ns-acl¶
The following operations can be performed on "ns-acl":
add| rm| set| unset| enable| disable| stat| rename| show|
add ns acl¶
Adds an extended ACL rule to the Citrix ADC. To commit this operation, you must apply the extended ACLs. Extended ACL rules filter data packets on the basis of various parameters, such as IP address, source port, action, and protocol.
Synopsis¶
add ns acl <aclname> <aclaction> [-td <positive_integer>] [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] (-TTL <positive_integer> | -stateful ( YES | NO )) [-srcMac <mac_addr> [-srcMacMask <string>]] [(-protocol <protocol> [-established]) | -protocolNumber <positive_integer>] [-vlan <positive_integer> | -vxlan <positive_integer>] [-interface <interface_name>] [-icmpType <positive_integer> [-icmpCode <positive_integer>]] [-priority <positive_integer>] [-state ( ENABLED | DISABLED )] [-logstate ( ENABLED | DISABLED ) [-ratelimit <positive_integer>]] [-type ( CLASSIC | DFD ) [-dfdhash <dfdhash>]]
Arguments¶
aclname
Name for the extended ACL rule. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.
aclaction
Action to perform on incoming IPv4 packets that match the extended ACL rule. Available settings function as follows: * ALLOW - The Citrix ADC processes the packet. * BRIDGE - The Citrix ADC bridges the packet to the destination without processing it. * DENY - The Citrix ADC drops the packet.
Possible values: BRIDGE, DENY, ALLOW
td
Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0. Minimum value: 0 Maximum value: 4094
srcIP
IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
operator
Either the equals (=) or does not equal (!=) logical operator.
Possible values: =, !=, EQ, NEQ
srcIPVal
IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example:10.102.29.30-10.102.29.189.
srcPort
Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
operator
Either the equals (=) or does not equal (!=) logical operator.
Possible values: =, !=, EQ, NEQ
srcPortVal
Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90. Maximum value: 65535
destIP
IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
operator
Either the equals (=) or does not equal (!=) logical operator.
Possible values: =, !=, EQ, NEQ
destIPVal
IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
destPort
Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
Note: The destination port can be specified only for TCP and UDP protocols.
operator
Either the equals (=) or does not equal (!=) logical operator.
Possible values: =, !=, EQ, NEQ
destPortVal
Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
Note: The destination port can be specified only for TCP and UDP protocols. Maximum value: 65535
TTL
Number of seconds, in multiples of four, after which the extended ACL rule expires. If you do not want the extended ACL rule to expire, do not specify a TTL value. Minimum value: 1 Maximum value: 2147483647
srcMac
MAC address to match against the source MAC address of an incoming IPv4 packet.
srcMacMask
Used to define range of Source MAC address. It takes string of 0 and 1, 0s are for exact match and 1s for wildcard. For matching first 3 bytes of MAC address, srcMacMask value "000000111111". Default value: "000000000000"
protocol
Protocol to match against the protocol of an incoming IPv4 packet.
Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS, GGP, IPoverIP, ST, CBT, BBN-RCC-M, NVP-II, PUP, EMCON, XNET, CHAOS, MUX, DCN-MEAS, HMP, PRM, XNS-IDP, TRUNK-1, TRUNK-2, LEAF-1, LEAF-2, IRTP, ISO-TP4, NETBLT, MFE-NSP, MERIT-INP, SEP, 3PC, IDPR, XTP, DDP, IDPR-CMTP, TP++, IL, IPv6, SDRP, IPv6-Route, IPv6-Frag, IDRP, GRE, MHRP, BNA, ESP, AH, I-NLSP, SWIPE, NARP, MOBILE, TLSP, SKIP, ICMPV6, IPv6-NoNx, IPv6-Opts, Any-Host-Internal-Protocol, CFTP, Any-Local-Network, SAT-EXPAK, KRYPTOLAN, RVD, IPPC, Any-Distributed-File-System, TFTP, VISA, IPCV, CPNX, CPHB, WSN, PVP, BR-SAT-MO, SUN-ND, WB-MON, WB-EXPAK, ISO-IP, VMTP, SECURE-VM, VINES, TTP, NSFNET-IG, DGP, TCF, OSPFIGP, Sprite-RP, LARP, MTP, AX.25, IPIP, MICP, SCC-SP, ETHERIP, Any-Private-Encryption-Scheme, GMTP, IFMP, PNNI, PIM, ARIS, SCPS, QNX, A/N, IPComp, SNP, Compaq-Pe, IPX-in-IP, VRRP, PGM, Any-0-Hop-Protocol, ENCAP, DDX, IATP, STP, SRP, UTI, SMP, SM, PTP, FIRE, CRTP, CRUDP, SSCOPMCE, IPLT, SPS, PIPE, SCTP, FC, RSVP-E2E-IGNORE, Mobility-Header, UDPLite
protocolNumber
Protocol to match against the protocol of an incoming IPv4 packet. Minimum value: 1 Maximum value: 255
vlan
ID of the VLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VLAN. If you do not specify a VLAN ID, the appliance applies the ACL rule to the incoming packets on all VLANs. Minimum value: 1 Maximum value: 4094
vxlan
ID of the VXLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VXLAN. If you do not specify a VXLAN ID, the appliance applies the ACL rule to the incoming packets on all VXLANs. Minimum value: 1 Maximum value: 16777215
interface
ID of an interface. The Citrix ADC applies the ACL rule only to the incoming packets from the specified interface. If you do not specify any value, the appliance applies the ACL rule to the incoming packets of all interfaces.
