |
Range | 1 to 1000000 | |
Units | kbps | |
Configurable | True |
statistics
Note: This command is available for the following platforms:
| ||
Description | Container for linecard policer statistics. None of these statistics are populated if the policer is configured as entry-specific=true. | |
Context | acl policers policer name string statistics | |
Tree | statistics | |
Configurable | False |
conforming-octets number
Note: This command is available for the following platforms:
| ||
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl policers policer name string statistics conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False |
conforming-packets number
Note: This command is available for the following platforms:
| ||
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl policers policer name string statistics conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False |
exceeding-octets number
Note: This command is available for the following platforms:
| ||
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl policers policer name string statistics exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False |
exceeding-packets number
Note: This command is available for the following platforms:
| ||
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl policers policer name string statistics exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False |
last-clear string
Note: This command is available for the following platforms:
| ||
Description | Time of the last clear command that applied to these statistics | |
Context | acl policers policer name string statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
system-cpu-policer name string
Description | List of system CPU policer templates. For each policer in this list one or more policer instances are implemented in the XDP-CPM software and these policer instances process the aggregate of terminating traffic received from all linecards. | |
Context | acl policers system-cpu-policer name string | |
Tree | system-cpu-policer | |
Configurable | True |
name string
Description | User-defined name of the policer | |
Context | acl policers system-cpu-policer name string | |
String Length | 1 to 255 | |
Configurable | True |
entry-specific boolean
Description | If set to false, only one policer instance is created from this template and it is shared by all entries of all cpm-filter ACLs that refer to this policer. If set to true, multiple policer instances are created from this template, one for each cpm-filter entry that refers to the policer template. | |
Context | acl policers system-cpu-policer name string entry-specific boolean | |
Tree | entry-specific | |
Default | false | |
Configurable | True |
max-packet-burst number
Description | The maximum depth of the policer bucket in number of packets | |
Context | acl policers system-cpu-policer name string max-packet-burst number | |
Tree | max-packet-burst | |
Range | 16 to 4000000 | |
Default | 16 | |
Configurable | True |
peak-packet-rate number
Description | The maximum number of packets per second (bucket empty/fill rate) | |
Context | acl policers system-cpu-policer name string peak-packet-rate number | |
Tree | peak-packet-rate | |
Range | 1 to 4000000 | |
Configurable | True |
statistics
Description | Container for system CPU policer statistics. None of these statistics are populated if the policer is configured as entry-specific=true. | |
Context | acl policers system-cpu-policer name string statistics | |
Tree | statistics | |
Configurable | False |
conforming-octets number
Description | The number of bytes that were considered conforming by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl policers system-cpu-policer name string statistics conforming-octets number | |
Tree | conforming-octets | |
Default | 0 | |
Configurable | False |
conforming-packets number
Description | The number of packets (actually Ethernet frames) that were considered conforming by the policer | |
Context | acl policers system-cpu-policer name string statistics conforming-packets number | |
Tree | conforming-packets | |
Default | 0 | |
Configurable | False |
exceeding-octets number
Description | The number of bytes that were considered exceeding by the policer. The byte count includes 18 bytes of Ethernet overhead for every IP packet. | |
Context | acl policers system-cpu-policer name string statistics exceeding-octets number | |
Tree | exceeding-octets | |
Default | 0 | |
Configurable | False |
exceeding-packets number
Description | The number of packets (actually Ethernet frames) that were considered exceeding by the policer | |
Context | acl policers system-cpu-policer name string statistics exceeding-packets number | |
Tree | exceeding-packets | |
Default | 0 | |
Configurable | False |
last-clear string
Description | Time of the last clear command that applied to these statistics | |
Context | acl policers system-cpu-policer name string statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
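How peak-packet-rate and max-packet-burst interact with the conforming and exceeding counters, as an added example rather than vendor code. It assumes a standard single-rate token bucket that starts full and is charged one token per packet; the class name, the replay helper and the arrival list are hypothetical and constructed.

```python
"""Token-bucket model of a system-cpu-policer and its statistics leaves."""
from dataclasses import dataclass, field

ETHERNET_OVERHEAD = 18   # bytes added per IP packet in the *-octets counters
MICRO = 1_000_000        # tokens are tracked in millionths of a packet (integer math)


@dataclass
class SystemCpuPolicer:
    peak_packet_rate: int          # packets per second, range 1 to 4000000
    max_packet_burst: int = 16     # bucket depth in packets, range 16 to 4000000
    stats: dict = field(default_factory=lambda: {
        "conforming-packets": 0, "conforming-octets": 0,
        "exceeding-packets": 0, "exceeding-octets": 0,
    })

    def __post_init__(self):
        if not 1 <= self.peak_packet_rate <= 4_000_000:
            raise ValueError("peak-packet-rate out of range")
        if not 16 <= self.max_packet_burst <= 4_000_000:
            raise ValueError("max-packet-burst out of range")
        self._tokens = self.max_packet_burst * MICRO   # assumption: bucket starts full
        self._last_us = None

    def offer(self, t_us, ip_length):
        """Classify one packet arriving at t_us microseconds; update the counters."""
        if self._last_us is not None:
            if t_us < self._last_us:
                raise ValueError("arrivals must be in time order")
            # rate [pkt/s] * elapsed [us] gives the refill in millionths of a packet
            refill = (t_us - self._last_us) * self.peak_packet_rate
            self._tokens = min(self.max_packet_burst * MICRO, self._tokens + refill)
        self._last_us = t_us

        if self._tokens >= MICRO:
            self._tokens -= MICRO
            verdict = "conforming"
        else:
            verdict = "exceeding"
        self.stats[f"{verdict}-packets"] += 1
        self.stats[f"{verdict}-octets"] += ip_length + ETHERNET_OVERHEAD
        return verdict


def replay(policer, arrivals):
    """Feed (t_us, ip_length) tuples through the policer and return its counters."""
    for t_us, ip_length in arrivals:
        policer.offer(t_us, ip_length)
    return policer.stats


# Constructed arrivals: a 40-packet burst at t=0, then 12 packets 100 ms later,
# all 100-byte IP packets.
CONSTRUCTED_ARRIVALS = [(0, 100)] * 40 + [(100_000, 100)] * 12

if __name__ == "__main__":
    for burst in (16, 64):
        policer = SystemCpuPolicer(peak_packet_rate=100, max_packet_burst=burst)
        print(burst, replay(policer, CONSTRUCTED_ARRIVALS))
```

With the default burst of 16, half of this constructed traffic is counted as exceeding; a sustained rise in exceeding-packets on a policer is the signal to check which cpm-filter entries feed it.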
system-filter
Note: This command is available for the following platforms:
| ||
Description | Top level container for System filters | |
Context | acl system-filter | |
Tree | system-filter | |
Configurable | True |
ipv4-filter
Note: This command is available for the following platforms:
| ||
Description | Top level container for System IPv4 filters | |
Context | acl system-filter ipv4-filter | |
Tree | ipv4-filter | |
Configurable | True |
entry sequence-id number
Note: This command is available for the following platforms:
| ||
Description | List of filter rules. | |
Context | acl system-filter ipv4-filter entry sequence-id number | |
Tree | entry | |
Configurable | True |
sequence-id number
Note: This command is available for the following platforms:
| ||
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl system-filter ipv4-filter entry sequence-id number | |
Range | 1 to 256 | |
Configurable | True |
action
Note: This command is available for the following platforms:
| ||
Description | Container for the actions to be applied to packets matching the System filter entry. | |
Context | acl system-filter ipv4-filter entry sequence-id number action | |
Tree | action | |
Configurable | True |
accept
Note: This command is available for the following platforms:
| ||
Description | Accept matching packets | |
Context | acl system-filter ipv4-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True |
drop
Note: This command is available for the following platforms:
| ||
Description | Drop matching packets without sending any ICMP messages back to the source | |
Context | acl system-filter ipv4-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True |
log boolean
Note: This command is available for the following platforms:
| ||
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, action: drop, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets). | |
Context | acl system-filter ipv4-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
description string
Note: This command is available for the following platforms:
| ||
Description | Description string for the filter entry | |
Context | acl system-filter ipv4-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
match
Note: This command is available for the following platforms:
| ||
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl system-filter ipv4-filter entry sequence-id number match | |
Tree | match | |
Configurable | True |
destination-ip
Note: This command is available for the following platforms:
| ||
Description | Packet matching criteria based on destination IPv4 address | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True |
address string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its destination IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True |
mask string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its destination IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its destination IP address is within the specified IPv4 prefix. | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True |
destination-port
Note: This command is available for the following platforms:
| ||
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True |
operator keyword
Note: This command is available for the following platforms:
| ||
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Note: This command is available for the following platforms:
| ||
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | The ending port number to include in the range | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | The starting port number to include in the range | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | A destination port number | |
Context | acl system-filter ipv4-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
first-fragment boolean
Note: This command is available for the following platforms:
| ||
Description | Match the first fragment of an IPv4 datagram. A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and the more-fragments bit is 1. It is not valid to configure this leaf without configuring a match value for the fragment leaf. | |
Context | acl system-filter ipv4-filter entry sequence-id number match first-fragment boolean | |
Tree | first-fragment | |
Configurable | True |
fragment boolean
Note: This command is available for the following platforms:
| ||
Description | Match an IPv4 fragment. A packet matches the true condition if the IPv4 header indicates that the fragment-offset is zero and the more-fragments bit is 1, or if the IPv4 header indicates that the fragment-offset is greater than 0. A packet matches the false condition if it is unfragmented. | |
Context | acl system-filter ipv4-filter entry sequence-id number match fragment boolean | |
Tree | fragment | |
Configurable | True |
icmp
Note: This command is available for the following platforms:
| ||
Description | A packet matches this condition if its ICMP type and code match one of the specified combinations. The rule should also have a condition that the IP protocol equals 1 (ICMP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv4-filter entry sequence-id number match icmp | |
Tree | icmp | |
Configurable | True |
code number
Note: This command is available for the following platforms:
| ||
Description | Match if the ICMP code value is any value in the list. Requires ICMP type to be specified because codes are type dependent. | |
Context | acl system-filter ipv4-filter entry sequence-id number match icmp code number | |
Tree | code | |
Configurable | True |
type (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | Match a single ICMP type value. | |
Context | acl system-filter ipv4-filter entry sequence-id number match icmp type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
protocol (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | An IPv4 packet matches this condition if its IP protocol type field matches the specified value | |
Context | acl system-filter ipv4-filter entry sequence-id number match protocol (number | keyword) | |
Tree | protocol | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
source-ip
Note: This command is available for the following platforms:
| ||
Description | Packet matching criteria based on source IPv4 address | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True |
address string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its source IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True |
mask string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its source IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its source IP address is within the specified IPv4 prefix. | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True |
source-port
Note: This command is available for the following platforms:
| ||
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True |
operator keyword
Note: This command is available for the following platforms:
| ||
Description | Comparison operator: eq = equal, ge = greater than or equal to, le = less than or equal to | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Note: This command is available for the following platforms:
| ||
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | The ending port number to include in the range | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | The starting port number to include in the range | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | A source port number | |
Context | acl system-filter ipv4-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
tcp-flags string
Note: This command is available for the following platforms:
| ||
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl system-filter ipv4-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True |
statistics
Note: This command is available for the following platforms:
| ||
Description | Statistics container for packets matching the system-filter entry | |
Context | acl system-filter ipv4-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False |
last-clear string
Note: This command is available for the following platforms:
| ||
Description | Time of the last clear command performed by the user at this level | |
Context | acl system-filter ipv4-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
last-match string
Note: This command is available for the following platforms:
| ||
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces. | |
Context | acl system-filter ipv4-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False |
matched-packets number
Note: This command is available for the following platforms:
| ||
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces | |
Context | acl system-filter ipv4-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False |
tcam-entries number
Note: This command is available for the following platforms:
| ||
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl system-filter ipv4-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False |
last-clear string
Note: This command is available for the following platforms:
| ||
Description | Time of the last clear command performed by the user at this level | |
Context | acl system-filter ipv4-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
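How the fragment, first-fragment and tcp-flags match leaves combine with sequence-id ordering, as an added example that is not vendor code. Assumptions: `!` binds tighter than `&`, which binds tighter than `|`, with no parentheses; the first matching entry decides the action; a tcp-flags condition can only match a packet that carries a TCP header. The packet dictionaries and the entry list are constructed and their key names are hypothetical.

```python
"""Evaluate constructed system-filter ipv4-filter entries against packet summaries."""
import re

TCP_FLAG_BITS = {"rst": 0x04, "syn": 0x02, "ack": 0x10}   # bits of the TCP flags byte


def eval_tcp_flags(expr, flags):
    """Evaluate a tcp-flags expression (&, | and ! over rst, syn, ack) on a flags byte."""
    tokens = re.findall(r"rst|syn|ack|[&|!]", expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"unsupported token in tcp-flags expression: {expr!r}")
    pos = 0

    def unary():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("tcp-flags expression ends early")
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return not unary()
        if tok in TCP_FLAG_BITS:
            return bool(flags & TCP_FLAG_BITS[tok])
        raise ValueError(f"operator {tok!r} where a flag name was expected")

    def chain(operand, op, combine):
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = operand()            # always parse the right side, then combine
            value = combine(value, rhs)
        return value

    result = chain(lambda: chain(unary, "&", lambda a, b: a and b),
                   "|", lambda a, b: a or b)
    if pos != len(tokens):
        raise ValueError("trailing tokens in tcp-flags expression")
    return result


def fragment_state(more_fragments, fragment_offset):
    """Return (fragment, first_fragment) exactly as the two leaves define them."""
    first = fragment_offset == 0 and bool(more_fragments)
    return (first or fragment_offset > 0), first


def entry_matches(match, pkt):
    fragment, first = fragment_state(pkt["mf"], pkt["frag_offset"])
    if "protocol" in match and match["protocol"] != pkt["protocol"]:
        return False
    if "fragment" in match and match["fragment"] != fragment:
        return False
    if "first-fragment" in match and match["first-fragment"] != first:
        return False
    if "tcp-flags" in match:
        # Model assumption: later fragments and non-TCP packets have no TCP
        # flags to test, so the condition cannot be satisfied.
        if pkt["protocol"] != 6 or pkt["frag_offset"] > 0:
            return False
        if not eval_tcp_flags(match["tcp-flags"], pkt["tcp_flags"]):
            return False
    return True


def evaluate(entries, pkt):
    """Return (sequence-id, action) of the first matching entry, or None."""
    for entry in sorted(entries, key=lambda e: e["sequence-id"]):
        if entry_matches(entry.get("match", {}), pkt):
            return entry["sequence-id"], entry["action"]
    return None


# Constructed entries: drop all fragments, accept established TCP, drop new
# inbound TCP connections, accept everything else.
CONSTRUCTED_ENTRIES = [
    {"sequence-id": 30, "action": "drop", "match": {"protocol": 6, "tcp-flags": "syn&!ack"}},
    {"sequence-id": 10, "action": "drop", "match": {"fragment": True}},
    {"sequence-id": 40, "action": "accept", "match": {}},
    {"sequence-id": 20, "action": "accept", "match": {"protocol": 6, "tcp-flags": "ack|rst"}},
]

if __name__ == "__main__":
    syn = {"protocol": 6, "mf": False, "frag_offset": 0, "tcp_flags": 0x02}
    print(evaluate(CONSTRUCTED_ENTRIES, syn))
```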
ipv6-filter
Note: This command is available for the following platforms:
| ||
Description | Top level container for System IPv6 filters | |
Context | acl system-filter ipv6-filter | |
Tree | ipv6-filter | |
Configurable | True |
entry sequence-id number
Note: This command is available for the following platforms:
| ||
Description | List of filter rules. | |
Context | acl system-filter ipv6-filter entry sequence-id number | |
Tree | entry | |
Configurable | True |
sequence-id number
Note: This command is available for the following platforms:
| ||
Description | A number to indicate the relative evaluation order of the different entries; lower numbered entries are evaluated before higher numbered entries | |
Context | acl system-filter ipv6-filter entry sequence-id number | |
Range | 1 to 128 | |
Configurable | True |
action
Note: This command is available for the following platforms:
| ||
Description | Container for the actions to be applied to packets matching the System filter entry. | |
Context | acl system-filter ipv6-filter entry sequence-id number action | |
Tree | action | |
Configurable | True |
accept
Note: This command is available for the following platforms:
| ||
Description | Accept matching packets | |
Context | acl system-filter ipv6-filter entry sequence-id number action accept | |
Tree | accept | |
Configurable | True |
drop
Note: This command is available for the following platforms:
| ||
Description | Drop matching packets without sending any ICMP messages back to the source | |
Context | acl system-filter ipv6-filter entry sequence-id number action drop | |
Tree | drop | |
Configurable | True |
log boolean
Note: This command is available for the following platforms:
| ||
Description | When this is true, a log is created for each packet matching the entry. The log entry contains the following information: timestamp, filter name, filter entry sequence-id, action: drop, IP protocol, packet-length, source-IP, source-port (TCP/UDP packets), dest-IP, dest-port (TCP/UDP packets), icmp-type (ICMP packets), icmp-code (ICMP packets). | |
Context | acl system-filter ipv6-filter entry sequence-id number action drop log boolean | |
Tree | log | |
Default | false | |
Configurable | True |
description string
Note: This command is available for the following platforms:
| ||
Description | Description string for the filter entry | |
Context | acl system-filter ipv6-filter entry sequence-id number description string | |
Tree | description | |
String Length | 1 to 255 | |
Configurable | True |
match
Note: This command is available for the following platforms:
| ||
Description | Container for the conditions that determine whether a packet matches this entry | |
Context | acl system-filter ipv6-filter entry sequence-id number match | |
Tree | match | |
Configurable | True |
destination-ip
Note: This command is available for the following platforms:
| ||
Description | Packet matching criteria based on destination IPv6 address | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip | |
Tree | destination-ip | |
Configurable | True |
address string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its destination IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip address string | |
Tree | address | |
Configurable | True |
mask string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its destination IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its destination IP address is within the specified IPv6 prefix. | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-ip prefix string | |
Tree | prefix | |
Configurable | True |
destination-port
Note: This command is available for the following platforms:
| ||
Description | A packet matches this condition if its destination TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port | |
Tree | destination-port | |
Configurable | True |
operator keyword
Note: This command is available for the following platforms:
| ||
Description | Comparison operator: eq = equal; ge = greater than or equal to; le = less than or equal to | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Note: This command is available for the following platforms:
| ||
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | The ending port number to include in the range | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | The starting port number to include in the range | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | A destination port number | |
Context | acl system-filter ipv6-filter entry sequence-id number match destination-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
icmp6
Note: This command is available for the following platforms:
| ||
Description | A packet matches this condition if its ICMPv6 type and code match one of the specified combinations. The rule should also have a condition that the next-header value equals 58 (ICMPv6) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 | |
Tree | icmp6 | |
Configurable | True |
code number
Note: This command is available for the following platforms:
| ||
Description | Match if the ICMPv6 code value is any value in the list. Requires ICMPv6 type to be specified because codes are type dependent. | |
Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 code number | |
Tree | code | |
Configurable | True |
type (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | Match a single ICMPv6 type value | |
Context | acl system-filter ipv6-filter entry sequence-id number match icmp6 type (number | keyword) | |
Tree | type | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
next-header (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | An IPv6 packet matches this condition if its first next-header field (in the IPv6 fixed header) contains the specified value | |
Context | acl system-filter ipv6-filter entry sequence-id number match next-header (number | keyword) | |
Tree | next-header | |
Range | 0 to 255 | |
Options |
| |
Configurable | True |
source-ip
Note: This command is available for the following platforms:
| ||
Description | Packet matching criteria based on source IPv6 address | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-ip | |
Tree | source-ip | |
Configurable | True |
address string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its source IP address logically ANDed with the inverse of the mask equals this IP address. | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-ip address string | |
Tree | address | |
Configurable | True |
mask string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its source IP address logically ANDed with the inverse of this mask equals the configured IP address. | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-ip mask string | |
Tree | mask | |
Configurable | True |
prefix string
Note: This command is available for the following platforms:
| ||
Description | Match a packet if its source IP address is within the specified IPv6 prefix. | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-ip prefix string | |
Tree | prefix | |
Configurable | True |
source-port
Note: This command is available for the following platforms:
| ||
Description | A packet matches this condition if its source TCP or UDP port number matches the value or range that is specified. The rule should also have a condition that the IP protocol equals 6 (TCP) or 17 (UDP) in order for this to be interpreted correctly. | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port | |
Tree | source-port | |
Configurable | True |
operator keyword
Note: This command is available for the following platforms:
| ||
Description | Comparison operator: eq = equal; ge = greater than or equal to; le = less than or equal to | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port operator keyword | |
Tree | operator | |
Options |
| |
Configurable | True |
range
Note: This command is available for the following platforms:
| ||
Description | Container used to specify a contiguous range of TCP/UDP port numbers | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port range | |
Tree | range | |
Configurable | True |
end (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | The ending port number to include in the range | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port range end (number | keyword) | |
Tree | end | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
start (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | The starting port number to include in the range | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port range start (number | keyword) | |
Tree | start | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
value (number | keyword)
Note: This command is available for the following platforms:
| ||
Description | A source port number | |
Context | acl system-filter ipv6-filter entry sequence-id number match source-port value (number | keyword) | |
Tree | value | |
Range | 0 to 65535 | |
Options |
| |
Configurable | True |
tcp-flags string
Note: This command is available for the following platforms:
| ||
Description | A logical expression using the &, | and ! logical operators and the TCP flag names: rst, syn and ack. | |
Context | acl system-filter ipv6-filter entry sequence-id number match tcp-flags string | |
Tree | tcp-flags | |
Configurable | True |
statistics
Note: This command is available for the following platforms:
| ||
Description | Statistics container for packets matching the system-filter entry | |
Context | acl system-filter ipv6-filter entry sequence-id number statistics | |
Tree | statistics | |
Configurable | False |
last-clear string
Note: This command is available for the following platforms:
| ||
Description | Time of the last clear command performed by the user at this level | |
Context | acl system-filter ipv6-filter entry sequence-id number statistics last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
last-match string
Note: This command is available for the following platforms:
| ||
Description | The elapsed time since a packet last matched the entry, considering all subinterfaces. | |
Context | acl system-filter ipv6-filter entry sequence-id number statistics last-match string | |
Tree | last-match | |
String Length | 20 to 32 | |
Configurable | False |
matched-packets number
Note: This command is available for the following platforms:
| ||
Description | The number of packets matching the entry since it was programmed or since the last clear, summed across all subinterfaces | |
Context | acl system-filter ipv6-filter entry sequence-id number statistics matched-packets number | |
Tree | matched-packets | |
Default | 0 | |
Configurable | False |
tcam-entries number
Note: This command is available for the following platforms:
| ||
Description | The number of TCAM entries required to implement a single instance of this filter rule. | |
Context | acl system-filter ipv6-filter entry sequence-id number tcam-entries number | |
Tree | tcam-entries | |
Configurable | False |
last-clear string
Note: This command is available for the following platforms:
| ||
Description | Time of the last clear command performed by the user at this level | |
Context | acl system-filter ipv6-filter last-clear string | |
Tree | last-clear | |
String Length | 20 to 32 | |
Configurable | False |
tcam-profile keyword
Description | Specify the TCAM resource management profile | |
Context | acl tcam-profile keyword | |
Tree | tcam-profile | |
Options |
| |
Configurable | True |