Switch CLI Reference Guide

ACL Commands

ip access-list extend
Command Objective

This command creates IP ACLs and enters the IP Access-list configuration mode.

The no form of the command deletes the IP access-list.

Syntax

ip access-list extended <string(31)>

no ip access-list extended <string(31)>

Parameter Description
  • <string(31)> - Configures the extended access-list name.

ModeGlobal Configuration Mode
mac access-list extend
Command Objective

This command creates mac ACLs and enters the mac Access-list configuration mode.

The no form of the command deletes the mac access-list.

Syntax

mac access-list extended <string(31)>

no mac access-list extended <string(31)>

Parameter Description
  • <string(31)> - Configures the access-list name.
ModeGlobal Configuration Mode
permit- ip/ospf/pim/protocol type
Command Objective

This command allows traffic for a particular protocol packet if the conditions defined in the permit statement are matched.

Syntax

permit { ip | ospf | pim | <short (1-255)>} { any| host <src-ip- address>|<src-ip-address> <mask>} { any|host <dest-ip- address>|<dest-ip-address> <mask> } ace-priority <integer (1- 2147483647)> [ dscp <short (0-63)>]

Parameter Description
  • ip| ospf|pim|<protocol-type (1-255)> - Type of protocol for the packet. It can also be a protocol number.
  • any| host <src-ip-address>|<src-ip-address> <mask> - Source IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> - Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV4 ACL Extended Access List Configuration Mode
deny- ip/ospf/pim/protocol type
Command Objective

This command denies traffic for a particular protocol packet if the conditions defined in the deny statement are matched.

Syntax

deny { ip | ospf | pim | <short (1-255)>} { any| host <src-ip- address>|<src-ip-address> <mask> } { any|host <dest-ip- address>|<dest-ip-address> <mask> } ace-priority <integer (1- 2147483647)> [ dscp <short (0-63)>]

Parameter Description
  • ip| ospf|pim|<protocol-type (1-255)> - Type of protocol for the packet. It can also be a protocol number.
  • any| host <src-ip-address>|<src-ip-address> <mask> - Source IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> - Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> - Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV4 ACL Extended Access List Configuration Mode
permit tcp
Command Objective

This command specifies the TCP packets to be forwarded based on the associated parameters.

Syntax

permit tcp { any| host <src-ip-address>|<src-ip-address>

<mask>} [eq <short (1-65535)>] { any|host <dest-ip- address>|<dest-ip-address> <mask> } [eq <short (1-65535)>] ace-priority <integer (1-2147483647)> [{ack | non_ack}] [{rst | non_rst}] [{psh | non_psh}] [{urg | non_urg}] [{syn | non_syn}] [{fin | non_fin}] [dscp <short (0-63)>]

Parameter Description
  • tcp - Transport Control Protocol.

  • any| host <src-ip-address>|<src-ip-address> <mask> - Source IP address can be

    • ‘any’ or

    • the dotted decimal address or
    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • eq <short (1-65535)> - Port Number.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> -

  • Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • ack | non_ack - TCP ACK bit to be checked against the packet.

  • rst | non_rst - TCP RST bit to be checked against the packet.

  • psh | non_psh - TCP PSH bit to be checked against the packet.

  • urg | non_urg - TCP URG bit to be checked against the packet.

  • syn | non_syn - TCP SYN bit to be checked against the packet.

  • fin | non_fin - TCP FIN bit to be checked against the packet.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV4 ACL Extended Access List Configuration Mode
deny tcp
Command Objective

This command specifies the TCP packets to be rejected based on the associated parameters.

Syntax

deny tcp { any| host <src-ip-address>|<src-ip-address> <mask>} [eq <short (1-65535)>] { any|host <dest-ip-address>|<dest-ip- address> <mask> } [eq <short (1-65535)>] ace-priority <integer (1-2147483647)> [{ack | non_ack}] [{rst | non_rst}] [{psh | non_psh}] [{urg | non_urg}] [{syn | non_syn}] [{fin | non_fin}] [dscp <short (0-63)>]

Parameter Description
  • tcp - Transport Control Protocol.
  • any| host <src-ip-address>|<src-ip-address> <mask> - Source IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • eq <short (1-65535)> - Port Number.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> - Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • ack | non_ack - TCP ACK bit to be checked against the packet.

