ACL (Access Control List) CLI commands are categorized as follows:
Configuration Commands
This section includes ACL configuration commands.
deny
Command Objective:
This command specifies the packets to be denied depending upon the associated parameters.
Syntax:
deny { any | host < src-ip-address > | < network-src-ip > < mask > } [ { any | host < dest-ip-address > | < network-dest-ip > < mask > } ] priority < short (1-255) >
Parameter Description:
- any | host < src-ip-address > | < network-src-ip > < mask > – Denies traffic from the specified source. The source can be:
- any – Denies packets from any source.
- host < src-ip-address > – Denies packets from the specified host IPv4 address.
- < network-src-ip > < mask > – Denies packets from the specified source network; < mask > is the network mask applied to the source address.
- any | host < dest-ip-address > | < network-dest-ip > < mask > – Denies traffic to the specified destination. The destination can be:
- any – Denies packets to any destination.
- host < dest-ip-address > – Denies packets to the specified host IPv4 address.
- < network-dest-ip > < mask > – Denies packets to the specified destination network; < mask > is the network mask applied to the destination address.
- priority < short (1-255) > – Configures the filter priority, which decides which rule applies when a packet matches more than one filter rule. A higher value means a higher priority. This value ranges from 1 to 255.
Mode:
ACL Standard Access List Configuration Mode
Default:
- any - Source and Destination address are not checked.
- priority - 1
Example:
Your Product(config-std-nacl)# deny host 100.0.0.10 any priority 5
mac access-group
Command Objective:
This command applies a MAC access control list (ACL) to a Layer 2 interface.
The no form of this command can be used to remove the MAC ACLs from the interface.
Syntax:
mac access-group < access-list-number (1-65535) > {in | out}
no mac access-group [< access-list-number (1-65535) >] {in | out}
Parameter Description:
- < access-list-number (1-65535) > – Specifies the number of the MAC access control list to be enabled on the interface. This value ranges from 1 to 65535.
- in – Applies the ACL to inbound packets on the interface.
Note: A MAC ACL defined with both a Protocol and an Encaptype combination cannot be applied to a Layer 2 interface.
- out – Applies the ACL to outbound packets on the interface.
Note: A redirect filter is not applicable in the out direction.
Mode:
Interface Configuration Mode
Note: MAC access list must have been created.
Example:
Your Product (config-if)# mac access-group 5 in
mac access-list extended
Command Objective:
This command configures a Layer 2 MAC access list with the specified access-list number and enters the MAC access list configuration mode. ACLs in the system perform both access control and Layer 2 field classification. The extended MAC access list number ranges from 1 to 65535.
The no form of the command deletes the specified MAC access-list.
Syntax:
mac access-list extended < access-list-number (1-65535) >
no mac access-list extended < access-list-number (1-65535) >
Mode:
Global Configuration Mode
Example:
Your Product(config)# mac access-list extended 5
Your Product(config-ext-macl)#
permit
Command Objective:
This command specifies the packets to be forwarded depending upon the associated parameters. Standard IP access lists match on the source address; a destination address can optionally be given as well.
Syntax:
permit { any | host < ucast_addr > | < ucast_addr > < ip_mask > } [ { any | host < ip_addr > | < ip_addr > < ip_mask > } ] { priority < short (1-255) > }
Parameter Description:
- any | host < ucast_addr > | < ucast_addr > < ip_mask > – Specifies the source address. The source can be:
- any – Permits packets from any source.
- host < ucast_addr > – Permits packets from the specified host IPv4 address.
- < ucast_addr > < ip_mask > – Permits packets from the specified source network; < ip_mask > is the subnet mask applied to the source address.
- any | host < ip_addr > | < ip_addr > < ip_mask > – Specifies the destination address: any destination, a single host IPv4 address, or an IPv4 network with its subnet mask.
- priority < short (1-255) > – Configures the filter priority, which decides which rule applies when a packet matches more than one filter rule. A higher value means a higher priority. This value ranges from 1 to 255.
Mode:
ACL Standard Access List Configuration Mode
Default:
- priority - 1
Example:
Your Product (config-std-nacl)# permit any any priority 255
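The deny and permit commands above share one ordering rule: when a packet matches several entries, the entry with the highest priority value decides. A consequence worth checking before you commit a list is that a broad permit at a high priority silently disables every narrower deny below it; the two page examples, placed together in one list, do exactly that. The following Python model is an added example, not vendor code. It parses lines in the page's syntax, evaluates a packet against a list, and reports entries that can never take effect. It assumes the mask operand is a subnet mask (the show output prints a host as mask 255.255.255.255), that an omitted destination means any, and that among entries of equal priority the first configured one wins, which the page does not specify.

```python
"""Model of the deny/permit priority semantics described on this page.
Added example; not vendor code. Assumes the mask operand is a subnet mask
(the show output lists a host as mask 255.255.255.255) and that among
rules of equal priority the first one configured wins, which the page
does not specify."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    priority: int                # 1-255; the page's default is 1
    text: str                    # CLI line the rule was parsed from


def _operand(tokens):
    """Consume one address operand: any | host A.B.C.D | A.B.C.D MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_rule(line):
    """Parse a 'deny ...' or 'permit ...' line in the page's syntax."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    priority = 1                                 # page default
    if len(tokens) >= 2 and tokens[-2] == "priority":
        priority = int(tokens[-1])
        if not 1 <= priority <= 255:
            raise ValueError("priority must be in 1-255")
        del tokens[-2:]
    src = _operand(tokens)
    dst = _operand(tokens) if tokens else ANY    # destination defaults to any
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return Rule(action, src, dst, priority, line)


def evaluate(rules, src_ip, dst_ip):
    """Return the rule that decides this packet, or None if nothing matches
    (the page does not state what happens to unmatched packets)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    hits = [r for r in rules if s in r.src and d in r.dst]
    if not hits:
        return None
    return max(hits, key=lambda r: r.priority)   # first max wins ties (assumption)


def shadowed(rules):
    """Rules that can never decide a packet: a strictly higher-priority rule
    covers every source/destination pair they cover."""
    return [r for r in rules
            if any(q.priority > r.priority
                   and r.src.subnet_of(q.src) and r.dst.subnet_of(q.dst)
                   for q in rules)]


if __name__ == "__main__":
    # The two examples from the page, placed in one standard ACL.
    acl = [parse_rule("deny host 100.0.0.10 any priority 5"),
           parse_rule("permit any any priority 255")]
    hit = evaluate(acl, "100.0.0.10", "172.30.3.134")
    print(hit.action, "<-", hit.text)            # the permit wins; the deny is dead
    for r in shadowed(acl):
        print("shadowed:", r.text)
```

Run it as a script to see the shadowing: the host 100.0.0.10 is permitted because the permit any any carries priority 255. Giving the permit a lower value than the deny (for example the default priority 1) makes the deny win, and shadowed() then returns an empty list.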
Display Commands
This section includes ACL display commands.
show access-lists
Command Objective:
This command displays the access lists configuration.
Syntax:
show access-lists [{ip < access-list-number (1-65535) > | mac < access-list-number (1-65535) > | user-defined < access-list-number (1-65535) > | < access-list-number (1-65535) >}]
Parameter Description:
- ip < access-list-number (1-65535) > – Displays the access lists configuration for the specified IP Access List. This value ranges from 1 to 65535.
- mac < access-list-number (1-65535) > - Displays the access lists configuration for the specified MAC Access List. This value ranges from 1 to 65535.
- user-defined < access-list-number (1-65535) > - Displays the access lists configuration for the specified User Defined Access List. This value ranges from 1 to 65535.
- < access-list-number (1-65535) > - Displays the access list configuration for the specified access list number. This value ranges from 1 to 65535.
Mode:
Privileged/User EXEC Mode
Example:
Your Product# show access-lists
IP ACCESS LISTS
-----------------
Standard IP Access List 34
----------------------------
IP address Type : IPV4
Source IP address : 172.30.3.134
Source IP address mask : 255.255.255.255
Source IP Prefix Length : 32
Destination IP address : 0.0.0.0
Destination IP address mask : 0.0.0.0
Destination IP Prefix Length : 0
Flow Identifier : 0
In Port List : NIL
Out Port List : NIL
Filter Action : Deny
Status : InActive
Extended IP Access List 1002
-----------------------------
Filter Priority : 1
Filter Protocol Type : ANY
IP address Type : IPV4
Source IP address : 0.0.0.0
Source IP address mask : 0.0.0.0
Source IP Prefix Length : 0
Destination IP address : 0.0.0.0
Destination IP address mask : 0.0.0.0
Destination IP Prefix Length : 0
Flow Identifier : 0
In Port List : NIL
Out Port List : NIL
Filter TOS : Invalid combination
Filter DSCP : NIL
Filter Action : Permit
Status : InActive
Extended IP Access List 10022
-----------------------------
Filter Priority : 1
Filter Protocol Type : ANY
IP address Type : IPV4
Source IP address : 0.0.0.0
Source IP address mask : 0.0.0.0
Source IP Prefix Length : 0
Destination IP address : 0.0.0.0
Destination IP address mask : 0.0.0.0
Destination IP Prefix Length : 0
Flow Identifier : 0
In Port List : NIL
Out Port List : NIL
Filter TOS : Invalid combination
Filter DSCP : NIL
Filter Action : Permit
Status : InActive
MAC ACCESS LISTS
-----------------
No MAC Access Lists have been configured
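The show output above is the record you audit after configuring lists: a permit with source and destination mask 0.0.0.0 matches every packet, and In Port List / Out Port List of NIL means the list is attached to no port. The following Python script is an added example, not vendor code: it parses this output format into one record per IP access list and reports those two conditions. SAMPLE is constructed from two of the three lists shown above; the field names are exactly those the device prints.

```python
"""Parse 'show access-lists' output into records and flag lists that permit
any source to any destination or are bound to no port. Added example, not
vendor code; SAMPLE is constructed from the output shown on this page."""
import re

SAMPLE = """\
IP ACCESS LISTS
-----------------
Standard IP Access List 34
----------------------------
IP address Type : IPV4
Source IP address : 172.30.3.134
Source IP address mask : 255.255.255.255
Source IP Prefix Length : 32
Destination IP address : 0.0.0.0
Destination IP address mask : 0.0.0.0
Destination IP Prefix Length : 0
Flow Identifier : 0
In Port List : NIL
Out Port List : NIL
Filter Action : Deny
Status : InActive
Extended IP Access List 1002
-----------------------------
Filter Priority : 1
Filter Protocol Type : ANY
IP address Type : IPV4
Source IP address : 0.0.0.0
Source IP address mask : 0.0.0.0
Source IP Prefix Length : 0
Destination IP address : 0.0.0.0
Destination IP address mask : 0.0.0.0
Destination IP Prefix Length : 0
Flow Identifier : 0
In Port List : NIL
Out Port List : NIL
Filter TOS : Invalid combination
Filter DSCP : NIL
Filter Action : Permit
Status : InActive
MAC ACCESS LISTS
-----------------
No MAC Access Lists have been configured
"""

LIST_HEADER = re.compile(r"^(Standard|Extended) IP Access List (\d+)$")


def parse_show_access_lists(text):
    """Return one dict per IP access list, keyed by the field names printed."""
    lists, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LIST_HEADER.match(line)
        if m:
            current = {"kind": m.group(1), "number": int(m.group(2))}
            lists.append(current)
        elif current is not None and " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            current[key] = value
        # section banners, dashed rules and blank lines carry no fields
    return lists


def audit(lists):
    """Findings a reviewer would raise from the parsed records."""
    findings = []
    for acl in lists:
        name = f"{acl['kind']} IP Access List {acl['number']}"
        any_src = acl.get("Source IP address mask") == "0.0.0.0"
        any_dst = acl.get("Destination IP address mask") == "0.0.0.0"
        if acl.get("Filter Action") == "Permit" and any_src and any_dst:
            findings.append(f"{name}: permits any source to any destination")
        if acl.get("In Port List") == "NIL" and acl.get("Out Port List") == "NIL":
            findings.append(f"{name}: not bound to any port (In/Out Port List NIL)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_access_lists(SAMPLE)):
        print(finding)
```

On a live device, capture the command output to a file and pass its contents to parse_show_access_lists() instead of SAMPLE; the field names are matched literally, so any change in the device's output format shows up as missing keys rather than silent wrong findings.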
© 2024 Cisco and/or its affiliates. All rights reserved.
For legal information about Accedian Skylight products, please visit: Accedian legal terms and trademarks