ip access-list
Configure Access List
access-list Specification
Type: Collection
Object Key(s): name
Collection Name: access-list-list
Collection URI: /axapi/v3/ip/access-list
Element Name: access-list
Element URI: /axapi/v3/ip/access-list/{name}
Element Attributes: access-list_attributes
Schema: access-list schema
Operations Allowed:
Operation | Method | URI | Payload
---|---|---|---
Create Object | POST | /axapi/v3/ip/access-list |
Create List | POST | /axapi/v3/ip/access-list |
Get Object | GET | /axapi/v3/ip/access-list/{name} |
Get List | GET | /axapi/v3/ip/access-list |
Modify Object | POST | /axapi/v3/ip/access-list/{name} |
Replace Object | PUT | /axapi/v3/ip/access-list/{name} |
Replace List | PUT | /axapi/v3/ip/access-list |
Delete Object | DELETE | /axapi/v3/ip/access-list/{name} |
access-list-list
access-list-list is a JSON list of access-list attributes
access-list-list : [
]
access-list attributes
name
Description IP Access List Name. Names that consist only of digits or that start with a digit are not supported.
Type: string
Maximum Length: 16 characters
Minimum Length: 1 character
rules
Type: List
user-tag
Description Customized tag
Type: string
Format: string-rlx
Maximum Length: 127 characters
Minimum Length: 1 character
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Minimum Length: 1 character
rules
Specification
Type: list
Block object keys:
acl-log
Description Log matches against this entry
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
action
Description ‘deny’: Deny; ‘permit’: Permit; ‘l3-vlan-fwd-disable’: Disable L3 forwarding between VLANs;
Type: string
Supported Values: deny, permit, l3-vlan-fwd-disable
any-code
Description Any ICMP code
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: any-code, icmp-code and special-code are mutually exclusive
any-type
Description Any ICMP type
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: any-type, icmp-type and special-type are mutually exclusive
dscp
Description DSCP
Type: number
Range: 1-63
dst-any
Description Any destination host
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: dst-any, dst-host, dst-subnet and dst-object-group are mutually exclusive
dst-eq
Description Match only packets on a given destination port (port number)
Type: number
Range: 1-65535
Mutual Exclusion: dst-eq, dst-gt, dst-lt and dst-range are mutually exclusive
dst-gt
Description Match only packets with a greater port number
Type: number
Range: 1-65534
Mutual Exclusion: dst-gt, dst-eq, dst-lt and dst-range are mutually exclusive
dst-host
Description A single destination host (Host address)
Type: string
Format: ipv4-address
Mutual Exclusion: dst-host, dst-any, dst-subnet and dst-object-group are mutually exclusive
dst-lt
Description Match only packets with a lesser port number
Type: number
Range: 2-65535
Mutual Exclusion: dst-lt, dst-eq, dst-gt and dst-range are mutually exclusive
dst-mask
Description Destination Mask 0=apply 255=ignore
Type: string
Format: ipv4-rev-netmask
dst-object-group
Description Destination network object group name
Type: string
Format: string-rlx
Maximum Length: 63 characters
Minimum Length: 1 character
Mutual Exclusion: dst-object-group, dst-any, dst-host and dst-subnet are mutually exclusive
dst-port-end
Description Ending Destination Port Number
Type: number
Range: 1-65535
dst-range
Description Match only packets in the range of port numbers (Starting Destination Port Number)
Type: number
Range: 1-65535
Mutual Exclusion: dst-range, dst-eq, dst-gt and dst-lt are mutually exclusive
dst-subnet
Description Destination Address
Type: string
Format: ipv4-address
Mutual Exclusion: dst-subnet, dst-any, dst-host and dst-object-group are mutually exclusive
established
Description TCP established
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
ethernet
Description Ethernet interface (Port number)
Type: number
Format: interface
fragments
Description IP fragments
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
geo-location
Description Specify geo-location name
Type: string
Maximum Length: 63 characters
Minimum Length: 1 character
icmp
Description Internet Control Message Protocol
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: icmp, tcp, udp, ip and service-obj-group are mutually exclusive
icmp-code
Description ICMP code number
Type: number
Range: 0-254
Mutual Exclusion: icmp-code, any-code and special-code are mutually exclusive
