ACL Commands
  • 15 Nov 2023
  • 5 Minutes to read
  • Contributors
  • PDF

ACL Commands

  • PDF

Article summary

ACL (Access Control List) CLI commands are categorized as follows:

Configuration Commands

This section includes ACL configuration commands.

deny

Command Objective:
This command specifies the packets to be denied depending upon the associated parameters.

Syntax:

deny { any | host < src-ip-address > | < network-src-ip > < mask > } [ { any | host < dest-ip-address > | < network-dest-ip > < mask > } ]priority <short (1-255)>

Parameter Description:

  • any|host < src-ip-address >| < network-src-ip >< mask > – Denies traffic with the specified source address. The sources are:
    • any – Denies packets from any source.
    • host < src-mac-address > – Denies packets with the specified host source IPv4 address.
    • < src-ip-address > < mask > – Denies packets with the specified source IP address from and the network mask to be used with the source IP address.
  • any|host < dest‑ip‑address >| < network-dest-ip > < mask > – Denies traffic with the specified destination address. The destination can be:
    • any – Denies the packets with any destination.
    • host < dest-ip-address > – Denies packets with the specified host destination IPv4 address.
    • < mask > – Denies packets with the specified destination IP address and the network mask for the given destination IP address.
  • priority < short (1-255) > - Configures the filter priority to decide in which order the filter rule is applicable when the packet matches with more than one filter rule. Higher value of ‘filter priority’ implies a higher priority. This value ranges from 1 to 255.

Mode:
ACL Standard Access List Configuration Mode

Default:

  • any - Source and Destination address are not checked.
  • priority - 1

Example:

Your Product(config-std-nacl)# deny host 100.0.0.10 any priority 5

mac access-group

Command Objective:
This command applies a MAC access control list (ACL) to a Layer 2 interface.

The no form of this command can be used to remove the MAC ACLs from the interface.

Syntax:
mac access-group < access-list-number (1-65535) > {in | out}

no mac access-group [< access-list-number (1-65535) >] {in | out}

Parameter Description:

  • < access‑list‑number(1-65535) > - Specifies the MAC access control list number which is to be enabled on the interface. This value ranges from 1 to 65535.
  • in - Configures the packets as Inbound packets.
    Note: The MAC ACL defined with both Protocol and Encaptype combination cannot be applied to a Layer 2 Interface.
  • out - Configures the packets as Outbound packets.
    Note: Redirect Filter is not applicable for out port.

Mode:
Interface Configuration Mode


Note: MAC access list must have been created.

Example:

Your Product (config-if)# mac access-group 5 in

mac access-list extended

Command Objective:

This command configures Layer 2 MAC Access-list with the specified access-list number and enters the MAC-Access list configuration mode. ACLs in the system perform both access control and layer 2 field classifications. The extended MAC access list number value ranges from 1 to 65535.

The no form of the command deletes the specified MAC access-list.

Syntax:

mac access-list extended < access-list-number (1-65535) >

no mac access-list extended < short (1-65535) >

Mode:
Global Configuration Mode

Example:

Your Product(config)# mac access-list extended 5
Your Product(config-ext-macl)#

permit

Command Objective:
This command configures the packets to be forwarded depending upon the associated parameters. Standard IP access lists use source addresses for matching operations.

Syntax:

permit { any | host <ucast_addr> | <ucast_addr> <ip_mask> } [ {any | host <ip_addr> | <ip_addr> <ip_mask> } ]{priority <short (1-255)>}

Parameter Description:

  • any | host < ucast_addr > | < ucast_addr > < ip_mask > – Specifies the source IP address. The source IP address can be:
    • any – Specifies that packets are forwarded/rejected from any source.
    • host < ucast_addr > – Specifies the host IPv4 address is used for forwarded/rejected the packets.
  • any | host < ip_addr > | < ip_addr > < ip_mask > – Configures the IPv4 address​ and the subnet mask for the IPv4 address.
    • priority < value(1-255) > - Configures the priority of the filter to decide which filter rule is applicable when the packet matches with more than one filter rules. Higher value of ‘filter priority’ implies a higher priority. This value ranges from 1 to 255.

    Mode:
    ACL Standard Access List Configuration Mode

    Default:

    • priority - 1

    Example:

    Your Product (config-std-nacl)# permit any any priority 255
    

    Display Commands

    This section includes ACL display commands.

    show access-lists

    Command Objective:
    This command displays the access lists configuration.

    Syntax:
    show access-lists [{ip < access-list-number (1-65535) > | mac < access-list-number (1-65535) > | user-defined < access-list-number (1-65535) > | < access-list-number (1-65535) >}]

    Parameter Description:

    • ip < access-list-number (1-65535) > – Displays the access lists configuration for the specified IP Access List. This value ranges from 1 to 65535.
    • mac < access-list-number (1-65535) > - Displays the access lists configuration for the specified MAC Access List. This value ranges from 1 to 65535.
    • user-defined < access-list-number (1-65535) > - Displays the access lists configuration for the specified User Defined Access List. This value ranges from 1 to 65535.
    • < access-list-number (1-65535) > - Displays the access list configuration for the specified access list number. This value ranges from 1 to 65535.

    Mode:
    Privileged/User EXEC Mode

    Example:

    Your Product# show access-lists
    
    IP ACCESS LISTS
    -----------------
    Standard IP Access List 34
    ----------------------------
     IP address Type                  : IPV4
     Source IP address                : 172.30.3.134
     Source IP address mask           : 255.255.255.255
     Source IP Prefix Length          : 32
     Destination IP address           : 0.0.0.0
     Destination IP address mask      : 0.0.0.0
     Destination IP Prefix Length     : 0
     Flow Identifier                  : 0
     In Port List                     : NIL
     Out Port List                    : NIL
     Filter Action                    : Deny
     Status                           : InActive
    Extended IP Access List 1002
    -----------------------------
     Filter Priority                  : 1
     Filter Protocol Type             : ANY
     IP address Type                  : IPV4
     Source IP address                : 0.0.0.0
     Source IP address mask           : 0.0.0.0
     Source IP Prefix Length          : 0
     Destination IP address           : 0.0.0.0
     Destination IP address mask      : 0.0.0.0
     Destination IP Prefix Length     : 0
     Flow Identifier                  : 0
     In Port List                     : NIL
     Out Port List                    : NIL
     Filter TOS                       : Invalid combination
     Filter DSCP                      : NIL
     Filter Action                    : Permit
     Status                           : InActive
    Extended IP Access List 10022
    -----------------------------
     Filter Priority                  : 1
     Filter Protocol Type             : ANY
     IP address Type                  : IPV4
     Source IP address                : 0.0.0.0
     Source IP address mask           : 0.0.0.0
     Source IP Prefix Length          : 0
     Destination IP address           : 0.0.0.0
     Destination IP address mask      : 0.0.0.0
     Destination IP Prefix Length     : 0
     Flow Identifier                  : 0
     In Port List                     : NIL
     Out Port List                    : NIL
     Filter TOS                       : Invalid combination
     Filter DSCP                      : NIL
     Filter Action                    : Permit
     Status                           : InActive
    MAC ACCESS LISTS
    -----------------
     No MAC Access Lists have been configured
    

    © 2024 Cisco and/or its affiliates. All rights reserved.
     
    For more information about trademarks, please visit: Cisco trademarks
    For more information about legal terms, please visit: Cisco legal terms

    For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks



    Was this article helpful?

    Changing your password will log you out immediately. Use the new password to log back in.
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.