  • rst | non_rst - TCP RST bit to be checked against the packet.

  • psh | non_psh - TCP PSH bit to be checked against the packet.

  • urg | non_urg - TCP URG bit to be checked against the packet.

  • syn | non_syn - TCP SYN bit to be checked against the packet.

  • fin | non_fin - TCP FIN bit to be checked against the packet.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV4 ACL Extended Access List Configuration Mode
permit udp
Command Objective

This command specifies the UDP packets to be forwarded based on the associated parameters.

Syntax

permit udp { any| host <src-ip-address>|<src-ip-address>

<mask> } [eq <short (1-65535)> ] { any|host <dest-ip- address>|<dest-ip-address> <mask> } [ eq <short (1-65535)> ] ace-priority <integer (1-2147483647)> [ dscp <short (0-63)>]

Parameter Description
  • udp - User Datagram Protocol.

  • any| host <src-ip-address>|<src-ip-address> <mask> - Source IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • eq <short (1-65535)> - Port Number.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> - Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV4 ACL Extended Access List Configuration Mode
deny udp
Command Objective

This command specifies the UDP packets to be rejected based on the associated parameters.

Syntax

deny udp { any| host <src-ip-address>|<src-ip-address>

<mask> } [eq <short (1-65535)> ] { any|host <dest-ip- address>|<dest-ip-address> <mask> } [ eq <short (1-65535)> ] ace-priority <integer (1-2147483647)> [ dscp <short (0-63)>]

Parameter Description
  • udp - User Datagram Protocol.

  • any| host <src-ip-address>|<src-ip-address> <mask> - Source IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • eq <short (1-65535)> - Port Number.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> - Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV4 ACL Extended Access List Configuration Mode
permit icmp
Command Objective

This command specifies the ICMP packets to be forwarded based on the IP address and the associated parameters.

Syntax

permit icmp { any| host <src-ip-address>|<src-ip-address>

<mask>} { any|host <dest-ip-address>|<dest-ip-address>

<mask> } [type <short (0-255)>] [code <short (0-255)>] ace- priority <integer (1-2147483647)> [dscp <integer (0-63)>]

Parameter Description
  • icmp - Internet Control Message Protocol.

  • any| host <src-ip-address>|<src-ip-address> <mask> - Source IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> - Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • type <short (0-255)> - message type

  • code <short (0-255)> - message code

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV4 ACL Extended Access List Configuration Mode
deny icmp
Command Objective

This command specifies the ICMP packets to be rejected based on the IP address and associated parameters.

Syntax

deny icmp { any| host <src-ip-address>|<src-ip-address>

<mask>} { any|host <dest-ip-address>|<dest-ip-address>

<mask> } [type <short (0-255)>] [code <short (0-255)>] ace- priority <integer (1-2147483647)> [dscp <integer (0-63)>]

Parameter Description
  • icmp - Internet Control Message Protocol.

  • any| host <src-ip-address>|<src-ip-address> <mask> - Source IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is from and the network mask to use with the source address.

  • any|host <dest-ip-address>|<dest-ip-address> <mask> - Destination IP address can be

    • ‘any’ or

    • the dotted decimal address or

    • the IP Address of the network or the host that the packet is destined for and the network mask to use with the destination address

  • type <short (0-255)> - message type

  • code <short (0-255)> - message code

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV4 ACL Extended Access List Configuration Mode
no ace-priority
Command Objective

Delete an ace entry.

Syntax

no ace-priority <integer (1-2147483647)>

Parameter Description
  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
ModeIPV4 ACL Extended Access List Configuration Mode
no ace-priority
Command Objective

Delete an ace entry.

Syntax

no ace-priority <integer (1-2147483647)>

Parameter Description
  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.
ModeIPV4 ACL Extended Access List Configuration Mode
permit ipv6
Command Objective

This command specifies IPv6 packets to be forwarded based on protocol and associated parameters.

