Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Define the AACL term actions. You can configure the router to accept or discard the targeted traffic. The action modifiers (count and forwarding-class) are optional.


You can configure one of the following actions:

  • accept—Accept the packets and all subsequent packets in flows that match the rules.

  • discard—Discard the packet and all subsequent packets in flows that match the rules.

When you select accept as the action, you can optionally configure one or both of the following action modifiers. No action modifiers are allowed with the discard action.

  • count (application | application-group | application-group-any | nested-application | none)—For all accepted packets that match the rules, record a packet count using AACL statistics practices. You can specify one of the following options; there is no default setting:

    • application—Count the application that matched in the from clause.

    • application-group—Count the application group that matched in the from clause.

    • application-group-any—Count all application groups that match from application-group-any under the any group name.

    • nested-application—Count all nested applications that matched in the from clause.

    • none—Same as not specifying count as an action.

  • forwarding-class class-name—Specify the packets’ forwarding-class name.

policer policer-name—Apply rate-limiting properties to the traffic as configured at the [edit firewall policer policer-name] hierarchy level. This configuration allows bit-rate and burst-size attributes to be applied to the traffic that are not supported by AACL rules. When you include a policer, the only allowed action is discard. For more information on policers, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 9.5.

policer statement added in Junos OS Release 9.6.

nested-application option for the count statement added in Junos OS Release 11.1.