established
Allow only incoming TCP packets that have the ACK or RST bit set, if the action set for the ACL rule is ALLOW and these packets match the other conditions in the ACL rule.
icmpType
ICMP Message type to match against the message type of an incoming ICMP packet. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type.
Note: This parameter can be specified only for the ICMP protocol. Minimum value: 0 Maximum value: 65536
icmpCode
Code of a particular ICMP message type to match against the ICMP code of an incoming ICMP packet. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code.
If you set this parameter, you must set the ICMP Type parameter. Minimum value: 0 Maximum value: 65536
priority
Priority for the extended ACL rule that determines the order in which it is evaluated relative to the other extended ACL rules. If you do not specify priorities while creating extended ACL rules, the ACL rules are evaluated in the order in which they are created. Minimum value: 1 Maximum value: 100000
state
Enable or disable the extended ACL rule. After you apply the extended ACL rules, the Citrix ADC compares incoming packets against the enabled extended ACL rules.
Possible values: ENABLED, DISABLED Default value: ENABLED
logstate
Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server.
Possible values: ENABLED, DISABLED Default value: DISABLED
ratelimit
Maximum number of log messages to be generated per second. If you set this parameter, you must enable the Log State parameter. Default value: 100 Minimum value: 1 Maximum value: 10000
type
Type of the acl ,default will be CLASSIC. Available options as follows: * CLASSIC - specifies the regular extended acls. * DFD - cluster specific acls,specifies hashmethod for steering of the packet in cluster .
Possible values: CLASSIC, DFD Default value: CLASSIC
dfdhash
Specifies the type hashmethod to be applied, to steer the packet to the FP of the packet.
Possible values: SIP-SPORT-DIP-DPORT, SIP, DIP, SIP-DIP, SIP-SPORT, DIP-DPORT
stateful
If stateful option is enabled, transparent sessions are created for the traffic hitting this ACL and not hitting any other features like LB, INAT etc.
Possible values: YES, NO Default value: NO
Example¶
add ns acl restrict DENY -srcport 45-1024 -destIP 192.168.1.1 -protocol TCP
Related Commands¶
rm ns acl¶
Removes an extended ACL rule from the Citrix ADC. To commit this operation, you must apply the extended ACLs.
Synopsis¶
rm ns acl <aclname> ...
Arguments¶
aclname
Name of the extended ACL rule that you want to remove.
Example¶
rm ns acl restrict
Related Commands¶
set ns acl¶
Modifies the parameters of an ACL rule. To commit this operation, you must apply the extended ACLs.
Synopsis¶
set ns acl <aclname> [-aclaction <aclaction>] [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-srcMac <mac_addr> [-srcMacMask <string>]] [-protocol <protocol> | -protocolNumber <positive_integer>] [-icmpType <positive_integer> [-icmpCode <positive_integer>]] [-vlan <positive_integer> | -vxlan <positive_integer>] [-interface <interface_name>] [-priority <positive_integer>] [-logstate ( ENABLED | DISABLED )] [-ratelimit <positive_integer>] [-established] [-dfdhash <dfdhash>] [-stateful ( YES | NO )]
Arguments¶
aclname
Name of the ACL rule whose parameters you want to modify.
aclaction
Action to perform on incoming IPv4 packets that match the extended ACL rule. Available settings function as follows: * ALLOW - The Citrix ADC processes the packet. * BRIDGE - The Citrix ADC bridges the packet to the destination without processing it. * DENY - The Citrix ADC drops the packet.
