Guest

Cisco IOS Software Releases 12.0 S

IP Receive ACL

  • Viewing Options

  • PDF (311.3 KB)
  • Feedback
IP Receive ACL

Table Of Contents

IP Receive ACL

Contents

Prerequisites for IP Receive ACL

Restrictions for IP Receive ACL

Information About IP Receive ACL

Using Access Control Lists

Using an IP Receive ACL

Configuring an IP Receive ACL

Monitoring and Maintaining IP Receive ACL

Displaying Per ACE Counters for IPv6

Information About Behavior Change

Enabling or Disabling Per ACE Counters

Configuring and Displaying Per ACE Counters for IPv6

Configuring and Displaying Aggregate Entries for IPV6

Configuration Examples for IP Receive ACL

Configuring a Receive ACL for IPv4 Traffic

Configuring a Receive ACL for IPv6 Traffic

Displaying the Number of Packets Denied on a Line Card by a Receive ACL

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

ip receive access-list

ipv6 receive access-list

show ipv6 access-list


IP Receive ACL


Part Number OL-8697-01 (Rev A1), August 5, 2010

The IP Receive ACL feature provides basic filtering capability for IPv4 and IPv6 traffic that is received on a router with the following benefits:

The router can protect high-priority routing protocol traffic from an attack because filtering occurs after an input access control list (ACL) is applied on the ingress interface.

You can implement this feature in a security solution to protect a router from remote intrusions and to limit access to Cisco IOS services if unwanted services are inadvertently left enabled. Access to the router can be restricted to known, trusted sources and expected traffic profiles.

On distributed platforms, such as the Cisco 12000 series, the IP receive ACL filters traffic on the distributed line cards before packets are received by the route processor. This feature allows the users to filter denial of service (DoS) floods against the router, thereby preventing the flood from degrading the performance of the route processor.

Feature History

Release
Modification

12.0(22)S

This feature was introduced on the Cisco 12000 series Internet router.

12.0(24)S

This feature was implemented on the Cisco 7500 series.

12.0(31)S

This feature was implemented on the Cisco 10720 Internet Router.

12.0(31)S3
12.0(32)S

This feature was enhanced to filter IPv6 traffic on the Cisco 12000 series Internet router.

12.0(32)SY08

This feature was enhanced to include per access control entry (ACE) counters in the command output of show ipv6 access-list if no-merge option is enabled on the Cisco 12000 series Internet router. If the merge option is enabled, aggregate counters for access control are displayed in the command output of show ipv6 access-list on the Cisco 12000 series Internet router.


Contents

Prerequisites for IP Receive ACL

Restrictions for IP Receive ACL

Information About IP Receive ACL

Configuring an IP Receive ACL

Monitoring and Maintaining IP Receive ACL

Displaying Per ACE Counters for IPv6

Additional References

Command Reference

Prerequisites for IP Receive ACL

Before you configure the IP Receive ACL feature, you must first create the ACL that you want to use to pass or deny traffic, using the access-list (for IPv4 traffic) or ipv6 access-list (for IPv6 traffic) command.

Restrictions for IP Receive ACL

Named ACLs

A named ACL for IPv4 traffic is not supported as the receive ACL.

IPv6 ACLs

When you create a receive ACL using an IPv6 ACL, you must define a unique ACL name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.

Link Bundling

Link-bundling isn't supported for any IPv6 feature, including IPv6 ACLs.

Cisco 10720 Specific Restrictions

On the Cisco 10720 Internet Router, the IP Receive ACL feature is implemented with the following restrictions:

The IP Receive ACL feature is applied only to IPv4 traffic destined for the Route Processor (RP), with the exception of IPv4 options.

The IP Receive ACL feature supports only standard and extended access lists. You cannot use a named ACL as the receive ACL.

Because ICMP ping replies are implemented in PXF (not in the Route Processor as on other platforms), you must configure ICMP filtering separately on each 10720 input interface (not on the RP interface).

Information About IP Receive ACL

To configure the IP Receive ACL feature, you should understand the following concepts:

Using Access Control Lists

Using an IP Receive ACL

Using Access Control Lists

Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified interfaces, use access control lists (also referred to as access lists).

An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The Cisco IOS software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.

The two main tasks involved in using access lists are as follows:

1. Create an access list by specifying an access list number or name and access conditions.

2. Apply the access list to interfaces or terminal lines.

Cisco IOS software supports the following types of access lists for IP packet filtering:

Standard IP access lists that use source addresses for matching operations.

Extended IP access lists that use source and destination addresses for matching operations, and optional protocol type information for finer filtering.