Syntax

permit ipv6 {any | host <ip6_addr> <integer(0-128)> } { any | host <ip6_addr> <integer(0-128)> } ace-priority <integer (1- 2147483647)> [dscp <short(0-63)>]

Parameter Description
  • ipv6 - IPv6 protocol.

  • any | host <ip6_addr> <integer(0-128)> - Source address of the host / any host.

  • any | host <ip6_addr> <integer(0-128)> - Destination address of the host / any host.

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV6 ACL Extended Access List Configuration Mode
deny ipv6
Command Objective

This command specifies IPv6 packets to be forwarded based on protocol and associated parameters.

Syntax

deny ipv6 {any | host <ip6_addr> <integer(0-128)> } { any | host <ip6_addr> <integer(0-128)> } ace-priority <integer (1- 2147483647)> [dscp <short(0-63)>]

Parameter Description
  • ipv6 – IPv6 protocol.

  • any | host <ip6_addr> <integer(0-128)> - Source address of the host / any host.

  • any | host <ip6_addr> <integer(0-128)> - Destination address of the host / any host.

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV6 ACL Extended Access List Configuration Mode
permit tcp
Command Objective

This command specifies the IPv6 TCP packets to be forwarded based on the associated parameters.

Syntax

permit tcp {any | host <ip6_addr> <short(0-128)>}[eq <short (1-65535)>] {any | host <ip6_addr> <short(0-128)>} [eq <short (1-65535)>] {ace-priority <integer (1- 2147483647)>} [{ack | non_ack}] [{rst | non_rst}] [{psh | non_psh}] [{urg | non_urg}] [{syn | non_syn}] [{fin | non_fin}] [dscp <short (0-63)>]

Parameter Description
  • tcp - Transport Control Protocol.

  • any | host <ip6_addr> <integer(0-128)> - Source address of the host / any host

  • eq <short (1-65535)> - Port Number.

  • any | host <ip6_addr> <integer(0-128)> - Destination address of the host / any host.

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • ack | non_ack - TCP ACK bit to be checked against the packet.

  • rst | non_rst - TCP RST bit to be checked against the packet.

  • psh | non_psh - TCP PSH bit to be checked against the packet.

  • urg | non_urg - TCP URG bit to be checked against the packet.

  • syn | non_syn - TCP SYN bit to be checked against the packet.

  • fin | non_fin - TCP FIN bit to be checked against the packet.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV6 ACL Extended Access List Configuration Mode
deny tcp
Command Objective

This command specifies the IPv6 TCP packets to be forwarded based on the associated parameters.

Syntax

deny tcp {any | host <ip6_addr> <short(0-128)>}[eq <short (1-65535)>] {any | host <ip6_addr> <short(0-128)>} [eq <short (1-65535)>] {ace-priority <integer (1-2147483647)>} [{ack | non_ack}] [{rst | non_rst}] [{psh | non_psh}] [{urg | non_urg}] [{syn | non_syn}] [{fin | non_fin}] [dscp <short (0-63)>]

Parameter Description
  • tcp - Transport Control Protocol.

  • any | host <ip6_addr> <integer(0-128)> - Source address of the host / any host

  • eq <short (1-65535)> - Port Number.

  • any | host <ip6_addr> <integer(0-128)> - Destination address of the host / any host.

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • ack | non_ack - TCP ACK bit to be checked against the packet.

  • rst | non_rst - TCP RST bit to be checked against the packet.

  • psh | non_psh - TCP PSH bit to be checked against the packet.

  • urg | non_urg - TCP URG bit to be checked against the packet.

  • syn | non_syn - TCP SYN bit to be checked against the packet.

  • fin | non_fin - TCP FIN bit to be checked against the packet.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV6 ACL Extended Access List Configuration Mode
permit udp
Command Objective

This command specifies the IPv6 UDP packets to be forwarded based on the associated parameters.

Syntax

permit udp {any | host <ip6_addr> <short(0-128)>} [eq <short (1-65535)>] {any | host <ip6_addr> <short(0-128)>} [ eq <short (1-65535)> ] ace-priority <integer (1- 2147483647)> [dscp <short (0-63)>]

Parameter Description
  • udp - User Datagram Protocol.

  • any | host <ip6_addr> <integer(0-128)> - Source address of the host / any host

  • eq <short (1-65535)> - Port Number.