Possible values: BRIDGE, DENY, ALLOW
srcIP
IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
operator
Either the equals (=) or does not equal (!=) logical operator.
Possible values: =, !=, EQ, NEQ
srcIPVal
IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example:10.102.29.30-10.102.29.189.
srcPort
Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
operator
Either the equals (=) or does not equal (!=) logical operator.
Possible values: =, !=, EQ, NEQ
srcPortVal
Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90. Maximum value: 65535
destIP
IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
operator
Either the equals (=) or does not equal (!=) logical operator.
Possible values: =, !=, EQ, NEQ
destIPVal
IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
destPort
Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
Note: The destination port can be specified only for TCP and UDP protocols.
operator
Either the equals (=) or does not equal (!=) logical operator.
Possible values: =, !=, EQ, NEQ
destPortVal
Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
Note: The destination port can be specified only for TCP and UDP protocols. Maximum value: 65535
srcMac
MAC address to match against the source MAC address of an incoming IPv4 packet.
srcMacMask
Used to define range of Source MAC address. It takes string of 0 and 1, 0s are for exact match and 1s for wildcard. For matching first 3 bytes of MAC address, srcMacMask value "000000111111". Default value: "000000000000"
protocol
Protocol to match against the protocol of an incoming IPv4 packet.
Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS, GGP, IPoverIP, ST, CBT, BBN-RCC-M, NVP-II, PUP, EMCON, XNET, CHAOS, MUX, DCN-MEAS, HMP, PRM, XNS-IDP, TRUNK-1, TRUNK-2, LEAF-1, LEAF-2, IRTP, ISO-TP4, NETBLT, MFE-NSP, MERIT-INP, SEP, 3PC, IDPR, XTP, DDP, IDPR-CMTP, TP++, IL, IPv6, SDRP, IPv6-Route, IPv6-Frag, IDRP, GRE, MHRP, BNA, ESP, AH, I-NLSP, SWIPE, NARP, MOBILE, TLSP, SKIP, ICMPV6, IPv6-NoNx, IPv6-Opts, Any-Host-Internal-Protocol, CFTP, Any-Local-Network, SAT-EXPAK, KRYPTOLAN, RVD, IPPC, Any-Distributed-File-System, TFTP, VISA, IPCV, CPNX, CPHB, WSN, PVP, BR-SAT-MO, SUN-ND, WB-MON, WB-EXPAK, ISO-IP, VMTP, SECURE-VM, VINES, TTP, NSFNET-IG, DGP, TCF, OSPFIGP, Sprite-RP, LARP, MTP, AX.25, IPIP, MICP, SCC-SP, ETHERIP, Any-Private-Encryption-Scheme, GMTP, IFMP, PNNI, PIM, ARIS, SCPS, QNX, A/N, IPComp, SNP, Compaq-Pe, IPX-in-IP, VRRP, PGM, Any-0-Hop-Protocol, ENCAP, DDX, IATP, STP, SRP, UTI, SMP, SM, PTP, FIRE, CRTP, CRUDP, SSCOPMCE, IPLT, SPS, PIPE, SCTP, FC, RSVP-E2E-IGNORE, Mobility-Header, UDPLite
protocolNumber
Protocol to match against the protocol of an incoming IPv4 packet. Minimum value: 1 Maximum value: 255
icmpType
ICMP Message type to match against the message type of an incoming ICMP packet. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type.
Note: This parameter can be specified only for the ICMP protocol. Minimum value: 0 Maximum value: 65536
icmpCode
Code of a particular ICMP message type to match against the ICMP code of an incoming ICMP packet. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code.