Dynamic extended IP access lists that grant access per user to a specific source or destination host basis through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions. Dynamic access lists and lock-and-key access are described in "Configuring Lock-and-Key Security (Dynamic Access Lists)" in the Cisco IOS Security Configuration Guide.

Reflexive access lists that allow IP packets to be filtered based on session information. Reflexive access lists contain temporary entries, and are nested within an extended, named IP access list. For information on reflexive access lists, refer to the "Configuring IP Session Filtering (Reflexive Access Lists)" chapter in the Cisco IOS Security Configuration Guide and the "Reflexive Access List Commands" chapter in the Cisco IOS Security Command Reference.

For detailed information on how to create and use different types of access lists, refer to:

"Configuring IP Services" chapter in Cisco IOS IP Configuration Guide, Release 12.3

"Access Control Lists: Overview and Guidelines" chapter in Cisco IOS Security Configuration Guide, Release 12.3

The following example shows how to create a numbered access list. In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the Cisco IOS software accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the software accepts addresses on all other network 36.0.0.0 subnets.

access-list 2 permit 36.48.0.3
access-list 2 deny 36.48.0.0 0.0.255.255
access-list 2 permit 36.0.0.0 0.255.255.255
interface ethernet 0
	ip access-group 2 in

Using an IP Receive ACL

You can configure an ACL that you have created to filter IPv4 or IPv6 traffic to process receive IP packets and reduce the CPU load on the route processor of unwanted traffic. In this way, you mitigate the adverse effects of denial-of-service attacks against the router. On a distributed platform, such as the Cisco 12000 series, the IP receive ACL filters traffic on the distributed line cards before IP packets are punted to the route processor, including:

Local addresses configured on router interfaces

Multicast groups of which the router is a member

Link-local unicast and multicast addresses

The following counters are updated for packets processed by the IP Receive ACL feature:

Access control entry (ACE) counters—Displayed with the show access-lists and show ipv6 access-list commands or, on a Cisco 12000 series ISE line card, with the show access-lists hardware interface interface-type slot:port [in | out] command, after you connect to the Cisco IOS image running on the line card using the attach slot-number command:

"Receive policy deny" counter for dropped packets—Displayed with the execute-on slot show controller events command on a Cisco 12000 series Internet router.

The IP Receive ACL feature is designed to be used in any of the following ways, depending on your network configuration and security goals:

Always-on configuration—After you determine the amount of control-plane traffic to be handled by the router, configure an ACL with the set of rules that explicitly permits desired IP packets. At the end of the ACL configuration, include a final deny statement to block all other traffic: deny ip any any (for IPv4 traffic) or deny ipv6 any any (for IPv6 traffic).

Reactive configuration—Either you do not configure a receive ACL to be used by default, or you configure a very permissive receive ACL. You can include an explicit rule to block a denial-of-service attack for when the routers detects an attack.

Traffic analysis —You can configure a receive ACL with permit statements to collect counters for the various types of traffic received on the router.

Configuring an IP Receive ACL

This section describes the procedure for configuring the IP Receive ACL feature.

PREREQUISITES

Before you configure the IP Receive ACL feature, you must create a numbered ACL for IPv4 traffic or a named ACL for IPv6 traffic as follows:

For IPv4 traffic:

To define a standard IP access list, enter the following command:

access-list access-list-number {deny | permit} source [source-wildcard] [log]

To define an extended IP access list, enter the following command:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
{
deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]

For information about the configuration procedure for IPv4 ACLs and command syntax, refer to the "Filtering IP Packets Using Access Lists" section in the "Configuring IP Services" chapter of the Cisco IP Configuration Guide, Release 12.3.

For IPv6 traffic, enter the following commands:

ipv6 access-list access-list-name

permit {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [flow-label value] [fragments] [log] [log-input] [reflect name [timeout value]] [routing] [time-range name] [sequence value]

Or

deny {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [flow-label value] [fragments] [log] [log-input] [routing] [time-range name] [undetermined-transport] [sequence value]

For information about the configuration procedure for IPv6 ACLs and command syntax, refer to the Implementing Security for IPv6

SUMMARY STEPS

1. enable

2. configure terminal

3. ip receive access-list number

Or

ipv6 receive access-list name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip receive access-list number

Example:

Router(config)# ip receive access-list 2


Or

ipv6 receive access-list name

Example:

Router(config)# ipv6 receive access-list deny-telnet

Enables a a numbered ACL for IPv4 traffic or a named ACL for IPv6 traffic as the receive ACL that filters packets destined for the router.

