3.10.14 Access Control Entry (ACE) Configuration

Use this command to configure ACE parameters. Use the access-list ace global configuration command to set an access-list ACE. Without the update keyword the command creates a new ACE or overwrites an existing one, and any unspecified parameter is set to its default value. With the update keyword an existing ACE is updated and only the specified parameters are modified. ACEs must be ordered in an appropriate sequence, because a received frame hits only the first ACE it matches. Use the next or last keyword to adjust an ACE's position in the sequence.

Command Syntax:

access-list ace [ update ] <ace_id> [ next { <ace_id_next> | last } ] [ ingress { interface { <port_type> <ingress_port_id> | <port_type> [ <ingress_port_list> ] } | any } ] [ policy <policy> [ policy-bitmask <policy_bitmask> ] ] [ tag { tagged | untagged | any } ] [ vid { <vid> | any } ] [ tag-priority { <tag_priority> | 0-1 | 2-3 | 4-5 | 6-7 | 0-3 | 4-7 | any } ] [ dmac-type { unicast | multicast | broadcast | any } ] [ frame-type { any | etype [ etype-value { <etype_value> | any } ] [ smac { <etype_smac> | any } ] [ dmac { <etype_dmac> | any } ] | arp [ sip { <arp_sip> | any } ] [ dip { <arp_dip> | any } ] [ smac { <arp_smac> | any } ] [ arp-opcode { arp | rarp | other | any } ] [ arp-flag [ arp-request { <arp_flag_request> | any } ] [ arp-smac { <arp_flag_smac> | any } ] [ arp-tmac { <arp_flag_tmac> | any } ] [ arp-len { <arp_flag_len> | any } ] [ arp-ip { <arp_flag_ip> | any } ] [ arp-ether { <arp_flag_ether> | any } ] ] | ipv4 [ sip { <sipv4> | any } ] [ dip { <dipv4> | any } ] [ ip-protocol { <ipv4_protocol> | any } ] [ ip-flag [ ip-ttl { <ip_flag_ttl> | any } ] [ ip-options { <ip_flag_options> | any } ] [ ip-fragment { <ip_flag_fragment> | any } ] ] | ipv4-icmp [ sip { <sipv4_icmp> | any } ] [ dip { <dipv4_icmp> | any } ] [ icmp-type { <icmpv4_type> | any } ] [ icmp-code { <icmpv4_code> | any } ] [ ip-flag [ ip-ttl { <ip_flag_icmp_ttl> | any } ] [ ip-options { <ip_flag_icmp_options> | any } ] [ ip-fragment { <ip_flag_icmp_fragment> | any } ] ] | ipv4-udp [ sip { <sipv4_udp> | any } ] [ dip { <dipv4_udp> | any } ] [ sport { <sportv4_udp_start> [ to <sportv4_udp_end> ] | any } ] [ dport { <dportv4_udp_start> [ to <dportv4_udp_end> ] | any } ] [ ip-flag [ ip-ttl { <ip_flag_udp_ttl> | any } ] [ ip-options { <ip_flag_udp_options> | any } ] [ ip-fragment { <ip_flag_udp_fragment> | any } ] ] | ipv4-tcp [ sip { <sipv4_tcp> | any } ] [ dip { <dipv4_tcp> | any } ] [ sport { <sportv4_tcp_start> [ to <sportv4_tcp_end> ] | any } ] [ dport { <dportv4_tcp_start> [ to <dportv4_tcp_end> ] | any } ] [ ip-flag [ ip-ttl { <ip_flag_tcp_ttl> | any } ] [ ip-options { <ip_flag_tcp_options> | any } ] [ ip-fragment { <ip_flag_tcp_fragment> | any } ] ] [ tcp-flag [ tcp-fin { <tcpv4_flag_fin> | any } ] [ tcp-syn { <tcpv4_flag_syn> | any } ] [ tcp-rst { <tcpv4_flag_rst> | any } ] [ tcp-psh { <tcpv4_flag_psh> | any } ] [ tcp-ack { <tcpv4_flag_ack> | any } ] [ tcp-urg { <tcpv4_flag_urg> | any } ] ] | ipv6 [ next-header { <next_header> | any } ] [ sip { <sipv6> [ sip-bitmask <sipv6_bitmask> ] | any } ] [ hop-limit { <hop_limit> | any } ] | ipv6-icmp [ sip { <sipv6_icmp> [ sip-bitmask <sipv6_bitmask_icmp> ] | any } ] [ icmp-type { <icmpv6_type> | any } ] [ icmp-code { <icmpv6_code> | any } ] [ hop-limit { <hop_limit_icmp> | any } ] | ipv6-udp [ sip { <sipv6_udp> [ sip-bitmask <sipv6_bitmask_udp> ] | any } ] [ sport { <sportv6_udp_start> [ to <sportv6_udp_end> ] | any } ] [ dport { <dportv6_udp_start> [ to <dportv6_udp_end> ] | any } ] [ hop-limit { <hop_limit_udp> | any } ] | ipv6-tcp [ sip { <sipv6_tcp> [ sip-bitmask <sipv6_bitmask_tcp> ] | any } ] [ sport { <sportv6_tcp_start> [ to <sportv6_tcp_end> ] | any } ] [ dport { <dportv6_tcp_start> [ to <dportv6_tcp_end> ] | any } ] [ hop-limit { <hop_limit_tcp> | any } ] [ tcp-flag [ tcp-fin { <tcpv6_flag_fin> | any } ] [ tcp-syn { <tcpv6_flag_syn> | any } ] [ tcp-rst { <tcpv6_flag_rst> | any } ] [ tcp-psh { <tcpv6_flag_psh> | any } ] [ tcp-ack { <tcpv6_flag_ack> | any } ] [ tcp-urg { <tcpv6_flag_urg> | any } ] ] } ] [ action { permit | deny | filter { switchport <filter_switch_port_list> | interface <port_type> [ <filter_port_list> ] } } ] [ rate-limiter { <rate_limiter_id> | disable } ] [ mirror [ disable ] ] [ logging [ disable ] ] [ shutdown [ disable ] ] [ lookup-second [ disable ] ] [ redirect { switchport { <1-53> | <redirect_switch_port_list> } | interface { <port_type> <redirect_port_id> | <port_type> [ <redirect_port_list> ] } | disable } ]

Table 3-56. Command Description

Argument / Description

Parameter

<ace_id>

ACE ID. The allowed range is 1 to 128.

<ace_id_next>

The next ACE ID. The current ACE is inserted before the ACE with this ID.

<ingress_port_id>

Select the ingress port for which this ACE applies.
  • All: The ACE applies to all ports.
  • Port n: The ACE applies to this port number, where n is the number of the switch port.

<ingress_port_list>

List of Port ID, for example, 1/1,3-5;2/2-4,6.

<policy>

A specific policy value. The allowed range is 0 to 6.

<policy_bitmask>

The value of the policy bitmask, specified in decimal or hexadecimal. The allowed range is 0x0 to 0x3f.

<vid>

The value of the VID field. The allowed range is 1 to 4095.

<tag_priority>

The tag priority for this ACE. A frame that hits this ACE matches this tag priority. The allowed values are a single priority 0 to 7 or one of the ranges 0-1, 2-3, 4-5, 6-7, 0-3 and 4-7. The value Any means that no tag priority is specified (tag priority is "don't-care").

<etype_value>

The value of the EtherType field. The allowed range is 0x600 to 0xFFFF, excluding 0x800 (IPv4), 0x806 (ARP) and 0x86DD (IPv6). The value Any means that no EtherType filter is specified (EtherType filter status is "don't-care").

<etype_smac>

The value of source MAC address field.

<etype_dmac>

The value of destination MAC address field.

<arp_sip>

The value of source IP address field.

<arp_dip>

The value of destination IP address field.

<arp_smac>

The value of source MAC address field.

<arp_flag_request>

The value of ARP Request/Reply opcode field.

<arp_flag_smac>

The value of ARP sender hardware address (SHA) field.

<arp_flag_tmac>

The value of ARP target hardware address (THA) field.

<arp_flag_len>

The value of ARP/RARP hardware address length (HLN) and protocol address length (PLN) field.

<arp_flag_ip>

The value of ARP/RARP hardware address space (HRD) field.

<arp_flag_ether>

The value of ARP/RARP protocol address space (PRO) field.

<sipv4>

The value of source IP address field.

<dipv4>

The value of destination IP address field.

<ipv4_protocol>

The value of IPv4 protocol field.

<ip_flag_ttl>

The value of IPv4 TTL field.

<ip_flag_options>

The value of IPv4 options field.

<ip_flag_fragment>

The value of IPv4 fragment field.

<sipv4_icmp>

The value of source IP address field.

<dipv4_icmp>

The value of destination IP address field.

<icmpv4_type>

The value of ICMP type field. The allowed range is 0 to 255

<icmpv4_code>

The value of ICMP code field.

<ip_flag_icmp_ttl>

The value of IPv4 TTL field.

<ip_flag_icmp_options>

The value of IPv4 options field.

<ip_flag_icmp_fragment>

The value of IPv4 fragment field.

<sipv4_udp> <sipv4_tcp>

The value of source IP address field.

<dipv4_udp> <dipv4_tcp>

The value of destination IP address field.

<sportv4_udp_start> <sportv4_tcp_start>

The value of UDP/TCP source port field. The allowed range is 0 to 65535.

<sportv4_udp_end> <sportv4_tcp_end>

The value of UDP/TCP source port field. The allowed range is 0 to 65535.

<dportv4_udp_start> <dportv4_tcp_start>

The value of UDP/TCP destination port field. The allowed range is 0 to 65535.

<dportv4_udp_end> <dportv4_tcp_end>

The value of UDP/TCP destination port field. The allowed range is 0 to 65535.

<ip_flag_udp_ttl> <ip_flag_tcp_ttl>

The value of IPv4 TTL field.

<ip_flag_udp_options> <ip_flag_tcp_options>

The value of IPv4 options field.

<ip_flag_udp_fragment> <ip_flag_tcp_fragment>

The value of IPv4 fragment field.

<tcpv4_flag_fin> <tcpv6_flag_fin>

Specify the TCP “No more data from sender” (FIN) value for this ACE.
  • 0: TCP frames where the FIN field is set must not be able to match this entry.
  • 1: TCP frames where the FIN field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).

<tcpv4_flag_syn> <tcpv6_flag_syn>

Specify the TCP “Synchronize Sequence Numbers” (SYN) value for this ACE.
  • 0: TCP frames where the SYN field is set must not be able to match this entry.
  • 1: TCP frames where the SYN field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).

<tcpv4_flag_rst> <tcpv6_flag_rst>

Specify the TCP “Reset the connection” (RST) value for this ACE.
  • 0: TCP frames where the RST field is set must not be able to match this entry.
  • 1: TCP frames where the RST field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).

<tcpv4_flag_psh> <tcpv6_flag_psh>

Specify the TCP “Push Function” (PSH) value for this ACE.
  • 0: TCP frames where the PSH field is set must not be able to match this entry.
  • 1: TCP frames where the PSH field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).

<tcpv4_flag_ack> <tcpv6_flag_ack>

Specify the TCP “Acknowledgment field significant” (ACK) value for this ACE.
  • 0: TCP frames where the ACK field is set must not be able to match this entry.
  • 1: TCP frames where the ACK field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).

<tcpv4_flag_urg> <tcpv6_flag_urg>

Specify the TCP “Urgent Pointer field significant” (URG) value for this ACE.
  • 0: TCP frames where the URG field is set must not be able to match this entry.
  • 1: TCP frames where the URG field is set must be able to match this entry.
  • Any: Any value is allowed ("don't-care").

<next_header>

The value of the IPv6 Next Header field.

<sipv6>

The value of source IP address field.

<sipv6_bitmask>

The value of IPv6 source address bitmask.

<hop_limit>

The value of the IPv6 hop limit field.
  • zero: IPv6 frames with a hop limit field greater than zero must not be able to match this entry.
  • non-zero: IPv6 frames with a hop limit field greater than zero must be able to match this entry.
  • Any: Any value is allowed ("don't-care").

<sipv6_icmp>

The value of source IP address field.

<sipv6_bitmask_icmp>

The value of IPv6 source address bitmask.

<icmpv6_type>

The value of ICMP type field. The allowed range is 0 to 255.

<icmpv6_code>

ICMP code value. The allowed range is 0 to 255.

<hop_limit_icmp>

Hop limit settings for this ACE.
  • zero: IPv6 frames with a hop limit field greater than zero must not be able to match this entry.
  • non-zero: IPv6 frames with a hop limit field greater than zero must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).

<sipv6_udp> <sipv6_tcp>

The value of source IP address field.

<sipv6_bitmask_udp> <sipv6_bitmask_tcp>

Specific SIPv6 mask. This field only supports the last 32 bits of the IPv6 address; the upper 96 bits cannot be matched.

<sportv6_udp_start> <sportv6_tcp_start>

The value of TCP/UDP source port field start.

<sportv6_udp_end> <sportv6_tcp_end>

The value of TCP/UDP source port field end.

<dportv6_udp_start> <dportv6_tcp_start>

The value of TCP/UDP destination port field start.

<dportv6_udp_end> <dportv6_tcp_end>

The value of TCP/UDP destination port field end.

<hop_limit_udp> <hop_limit_tcp>

The value of the IPv6 hop limit field.
  • zero: IPv6 frames with a hop limit field greater than zero must not be able to match this entry.
  • non-zero: IPv6 frames with a hop limit field greater than zero must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).

<filter_switch_port_list>

List of switchport ID.

<filter_port_list>

List of Port ID, for example, 1/1,3-5;2/2-4,6.

<rate_limiter_id>

Rate limiter ID.

<redirect_switch_port_list>

List of switchport ID.

<redirect_port_id>

Port ID in the format of switch-no/port-no.

<redirect_port_list>

List of Port ID, for example, 1/1,3-5;2/2-4,6.

Default

N.A.

Mode

Global Configuration mode

Usage

Set the port ACE parameters.

Example

Example 1:

Create access-list ACE ID 1 with all parameters at their default values.

(config)# access-list ace 1
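The following is an added illustration, not part of the manual and not the switch's own code: a small Python model of the create/overwrite, update, next/last and first-match rules described at the top of this section. It shows the operational pitfall of re-issuing an ACE without the update keyword, which resets every unspecified match field to "any" and can turn a narrow deny into a deny-all. The field names and the rule that a new ACE is appended when neither next nor last is given are assumptions of the model.

```python
# Added example (not the manual's code); field names are assumptions of this model.
DEFAULTS = {"frame_type": "any", "dport": "any", "sip": "any", "action": "permit"}


class AceTable:
    def __init__(self):
        self.order = []  # ACE IDs in lookup sequence
        self.aces = {}   # ACE ID -> match fields plus action

    def ace(self, ace_id, update=False, next_id=None, last=False, **fields):
        if update:  # "access-list ace update": touch only the given fields
            if ace_id not in self.aces:
                raise KeyError(f"ACE {ace_id} does not exist")
            self.aces[ace_id].update(fields)
        else:       # create/overwrite: unspecified fields revert to default
            self.aces[ace_id] = {**DEFAULTS, **fields}
        if ace_id in self.order and next_id is None and not last:
            return  # existing ACE keeps its position
        if ace_id in self.order:
            self.order.remove(ace_id)
        if next_id is not None:  # "next <id>": insert before that ACE
            self.order.insert(self.order.index(next_id), ace_id)
        else:                    # "last" or new ACE (assumed): append
            self.order.append(ace_id)

    def lookup(self, frame):
        """Return (ace_id, action) of the first ACE the frame hits, else None."""
        for ace_id in self.order:
            a = self.aces[ace_id]
            if all(a[k] in ("any", frame.get(k)) for k in DEFAULTS if k != "action"):
                return ace_id, a["action"]
        return None  # no hit; the port default action (not modelled) applies


def demo():
    t = AceTable()
    t.ace(10, frame_type="ipv4-tcp", dport=22, sip="192.0.2.10", action="permit")
    t.ace(20, frame_type="ipv4-tcp", dport=22, action="deny")
    admin = {"frame_type": "ipv4-tcp", "dport": 22, "sip": "192.0.2.10"}  # constructed
    other = {"frame_type": "ipv4-tcp", "dport": 22, "sip": "198.51.100.7"}
    http = {"frame_type": "ipv4-tcp", "dport": 80, "sip": "198.51.100.7"}
    before = (t.lookup(admin), t.lookup(other), t.lookup(http))
    t.ace(20, action="deny")  # no "update": match fields reset to any -> deny-all
    broad = t.lookup(http)
    t.ace(20, update=True, frame_type="ipv4-tcp", dport=22)  # repair with update
    narrow = t.lookup(http)
    t.ace(20, update=True, next_id=10)  # move deny before permit: admin now denied
    reordered = t.lookup(admin)
    return before, broad, narrow, reordered
```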