If you set this parameter, you must set the ICMP Type parameter. Minimum value: 0 Maximum value: 65536
vlan
ID of the VLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VLAN. If you do not specify a VLAN ID, the appliance applies the ACL rule to the incoming packets on all VLANs. Minimum value: 1 Maximum value: 4094
vxlan
ID of the VXLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VXLAN. If you do not specify a VXLAN ID, the appliance applies the ACL rule to the incoming packets on all VXLANs. Minimum value: 1 Maximum value: 16777215
interface
ID of an interface. The Citrix ADC applies the ACL rule only to the incoming packets from the specified interface. If you do not specify any value, the appliance applies the ACL rule to the incoming packets of all interfaces.
priority
Priority for the extended ACL rule that determines the order in which it is evaluated relative to the other extended ACL rules. If you do not specify priorities while creating extended ACL rules, the ACL rules are evaluated in the order in which they are created. Minimum value: 1 Maximum value: 100000
logstate
Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server.
Possible values: ENABLED, DISABLED Default value: DISABLED
ratelimit
Maximum number of log messages to be generated per second. If you set this parameter, you must enable the Log State parameter. Default value: 100 Minimum value: 1 Maximum value: 10000
established
Allow only incoming TCP packets that have the ACK or RST bit set, if the action set for the ACL rule is ALLOW and these packets match the other conditions in the ACL rule.
dfdhash
Specifies the type hashmethod to be applied, to steer the packet to the FP of the packet.
Possible values: SIP-SPORT-DIP-DPORT, SIP, DIP, SIP-DIP, SIP-SPORT, DIP-DPORT
stateful
If stateful option is enabled, transparent sessions are created for the traffic hitting this ACL and not hitting any other features like LB, INAT etc.
Possible values: YES, NO Default value: NO
Example¶
set ns acl restrict -srcPort 50
Related Commands¶
unset ns acl¶
Resets the attributes of the specified extended ACL rule. Attributes for which a default value is available revert to their default values. Refer to the set ns acl command for a description of the parameters..Refer to the set ns acl command for meanings of the arguments.
Synopsis¶
unset ns acl <aclname> [-srcIP] [-srcPort] [-destIP] [-destPort] [-srcMac] [-srcMacMask] [-protocol] [-icmpType] [-icmpCode] [-vlan] [-vxlan] [-interface] [-logstate] [-ratelimit] [-established] [-stateful] [-dfdhash]
Example¶
unset ns acl rule1 -srcPort
Related Commands¶
enable ns acl¶
Enables an extended ACL rule. To commit this operation, you must apply the extended ACLs. After you apply the extended ACL rules, the Citrix ADC compares incoming packets against the enabled extended ACL rules.
Synopsis¶
enable ns acl <aclname> ...
Arguments¶
aclname
Name of the extended ACL rule that you want to enable.
Example¶
enable ns acl foo
Related Commands¶
disable ns acl¶
Disables an extended ACL rule. To commit this operation, you must apply the extended ACLs. After you apply the ACL rules, the Citrix ADC does not compare incoming packets against the disabled extended ACL rules.
Synopsis¶
disable ns acl <aclname> ...
Arguments¶
aclname
Name of the extended ACL rule that you want to disable.
Example¶
disable ns acl foo
Related Commands¶
stat ns acl¶
Displays statistics related to the extended ACL rules. To display statistics of all the extended ACL rules, run the command without any parameters. To display statistics of a particular extended ACL rule, specify the name of the extended ACL rule.
Synopsis¶
stat ns acl [<aclname>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>] [-clearstats ( basic | full )]
Arguments¶
aclname
Name of the extended ACL rule whose statistics you want the Citrix ADC to display.
detail
Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.
fullValues
Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated
ntimes
The number of times, in intervals of seven seconds, the statistics should be displayed. Default value: 1 Minimum value: 0
logFile
The name of the log file to be used as input.
clearstats
Clear the statsistics / counters
Possible values: basic, full
Output¶
count
devno
stateflag
Counters¶
Bridge ACL hits (ACLBdg)
Packets matching a bridge ACL, which is in transparent mode and bypasses service processing.
Deny ACL hits (ACLDeny)
Packets dropped because they match ACLs with processing mode set to DENY.
Allow ACL hits (ACLAllow)
Packets matching ACLs with processing mode set to ALLOW. Citrix ADC processes these packets.
NAT ACL hits (ACLNAT)
Packets matching a NAT ACL, resulting in a NAT session.
ACL hits (ACLHits)
Packets matching an ACL.
ACL misses (ACLMiss)
Packets not matching any ACL.
ACL Count (ACLCount)
Total number of ACL rules configured.
DFD ACL hits (dfdACLHits)
Packets matching an dfd ACL.