Monitoring and Maintaining IP Receive ACL

To display information about the configured receive ACL, use the following show commands in privileged EXEC mode:

Command
Purpose

Router# show access-lists

Displays the contents of all IPv4 access lists, including counters for permit and deny statements.

Router# execute-on slot slot-number show controller events

Displays the number of packets denied on a specified line card by the receive ACL.

Router# show ip access-list

Displays the contents of one access list.

Note The show ip access-list command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.

Router# show ipv6 access-list

Displays the contents of all current IPv6 access lists, including counters for permit and deny statements.


Displaying Per ACE Counters for IPv6

This section provides details regarding a behavior change in IPv6 functionality introduced in Cisco IOS Release 12.0(32)SY08 on Cisco 12000 series Internet router. It contains the following topics:

Information About Behavior Change

Before Cisco IOS Release 12.0(32)SY08, the per ACE counters were not supported for IPv6 on Cisco 12000 series Internet router. Hence, show ipv6 access-list command output showed only aggregate counters regardless of the merge or no merge option. The feature enhancement done as part of the behavior change in IPv6 ACL feature is that per ACE counters are also displayed in the show ipv6 access-list command outoupt when no-merge option is configured and aggregate counters are displayed when merge option is configured. This behavior change has been introduced in Cisco IOS Release 12.0(32)SY08 on Cisco 12000 series Internet router.

The advantages of displaying per ACE counter entries for IPv6 access-list is:

Ease to deploy IPv6 access-list

Enhances security by using the match information available through per ACE counters

Mitigate attacks using per ACE counter IPv6 match information

Enabling or Disabling Per ACE Counters

To enable display of per ACE counters for IPv6 packets, use the hw-module slot slot-number tcam compile acl no-merge command from global configuration mode. To enable display of aggregate information of IPv6 packets use the no hw-module slot slot-number tcam compile acl no-merge command from global configuration mode:

Command
Purpose

Router# configure

Enters global configuration mode.

Router(config)# hw-module slot slot-number tcam compile acl no-merge

Enables the no-merge option which provisions the display of per ACE counters IPv6 information in the show ipv6 access-list command output.

Router(config)# no hw-module slot slot-number tcam compile acl no-merge


Enables the merge option which provisions an aggregate display of IPv6 information in the show ipv6 access-list command output.


Configuring and Displaying Per ACE Counters for IPv6

This section describes the procedure for configuring and displaying per ACE counters for IPv6 packets.

SUMMARY STEPS

1. enable

2. configure terminal

3. hw-module slot slot-number tcam compile acl no-merge

4. exit

5. show ipv6 access-list V6-Destination-PermitAll-DenyOne

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

hw-module slot slot-number tcam compile acl no-merge

Example:

Router(config)# hw-module slot 2 tcam compile acl no-merge

Enables the no-merge option to display per ACE counter entries for IPv6 in the show ipv6 access-list command output.

Step 4 

exit

Example:

Router(config)# exit

Exits from global configuration mode and enters privilege execution mode.

Step 5 

show ipv6 access-list access-list-name

Example:

Router# show ipv6 access-list V6-Source-PermitAll-DenyOne


IPv6 access list V6-Destination-PermitAll-DenyOne

permit ipv6 any 2600:1::/120 sequence 10

permit ipv6 any 2600:2::/120 sequence 20

permit ipv6 any 2600:3::/120 sequence 30

deny ipv6 any 2600:4::/120 (1000 matches) sequence 40

permit ipv6 any 2600:5::/120 sequence 50

permit ipv6 any 2600:6::/120 sequence 60

permit ipv6 any any sequence 100

Displays the per ACE counter details for IPv6 access-list.

Configuring and Displaying Aggregate Entries for IPV6

This section describes the procedure for configuring and displaying aggregate entries for IPv6 packets.

SUMMARY STEPS

1. enable

2. configure terminal

3. no hw-module slot slot-number tcam compile acl no-merge

4. exit

5. show ipv6 access-list V6-Source-DenyAll-PermitOne

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

no hw-module slot slot-number tcam compile acl no-merge

Example:

Router(config)# no hw-module slot 2 tcam compile acl no-merge

Enables the merge option to display aggregate (total) entries for IPv6 in the show ipv6 access-list command output.

Step 4 

exit

Example:

Router(config)# exit

Exits from global configuration mode and enters privilege execution mode.

