action

The command specifies the action that should be applied to traffic meeting the rule's requirements.

The use of a negative form (no) of the command removes an assigned action.

Syntax
action <ACT>
no action
Parameters

<ACT> – action to assign:

  • permit – traffic transfer is permitted;
  • deny – traffic transfer is denied.
Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# action permit

description

The command is used to change a description of configured access control list.

The use of a negative form (no) of the command removes a specified description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – access control list description, a string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-ACL

Example
esr(config-acl)# description "Drop SSH traffic"

enable

The command enables a rule.

The use of a negative form (no) of the command disables a rule.

Syntax
[no] enable
Parameters

The command does not contain parameters.

Default value

Rule is disabled

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# enable

ip access-list extended

The command is used to create an access control list and to switch to the list configuration mode.

The use of a negative form (no) of the command removes a specified access control list.

Syntax
[no] ip access-list extended <NAME>
Parameters

<NAME> – access control list name, a string of up to 31 characters.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# ip access-list extended acl-ssh-drop
esr(config-acl)#

match cos

The command sets the 802.1p priority value for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match cos <COS>
no match cos
Parameters

<COS> – 802.1p priority value, takes values of [0..7].

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match cos 2

match destination-address

The command sets destination IP addresses for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match destination-address { <ADDR> <MASK> | any }
no match destination-address
Parameters

<ADDR> – destination IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<MASK> – IP address mask, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Mask bits set to zero mark the IP address bits that are excluded from the comparison.

When specifying the 'any' value, the rule will be triggered for any destination IP address.

Default value

any

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match destination-address 10.10.10.0 255.255.255.0

match destination-mac

The command sets destination MAC addresses for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match destination-mac <ADDR> <WILDCARD>
no match destination-mac
Parameters

<ADDR> – destination MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF];

<WILDCARD> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF]. Mask bits set to zero mark the MAC address bits that are excluded from the comparison.

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match destination-mac A8:F9:4B:AA:00:41 00:00:00:00:00:FF

match destination-port

The command sets the destination TCP/UDP port number for which the rule should work.

The use of a negative form (no) of the command removes the assignment.

Syntax
match destination-port {<PORT> | any}
no match destination-port
Parameters

<PORT> – destination TCP/UDP port number, takes values of [1..65535]. When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.

Default value

any

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match destination-port 22

match dscp

The command sets the DSCP code value for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match dscp <DSCP>
no match dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match dscp 55

match ip-precedence

The command sets the IP Precedence value for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match ip-precedence <IPP>
no match ip-precedence
Parameters

<IPP> – IP Precedence code value, takes values in the range of [0..7].

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match ip-precedence 5

match protocol

The command sets the IP protocol for which the rule should work, either by name or by protocol number.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match protocol <TYPE>
no match protocol
match protocol-id <ID>
no match protocol-id
Parameters

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ID> – IP protocol number (the value of the Protocol field of the IP header), takes values of [0x00-0xFF].

When specifying the 'any' value, the rule will work for any protocol.

Default value

any

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match protocol tcp

match source-address

The command sets source IP addresses for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match source-address { <ADDR> <MASK> | any }
no match source-address
Parameters

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<MASK> – IP address mask, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Mask bits set to zero mark the IP address bits that are excluded from the comparison.

When specifying the 'any' value, the rule will be triggered for any source IP address.

Default value

any

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match source-address 10.100.100.0 255.255.255.0

match source-mac

The command sets source MAC addresses for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match source-mac <ADDR> <WILDCARD>
no match source-mac
Parameters

<ADDR> – source MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF];

<WILDCARD> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes values of [00..FF]. Mask bits set to zero mark the MAC address bits that are excluded from the comparison.

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match source-mac A8:F9:4B:AA:00:40 00:00:00:FF:FF:FF

match source-port

The command sets the source TCP/UDP port number for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match source-port { <PORT> | any }
no match source-port
Parameters

<PORT> – source TCP/UDP port number, takes values of [1..65535]. When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

Default value

any

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match source-port any

match vlan

The command sets the VLAN ID value for which the rule should work.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match vlan <VID>
no match vlan
Parameters

<VID> – VLAN ID, takes values of [1..4094].

Required privilege level

10

Command mode

CONFIG-ACL-RULE

Example
esr(config-acl-rule)# match vlan 100

rule

The command creates a rule and switches to CONFIG-ACL-RULE configuration mode. The device processes rules in ascending order of their numbers.

The use of a negative form (no) of the command removes a specified rule.

Syntax
[no] rule <ORDER>
Parameters

<ORDER> – rule number, takes values of [1..4094].

Required privilege level

10

Command mode

CONFIG-ACL

Example
esr(config-acl)# rule 10
esr(config-acl-rule)#

service-acl input

The command binds the specified access control list to the configured interface to filter incoming traffic.

The use of a negative form (no) of the command removes the binding of the access control list from this interface.

Syntax
service-acl input <NAME>
no service-acl input
Parameters

<NAME> – access control list name, a string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-GI

CONFIG-TE

CONFIG-PORT-CHANNEL

Example
esr(config-if-gi)# service-acl input acl-ssh-drop

show ip access-list

The command displays access control lists.

Syntax
show ip access-list [ <NAME> [ <ORDER> ] ]
Parameters

<NAME> – access control list name, a string of up to 31 characters;

<ORDER> – rule number, takes values of [1..4096]. When a rule number is specified, only that rule's information is displayed.

Required privilege level

1

Command mode

ROOT

Example
esr# show ip access-list
Name                               Description
--------------------------------   -----------------------------------------------
acl-telnet-drop                    --
acl-ssh-drop                       Drop SSH traffic
esr# show ip access-list acl-ssh-drop
Index:                        1
Matching pattern:
    Protocol:                 TCP(6)
    Source MAC address:       any
    Source IP address:        any
    Source port:              any
    Destination MAC address:  any
    Destination IP address:   any
    Destination port:         22
Action:                       Deny
Status:                       Enabled
--------------------------------------------------------------------------------
Index:                        2
Matching pattern:
    Protocol:                 any
    Source MAC address:       any
    Source IP address:        any
    Destination MAC address:  any
    Destination IP address:   any
Action:                       Permit
Status:                       Enabled
--------------------------------------------------------------------------------
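As an added worked example (not Eltex's code), the following Python models the matching semantics this page describes: IP masks and MAC wildcards whose zero bits are excluded from the comparison, unset criteria meaning any, and rules processed in ascending number order with the first enabled match deciding the action. The rule and packet dictionaries and the acl-ssh-drop list are constructed from the show ip access-list output above; the device's behaviour when no rule matches is not stated on the page, so the model returns None in that case.

```python
import ipaddress

def ip_matches(addr, pattern):
    """pattern is None (any) or (ADDR, MASK); mask bits set to zero are excluded."""
    if pattern is None:
        return True
    want, mask = (int(ipaddress.IPv4Address(x)) for x in pattern)
    return int(ipaddress.IPv4Address(addr)) & mask == want & mask

def mac_matches(addr, pattern):
    """pattern is None (any) or (ADDR, WILDCARD); zero bits are excluded as above."""
    if pattern is None:
        return True
    to_int = lambda m: int(m.replace(":", ""), 16)
    want, mask = (to_int(x) for x in pattern)
    return to_int(addr) & mask == want & mask

def rule_matches(rule, pkt):
    """All criteria configured on the rule must match; unset criteria mean 'any'."""
    for key in ("protocol", "src_port", "dst_port"):
        if rule.get(key) not in (None, "any") and rule[key] != pkt.get(key):
            return False
    return (ip_matches(pkt["src_ip"], rule.get("src_ip"))
            and ip_matches(pkt["dst_ip"], rule.get("dst_ip"))
            and mac_matches(pkt["src_mac"], rule.get("src_mac"))
            and mac_matches(pkt["dst_mac"], rule.get("dst_mac")))

def evaluate(acl, pkt):
    """Rules are processed in ascending number order; the first enabled match wins.
    Returns None when nothing matched (the page does not state the implicit action)."""
    for order in sorted(acl):
        rule = acl[order]
        if rule.get("enabled", False) and rule_matches(rule, pkt):
            return rule["action"]
    return None

# Constructed: the "acl-ssh-drop" list from the show ip access-list output on this page.
ACL_SSH_DROP = {
    1: {"protocol": "tcp", "dst_port": 22, "action": "deny", "enabled": True},
    2: {"action": "permit", "enabled": True},
}

def ssh_from_lan():
    """Constructed packet: TCP from 10.100.100.5 to 10.10.10.1 port 22 -> 'deny'."""
    pkt = {"protocol": "tcp", "src_ip": "10.100.100.5", "dst_ip": "10.10.10.1",
           "src_mac": "A8:F9:4B:AA:00:40", "dst_mac": "A8:F9:4B:AA:00:41",
           "src_port": 50000, "dst_port": 22}
    return evaluate(ACL_SSH_DROP, pkt)
```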