show policy access-list

show policy access-list { [list_dot_ruleprofile-index profile_index ] | [ {matches [app-signature | ether | icmp6type | icmptype | ipdestsocket | ipfrag | ipproto | ipsourcesocket | iptos | ipttl | tcpdestportIP | tcpsourceportIP | udpdestportIP | udpsourceportIP ] {mask mask} {data data} } {actions [ {drop | forward } {cos cos} {-1} {mirror-destination control_index} {syslog ] } ] } {detail}

Description

Displays access list information.

Syntax Description

access-list Specifies configuring access-list features.
list_dot_rule Access-list name with optional rule name in format list_name {.rule_name}.
profile-index Specifies the profile index.
profile_index Defines the profile index (range 1–63). This options shows all access list information associated with the specified profile.
matches Shows rules with a specific match type, such as match types such as app-signature, ether, etc.
app-signature Shows application signature specific settings.
ether Shows type field in Ethernet II packet.
icmp6type Shows ICMPv6 type.code.
icmptype Specifies the ICMPv6 type.code.
ipdestsocket Specifies the destination IP address with optional post-fixed port.
ipfrag Specifies IP fragmentation flag.
ipproto Specifies protocol field in IP packet.
ipsourcesocket Specifies source IP address with optional post-fixed port.
iptos Specifies IPv4 type of service/IPv6 traffic class field.
ipttl Specifies IP time to live.
tcpdestportIP Specifies TCP port destination with optional post-fix IPv4 address.
tcpsourceportIP Specifies TCP port source with optional post-fix IPv4 address.
udpdestportIP Specifies UDP port destination with optional post-fix IPv4 address.
udpsourceportIP Specifies UDP port source with optional post-fix IPv4 address.
mask Shows rules based on the number of most significant bits to match data value.
mask Specifies mask value (1–144).
Note: You cannot specify "0" because that indicates no mask.
data Specifies showing rules based on the data (corresponds to type option).
data Specifies the data value to show (corresponds to type option).
You can query for any ‘Match data‘ field of the rule types. The data can be full or partial string or a hexadecimal input that starts with “0x” or “0X” or integer data values (for example: IPTTL, IPTOS, IPProto)
Note: Partial matches cannot be found for rule types that have integer values (IPTTL, IPTOS, IPProto, Ether). Since the data field for these rule types only accepts integers (or hex), and are not mixed with IP addresses or ports, it made no sense to do partial matches for these rule types.
actions Shows rules with a specific action, such as CoS, drop, forward, mirror destination, and Syslog.
drop Shows rules that are set to drop any packets that match this rule.
forward Shows rules that are set to forward any packets that match this rule.
-1 Shows rules not assigned a drop or forward action.
cos Shows rules with the specified Class of Service (CoS).
cos Specifies the CoS (0–255 or -1).
mirror-destination Shows rules with the specified mirror destination.
control_index Specifies the mirror destination control index (1–4).
syslog Shows rules with Syslog enabled.
detail Specifies displaying all rule information in detail.

Default

N/A.

Usage Guidelines

This command provides information about all the rules in an access list and the policy profile index that the access list is associated with.

The detail option provides detailed information about each rule.
Note

Note

"Rule Hit Count" is cleared whenever the access list is unassigned from a profile, or the profile's assigned access list changes.

Example

The following example shows information for the access-list "ACL1":

# show policy access-list list-name ACL1
PID |ACL/Rule/Match   |Match Data           |Msk|PortStr  |ST|TS|VLAN|CoS |Mir|
  1 |ACL1                   
       ace4                   
         UDPSrcPort   |135:192.168.0.1      | 22|
         TCPSrcPort   |111:123.190.0.1      | 24|All      |NV|  |drop|    |   |
       ace3                   
         TTL          |22 (0x16)            |  8|All      |NV|  |    |   3|   |
       ace2                   
         IPTOS        |2 (0x2)              |  8|All      |NV|  |    |   2|   |
       ace1                   
         Ether        |23 (0x17)            | 16|All      |NV|T |drop|    |   |

Rule Type - Rule Description: Port, MAC Address, IP address etc.
Rule Data - Varies depending on Rule Type
Mask      - Mask size for rule data where applicable
ST     - V-Volatile NV-NonVolatile
TS     - Flags:
  T-Traps S-Syslog
For Profile Identifer (PID) Rules:
  VLAN - VLAN ID, drop or forward (fwrd)
  CoS  - Class Of Service
Mir  - Mirror index if assigned or prohibited (pro)

The following example shows detailed information about rules that are configured to drop packets:

# show policy access-list action drop detail 
========================================
Access-list:        :ACL1
Profile Index       :1
  Rule Name           :ace4
    Match Type 1      :UDP Source Port
    Match Data 1      :135:192.168.0.1            
    Match Mask 1      :22
    Actions 
      VLAN              :0    (Drop)
      COS               :-1   (Unconfigured)
      Mirror            :-1   (Unconfigured)
      Rule Hit Count    : 0
      Syslog Status     : Disabled
      Trap Status       : Disabled
  Rule Name           :ace1
    Match Type 1      :Ether Type
    Match Data 1      :23
    Match Mask 1      :16
    Actions 
      VLAN              :0    (Drop)
      COS               :-1   (Unconfigured)
      Mirror            :-1   (Unconfigured)
      Rule Hit Count    : 222
      Syslog Status     : Disabled
      Trap Status       : Enabled
========================================
The following example shows explicit and implicit forward rules:
# show policy access-list actions forward
PID |ACL/Rule/Match   |Match Data           |Msk|PortStr  |ST|S|VLAN|CoS |Mir|
31  |ACE
       rule3
         IPDest       |10.4.5.6:22          | 48|
         TCPSrcPort   |62:10.7.8.9          | 48|All      |NV|S|fwrd|   1|  4|
31  |ACE
       rule4
         TCPDestPort  |22                   | 16|
         IPProto      |6 (0x6)              |  8|
         Ether        |2048 (0x800)         | 16|All      |NV|S|fwrd|   7|  2|
31  |ACE
       rule5
         UDPSrcPort   |162:192.1.2.3        | 48|
         UDPDestPort  |163:192.3.2.1        | 48|
         TTL          |5 (0x5)              |  8|
         IPTOS        |5 (0x5)              |  8|All      |NV|S|fwrd|   4|  2|
31  |ACE
       rule7
         IPSource     |10.124.8.9           | 32|
         IPProto      |6 (0x6)              |  8|
         Application  |Health Car ICICIPrude| 72|All      |NV|S|fwrd|   3|  1
The following example displays implicit CoS rule information:
# show policy access-list  actions cos -1
PID |ACL/Rule/Match   |Match Data           |Msk|PortStr  |ST|S|VLAN|CoS |Mir|
31  |ACE
       rule1
         IPSource     |10.1.2.3             | 32|
         ICMPType     |8.0                  | 16|
         Ether        |2048 (0x800)         | 16|All      |NV|S|drop|    |   |

ACL/Rule/Match:
The following example shows partial matches for rules with data "IC":
# show policy access-list data IC
PID |ACL/Rule/Match   |Match Data           |Msk|PortStr  |ST|S|VLAN|CoS |Mir|
31  |ACE
       rule7
         IPSource     |10.124.8.9           | 32|
         IPProto      |6 (0x6)              |  8|
         Application  |Health Car ICICIPrude| 72|All      |NV|S|fwrd|   3|  1|

History

This command was first available in ExtremeXOS 30.5.

Platform Availability

This command is available on all Universal switches supported in this document.