Step 5 

show ipv6 access-list access-list-name

Example:

Router# show ipv6 access-list V6-Source-DenyAll-PermitOne


IPv6 access list V6-Source-DenyAll-PermitOne

deny ipv6 2600:1::/120 any sequence 10

deny ipv6 2600:2::/120 any sequence 20

deny ipv6 2600:3::/120 any sequence 30

permit ipv6 2600:4::/120 any sequence 40

deny ipv6 2600:5::/120 any sequence 50

deny ipv6 2600:6::/120 any sequence 60

deny ipv6 any any sequence 100

Displays the aggegate entries for IPv6 access-list.

Configuration Examples for IP Receive ACL

This section contains the following configuration examples for IP Receive ACL:

Configuring a Receive ACL for IPv4 Traffic

Configuring a Receive ACL for IPv6 Traffic

Displaying the Number of Packets Denied on a Line Card by a Receive ACL

Configuring a Receive ACL for IPv4 Traffic

The following example shows how to enable a receive ACL for IPv4 traffic that permits OSPF and BGP packets from one host, and allows the router to respond to pings (excluding fragmented pings):

ip receive access-list 100
access-list 100 deny icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 100 permit ospf any any precedence internet
access-list 100 permit tcp host 10.0.0.1 any eq bgp precedence internet
access-list 100 deny ip any any

Configuring a Receive ACL for IPv6 Traffic

The following example shows how to enable a receive ACL for IPv6 traffic that blocks all attempts to establish a Telnet connection to the router while permitting all other IPv6 traffic:

ipv6 receive access-list deny-telnet
deny tcp any any eq telnet 
permit ipv6 any any 

Displaying the Number of Packets Denied on a Line Card by a Receive ACL

The following example shows how to display the number of packets denied on a specified line card by the receive ACL. The number of denied packets is displayed for the "Receive policy deny" counter:

execute-on slot 5 show controller events

========= Line Card (Slot 5) =========
Drop Counters
Packets punt to RP: 8
HW engine punt: 12889
HW engine reject: 8
Receive policy deny: 12889
Gen4 Packet Sanity Check (Warning): 8

RX HW Engine Reject Counters
MAC ID unrecognized: 8


Additional References

The following sections provide references related to the IP Receive ACL feature.

Related Documents

Related Topic
Document Title

General information about how to use and configure access control lists

"Access Control Lists: Overview and Guidelines" chapter in Cisco IOS Security Configuration Guide, Release 12.3

Configuring IP Access Lists

Information about how to use and configure an IPv4 ACL for traffic filtering

"Filtering IP Packets Using Access Lists" section in the "Configuring IP Services" chapter of the Cisco IP Configuration Guide, Release 12.3

Information about how to use and configure an IPv6 ACL for traffic filtering

Implementing Security for IPv6

Command syntax and usage guidelines for IPv4 ACL configuration commands

"IP Addressing and Services Commands" in the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3

Command syntax and usage guidelines for IPv6 ACL configuration commands

Cisco IOS IPv6 Command Reference


Standards

Standards
Title

No new or modified standards are supported by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature.


Technical Assistance

Description
Link

The Cisco Technical Support website, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0S command reference publications.

ip receive access-list

ipv6 receive access-list

show ipv6 access-list

ip receive access-list

To activate a receive access control list (ACL) for IPv4 traffic, use the ip receive access-list command in global configuration mode. To deactivate the ACL and allow the router to receive all IPv4 traffic, use the no form of this command.

ip receive access-list number

no ip receive access-list number

Syntax Description

number

Number of IPv4 ACL.

Note Named IPv4 ACLs are not supported as the receive ACL.


Defaults

Receive ACLs are not activated, and all IPv4 traffic is permitted.

Command Modes

Global configuration

Command History

Release
Modification

12.0(22)S

This command was introduced on the Cisco 12000 series.

12.0(24)S

This command was implemented on the Cisco 7500 series.

12.0(31)S

This command was implemented on the Cisco 10720 Internet router.


Usage Guidelines

Use the ip receive access-list command to configure a receive ACL that filters IPv4 packets sent to the router.

Examples

The following example shows how to permit Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) packets from one host, and allow the router to respond to pings (excluding fragmented pings):

ip receive access-list 100
access-list 100 deny icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 100 permit ospf any any precedence internet
access-list 100 permit tcp host 10.0.0.1 any eq bgp precedence internet
access-list 100 deny ip any any

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.


ipv6 receive access-list

To activate a receive access control list for IPv6 traffic, use the ipv6 receive access-list command in global configuration mode. To deactivate the ACL and allow the router to receive all IPv6 traffic, use the no form of this command.

ipv6 receive access-list name

no ipv6 receive access-list name

Syntax Description

name

Name of IPv6 ACL.

Note Numbered IPv6 ACLs are not supported as the receive ACL.


