Displays access list information.
| access-list | Specifies configuring access-list features. |
| list_dot_rule | Access-list name with optional rule name in format list_name {.rule_name}. |
| profile-index | Specifies the profile index. |
| profile_index | Defines the profile index (range 1–63). This option shows all access list information associated with the specified profile. |
| matches | Shows rules with a specific match type, such as app-signature, ether, etc. |
| app-signature | Shows application signature specific settings. |
| ether | Shows type field in Ethernet II packet. |
| icmp6type | Shows ICMPv6 type.code. |
| icmptype | Specifies the ICMPv6 type.code. |
| ipdestsocket | Specifies the destination IP address with optional post-fixed port. |
| ipfrag | Specifies IP fragmentation flag. |
| ipproto | Specifies protocol field in IP packet. |
| ipsourcesocket | Specifies source IP address with optional post-fixed port. |
| iptos | Specifies IPv4 type of service/IPv6 traffic class field. |
| ipttl | Specifies IP time to live. |
| tcpdestportIP | Specifies TCP port destination with optional post-fix IPv4 address. |
| tcpsourceportIP | Specifies TCP port source with optional post-fix IPv4 address. |
| udpdestportIP | Specifies UDP port destination with optional post-fix IPv4 address. |
| udpsourceportIP | Specifies UDP port source with optional post-fix IPv4 address. |
| mask | Shows rules based on the number of most significant bits to match data value. |
| mask | Specifies mask value (1–144). Note: You cannot specify "0" because that indicates no mask. |
| data | Specifies showing rules based on the data (corresponds to type option). |
| data | Specifies the data value to show (corresponds to type option). You can query for any 'Match data' field of the rule types. The data can be a full or partial string, a hexadecimal input that starts with "0x" or "0X", or an integer data value (for example: IPTTL, IPTOS, IPProto). Note: Partial matches cannot be found for rule types that have integer values (IPTTL, IPTOS, IPProto, Ether). Because the data field for these rule types accepts only integers (or hex) and is not mixed with IP addresses or ports, partial matching does not apply to these rule types. |
| actions | Shows rules with a specific action, such as CoS, drop, forward, mirror destination, and Syslog. |
| drop | Shows rules that are set to drop any packets that match this rule. |
| forward | Shows rules that are set to forward any packets that match this rule. |
| -1 | Shows rules not assigned a drop or forward action. |
| cos | Shows rules with the specified Class of Service (CoS). |
| cos | Specifies the CoS (0–255 or -1). |
| mirror-destination | Shows rules with the specified mirror destination. |
| control_index | Specifies the mirror destination control index (1–4). |
| syslog | Shows rules with Syslog enabled. |
| detail | Specifies displaying all rule information in detail. |
N/A.
This command provides information about all the rules in an access list and the policy profile index that the access list is associated with.

Note
"Rule Hit Count" is cleared whenever the access list is unassigned from a profile, or the profile's assigned access list changes.

The following example shows information for the access-list "ACL1":
# show policy access-list list-name ACL1
PID |ACL/Rule/Match |Match Data |Msk|PortStr |ST|TS|VLAN|CoS |Mir|
1 |ACL1
ace4
UDPSrcPort |135:192.168.0.1 | 22|
TCPSrcPort |111:123.190.0.1 | 24|All |NV| |drop| | |
ace3
TTL |22 (0x16) | 8|All |NV| | | 3| |
ace2
IPTOS |2 (0x2) | 8|All |NV| | | 2| |
ace1
Ether |23 (0x17) | 16|All |NV|T |drop| | |
Rule Type - Rule Description: Port, MAC Address, IP address etc.
Rule Data - Varies depending on Rule Type
Mask - Mask size for rule data where applicable
ST - V-Volatile NV-NonVolatile
TS - Flags:
T-Traps S-Syslog
For Profile Identifer (PID) Rules:
VLAN - VLAN ID, drop or forward (fwrd)
CoS - Class Of Service
Mir - Mirror index if assigned or prohibited (pro)
The following example shows detailed information about rules that are configured to drop packets:
# show policy access-list action drop detail
========================================
Access-list: :ACL1
Profile Index :1
Rule Name :ace4
Match Type 1 :UDP Source Port
Match Data 1 :135:192.168.0.1
Match Mask 1 :22
Actions
VLAN :0 (Drop)
COS :-1 (Unconfigured)
Mirror :-1 (Unconfigured)
Rule Hit Count : 0
Syslog Status : Disabled
Trap Status : Disabled
Rule Name :ace1
Match Type 1 :Ether Type
Match Data 1 :23
Match Mask 1 :16
Actions
VLAN :0 (Drop)
COS :-1 (Unconfigured)
Mirror :-1 (Unconfigured)
Rule Hit Count : 222
Syslog Status : Disabled
Trap Status : Enabled
========================================
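An added example, not part of the ExtremeXOS documentation: a small Python parser for the `detail` output format shown above, used to list drop rules that have neither Syslog nor Trap enabled. The function names `parse_detail` and `silent_drops` are hypothetical, and the code assumes the CLI text has already been captured and follows the field layout of the sample above.

```python
# Constructed sample: the "action drop detail" output above, trimmed (COS/Mirror omitted).
SAMPLE = """\
========================================
Access-list: :ACL1
Profile Index :1
Rule Name :ace4
Match Type 1 :UDP Source Port
Match Data 1 :135:192.168.0.1
Match Mask 1 :22
Actions
VLAN :0 (Drop)
Rule Hit Count : 0
Syslog Status : Disabled
Trap Status : Disabled
Rule Name :ace1
Match Type 1 :Ether Type
Match Data 1 :23
Match Mask 1 :16
Actions
VLAN :0 (Drop)
Rule Hit Count : 222
Syslog Status : Disabled
Trap Status : Enabled
"""

def parse_detail(text):
    """Parse captured 'detail' text into one dict per rule (hypothetical helper)."""
    rules, ctx = [], {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # "====" separators and the bare "Actions" heading
        key, val = key.strip(), val.strip().lstrip(":").strip()
        if key in ("Access-list", "Profile Index"):
            ctx[key] = val  # applies to every rule that follows
        elif key == "Rule Name":
            rules.append({**ctx, key: val})
        elif rules:
            rules[-1][key] = val
    return rules

def silent_drops(rules):
    """Names of drop rules with neither Syslog nor Trap enabled."""
    return [r["Rule Name"] for r in rules
            if "(Drop)" in r.get("VLAN", "")
            and r.get("Syslog Status") == r.get("Trap Status") == "Disabled"]

if __name__ == "__main__":
    print(silent_drops(parse_detail(SAMPLE)))
```

Because "Rule Hit Count" is cleared when the list is unassigned or the profile's assigned list changes, drop rules reported here are worth reviewing for whether Syslog or Trap should be enabled.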
# show policy access-list actions forward
PID |ACL/Rule/Match |Match Data |Msk|PortStr |ST|S|VLAN|CoS |Mir|
31 |ACE
rule3
IPDest |10.4.5.6:22 | 48|
TCPSrcPort |62:10.7.8.9 | 48|All |NV|S|fwrd| 1| 4|
31 |ACE
rule4
TCPDestPort |22 | 16|
IPProto |6 (0x6) | 8|
Ether |2048 (0x800) | 16|All |NV|S|fwrd| 7| 2|
31 |ACE
rule5
UDPSrcPort |162:192.1.2.3 | 48|
UDPDestPort |163:192.3.2.1 | 48|
TTL |5 (0x5) | 8|
IPTOS |5 (0x5) | 8|All |NV|S|fwrd| 4| 2|
31 |ACE
rule7
IPSource |10.124.8.9 | 32|
IPProto |6 (0x6) | 8|
Application |Health Car ICICIPrude| 72|All |NV|S|fwrd| 3| 1
# show policy access-list actions cos -1
PID |ACL/Rule/Match |Match Data |Msk|PortStr |ST|S|VLAN|CoS |Mir|
31 |ACE
rule1
IPSource |10.1.2.3 | 32|
ICMPType |8.0 | 16|
Ether |2048 (0x800) | 16|All |NV|S|drop| | |
ACL/Rule/Match:
# show policy access-list data IC
PID |ACL/Rule/Match |Match Data |Msk|PortStr |ST|S|VLAN|CoS |Mir|
31 |ACE
rule7
IPSource |10.124.8.9 | 32|
IPProto |6 (0x6) | 8|
Application |Health Car ICICIPrude| 72|All |NV|S|fwrd| 3| 1|
This command was first available in ExtremeXOS 30.5.
This command is available on all Universal switches supported in this document.