  • any | host <ip6_addr> <integer(0-128)> - Destination address of the host / any host.

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV6 ACL Extended Access List Configuration Mode
deny udp
Command Objective

This command specifies the IPv6 UDP packets to be forwarded based on the associated parameters.

Syntax

deny udp {any | host <ip6_addr> <short(0-128)>} [eq <short (1-65535)>] {any | host <ip6_addr> <short(0-128)>} [ eq

<short (1-65535)> ] ace-priority <integer (1-2147483647)>

[dscp <short (0-63)>]

Parameter Description
  • udp - User Datagram Protocol.

  • any | host <ip6_addr> <integer(0-128)> - Source address of the host / any host

  • eq <short (1-65535)> - Port Number.

  • any | host <ip6_addr> <integer(0-128)> - Destination address of the host / any host.

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • dscp <short (0-63)> - Differentiated services code point provides the quality of service control.

ModeIPV6 ACL Extended Access List Configuration Mode
permit mac
Command Objective

This command specifies the packets to be forwarded based on the MAC address and the associated parameters, that is, this command allows non-IP traffic to be forwarded if the conditions are matched.

Syntax

permit { any | <src-mac-address > } { any | host

<mac_addr> } {ace-priority <integer (1-2147483647)>}

[ ethertype <integer (1-65535)> ] [ vlan <integer (1-4094)>] [ vlan-priority <short (0-7)> ]

Parameter Description
  • any | host <src-mac-address > - Source MAC address to be matched with the packet

  • any | host <dest-mac-address > - Destination MAC address to be matched with the packet

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • ethertype <integer (1-65535)> - Specifies the non-IP protocol type to be filtered.

  • vlan <integer (1-4094)> - VLAN value to match against incoming packets.

  • vlan-priority <short (0-7)> - VLAN priority value to match against incoming packets.

ModeMAC ACL Extended Access List Configuration Mode
deny mac
Command Objective

This command specifies the packets to be rejected based on the MAC address and the associated parameters.

Syntax

deny { any | <src-mac-address > } { any | host

<mac_addr> } {ace-priority <integer (1-2147483647)>}

[ ethertype <integer (1536-65535)> ] [ vlan <integer (1-4094)>] [ vlan-priority <short (0-7)> ]

Parameter Description
  • any | host <src-mac-address > - Source MAC address to be matched with the packet

  • any | host <dest-mac-address > - Destination MAC address to be matched with the packet

  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

  • ethertype <integer (1536-65535)> - Specifies the non-IP protocol type to be filtered.

  • vlan <integer (1-4094)> - VLAN value to match against incoming packets.

  • vlan-priority <short (0-7)> - VLAN priority value to match against incoming packets.

ModeMAC ACL Extended Access List Configuration Mode
no ace-priority
Command Objective

Delete an ace entry.

Syntax

no ace-priority <integer (1-2147483647)>

Parameter Description
  • ace-priority <integer (1-2147483647)> - The priority of the filter is used to decide which filter rule is applicable when the packet matches with more than one filter rules.

ModeMAC ACL Extended Access List Configuration Mode
ip access-group
Command Objective

This command enables access control for the packets on the interface.

The no form of this command removes all access groups or the specified access group from the interface.

Syntax

ip access-group <string (31)> in

no ip access-group [<string(31)>] in

Parameter Description
  • <string(31)> - IP access control list name.

ModeInterface Configuration Mode
mac access-group
Command Objective

This command applies a MAC access control list (ACL) to a Layer 2 interface.

The no form of this command can be used to remove the MAC ACLs from the interface.

Syntax

mac access-group <string (31)> in

no mac access-group [<string(31)>] in

Parameter Description
  • <string(31)> - MAC access control list name.

ModeInterface Configuration Mode
show access-lists
Command Objective

This command displays the access lists configuration.

Syntax

show access-lists [{ip | mac | ipv6 } [<string(31)>] ]

Parameter Description
  • ip - IP Access List

  • mac - MAC Access List

  • ipv6 - IPv6 Access List

  • <string(31)> - Name of access list

ModePrivileged EXEC Mode

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.