icmp-type
Description ICMP type number
Type: number
Range: 0-254
Mutual Exclusion: icmp-type, any-type and special-type are mutually exclusive
ip
Description Any Internet Protocol
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: ip, icmp, tcp, udp and service-obj-group are mutually exclusive
remark
Description Access list entry comment (Notes for this ACL)
Type: string
Format: string-rlx
Maximum Length: 63 characters
Minimum Length: 1 character
seq-num
Description Sequence Number
Type: number
Range: 1-8192
service-obj-group
Description Service object group (Source object group name)
Type: string
Format: string-rlx
Maximum Length: 63 characters
Minimum Length: 1 character
Mutual Exclusion: service-obj-group, icmp, tcp, udp and ip are mutually exclusive
special-code
Description ‘frag-required’: Code 4, fragmentation required; ‘host-unreachable’: Code 1, destination host unreachable; ‘network-unreachable’: Code 0, destination network unreachable; ‘port-unreachable’: Code 3, destination port unreachable; ‘proto-unreachable’: Code 2, destination protocol unreachable; ‘route-failed’: Code 5, source route failed;
Type: string
Supported Values: frag-required, host-unreachable, network-unreachable, port-unreachable, proto-unreachable, route-failed
Mutual Exclusion: special-code, any-code and icmp-code are mutually exclusive
special-type
Description ‘echo-reply’: Type 0, echo reply; ‘echo-request’: Type 8, echo request; ‘info-reply’: Type 16, information reply; ‘info-request’: Type 15, information request; ‘mask-reply’: Type 18, address mask reply; ‘mask-request’: Type 17, address mask request; ‘parameter-problem’: Type 12, parameter problem; ‘redirect’: Type 5, redirect message; ‘source-quench’: Type 4, source quench; ‘time-exceeded’: Type 11, time exceeded; ‘timestamp’: Type 13, timestamp; ‘timestamp-reply’: Type 14, timestamp reply; ‘dest-unreachable’: Type 3, destination unreachable;
Type: string
Supported Values: echo-reply, echo-request, info-reply, info-request, mask-reply, mask-request, parameter-problem, redirect, source-quench, time-exceeded, timestamp, timestamp-reply, dest-unreachable
Mutual Exclusion: special-type, icmp-type and any-type are mutually exclusive
src-any
Description Any source host
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: src-any, src-host, src-subnet and src-object-group are mutually exclusive
src-eq
Description Match only packets on a given source port (port number)
Type: number
Range: 1-65535
Mutual Exclusion: src-eq, src-gt, src-lt and src-range are mutually exclusive
src-gt
Description Match only packets with a greater port number
Type: number
Range: 1-65534
Mutual Exclusion: src-gt, src-eq, src-lt and src-range are mutually exclusive
src-host
Description A single source host (Host address)
Type: string
Format: ipv4-address
Mutual Exclusion: src-host, src-any, src-subnet and src-object-group are mutually exclusive
src-lt
Description Match only packets with a lower port number
Type: number
Range: 2-65535
Mutual Exclusion: src-lt, src-eq, src-gt and src-range are mutually exclusive
src-mask
Description Source Mask 0=apply 255=ignore
Type: string
Format: ipv4-rev-netmask
src-object-group
Description Network object group (Source network object group name)
Type: string
Format: string-rlx
Maximum Length: 63 characters
Minimum Length: 1 character
Mutual Exclusion: src-object-group, src-any, src-host and src-subnet are mutually exclusive
src-port-end
Description Ending Port Number
Type: number
Range: 1-65535
src-range
Description Match only packets in the range of port numbers (Starting Port Number)
Type: number
Range: 1-65535
Mutual Exclusion: src-range, src-eq, src-gt and src-lt are mutually exclusive
src-subnet
Description Source Address
Type: string
Format: ipv4-address
Mutual Exclusion: src-subnet, src-any, src-host and src-object-group are mutually exclusive
tcp
Description protocol TCP
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: tcp, icmp, udp, ip and service-obj-group are mutually exclusive
transparent-session-only
Description Only log transparent sessions
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
trunk
Description Ethernet trunk (trunk number)
Type: number
Format: interface
udp
Description protocol UDP
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: udp, icmp, tcp, ip and service-obj-group are mutually exclusive
vlan
Description VLAN ID
Type: number
Range: 1-4094