DFD ACL misses (dfdACLMiss)
Packets not matching any DFD ACL.
DFD ACL Count (dfdACLCount)
Total number of DFD ACL rules configured.
Hits for this ACL (Hits)
Number of times the acl was hit
Example¶
stat acl
Related Commands¶
rename ns acl¶
Renames an extended ACL rule.
Synopsis¶
rename ns acl <aclname> <newName>
Arguments¶
aclname
Name of the extended ACL rule that you want to rename.
newName
New name for the extended ACL rule. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.
Example¶
rename acl rule rule-new
show ns acl¶
Displays settings related to the extended ACL rules. To display settings of all the extended ACL rules, run the command without any parameters. To display settings of a particular extended ACL rule, specify the name of the extended ACL rule.
Synopsis¶
show ns acl [<aclname>] [-type ( CLASSIC | DFD )]
Arguments¶
aclname
Name of the extended ACL rule whose details you want the Citrix ADC to display.
type
default will display both CLASSIC and DFD
Possible values: CLASSIC, DFD
Output¶
td
Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.
aclaction
Action to perform on incoming IPv4 packets that match the extended ACL rule. Available settings function as follows: * ALLOW - The Citrix ADC processes the packet. * BRIDGE - The Citrix ADC bridges the packet to the destination without processing it. * DENY - The Citrix ADC drops the packet.
srcMac
MAC address to match against the source MAC address of an incoming IPv4 packet.
srcMacMask
Used to define range of Source MAC address. It takes string of 0 and 1, 0s are for exact match and 1s for wildcard. For matching first 3 bytes of MAC address, srcMacMask value "000000111111".
stateflag
ACL state flag.
protocol
The protocol number in IP header or name.
protocolNumber
The protocol number in IP header or name.
srcPortVal
Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
operator
Either the equals (=) or does not equal (!=) logical operator.
destPortVal
Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
Note: The destination port can be specified only for TCP and UDP protocols.
operator
Either the equals (=) or does not equal (!=) logical operator.
srcIPVal
IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example:10.102.29.30-10.102.29.189.
operator
Either the equals (=) or does not equal (!=) logical operator.
destIPVal
IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
operator
Either the equals (=) or does not equal (!=) logical operator.
vlan
ID of the VLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VLAN. If you do not specify a VLAN ID, the appliance applies the ACL rule to the incoming packets on all VLANs.
vxlan
ID of the VXLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VXLAN. If you do not specify a VXLAN ID, the appliance applies the ACL rule to the incoming packets on all VXLANs.
state
Enable or disable the extended ACL rule. After you apply the extended ACL rules, the Citrix ADC compares incoming packets against the enabled extended ACL rules.
TTL
Number of seconds, in multiples of four, after which the extended ACL rule expires. If you do not want the extended ACL rule to expire, do not specify a TTL value.
icmpType
ICMP Message type to match against the message type of an incoming ICMP packet. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type.
Note: This parameter can be specified only for the ICMP protocol.
icmpCode
Code of a particular ICMP message type to match against the ICMP code of an incoming ICMP packet. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code.
If you set this parameter, you must set the ICMP Type parameter.
interface
ID of an interface. The Citrix ADC applies the ACL rule only to the incoming packets from the specified interface. If you do not specify any value, the appliance applies the ACL rule to the incoming packets of all interfaces.
hits
The hits of this ACL.
established
This flag indicates that the ACL should be used for TCP response traffic only.
priority
Priority for the extended ACL rule that determines the order in which it is evaluated relative to the other extended ACL rules. If you do not specify priorities while creating extended ACL rules, the ACL rules are evaluated in the order in which they are created.
kernelstate
The commit status of the ACL.
logstate
Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server.
ratelimit
Packet rate limit for acl logging
time
Time when this acl is applied.
aclassociate
ACL linked
dfdhash
Specifies the type hashmethod to be applied, to steer the packet to the FP of the packet.
stateful
If stateful option is enabled, transparent sessions are created for the traffic hitting this ACL and not hitting any other features like LB, INAT etc.
devno
count
Example¶
sh acl foo Name: foo Action: ALLOW Hits: 0 srcIP = 10.102.1.150 destIP = 202.54.12.47 srcMac: srcMacMask: Protocol: TCP srcPort destPort = 110 Vlan: Interface: Active Status: ENABLED Applied Status: NOTAPPLIED Priority: 1027