Access control list (ACL) management
action
The command specifies the action applied to traffic that meets the rule's match criteria.
The use of a negative form (no) of the command removes an assigned action.
Syntax
action <ACT>
no action
Parameters
<ACT> – allocated action:
- permit – traffic transfer is permitted;
- deny – traffic transfer is denied.
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# action permit
description
The command sets the description of a configured access control list.
The use of a negative form (no) of the command removes a specified description.
Syntax
description <DESCRIPTION>
no description
Parameters
<DESCRIPTION> – access control list description, set by the string of up to 255 characters.
Required privilege level
10
Command mode
CONFIG-ACL
Example
esr(config-acl)# description "Drop SSH traffic"
enable
The command enables a rule.
The use of a negative form (no) of the command disables a rule.
Syntax
[no] enable
Parameters
The command does not contain parameters.
Default value
Rule is disabled
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# enable
ip access-list extended
The command is used to create an access control list and to switch to the list configuration mode.
The use of a negative form (no) of the command removes a specified access control list.
Syntax
[no] ip access-list extended <NAME>
Parameters
<NAME> – access control list name, set by the string of up to 31 characters.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# ip access-list extended acl-ssh-drop
esr(config-acl)#
match cos
The command sets 802.1p priority value for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match cos <COS>
no match cos
Parameters
<COS> – priority 802.1p value, takes values of [0..7].
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match cos 2
match destination-address
The command sets destination IP addresses for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match destination-address { <ADDR> <MASK> | any }
no match destination-address
Parameters
<ADDR> – destination IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<MASK> – IP address mask, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Mask bits set to zero specify IP address bits excluded from the comparison.
When specifying the 'any' value, the rule will be triggered for any destination IP address.
Default value
any
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match destination-address 10.10.10.0 255.255.255.0
match destination-mac
The command sets destination MAC addresses for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match destination-mac <ADDR> <WILDCARD>
no match destination-mac
Parameters
<ADDR> – destination MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF];
<WILDCARD> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. Mask bits, set to zero, specify MAC address bits excluded from the comparison when searching.
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match destination-mac A8:F9:4B:AA:00:41 00:00:00:00:00:FF
match destination-port
The command sets the destination TCP/UDP port number for which the rule should work.
The use of a negative form (no) of the command removes the assignment.
Syntax
match destination-port {<PORT> | any}
no match destination-port
Parameters
<PORT> – destination TCP/UDP port number, takes values of [1..65535]. When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.
Default value
any
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match destination-port 22
match dscp
The command sets DSCP code value for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match dscp <DSCP>
no match dscp
Parameters
<DSCP> – DSCP code value, takes values in the range of [0..63].
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match dscp 55
match ip-precedence
The command sets IP Precedence code value for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match ip-precedence <IPP>
no match ip-precedence
Parameters
<IPP> – IP Precedence code value, takes values in the range of [0..7].
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match ip-precedence 5
match protocol
The command sets the IP protocol, by name or by protocol number, for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match protocol <TYPE>
no match protocol
match protocol-id <ID>
no match protocol-id
Parameters
<TYPE> – protocol name, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre, any. When specifying the 'any' value, the rule will work for any protocol;
<ID> – IP protocol number (the Protocol field of the IP header), takes values of [0x00..0xFF].
Default value
any
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match protocol tcp
match source-address
The command sets source IP addresses for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match source-address { <ADDR> <MASK> | any }
no match source-address
Parameters
<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
<MASK> – IP address mask, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Mask bits, set to zero, specify IP address bits excluded from the comparison when searching.
When specifying the 'any' value, the rule will be triggered for any source IP address.
Default value
any
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match source-address 10.100.100.0 255.255.255.0
match source-mac
The command sets source MAC addresses for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match source-mac <ADDR> <WILDCARD>
no match source-mac
Parameters
<ADDR> – source MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].
<WILDCARD> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. Mask bits, set to zero, specify MAC address bits excluded from the comparison when searching.
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match source-mac A8:F9:4B:AA:00:40 00:00:00:FF:FF:FF
match source-port
The command sets the number of source TCP/UDP port for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match source-port { <PORT> | any }
no match source-port
Parameters
<PORT> – number of source TCP/UDP port, takes values of [1..65535]. When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.
Default value
any
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match source-port any
match vlan
The command sets VLAN ID value for which the rule should work.
The use of a negative form (no) of the command cancels the assignment.
Syntax
match vlan <VID>
no match vlan
Parameters
<VID> – VLAN ID, takes values of [1..4094].
Required privilege level
10
Command mode
CONFIG-ACL-RULE
Example
esr(config-acl-rule)# match vlan 100
rule
The command creates a rule and switches to CONFIG-ACL-RULE configuration mode. The device processes the rules of a list in ascending order of rule number.
The use of a negative form (no) of the command removes a specified rule.
Syntax
[no] rule <ORDER>
Parameters
<ORDER> – rule number, takes values of [1..4094].
Required privilege level
10
Command mode
CONFIG-ACL
Example
esr(config-acl)# rule 10
esr(config-acl-rule)#
service-acl input
The command binds a specified access control list to the configured interface to filter incoming traffic.
The use of a negative form (no) of the command removes the binding of access control list to this interface.
Syntax
service-acl input <NAME>
no service-acl input
Parameters
<NAME> – access control list name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-GI
CONFIG-TE
CONFIG-PORT-CHANNEL
Example
esr(config-if-gi)# service-acl input acl-ssh-drop
show ip access-list
The command displays access control lists.
Syntax
show ip access-list [ <NAME> [ <ORDER> ] ]
Parameters
<NAME> – access control list name, set by the string of up to 31 characters;
<ORDER> – rule number, takes values of [1..4096]. When a rule number is specified, only that rule's information is displayed.
Required privilege level
1
Command mode
ROOT
Example
esr# show ip access-list
Name                             Description
-------------------------------- -----------------------------------------------
acl-telnet-drop                  --
acl-ssh-drop                     Drop SSH traffic
esr# show ip access-list acl-ssh-drop
Index: 1
Matching pattern:
Protocol: TCP(6)
Source MAC address: any
Source IP address: any
Source port: any
Destination MAC address: any
Destination IP address: any
Destination port: 22
Action: Deny
Status: Enabled
--------------------------------------------------------------------------------
Index: 2
Matching pattern:
Protocol: any
Source MAC address: any
Source IP address: any
Destination MAC address: any
Destination IP address: any
Action: Permit
Status: Enabled
--------------------------------------------------------------------------------
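The following Python model is an added illustration of the matching semantics this page describes; it is not Eltex code and does not run on the router. It parses a constructed CLI transcript built only from the commands documented above, rebuilds the acl-ssh-drop list exactly as `show ip access-list acl-ssh-drop` displays it, and evaluates constructed packets against it: rules are walked in ascending number, rules left at the disabled default are skipped, and address/MAC mask bits set to zero are excluded from the comparison. Two points are assumptions because the page does not state them: the first enabled rule that matches decides the action (the acl-ssh-drop example, deny TCP/22 before permit-all, only makes sense that way), and no implicit action applies when nothing matches. The transcript also omits the `exit` steps a real session needs to leave a mode, and the protocol-name-to-number table is the IANA assignment (consistent with `TCP(6)` in the show output).

```python
"""Added model of the ACL semantics documented on this page; not Eltex code.
ASSUMPTIONS (not stated on the page): the first enabled rule that matches
decides, and no implicit action applies when nothing matches."""

# IANA protocol numbers for the names accepted by 'match protocol'.
PROTO = {"icmp": 1, "igmp": 2, "ipip": 4, "tcp": 6, "udp": 17, "rdp": 27, "gre": 47,
         "esp": 50, "ah": 51, "eigrp": 88, "ospf": 89, "pim": 103, "vrrp": 112, "l2tp": 115}

# Constructed transcript: rebuilds acl-ssh-drop as 'show ip access-list acl-ssh-drop'
# displays it, plus a list using address/MAC masks ('exit' steps omitted).
TRANSCRIPT = """
esr(config)# ip access-list extended acl-ssh-drop
esr(config-acl)# description "Drop SSH traffic"
esr(config-acl)# rule 1
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match destination-port 22
esr(config-acl-rule)# action deny
esr(config-acl-rule)# enable
esr(config-acl)# rule 2
esr(config-acl-rule)# action permit
esr(config-acl-rule)# enable
esr(config)# ip access-list extended acl-mgmt
esr(config-acl)# rule 10
esr(config-acl-rule)# match source-address 10.100.100.0 255.255.255.0
esr(config-acl-rule)# match source-mac A8:F9:4B:AA:00:40 00:00:00:FF:FF:FF
esr(config-acl-rule)# action permit
esr(config-acl-rule)# enable
esr(config-acl)# rule 20
esr(config-acl-rule)# action deny
"""

def ip_to_int(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def mac_to_int(s):
    return int(s.replace(":", ""), 16)

def new_rule(order):
    # Page defaults: a new rule is disabled and every match field is 'any'.
    return {"order": order, "action": None, "enabled": False, "protocol": None,
            "src_ip": None, "dst_ip": None, "src_mac": None, "dst_mac": None,
            "src_port": None, "dst_port": None, "vlan": None}

MASKED = (("src_ip", "src"), ("dst_ip", "dst"), ("src_mac", "smac"), ("dst_mac", "dmac"))
EXACT = (("protocol", "proto"), ("src_port", "sport"), ("dst_port", "dport"), ("vlan", "vlan"))

def rule_matches(rule, pkt):
    # Mask/wildcard bits set to zero are excluded from the comparison (page text).
    for attr, key in MASKED:
        pat = rule[attr]
        if pat is not None and (pkt[key] & pat[1]) != (pat[0] & pat[1]):
            return False
    return all(rule[a] is None or pkt[k] == rule[a] for a, k in EXACT)

def parse_cli(transcript):
    acls, acl, rule = {}, None, None
    for raw in transcript.strip().splitlines():
        line = raw.split("# ", 1)[1]                  # drop the 'esr(...)# ' prompt
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            acl = acls.setdefault(tok[3], {"description": None, "rules": {}})
        elif tok[0] == "description":
            acl["description"] = line.split(" ", 1)[1].strip('"')
        elif tok[0] == "rule":
            rule = acl["rules"].setdefault(int(tok[1]), new_rule(int(tok[1])))
        elif tok[0] == "action":
            rule["action"] = tok[1]
        elif tok in (["enable"], ["no", "enable"]):
            rule["enabled"] = tok[0] == "enable"
        elif tok[0] == "match" and tok[1] in ("protocol", "protocol-id"):
            # name via PROTO, or a number such as 0x06 / 6 for protocol-id
            rule["protocol"] = None if tok[2] == "any" else PROTO.get(tok[2]) or int(tok[2], 0)
        elif tok[0] == "match" and tok[1].endswith("-address"):
            pat = None if tok[2] == "any" else (ip_to_int(tok[2]), ip_to_int(tok[3]))
            rule["src_ip" if tok[1] == "source-address" else "dst_ip"] = pat
        elif tok[0] == "match" and tok[1].endswith("-mac"):
            pat = (mac_to_int(tok[2]), mac_to_int(tok[3]))
            rule["src_mac" if tok[1] == "source-mac" else "dst_mac"] = pat
        elif tok[0] == "match" and tok[1].endswith("-port"):
            pat = None if tok[2] == "any" else int(tok[2])
            rule["src_port" if tok[1] == "source-port" else "dst_port"] = pat
        elif tok[:2] == ["match", "vlan"]:
            rule["vlan"] = int(tok[2])
        else:
            raise ValueError("unsupported command: " + line)
    return acls

def evaluate(acl, pkt):
    # Rules run in ascending number and disabled rules are skipped (page);
    # ASSUMPTION: first match decides, None when no enabled rule matches.
    for r in (acl["rules"][n] for n in sorted(acl["rules"])):
        if r["enabled"] and rule_matches(r, pkt):
            return r["action"]

def packet(proto, src, dst, sport=None, dport=None, smac="00:00:00:00:00:00",
           dmac="00:00:00:00:00:00", vlan=None):
    # Constructed packet header fields in the integer form the matcher uses.
    return {"proto": PROTO[proto], "src": ip_to_int(src), "dst": ip_to_int(dst), "sport": sport,
            "dport": dport, "smac": mac_to_int(smac), "dmac": mac_to_int(dmac), "vlan": vlan}
```

Running `evaluate(parse_cli(TRANSCRIPT)["acl-ssh-drop"], packet("tcp", "192.0.2.10", "10.0.0.1", sport=40000, dport=22))` yields `deny`, while UDP to port 22 or TCP to 443 falls through to rule 2 and yields `permit`. In acl-mgmt, rule 20 was created but never given `enable`, so it is skipped and a packet that fails rule 10 gets no action at all: the disabled default means a rule that has been typed in is not yet a rule that filters anything, which is worth a `show ip access-list` check (Status: Enabled) after every change.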