ACL Commands
  • 15 Nov 2023

ACL (Access Control List) CLI commands are categorized as follows:

Configuration Commands

This section includes ACL configuration commands.

deny

Command Objective:
This command specifies the packets to be denied depending upon the associated parameters.

Syntax:

deny { any | host < src-ip-address > | < network-src-ip > < mask > } [ { any | host < dest-ip-address > | < network-dest-ip > < mask > } ] priority < short (1-255) >

Parameter Description:

  • any | host < src-ip-address > | < network-src-ip > < mask > – Denies traffic with the specified source address. The source can be:
    • any – Denies packets from any source.
    • host < src-ip-address > – Denies packets with the specified host source IPv4 address.
    • < network-src-ip > < mask > – Denies packets whose source IP address, after the network mask is applied, matches the specified network.
  • any | host < dest-ip-address > | < network-dest-ip > < mask > – Denies traffic with the specified destination address. The destination can be:
    • any – Denies packets to any destination.
    • host < dest-ip-address > – Denies packets with the specified host destination IPv4 address.
    • < network-dest-ip > < mask > – Denies packets whose destination IP address, after the network mask is applied, matches the specified network.
  • priority < short (1-255) > – Configures the filter priority, which decides which rule applies when a packet matches more than one filter rule. A higher value of filter priority implies a higher priority, so a permit rule with a higher priority value overrides a deny rule with a lower one. This value ranges from 1 to 255.

Mode:
ACL Standard Access List Configuration Mode

Default:

  • any - Source and Destination address are not checked.
  • priority - 1

Example:

Your Product(config-std-nacl)# deny host 100.0.0.10 any priority 5

mac access-group

Command Objective:
This command applies a MAC access control list (ACL) to a Layer 2 interface.

The no form of this command can be used to remove the MAC ACLs from the interface.

Syntax:
mac access-group < access-list-number (1-65535) > {in | out}

no mac access-group [< access-list-number (1-65535) >] {in | out}

Parameter Description:

  • < access-list-number (1-65535) > – Specifies the number of the MAC access control list to be enabled on the interface. This value ranges from 1 to 65535.
  • in – Applies the ACL to inbound packets.
    Note: A MAC ACL that specifies both a Protocol and an Encaptype cannot be applied to a Layer 2 interface.
  • out – Applies the ACL to outbound packets.
    Note: Redirect filters are not applicable in the out direction.

Mode:
Interface Configuration Mode

Note: The MAC access list must already have been created (see mac access-list extended).

Example:

Your Product(config-if)# mac access-group 5 in

mac access-list extended

Command Objective:

This command configures Layer 2 MAC Access-list with the specified access-list number and enters the MAC-Access list configuration mode. ACLs in the system perform both access control and layer 2 field classifications. The extended MAC access list number value ranges from 1 to 65535.

The no form of the command deletes the specified MAC access-list.

Syntax:

mac access-list extended < access-list-number (1-65535) >

no mac access-list extended < access-list-number (1-65535) >

Mode:
Global Configuration Mode

Example:

Your Product(config)# mac access-list extended 5
Your Product(config-ext-macl)#

permit

Command Objective:
This command configures the packets to be forwarded depending upon the associated parameters. Standard IP access lists match primarily on the source address; the destination address is optional.

Syntax:

permit { any | host < ucast_addr > | < ucast_addr > < ip_mask > } [ { any | host < ip_addr > | < ip_addr > < ip_mask > } ] { priority < short (1-255) > }

Parameter Description:

  • any | host < ucast_addr > | < ucast_addr > < ip_mask > – Specifies the source IP address. The source can be:
    • any – Forwards packets from any source.
    • host < ucast_addr > – Forwards packets with the specified host source IPv4 address.
    • < ucast_addr > < ip_mask > – Forwards packets whose source IPv4 address, after the subnet mask is applied, matches the specified network.
  • any | host < ip_addr > | < ip_addr > < ip_mask > – Specifies the destination IP address. The destination can be:
    • any – Forwards packets to any destination.
    • host < ip_addr > – Forwards packets with the specified host destination IPv4 address.
    • < ip_addr > < ip_mask > – Forwards packets whose destination IPv4 address, after the subnet mask is applied, matches the specified network.
  • priority < short (1-255) > – Configures the priority of the filter, which decides which rule applies when a packet matches more than one filter rule. A higher value of filter priority implies a higher priority. This value ranges from 1 to 255.

Mode:
ACL Standard Access List Configuration Mode

Default:

  • priority - 1

Example:

Your Product(config-std-nacl)# permit any any priority 255

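The filter-priority rule stated for both deny and permit (the rule with the higher value wins when several rules match a packet) has a consequence worth checking before a list goes live: the two examples on this page, deny host 100.0.0.10 any priority 5 and permit any any priority 255, placed in the same list would let 100.0.0.10 through, because the permit carries the higher value. The following Python model is an added example, not Accedian code. It assumes dotted netmasks (the form the show access-lists output displays), treats any as 0.0.0.0 0.0.0.0, returns None when no rule matches rather than guessing the device's implicit action, and refuses to resolve a permit/deny tie at equal priority because the page does not document the tie-break.

```python
"""Model of the filter-priority semantics described for 'deny' and 'permit'.

Added example, not the product's code. Assumptions: address/mask is a dotted
netmask, 'any' is 0.0.0.0 0.0.0.0, no match returns None (the device's implicit
action is not documented here), equal-priority permit/deny ties are rejected.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "0.0.0.0")  # 'any': address and mask are not checked


def _matches(addr: str, rule_addr: str, rule_mask: str) -> bool:
    """Netmask match: (packet & mask) == (rule & mask)."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(rule_mask))
    return (a & m) == (r & m)


def host(addr: str) -> tuple:
    """'host <ip>' is shorthand for <ip> 255.255.255.255."""
    return (addr, "255.255.255.255")


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: tuple = ANY       # (address, mask)
    dst: tuple = ANY
    priority: int = 1      # documented default is 1; valid range 1-255

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be in 1-255")


def evaluate(rules, src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the action of the highest-priority matching rule, or None.

    The page states that the higher priority value wins; it does not say how
    equal priorities are ordered, so a permit/deny tie raises instead of guessing.
    """
    hits = [r for r in rules
            if _matches(src_ip, *r.src) and _matches(dst_ip, *r.dst)]
    if not hits:
        return None
    best = max(r.priority for r in hits)
    winners = [r for r in hits if r.priority == best]
    if len({r.action for r in winners}) > 1:
        raise ValueError(f"permit/deny tie at priority {best}; tie-break undefined")
    return winners[0].action


# The two examples from this page, combined into one list.
PAGE_EXAMPLE = [
    Rule("deny", src=host("100.0.0.10"), priority=5),   # deny host 100.0.0.10 any priority 5
    Rule("permit", priority=255),                       # permit any any priority 255
]

# Same intent, with the deny given the higher value so that it actually wins.
CORRECTED = [
    Rule("deny", src=host("100.0.0.10"), priority=255),
    Rule("permit", priority=1),
]

if __name__ == "__main__":
    print(evaluate(PAGE_EXAMPLE, "100.0.0.10", "10.0.0.1"))  # permit: 255 beats 5
    print(evaluate(CORRECTED, "100.0.0.10", "10.0.0.1"))     # deny
```

The point of the model is the ordering check, not the matching: when a deny is meant to be an exception to a broad permit, the deny must carry the higher priority value, which is the opposite of the first-match habit from other vendors' ACLs.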

Display Commands

This section includes ACL display commands.

show access-lists

Command Objective:
This command displays the access lists configuration.

Syntax:
show access-lists [{ ip < access-list-number (1-65535) > | mac < access-list-number (1-65535) > | user-defined < access-list-number (1-65535) > | < access-list-number (1-65535) > }]

Parameter Description:

  • ip < access-list-number (1-65535) > – Displays the configuration of the specified IP access list. This value ranges from 1 to 65535.
  • mac < access-list-number (1-65535) > – Displays the configuration of the specified MAC access list. This value ranges from 1 to 65535.
  • user-defined < access-list-number (1-65535) > – Displays the configuration of the specified user-defined access list. This value ranges from 1 to 65535.
  • < access-list-number (1-65535) > – Displays the configuration of the specified access list number. This value ranges from 1 to 65535.

Mode:
Privileged/User EXEC Mode

Example:

Your Product# show access-lists

IP ACCESS LISTS
-----------------
Standard IP Access List 34
----------------------------
 IP address Type                  : IPV4
 Source IP address                : 172.30.3.134
 Source IP address mask           : 255.255.255.255
 Source IP Prefix Length          : 32
 Destination IP address           : 0.0.0.0
 Destination IP address mask      : 0.0.0.0
 Destination IP Prefix Length     : 0
 Flow Identifier                  : 0
 In Port List                     : NIL
 Out Port List                    : NIL
 Filter Action                    : Deny
 Status                           : InActive
Extended IP Access List 1002
-----------------------------
 Filter Priority                  : 1
 Filter Protocol Type             : ANY
 IP address Type                  : IPV4
 Source IP address                : 0.0.0.0
 Source IP address mask           : 0.0.0.0
 Source IP Prefix Length          : 0
 Destination IP address           : 0.0.0.0
 Destination IP address mask      : 0.0.0.0
 Destination IP Prefix Length     : 0
 Flow Identifier                  : 0
 In Port List                     : NIL
 Out Port List                    : NIL
 Filter TOS                       : Invalid combination
 Filter DSCP                      : NIL
 Filter Action                    : Permit
 Status                           : InActive
Extended IP Access List 10022
-----------------------------
 Filter Priority                  : 1
 Filter Protocol Type             : ANY
 IP address Type                  : IPV4
 Source IP address                : 0.0.0.0
 Source IP address mask           : 0.0.0.0
 Source IP Prefix Length          : 0
 Destination IP address           : 0.0.0.0
 Destination IP address mask      : 0.0.0.0
 Destination IP Prefix Length     : 0
 Flow Identifier                  : 0
 In Port List                     : NIL
 Out Port List                    : NIL
 Filter TOS                       : Invalid combination
 Filter DSCP                      : NIL
 Filter Action                    : Permit
 Status                           : InActive
MAC ACCESS LISTS
-----------------
 No MAC Access Lists have been configured

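Reading the output above by eye works for three lists; for an audit it is better to parse it. The following Python is an added example, not Accedian code, written against the field layout shown in the example output above (a Standard or Extended IP Access List header followed by key : value lines). The sample text it parses is constructed from that output, and the two checks it makes, a Permit whose source and destination are both 0.0.0.0 0.0.0.0 and any entry whose Status is not Active, are the reviewer's choice, not checks the product performs; that the active state reads "Active" is an assumption.

```python
"""Parse 'show access-lists' output and flag entries worth a second look.

Added example, not product code. Parser follows the layout of the example
output on this page; SAMPLE is constructed from that output. Assumes the
enforcing state of the Status field reads 'Active'.
"""
import re
from typing import Dict, List

HEADER = re.compile(r"^(Standard|Extended) IP Access List (\d+)$")

SAMPLE = """\
IP ACCESS LISTS
-----------------
Standard IP Access List 34
----------------------------
 IP address Type                  : IPV4
 Source IP address                : 172.30.3.134
 Source IP address mask           : 255.255.255.255
 Destination IP address           : 0.0.0.0
 Destination IP address mask      : 0.0.0.0
 In Port List                     : NIL
 Out Port List                    : NIL
 Filter Action                    : Deny
 Status                           : InActive
Extended IP Access List 1002
-----------------------------
 Filter Priority                  : 1
 Filter Protocol Type             : ANY
 Source IP address                : 0.0.0.0
 Source IP address mask           : 0.0.0.0
 Destination IP address           : 0.0.0.0
 Destination IP address mask      : 0.0.0.0
 In Port List                     : NIL
 Out Port List                    : NIL
 Filter Action                    : Permit
 Status                           : InActive
MAC ACCESS LISTS
-----------------
 No MAC Access Lists have been configured
"""


def parse_access_lists(text: str) -> List[Dict[str, str]]:
    """Return one dict per access list; 'kind' and 'number' come from the header."""
    entries: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"kind": m.group(1), "number": m.group(2)}
            entries.append(current)
            continue
        # Skip section titles, dashed rules and anything before the first header.
        if current is None or ":" not in line or set(line) <= {"-"}:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def audit(entries: List[Dict[str, str]]) -> List[str]:
    """Flag permit-all entries and entries whose Status is not 'Active' (assumed label)."""
    findings = []
    for e in entries:
        label = f"{e['kind']} ACL {e['number']}"
        wildcard = all(e.get(k) == "0.0.0.0" for k in (
            "Source IP address", "Source IP address mask",
            "Destination IP address", "Destination IP address mask"))
        if (e.get("Filter Action") == "Permit" and wildcard
                and e.get("Filter Protocol Type", "ANY") == "ANY"):
            findings.append(f"{label}: permits any source to any destination")
        if e.get("Status") != "Active":
            findings.append(f"{label}: Status is {e.get('Status')}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_access_lists(SAMPLE)):
        print(finding)
```

Run against saved output from several devices, the permit-all check is the one that finds real problems: an Extended list such as 1002 above, with 0.0.0.0 source and destination, Protocol ANY and action Permit, matches everything, and under the priority rule documented for permit it will override any deny with a lower priority value in the same list.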

© 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®, the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™ are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/.
