Displays access list information.
access-list | Specifies configuring access-list features. |
list_dot_rule | Access-list name with optional rule name in format list_name {.rule_name}. |
profile-index | Specifies the profile index. |
profile_index | Defines the profile index (range 1–63). This option shows all access list information associated with the specified profile. |
matches | Shows rules with a specific match type, such as app-signature, ether, etc. |
app-signature | Shows application signature specific settings. |
ether | Shows type field in Ethernet II packet. |
icmp6type | Shows ICMPv6 type.code. |
icmptype | Specifies the ICMPv6 type.code. |
ipdestsocket | Specifies the destination IP address with optional post-fixed port. |
ipfrag | Specifies IP fragmentation flag. |
ipproto | Specifies protocol field in IP packet. |
ipsourcesocket | Specifies source IP address with optional post-fixed port. |
iptos | Specifies IPv4 type of service/IPv6 traffic class field. |
ipttl | Specifies IP time to live. |
tcpdestportIP | Specifies TCP port destination with optional post-fix IPv4 address. |
tcpsourceportIP | Specifies TCP port source with optional post-fix IPv4 address. |
udpdestportIP | Specifies UDP port destination with optional post-fix IPv4 address. |
udpsourceportIP | Specifies UDP port source with optional post-fix IPv4 address. |
mask | Shows rules based on the number of most significant bits to match data value. |
mask | Specifies the mask value (1–144). Note: You cannot specify "0" because that indicates no mask. |
data | Specifies showing rules based on the data (corresponds to type option). |
data | Specifies the data value to show (corresponds to the type option). You can query for any "Match data" field of the rule types. The data can be a full or partial string, a hexadecimal input that starts with "0x" or "0X", or an integer data value (for example: IPTTL, IPTOS, IPProto). Note: Partial matches cannot be found for rule types that have integer values (IPTTL, IPTOS, IPProto, Ether). Since the data field for these rule types only accepts integers (or hex) and is not mixed with IP addresses or ports, partial matches are not meaningful for them. |
actions | Shows rules with a specific action, such as CoS, drop, forward, mirror destination, and Syslog. |
drop | Shows rules that are set to drop any packets that match this rule. |
forward | Shows rules that are set to forward any packets that match this rule. |
-1 | Shows rules not assigned a drop or forward action. |
cos | Shows rules with the specified Class of Service (CoS). |
cos | Specifies the CoS (0–255 or -1). |
mirror-destination | Shows rules with the specified mirror destination. |
control_index | Specifies the mirror destination control index (1–4). |
syslog | Shows rules with Syslog enabled. |
detail | Specifies displaying all rule information in detail. |
N/A.
This command provides information about all the rules in an access list and the policy profile index that the access list is associated with.
Note
"Rule Hit Count" is cleared whenever the access list is unassigned from a profile, or the profile's assigned access list changes.
The following example shows information for the access-list "ACL1":
# show policy access-list list-name ACL1
PID |ACL/Rule/Match        |Match Data       |Msk|PortStr |ST|TS|VLAN|CoS |Mir|
 1  |ACL1 ace4 UDPSrcPort  |135:192.168.0.1  | 22|
    |          TCPSrcPort  |111:123.190.0.1  | 24|All     |NV|  |drop|    |   |
    |     ace3 TTL         |22 (0x16)        |  8|All     |NV|  |    |  3 |   |
    |     ace2 IPTOS       |2 (0x2)          |  8|All     |NV|  |    |  2 |   |
    |     ace1 Ether       |23 (0x17)        | 16|All     |NV|T |drop|    |   |

Rule Type - Rule Description: Port, MAC Address, IP address etc.
Rule Data - Varies depending on Rule Type
Mask      - Mask size for rule data where applicable
ST        - V-Volatile NV-NonVolatile
TS        - Flags: T-Traps S-Syslog
For Profile Identifer (PID) Rules:
VLAN - VLAN ID, drop or forward (fwrd)
CoS  - Class Of Service
Mir  - Mirror index if assigned or prohibited (pro)
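The Msk column is the number of most significant bits of the match data that are compared, so a short mask widens a rule well beyond what its Match Data column suggests. The following added example (not from the ExtremeXOS documentation) applies that mask arithmetic to rule data written as it appears in the output; the bit layout (16-bit port, 32-bit IPv4 address, so a port:IP entry is 48 bits, ICMP type.code is 8+8 bits) is an assumption inferred from the Msk values in the examples, and the function names are this example's own.

```python
import ipaddress

# Field widths in bits of the rule data the mask is applied to (MSB first).
# Assumption inferred from the Msk column of the example output: a port alone
# is 16 bits, an IPv4 address 32, a full port:IP entry 48, ICMP type.code 16.
PORT_BITS, IPV4_BITS, BYTE_BITS, ETHER_BITS = 16, 32, 8, 16
PORT_FIRST = {"UDPSrcPort", "UDPDestPort", "TCPSrcPort", "TCPDestPort"}

def encode_rule_data(match_type: str, data: str) -> tuple[int, int]:
    """Return (value, width) for match data written as it appears in the show output."""
    if match_type in PORT_FIRST:                      # "135:192.168.0.1" or "22"
        port, _, ip = data.partition(":")
        value, width = int(port), PORT_BITS
        if ip:
            value = (value << IPV4_BITS) | int(ipaddress.IPv4Address(ip))
            width += IPV4_BITS
        return value, width
    if match_type in {"IPSource", "IPDest"}:          # "10.4.5.6:22" or "10.124.8.9"
        ip, _, port = data.partition(":")
        value, width = int(ipaddress.IPv4Address(ip)), IPV4_BITS
        if port:
            value = (value << PORT_BITS) | int(port)
            width += PORT_BITS
        return value, width
    if match_type == "ICMPType":                      # "8.0" = type.code
        icmp_type, _, code = data.partition(".")
        return (int(icmp_type) << BYTE_BITS) | int(code), 2 * BYTE_BITS
    if match_type in {"TTL", "IPTOS", "IPProto"}:     # "22 (0x16)": take the decimal part
        return int(data.split()[0], 0), BYTE_BITS
    if match_type == "Ether":                         # "2048 (0x800)"
        return int(data.split()[0], 0), ETHER_BITS
    raise ValueError(f"unsupported match type: {match_type}")

def rule_matches(match_type: str, rule_data: str, mask: int, packet_data: str) -> bool:
    """True if the packet field equals the rule data in its `mask` most significant bits."""
    rule_val, width = encode_rule_data(match_type, rule_data)
    pkt_val, pkt_width = encode_rule_data(match_type, packet_data)
    assert pkt_width == width, "packet field and rule data must have the same layout"
    if not 1 <= mask <= width:                        # 0 is not a valid mask on this command
        raise ValueError(f"mask must be 1..{width}, got {mask}")
    keep = ((1 << mask) - 1) << (width - mask)        # MSB-aligned comparison mask
    return (rule_val & keep) == (pkt_val & keep)

def effective_ipv4_prefix(match_type: str, rule_data: str, mask: int) -> ipaddress.IPv4Network:
    """For a port:IP rule, the IPv4 prefix the mask actually constrains after the 16 port bits."""
    ip = rule_data.partition(":")[2]
    ip_bits = max(0, min(IPV4_BITS, mask - PORT_BITS))
    return ipaddress.ip_network(f"{ip}/{ip_bits}", strict=False)
```

Under that layout, ace4 above (UDPSrcPort 135:192.168.0.1, mask 22) compares the whole port but only 6 address bits, so it matches UDP source port 135 from anywhere in 192.0.0.0/6 rather than from the single host shown.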
The following example shows detailed information about rules that are configured to drop packets:
# show policy access-list action drop detail
========================================
Access-list:   :ACL1
Profile Index  :1
Rule Name      :ace4
Match Type 1   :UDP Source Port
Match Data 1   :135:192.168.0.1
Match Mask 1   :22
Actions
  VLAN         :0 (Drop)
  COS          :-1 (Unconfigured)
  Mirror       :-1 (Unconfigured)
Rule Hit Count : 0
Syslog Status  : Disabled
Trap Status    : Disabled

Rule Name      :ace1
Match Type 1   :Ether Type
Match Data 1   :23
Match Mask 1   :16
Actions
  VLAN         :0 (Drop)
  COS          :-1 (Unconfigured)
  Mirror       :-1 (Unconfigured)
Rule Hit Count : 222
Syslog Status  : Disabled
Trap Status    : Enabled
========================================
# show policy access-list actions forward
PID |ACL/Rule/Match        |Match Data            |Msk|PortStr |ST|S|VLAN|CoS |Mir|
 31 |ACE rule3 IPDest      |10.4.5.6:22           | 48|
    |          TCPSrcPort  |62:10.7.8.9           | 48|All     |NV|S|fwrd|  1 |  4|
 31 |ACE rule4 TCPDestPort |22                    | 16|
    |          IPProto     |6 (0x6)               |  8|
    |          Ether       |2048 (0x800)          | 16|All     |NV|S|fwrd|  7 |  2|
 31 |ACE rule5 UDPSrcPort  |162:192.1.2.3         | 48|
    |          UDPDestPort |163:192.3.2.1         | 48|
    |          TTL         |5 (0x5)               |  8|
    |          IPTOS       |5 (0x5)               |  8|All     |NV|S|fwrd|  4 |  2|
 31 |ACE rule7 IPSource    |10.124.8.9            | 32|
    |          IPProto     |6 (0x6)               |  8|
    |          Application |Health Car ICICIPrude | 72|All     |NV|S|fwrd|  3 |  1|
# show policy access-list actions cos -1
PID |ACL/Rule/Match        |Match Data            |Msk|PortStr |ST|S|VLAN|CoS |Mir|
 31 |ACE rule1 IPSource    |10.1.2.3              | 32|
    |          ICMPType    |8.0                   | 16|
    |          Ether       |2048 (0x800)          | 16|All     |NV|S|drop|    |   |
ACL/Rule/Match:
# show policy access-list data IC
PID |ACL/Rule/Match        |Match Data            |Msk|PortStr |ST|S|VLAN|CoS |Mir|
 31 |ACE rule7 IPSource    |10.124.8.9            | 32|
    |          IPProto     |6 (0x6)               |  8|
    |          Application |Health Car ICICIPrude | 72|All     |NV|S|fwrd|  3 |  1|
This command was first available in ExtremeXOS 30.5.
This command is available on all Universal switches supported in this document.