Defaults

Receive ACLs are not activated, and all IPv6 traffic is permitted.

Command Modes

Global configuration

Command History

Release
Modification

12.0(32)S

This command was introduced on the Cisco 12000 series.


Usage Guidelines

Use the ipv6 receive access-list command to configure a receive ACL that filters IPv6 packets sent to the router.

Examples

The following example shows how to enable a receive ACL for IPv6 traffic that blocks all attempts to establish a Telnet connection to the router, while permitting all other IPv6 traffic:

ipv6 receive access-list deny-telnet
deny tcp any any eq telnet 
permit ipv6 any any 

Related Commands

Command
Description

ipv6 access-list

Defines an IPv6 access list.


show ipv6 access-list

To display the contents of all current IPv6 access lists, use the show ipv6 access-list command in user EXEC or privileged EXEC mode.

show ipv6 access-list [access-list-name]

Syntax Description

access-list-name

(Optional) Name of access list.


Command Default

All IPv6 access lists are displayed.

Command Modes

User EXEC
Privileged EXEC

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.0(23)S

The priority field was changed to sequence and Layer 4 protocol information (extended IPv6 access list functionality) was added to the display output.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

12.0(32)SY08

The show ipv6 access-list access-list-name command output includes per ACE counter IPv6 details if no-merge option is enabled and if merge option is enabled then show ipv6 access-list access-list-name command output shows aggregate IPv6 entries.


Usage Guidelines

The show ipv6 access-list command provides output similar to the show ip access-list command, except that it is IPv6-specific.

The behavior change has been introduced in command output of show ipv6 access-list access-list-name command in Cisco IOS Release 12.0(32)SY08. The show ipv6 access-list access-list-name command output displays per ACE counter details if no-merge option is enabled. The command output displays aggregate details if merge option is enabled. To enable no-merge option use the hw-module slot slot-no tcam compile acl no-merge command. To enable merge option use the no hw-module slot slot-no tcam compile acl no-merge command from global configuration mode.


Note By default, the merge option is enabled for Engine 3 line cards and no-merge option is enabled for Engine 5 line cards.


Examples

The following output from the show ipv6 access-list command shows IPv6 access lists named inbound, tcptraffic, and outbound:

Router# show ipv6 access-list

IPv6 access list inbound
    permit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10
    permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20
    permit udp any any reflect udptraffic sequence 30

IPv6 access list tcptraffic (reflexive) (per-user)
    permit tcp host 2001:0DB8:1::1 eq bgp host 2001:0DB8:1::2 eq 11000 timeout 300 (time 
        left 243) sequence 1
    permit tcp host 2001:0DB8:1::1 eq telnet host 2001:0DB8:1::2 eq 11001 timeout 300 
        (time left 296) sequence 2

IPv6 access list outbound
    evaluate udptraffic
    evaluate tcptraffic

The following command output from the show ipv6 access-list access-list-name command shows per ACE counters for IPv6 access lists:

Router# show ipv6 access-list V6-Destination-PermitAll-DenyOne
IPv6 access list V6-Destination-PermitAll-DenyOne
    permit ipv6 any 2600:1::/120 sequence 10
    permit ipv6 any 2600:2::/120 sequence 20
    permit ipv6 any 2600:3::/120 sequence 30
    deny ipv6 any 2600:4::/120 (1000 matches) sequence 40
    permit ipv6 any 2600:5::/120 sequence 50
    permit ipv6 any 2600:6::/120 sequence 60
    permit ipv6 any any sequence 100

The following command output from the show ipv6 access-list access-list-name command shows aggregate details for IPv6 access lists:

Router# show ipv6 access-list V6-Source-DenyAll-PermitOne
IPv6 access list V6-Source-DenyAll-PermitOne
    deny ipv6 2600:1::/120 any sequence 10
    deny ipv6 2600:2::/120 any sequence 20
    deny ipv6 2600:3::/120 any sequence 30
    permit ipv6 2600:4::/120 any sequence 40
    deny ipv6 2600:5::/120 any sequence 50
    deny ipv6 2600:6::/120 any sequence 60
    deny ipv6 any any sequence 100
Individual entry match count isn't available from hardware
Aggregated hardware matches: permit/deny 0/1000

Related Commands

Command
Description

clear ipv6 access-list

Resets the IPv6 access list match counters.

show ip access-list

Displays the contents of all current IP access lists.

show ip prefix-list

Displays information about a prefix list or prefix list entries.

show ipv6 prefix-list

Displays information about an IPv6 prefix list or IPv6 prefix list entries.