Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference
Layer 2 Access List Commands

Table Of Contents

Layer 2 Access List Commands

copy access-list ethernet-service

deny (ES ACL)

ethernet-service access-group

ethernet-services access-list

permit (ES ACL)

resequence access-list ethernet-service

show access-lists ethernet-services

show access-lists ethernet-services trace

show access-list ethernet-service usage pfilter


Layer 2 Access List Commands


This module describes the Cisco IOS XR software commands used to configure Ethernet services (Layer 2) access lists on Cisco ASR 9000 Series Aggregation Services Routers.

An Ethernet services access control list (ACL) consists of one or more access control entries (ACEs) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR software features such as traffic filtering. Each ACL includes an action element (permit or deny) and filter elements based on criteria such as source address, destination address, VLAN ID and CoS value parameters.

For detailed information about Ethernet services ACL concepts, configuration tasks, and examples, see the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide.

copy access-list ethernet-service

To create a copy of an existing Ethernet services access list, use the copy access-list ethernet-service command in EXEC mode.

copy access-list ethernet-service source-acl destination-acl

Syntax Description

source-acl

Name of the access list to be copied.

destination-acl

Name of the destination access list to which the contents of the source-acl argument are copied.


Command Defaults

None

Command Modes

EXEC

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

Use the copy access-list ethernet-service command to copy a configured Ethernet services access list. Use the source-acl argument to specify the access list to be copied and the destination-acl argument to specify where to copy the contents of the source access list. The destination-acl argument must be a unique name; if the destination-acl argument name already exists for an access list, the access list is not copied. The copy access-list ethernet-service command checks that the source access list exists, then checks the existing list names to prevent overwriting existing access lists.

Task ID
Task ID
Operations

acl

read, write

filesystem

execute


Examples

In the following example, a copy of access list list-1 is created as list-2:

RP/0/RSP0/CPU0:router# show access-list ethernet-service list-1
ethernet service access-list list-1
  10 permit any any
  20 permit 2.3.4 5.4.3
RP/0/RSP0/CPU0:router# copy access-list ethernet-service list-1 list-2
RP/0/RSP0/CPU0:router# show access-list ethernet-service list-2
ethernet service access-list list-2
  10 permit any any
  20 permit 2.3.4 5.4.3

Related Commands

Command
Description

deny (ES ACL)

Sets a deny condition for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.

permit (ES ACL)

Sets a permit condition for an Ethernet services access list.

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements.

show access-lists ethernet-services

Displays contents of current Ethernet services access lists.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.


deny (ES ACL)

To set conditions for an Ethernet services access list, use the deny command in Ethernet services access list configuration mode. To remove a condition, use the no form of the command.

[sequence-number] deny {src-mac-address src-mac-mask | any | host | dest-mac-address dest-mac-mask} [{ethertype-number} | capture | vlan min-vlan-ID [max-vlan-ID]] [cos cos-value] [dei] [inner-vlan min-vlan-ID [max-vlan-ID]] [inner-cos cos-value] [inner-dei]

no sequence-number

Syntax Description

sequence-number

(Optional) Number of the deny statement in the access list. This number determines the order of the statements in the access list. The number can be from 1 to 2147483646. (By default, the first statement is number 10, and the subsequent statements are incremented by 10.) Use the resequence access-list ethernet-service command to change the number of the first statement and increment subsequent statements of a configured access list.

src-mac-address

Source MAC address in format H.H.H.

src-mac-mask

Source MAC mask in format H.H.H.

any

Denies any source MAC address and mask.

host

Denies host with a specific host source MAC address and mask, in format H.H.H.

dest-mac-address

Destination MAC address in format H.H.H.

dest-mac-mask

Destination MAC mask in format H.H.H.

ethertype-number

16-bit ethertype number in hexadecimal. Range is 0x1 to 0xffff.

capture

(Optional) Captures packets using the traffic mirroring feature and copies this to a capture file.

vlan

(Optional) Denies a specific VLAN or a range of VLANs.

min-vlan-ID

ID for a specific VLAN or the beginning of a range of VLAN IDs.

max-vlan-ID

(Optional) ID for the end of a range of VLAN IDs.

cos

(Optional) Denies based on class of service value.

cos-value

Class of service value. Range is from 0 to 7.

dei

(Optional) Denies based on the setting of the discard eligibility indicator (DEI).

inner-vlan

(Optional) Denies a specific VLAN ID or range of VLAN IDs for the inner header.

min-vlan-ID

ID for a specific VLAN or the beginning of a range of VLAN IDs.

max-vlan-ID

(Optional) ID for the end of a range of VLAN IDs.

inner-cos

(Optional) Denies based on inner header class of service value.

cos-value

Inner header class of service value. Range is from 0 to 7.

inner-dei

(Optional) Denies based on inner header discard eligibility indicator.


Command Defaults

There is no default condition under which a packet is denied passing the Ethernet services access list.

Command Modes

Ethernet services access list configuration

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

Use the deny command following the ethernet-services access-list command to specify conditions under which a packet can pass the access list.

By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.

You can add permit or deny statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

If you want to add a statement between two consecutively numbered statements (for example, between lines 10 and 11), first use the resequence access-list ethernet-service command to renumber the first statement and increment the entry number of each subsequent statement.

Task ID
Task ID
Operations

acl

read, write


Examples

The following example shows how to define an Ethernet services access list named L2ACL1:

RP/0/RSP0/CPU0:router(config)# ethernet-services access-list L2ACL1
RP/0/RSP0/CPU0:router(config-es-acl)# 10 permit 00ff.eedd.0010 ff00.0000.00ff 0011.ab10.cdef ffff.0000.ff00 vlan 1000-1100 inner-vlan 100 inner-cos 7 inner-dei
RP/0/RSP0/CPU0:router(config-es-acl)# 20 deny host eedd.0011.ff1c ff00.0000.00ff any vlan 300 cos 1 dei inner-vlan 30 inner-cos 6
RP/0/RSP0/CPU0:router(config-es-acl)# 30 permit any any vlan 500 cos 2 inner-vlan 600 inner-cos 5 inner-dei

Related Commands

Command
Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.

ethernet-service access-group

Controls access to an interface.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.

permit (ES ACL)

Sets a permit condition for an Ethernet services access list.

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements.

show access-lists ethernet-services

Displays contents of current Ethernet services access lists.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.


ethernet-service access-group

To control access to an interface, use the ethernet-service access-group command in interface configuration mode. To remove the specified access group, use the no form of the command.

ethernet-service access-group access-list-name {ingress | egress}

no ethernet-service access-group access-list-name {ingress | egress}

Syntax Description

access-list-name

Name of an Ethernet services access list as specified by the ethernet-services access-list command.

ingress

Filters on inbound packets.

egress

Filters on outbound packets.


Command Defaults

The interface does not have an Ethernet services access list applied to it.

Command Modes

Interface configuration

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

Use the ethernet-service access-group command to control access to an interface. To remove the specified access group, use the no form of the command. Use the access-list-name argument to specify a particular Ethernet services access list. Use the ingress keyword to filter on inbound packets or the egress keyword to filter on outbound packets.

If the list permits the addresses, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns a host unreachable message.

If the specified access list does not exist, all packets are passed.

By default, the unique or per-interface ACL statistics are disabled.

Task ID
Task ID
Operations

acl

read, write


Examples

The following example shows how to apply filters on packets inbound and outbound from GigabitEthernet interface 0/2/0/0:

RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/2
RP/0/RSP0/CPU0:router(config-if)# ethernet-service access-group p-ingress-filter ingress
RP/0/RSP0/CPU0:router(config-if)# ethernet-service access-group p-egress-filter egress
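
Because all packets are passed when the access list named in ethernet-service access-group does not exist, a mistyped or deleted ACL name leaves the interface unfiltered in that direction. The following check is an added example, not Cisco code: it scans configuration text for access-group references to ACLs that are never defined. The sample configuration, its running-config layout and the names in it are assumptions constructed for illustration.

```python
import re

# Constructed sample. The commands are the ones documented on this page; the
# running-config layout (indentation, "!" separators) and all names are assumed.
SAMPLE_CONFIG = """\
ethernet-services access-list p-ingress-filter
 10 deny host 0002.0003.0004 any
 20 permit any any
!
ethernet-services access-list spare-acl
 10 permit any any
!
interface GigabitEthernet0/2/0/2
 ethernet-service access-group p-ingress-filter ingress
 ethernet-service access-group p-egress-filter egress
!
interface GigabitEthernet0/2/0/3
 ethernet-service access-group p-ingress-filter ingress
!
"""

ACL_DEF = re.compile(r"^ethernet-services access-list (\S+)\s*$")
INTERFACE = re.compile(r"^interface (.+?)\s*$")
ACCESS_GROUP = re.compile(
    r"^\s+ethernet-service access-group (\S+) (ingress|egress)\s*$"
)


def audit_access_groups(config_text):
    """Cross-check ACL definitions against interface access-group references.

    Returns a dict with:
      dangling: (interface, acl, direction) tuples naming an undefined ACL
      unused:   defined ACL names that no interface references
    """
    defined = set()
    applied = []
    interface = None
    for line in config_text.splitlines():
        acl = ACL_DEF.match(line)
        if acl:
            defined.add(acl.group(1))
            interface = None
            continue
        iface = INTERFACE.match(line)
        if iface:
            interface = iface.group(1)
            continue
        group = ACCESS_GROUP.match(line)
        if group and interface is not None:
            applied.append((interface, group.group(1), group.group(2)))
        elif line and not line[0].isspace():
            # Any other top-level line (such as "!") ends the interface block.
            interface = None
    dangling = [entry for entry in applied if entry[1] not in defined]
    used = {name for _, name, _ in applied}
    return {"dangling": dangling, "unused": sorted(defined - used)}


if __name__ == "__main__":
    report = audit_access_groups(SAMPLE_CONFIG)
    for interface, name, direction in report["dangling"]:
        print(f"{interface}: {direction} ACL '{name}' is not defined")
    for name in report["unused"]:
        print(f"ACL '{name}' is defined but not applied to any interface")
```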

Related Commands

Command
Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.

deny (ES ACL)

Sets a deny condition for an Ethernet services access list.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.

permit (ES ACL)

Sets a permit condition for an Ethernet services access list.

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements.

show access-lists ethernet-services

Displays contents of current Ethernet services access lists.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.


ethernet-services access-list

To define an Ethernet services (Layer 2) access list by name, use the ethernet-services access-list command in global configuration mode. To remove all entries in an Ethernet services access list, use the no form of the command.

ethernet-services access-list access-list-name

no ethernet-services access-list access-list-name

Syntax Description

access-list-name

Name of the Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.


Command Defaults

No Ethernet services access list is defined.

Command Modes

Global configuration

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

The ethernet-services access-list command places the router in access list configuration mode, in which the denied or permitted access conditions must be defined with the deny (ES ACL) or permit (ES ACL) command.

Use the resequence access-list ethernet-service command if you need to add a permit or deny statement between consecutive entries in an existing Ethernet services access list.

Task ID
Task ID
Operations

acl

read, write


Examples

The following example shows how to define an Ethernet services access list named L2ACL1:

RP/0/RSP0/CPU0:router(config)# ethernet-services access-list L2ACL1

Related Commands

Command
Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.

deny (ES ACL)

Sets a deny condition for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.

permit (ES ACL)

Sets a permit condition for an Ethernet services access list.

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements.

show access-lists ethernet-services

Displays contents of current Ethernet services access lists.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.


permit (ES ACL)

To set conditions for an Ethernet services access list, use the permit command in Ethernet services access list configuration mode. To remove a condition, use the no form of the command.

[sequence-number] permit {src-mac-address src-mac-mask | any | host | dest-mac-address dest-mac-mask} [{ethertype-number} | capture | vlan min-vlan-ID [max-vlan-ID]] [cos cos-value] [dei] [inner-vlan min-vlan-ID [max-vlan-ID]] [inner-cos cos-value] [inner-dei]

no sequence-number

Syntax Description

sequence-number

(Optional) Number of the permit statement in the access list. This number determines the order of the statements in the access list. The number can be from 1 to 2147483646. (By default, the first statement is number 10, and the subsequent statements are incremented by 10.) Use the resequence access-list ethernet-service command to change the number of the first statement and increment subsequent statements of a configured access list.

src-mac-address

Source MAC address in format H.H.H.

src-mac-mask

Source MAC mask in format H.H.H.

any

Permits any source MAC address and mask.

host

Permits host with a specific host source MAC address and mask, in format H.H.H.

dest-mac-address

Destination MAC address in format H.H.H.

dest-mac-mask

Destination MAC mask in format H.H.H.

ethertype-number

16-bit ethertype number in hexadecimal. Range is 0x1 to 0xffff.

capture

(Optional) Captures packets using the traffic mirroring feature and copies this to a capture file.

vlan

(Optional) Permits a specific VLAN or a range of VLANs.

min-vlan-ID

ID for a specific VLAN or the beginning of a range of VLAN IDs.

max-vlan-ID

(Optional) ID for the end of a range of VLAN IDs.

cos

(Optional) Permits based on class of service value.

cos-value

Class of service value. Range is from 0 to 7.

dei

(Optional) Permits based on the setting of the discard eligibility indicator (DEI).

inner-vlan

(Optional) Permits a specific VLAN ID or range of VLAN IDs for the inner header.

min-vlan-ID

ID for a specific VLAN or the beginning of a range of VLAN IDs.

max-vlan-ID

(Optional) ID for the end of a range of VLAN IDs.

inner-cos

(Optional) Permits based on inner header class of service value.

cos-value

Inner header class of service value. Range is from 0 to 7.

inner-dei

(Optional) Permits based on inner header discard eligibility indicator.


Command Defaults

There is no specific default condition under which a packet is permitted passing the Ethernet services ACL.

Command Modes

Ethernet services access list configuration

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

Use the permit command following the ethernet-services access-list command to specify conditions under which a packet can pass the access list.

By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.

You can add permit or deny statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

If you want to add a statement between two consecutively numbered statements (for example, between lines 10 and 11), first use the resequence access-list ethernet-service command to renumber the first statement and increment the entry number of each subsequent statement.

Task ID
Task ID
Operations

acl

read, write


Examples

The following example shows how to set a permit condition for an access list named L2ACL1:

RP/0/RSP0/CPU0:router(config)# ethernet-services access-list L2ACL1
RP/0/RSP0/CPU0:router(config-es-al)# 10 permit 00ff.eedd.0010 ff00.0000.00ff 0011.ab10.cdef ffff.0000.ff00 vlan 1000-1100 inner-vlan 100 inner-cos 7 inner-dei
RP/0/RSP0/CPU0:router(config-es-al)# 20 permit any host 000a.000b.000c 0800 vlan 500 cos 2 inner-vlan 600 inner-cos 5 inner-dei
RP/0/RSP0/CPU0:router(config-es-al)# 30 permit any host 000a.000b.000c 8137 vlan 500 cos 2 inner-vlan 600 inner-cos 5 inner-dei

Related Commands

Command
Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.

deny (ES ACL)

Sets a deny condition for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements.

show access-lists ethernet-services

Displays contents of current Ethernet services access lists.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.


resequence access-list ethernet-service

To renumber existing statements and increment subsequent statements to allow a new Ethernet services access list statement, use the resequence access-list ethernet-service command in EXEC mode.

resequence access-list ethernet-service access-list-name [starting-sequence-number [increment]]

Syntax Description

access-list-name

Name of the Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

starting-sequence-number

(Optional) Number of the first statement in the specified access list, which determines its order in the access list. Maximum value is 2147483646. Default is 10.

increment

(Optional) Number by which the base sequence number is incremented for subsequent statements. Maximum value is 2147483646. Default is 10.


Command Defaults

starting-sequence-number: 10

increment: 10

Command Modes

EXEC

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

Use the resequence access-list ethernet-service command to add a permit or deny statement between consecutive entries in an existing Ethernet services access list. Specify the first entry number (the starting-sequence-number) and the increment by which to separate the entry numbers of the statements. The software renumbers the existing statements, thereby making room to add new statements with the unused entry numbers.

Task ID
Task ID
Operations

acl

read, write


Examples

In the following example, suppose you have an existing access list:

ethernet service access-list L2ACL1
  10 permit 1.2.3 4.5.6
  20 deny 2.3.4 5.4.3
  30 permit 3.1.2 5.3.4 cos 5

You need to add additional entries in the access list ahead of the first permit statement. First, you resequence the entries, renumbering the statements starting with number 20 and an increment of 10, and then you have room for additional statements between each of the existing statements:

RP/0/RSP0/CPU0:router# resequence access-list ethernet-service L2ACL1 20 10
RP/0/RSP0/CPU0:router# show access-list ethernet-services L2ACL1
ethernet service access-list L2ACL1
  20 permit 1.2.3 4.5.6
  30 deny 2.3.4 5.4.3
  40 permit 3.1.2 5.3.4 cos 5

Related Commands

Command
Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.

deny (ES ACL)

Sets a deny condition for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.

permit (ES ACL)

Sets a permit condition for an Ethernet services access list.

show access-lists ethernet-services

Displays contents of current Ethernet services access lists.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.


show access-lists ethernet-services

To display the contents of current Ethernet services access lists, use the show access-lists ethernet-services command in EXEC mode.

show access-lists ethernet-services [access-list-name | maximum | standby | summary] [hardware | usage] [ingress | egress] [implicit | detail | sequence | location location]

Syntax Description

access-list-name

(Optional) Name of a specific Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

maximum

(Optional) Show the maximum number of configurable Ethernet services ACLs and ACEs.

standby

(Optional) Display all access lists in standby mode.

summary

(Optional) Display a summary of Ethernet services access lists.

hardware

(Optional) Display Ethernet services access list entries in hardware including the match count for a specific ACL in a particular direction across the line card.

usage

(Optional) Display the usage of this ACL in a given location.

ingress

(Optional) Filters on inbound packets.

egress

(Optional) Filters on outbound packets.

implicit

(Optional) Display the count of packets implicitly denied by a particular ACL.

detail

(Optional) Display TCAM entries.

sequence

(Optional) Display statistics for a specific sequence number.

sequence-number

Sequence number value. Range is 1 to 2147483647.

location

(Optional) Display information for a specific node number.

location

Fully qualified location specification


Command Defaults

The contents of all Ethernet services access lists are displayed.

Command Modes

EXEC

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

Task ID
Task ID
Operations

acl

read, write


Examples

The following examples list the defined Ethernet services access list maximum thresholds:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services maximum
  Max configurable ACLs: 10000
  Max configurable ACEs: 350000

RP/0/RSP0/CPU0:router# show access-lists ethernet-services maximum detail
  Total ACLs configured: 2
  Total ACEs configured: 3
  Max configurable ACLs: 10000
  Max configurable ACEs: 350000

The following example lists the Ethernet services access-list standby:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services standby
ethernet-services access-list i
 10 permit host 0001.0002.0003 host 000a.000b.000c
ethernet-services access-list l2_acl
 10 permit any any
 20 deny host 0002.0003.0004 host 0005.0004.0003

The following example displays a summary of the number of Ethernet services ACLs configured on the system:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services summary
ACL Summary:
  Total ACLs configured: 2
  Total ACEs configured: 3

The following example displays the number of packets matching the access list l2_acl for each ACE:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services l2_ACL hardware ingress location 0/0/CPU0
ethernet service access-list l2_acl
  10 permit any any ( 3524 hw matches)
  20 deny host 0002.0003.0004 host 0005.0004.0003 (5394 hw matches)

The following example displays the number of packets matching the implicit deny in access list l2_acl:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services l2_ACL hardware ingress implicit location 0/0/CPU0
ethernet-services access-list l2_acl
 2147483647 implicit deny any any (2300 hw matches)

The following example displays the number of packets matching a particular sequence number:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services l2_ACL hardware ingress sequence 20 location 0/0/CPU0
ethernet-services access-list l2_acl
 20 deny host 0002.0003.0004 host 0005.0004.0003 (5394 hw matches)

The following example displays statistics for the TCAM entry for Ethernet services access list l2acl_4:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services l2acl_4 hardware ingress sequence 10 detail location 0/6/CPU0
Wed Jun 24 00:28:51.367 UTC
ACL name: l2acl_4
Format type : 1
Channel ID: 2
Sequence Number: 10
Grant: permit
Logging: OFF
Hits: 0
Statistics pointer: 0x150628
Number of TCAM entries: 1
idx = 0
Entry : 0 for ACE : 10
RAW value  : 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RAW mask   : 00 03 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 
   
-------------------------------Field Details----------------------------------
outer_vlan_id value     : 0000
outer_vlan_id mask      : 0ffff
outer_vlan discard eligibility value: 00
outer_vlan discard eligibility mask : 01
outer_vlan_id cos value: 00
outer_vlan_id cos mask: 07
Ethernet type value     : 0000
Ethernet type mask      : ffff
Base app id value     : 02
Base app id value     : 00
Base acl id value    : 0001
Base acl id mask     : 0000
outer vlan id present value     : 0
outer vlan id present mask      : 1
inner vlan id present value     : 0
inner vlan id present mask      : 1
Mac source address value     : 0000 0000 0000
Mac source address mask      : ffff ffff ffff
Mac destination address value  : 0000 0000 0000
Mac destination address mask   : ffff ffff ffff
RP/0/RSP0/CPU0:router#
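
The hardware match counters shown in the examples above can be polled and compared to see which deny entries, including the implicit deny at sequence 2147483647, are dropping traffic between polls. This parser is an added example, not part of the Cisco reference. The first sample is modelled on the output on this page; the second poll and the counter-reset handling are assumptions constructed for illustration.

```python
import re

IMPLICIT_DENY_SEQ = 2147483647  # sequence number the page shows for the implicit deny

# First poll: counter lines modelled on the examples above.
POLL_1 = """\
ethernet service access-list l2_acl
  10 permit any any ( 3524 hw matches)
  20 deny host 0002.0003.0004 host 0005.0004.0003 (5394 hw matches)
ethernet-services access-list l2_acl
 2147483647 implicit deny any any (2300 hw matches)
"""

# Second poll: constructed values, not real device output. The counter for
# sequence 20 is lower than before, as it would be after a counter reset.
POLL_2 = """\
ethernet service access-list l2_acl
  10 permit any any ( 3600 hw matches)
  20 deny host 0002.0003.0004 host 0005.0004.0003 (12 hw matches)
ethernet-services access-list l2_acl
 2147483647 implicit deny any any (2310 hw matches)
"""

# The page prints the ACL header both as "ethernet service" and
# "ethernet-services", and pads some counters ("( 3524 hw matches)").
ACL_HEADER = re.compile(r"^ethernet[- ]services? access-list (\S+)\s*$")
ACE_LINE = re.compile(
    r"^\s*(\d+)\s+(implicit\s+)?(permit|deny)\s+(.*?)\s*"
    r"\(\s*(\d+)\s+hw matches\)\s*$"
)


def parse_hw_matches(text):
    """Return {(acl_name, sequence): ace_dict} for every ACE line with a counter.

    Lines without a "(N hw matches)" suffix, prompts and timestamps are skipped.
    """
    counters = {}
    acl = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        ace = ACE_LINE.match(line)
        if ace is None or acl is None:
            continue
        seq, implicit, action, criteria, hits = ace.groups()
        counters[(acl, int(seq))] = {
            "action": action,
            "implicit": implicit is not None,
            "criteria": criteria,
            "hits": int(hits),
        }
    return counters


def deny_deltas(previous, current):
    """Return {(acl_name, sequence): new_matches} for deny ACEs that grew.

    If a counter went down, it is treated as reset and the current value is
    reported as the delta (an assumption about how to handle cleared counters).
    """
    deltas = {}
    for key, ace in current.items():
        if ace["action"] != "deny":
            continue
        before = previous.get(key, {}).get("hits", 0)
        now = ace["hits"]
        delta = now - before if now >= before else now
        if delta > 0:
            deltas[key] = delta
    return deltas


if __name__ == "__main__":
    first = parse_hw_matches(POLL_1)
    second = parse_hw_matches(POLL_2)
    for (acl, seq), delta in sorted(deny_deltas(first, second).items()):
        label = "implicit deny" if seq == IMPLICIT_DENY_SEQ else f"sequence {seq}"
        print(f"{acl} {label}: {delta} new denied packets")
```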

Related Commands

Command
Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.

deny (ES ACL)

Sets a deny condition for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.

permit (ES ACL)

Sets a permit condition for an Ethernet services access list.

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.


show access-lists ethernet-services trace

To display Ethernet services access list trace information, use the show access-lists ethernet-services trace command in EXEC mode.

show access-lists ethernet-services trace {client | intermittent | critical | both | all}

Syntax Description

client

Trace data for ES ACL client.

intermittent

Trace data for intermittent failures.

critical

Trace data for server-critical failures.

both

Trace data for server-critical and intermittent failures.

all

Trace data for server-critical and intermittent failures.


Command Modes

EXEC

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

Task ID
Task ID
Operations

acl

read


Examples

The following examples show how to display Ethernet services access list trace information:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services trace all
1 unique entries (256 possible, 0 filtered)
Jun 15 06:42:56.980 es/acl_mgr_un 0/RSP0/CPU0 1#t3 Manager state is active
3 wrapping entries (1024 possible, 0 filtered, 3 total)
Jun 15 06:42:57.053 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:23:30.075 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:29:41.383 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 2 batches

RP/0/RSP0/CPU0:router# show access-lists ethernet-services trace both
1 unique entries (256 possible, 0 filtered)
Jun 15 06:42:56.980 es/acl_mgr_un 0/RSP0/CPU0 1#t3 Manager state is active
3 wrapping entries (1024 possible, 0 filtered, 3 total)
Jun 15 06:42:57.053 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:23:30.075 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:29:41.383 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 2 batches

RP/0/RSP0/CPU0:router# show access-lists ethernet-services trace critical
1 unique entries (256 possible, 0 filtered)
Jun 15 06:42:56.980 es/acl_mgr_un 0/RSP0/CPU0 1#t3 Manager state is active

RP/0/RSP0/CPU0:router# show access-lists ethernet-services trace intermittent
3 wrapping entries (1024 possible, 0 filtered, 3 total)
Jun 15 06:42:57.053 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:23:30.075 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:29:41.383 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 2 batches

Related Commands

Command
Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.

deny (ES ACL)

Sets a deny condition for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.

permit (ES ACL)

Sets a permit condition for an Ethernet services access list.

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements.

show access-lists ethernet-services

Displays contents of current Ethernet services access lists.

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.


show access-list ethernet-service usage pfilter

To identify the modes and interfaces on which a particular ACL is applied, use the show access-list ethernet-service usage pfilter command in EXEC mode. Information displayed includes the application of all or specific ACLs, the interfaces on which they have been applied and the direction in which they are applied.

show access-list ethernet-services [access-list-name] usage pfilter location {location | all}

Syntax Description

access-list-name

(Optional) Name of a specific Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

location

Interface card on which the access list information is needed.

location

Fully qualified location specification.

all

Displays packet filtering usage for all interface cards.


Command Modes

EXEC

Command History

Release
Modification

Release 3.7.2

This command was introduced.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

Task ID
Task ID
Operations

acl

read, write


Examples

The following example shows how to display packet filter usage at a specific location:

RP/0/RSP0/CPU0:router# show access-list ethernet-services usage pfilter location 0/0/cpu0
pfilter location 0/0/cpu0
Interface : GigabitEthernet0/0/0/9
    Input ACL : l2_acl
    Output ACL : N/A
Interface : GigabitEthernet0/0/0/30
    Input ACL : N/A
    Output ACL : i

The following example shows the results of the command for a specific ACL:

RP/0/RSP0/CPU0:router# show access-list ethernet-services l2_acl usage pfilter location 0/0/CPU0
Interface : GigabitEthernet0/0/0/9
    Input ACL : l2_acl
    Output ACL : N/A

Related Commands

Command
Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.

deny (ES ACL)

Sets a deny condition for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.

permit (ES ACL)

Sets a permit condition for an Ethernet services access list.

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements.

show access-lists ethernet-services

Displays contents of current Ethernet services access lists.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.