show policy rule

show policy rule {all | app-signature | {profile-index profile_index | admin-profile} ether {ether} | icmp6type {icmp6type} | icmptype {icmptype} | ip6dest {ip6dest} | ipdest {ipdest} | ipfrag | ipproto {ipproto} | ipsource { ipsource } | iptos { iptos } | ipttl { ipttl } | macdest { macdest } | macsource { macsource } | port { port } | tcpdestportIP { tcpdestportIP } | tcpsourceportIP { tcpsourceportIP } | udpdestportIP { udpdestportIP } | udpsourceportIP { udpsourceportIP }} {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {cos cos | admin-pid admin_pid }} {detail | wide}

Description

Use this command to display policy classification and admin rule information.

Syntax Description

rule Show current Policy Rule.
all Optional, show all policy rules
app-signature Specifies application signature specific settings.
profile-index Optional: Specify the profile index
admin-profile Optional: Show rule based on Policy ID of 0
mask Optional: Show rule based on the number of most significant bits to match data value.
mask Optional: Show rule based on the number of most significant bits to match data value. Range = 1–144.
port-string Optional: Show rule based on the port number on which this rule is applied; single port in port-string format.
port-string Optional: Show rule based on the port number on which this rule is applied; single port in port-string format.
storage-type Optional: Show rule based on its non-volatile storage type (V - volatile; NV - non-volatile).
non-volatile Show rule with non-volatile storage type.
volatile Show rule with volatile storage type.
drop Show rules that are set to 'drop' any packets which match this rule.
forward Show rules that are set to 'forward' any packets which match this rule.
cos Optional: Show rules with Class of Service.
cos Optional: Show rules with Class of Service (0–255) or -1.
admin-pid Policy ID.
admin-pid Policy ID. Range = 0 - 102.
wide Optional: Extend the concise view beyond 80 columns to display complete rule data.
detail Optional: show all rule information in detail.
port Port string.
port Port string - (data: 1; mask: 16).
macdest MAC destination address.
macdest MAC destination address - (data: a-b-c-d-e-f; mask: 1-48).
ip6dest IPv6 address.
ip6dest IPv6 address (data: aaaa::bbbb; mask 1-128).
ipsource Source IP address.
ipsource Source IP address - (data: a.b.c.d; mask: 1–32).
ipdest Destination IP address.
ipdest Destination IP address - (data: a.b.c.d.; mask: 1–32).
ipfrag IP fragmentation flag.
tcpdestportIP TCP port dst with optional post-fix IPv4 address.
tcpdestportIP TCP port dst with optional post-fix IPv4 address - (data: ab[:c.d.e.f]); mask: 1–48.
udpdestportIP UDP port dst with optional post-fix IPv4 address.
udpdestportIP UDP port dst with optional post-fix IPv4 address - (data: ab[:c.d.e.f]); mask: 1-48.
tcpsourceportIP TCP port src with optional post-fix IPv4 address.
tcpsourceportIP TCP port src with optional post-fix IPv4 address - (data: ab[:c.d.e.f]); mask: 1–48.
udpsourceportIP UDP port src with optional post-fix IPv4 address.
udpsourceportIP UDP port src with optional post-fix IPv4 address - (data: ab[:c.d.e.f]); mask: 1–48.
ipttl IP time to live.
ipttl IP time to live - (data: 0–255).
iptos IPv4 type of service / IPv6 traffic class field.
iptos IPv4 type of service / IPv6 traffic class field - (data: 0–255; mask: 1–8).
ipproto Protocol field in IP packet.
ipproto Protocol field in IP packet - (data: 0–255 or 0-0xFF; mask: 1–8).
ether Type field in Ethernet II packet.
ether Type field in Ethernet II packet - (data: 0–65535 or 0x0-0xFFFF; mask: 1–16).
icmp6type Specifies type code in ICMPv6 packet.
icmp6type ICMPv6 type code [(data: 123.456 (dotted-decimal) or AB-CD (dashed-hexadecimal)] mask: 1–16).
icmptype Specifies type code in ICMP packet.
icmptype ICMP type code (data: a.b; mask: 1–16).

Default

Usage Guidelines

Use this command to display policy classification and admin rule information.

Example

The following example shows policy classification and admin rule information:

# show policy rule
Admn|Rule Type   |Rule Data            |Msk|PortStr  |RS|ST|dPID|aPID|Mir|
admn|MACSource   |00-77-77-77-00-20    | 48|1        | A| V|   5|    |   |
admn|MACSource   |00-77-77-77-00-21    | 48|4        | A| V|   5|    |   |
admn|Port        |1                    | 16|1        | A|NV|    |  22|   |
admn|Port        |4                    | 16|4        | A|NV|    |  22|   |
PID |Rule Type   |Rule Data            |Msk|PortStr  |RS|ST|VLAN|CoS |Mir|
5   |Ether       |2048 (0x800)         | 16|All      | A|NV|fwrd|    |  1|
5   |Ether       |33079 (0x8137)       | 16|All      | A|NV|fwrd|    |  1|
 
Rule Type - Rule Description: Port, MAC Address, IP address etc.
Rule Data - Varies depending on Rule Type
Mask      - Mask size for rule data where applicable
RS - RowStatus:
  A-Active NS-NotInService NR-NotReady CG-CreateAndGo CW-CreateAndWait D-Destroy
ST     - V-Volatile NV-NonVolatile
For Admin Profile Rules (Admn):
  dPID - Dynamic Profile Index
  aPID - Admin Profile Index
For Profile Identifer (PID) Rules:
  VLAN - VLAN ID, drop or forward (fwrd)
  CoS  - Class Of Service
Mir  - Mirror index if assigned

The following example shows detailed policy classification and admin rule information:

# show policy rule detail
========================================
Profile Index       :Admin-Profile
Rule Type           :Port string
Rule Data           :26
Mask                :16
Port                :26
- - - - - - - - - - - - - - - - - - - -
Status              :active
Storage Type        :nonVolatile
Operational-PID     :-1    
Admin-PID           :1     
========================================
========================================
Profile Index       :1
Rule Type           :MAC source address
Rule Data           :00-00-00-00-00-10
Mask                :48
Port                :All ports
- - - - - - - - - - - - - - - - - - - -
Status              :active
Storage Type        :nonVolatile
VLAN                :-1   (Unconfigured)
COS                 :-1   (Unconfigured)
Mirror              :0    (Prohibited)

Rule Hit Count      : 0
Audit Syslog Status : Prohibit
Audit Trap Status   : Prohibit
========================================
Profile Index       :1
Rule Type           :Port string
Match Type 1        :MAC source address
Match Data 1        :192.168.123.100
Match Mask 1        :32
Match Type 2        :IP source address
Match Data 2        :00-00-00-00-00-10
Match Mask 2        :48
Port                :All ports
- - - - - - - - - - - - - - - - - - - -
Status              :active
Storage Type        :nonVolatile
VLAN                :0    (Drop)
COS                 :-1   (Unconfigured)
Mirror              :0    (Prohibited)

Rule Hit Count      : 0
Audit Syslog Status : Enabled
Audit Trap Status   : Prohibit
========================================

History

This command was first available in ExtremeXOS release 16.1.

ICMP and ICMPv6 type information added in ExtremeXOS 22.5.

Mirror information and rule usage counter information were added in ExtremeXOS 30.2.

The app-signature option was added in ExtremeXOS 30.4.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5320, 5420, and 5520 series switches.