Cisco ASR 9000 Series Aggregation Services Router VPN and Ethernet Services Command Reference, Release 5.1.x
Layer 2 Access List Commands

For detailed information about Ethernet services ACL concepts, configuration tasks, and examples, see the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide.

copy access-list ethernet-service

To create a copy of an existing Ethernet services access list, use the copy access-list ethernet-service command in EXEC mode.

copy access-list ethernet-service source-acl destination-acl

Syntax Description

source-acl

Name of the access list to be copied.

destination-acl

Name of the destination access list to which the contents of the source-acl argument are copied.

Command Default

None

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the copy access-list ethernet-service command to copy a configured Ethernet services access list. Use the source-acl argument to specify the access list to be copied and the destination-acl argument to specify where to copy the contents of the source access list. The destination-acl argument must be a unique name; if the destination-acl argument name already exists for an access list, the access list is not copied. The copy access-list ethernet-service command checks that the source access list exists, then checks the existing list names to prevent overwriting existing access lists.

Task ID

Task ID

Operations

acl

read, write

filesystem

execute

Examples

In the following example, a copy of access list list-1 is created as list-2:

RP/0/RSP0/CPU0:router# show access-list ethernet-service list-1

ethernet service access-list list-1
  10 permit any any 
  20 permit 2.3.4 5.4.3
RP/0/RSP0/CPU0:router# copy access-list ethernet-service list-1 list-2
RP/0/RSP0/CPU0:router# show access-list ethernet-service list-2
ethernet service access-list list-2
  10 permit any any 
  20 permit 2.3.4 5.4.3

Related Commands

Command

Description

deny (ES ACL)

Sets conditions for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.  

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.  

permit (ES ACL)

Sets conditions for an Ethernet services access list.  

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements to allow a new Ethernet services access list statement.

show access-lists ethernet-services

Displays the contents of current Ethernet services access lists.  

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.  

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.  

deny (ES ACL)

To set conditions for an Ethernet services access list, use the deny command in Ethernet services access list configuration mode. To remove a condition, use the no form of the command.

[sequence-number] deny { src-mac-address src-mac-mask | any | host | dest-mac-address dest-mac-mask } [ ethertype-number | capture | vlan min-vlan-ID [max-vlan-ID] ] [ cos cos-value ] [dei] [ inner-vlan min-vlan-ID [max-vlan-ID] ] [ inner-cos cos-value ] [inner-dei]

no sequence-number

Syntax Description

sequence-number

(Optional) Number of the deny statement in the access list. This number determines the order of the statements in the access list. The number can be from 1 to 2147483646. (By default, the first statement is number 10, and the subsequent statements are incremented by 10.) Use the resequence access-list ethernet-service command to change the number of the first statement and increment subsequent statements of a configured access list.

src-mac-address

Source MAC address in format H.H.H.

src-mac-mask

Source MAC mask in format H.H.H.

any

Denies any source MAC address and mask.

host

Denies host with a specific host source MAC address and mask, in format H.H.H.

dest-mac-address

Destination MAC address in format H.H.H.

dest-mac-mask

Destination MAC mask in format H.H.H.

ethertype-number

16-bit ethertype number in hexadecimal. Range is 0x1 to 0xffff.

capture

(Optional) Captures packets using the traffic mirroring feature and copies this to a capture file.

vlan

(Optional) Denies a specific VLAN or a range of VLANs.

min-vlan-ID

ID for a specific VLAN or the beginning of a range of VLAN IDs.

max-vlan-ID

(Optional) ID for the end of a range of VLAN IDs.

cos

(Optional) Denies based on class of service value.

cos-value

Class of service value. Range is from 0 to 7.

dei

(Optional) Denies based on the setting of the discard eligibility indicator (DEI).

inner-vlan

(Optional) Denies a specific VLAN ID or range of VLAN IDs for the inner header.

min-vlan-ID

ID for a specific VLAN or the beginning of a range of VLAN IDs.

max-vlan-ID

(Optional) ID for the end of a range of VLAN IDs.

inner-cos

(Optional) Denies based on inner header class of service value.

cos-value

Inner header class of service value. Range is from 0 to 7.

inner-dei

(Optional) Denies based on inner header discard eligibility indicator.

Command Default

There is no default condition under which a packet is denied passing the Ethernet services access list.

Command Modes

Ethernet services access list configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the deny command following the ethernet-services access-list command to specify conditions under which a packet can pass the access list.

By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.

You can add permit or deny statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

If you want to add a statement between two consecutively numbered statements (for example, between lines 10 and 11), first use the resequence access-list ethernet-service command to renumber the first statement and increment the entry number of each subsequent statement.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to define an Ethernet services access list named L2ACL1:

RP/0/RSP0/CPU0:router(config)# ethernet-services access-list L2ACL1
RP/0/RSP0/CPU0:router(config-es-acl)# 10 permit 00ff.eedd.0010 ff00.0000.00ff 0011.ab10.cdef ffff.0000.ff00 vlan 1000-1100  inner-vlan 100 inner-cos 7 inner-dei
RP/0/RSP0/CPU0:router(config-es-acl)# 20 deny host eedd.0011.ff1c ff00.0000.00ff any vlan 300  cos 1 dei inner-vlan 30 inner-cos 6
RP/0/RSP0/CPU0:router(config-es-acl)# 30 permit any any vlan 500 cos 2 inner-vlan 600 inner-cos 5 inner-dei

Related Commands

Command

Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.  

ethernet-service access-group

Controls access to an interface.  

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.  

permit (ES ACL)

Sets conditions for an Ethernet services access list.  

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements to allow a new Ethernet services access list statement.

show access-lists ethernet-services

Displays the contents of current Ethernet services access lists.  

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.  

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.  

ethernet-service access-group

To control access to an interface, use the ethernet-service access-group command in interface configuration mode. To remove the specified access group, use the no form of the command.

ethernet-service access-group access-list-name { ingress | egress }

no ethernet-service access-group access-list-name { ingress | egress }

Syntax Description

access-list-name

Name of an Ethernet services access list as specified by the ethernet-services access-list command.

ingress

Filters on inbound packets.

egress

Filters on outbound packets.

Command Default

The interface does not have an Ethernet services access list applied to it.

Command Modes

Interface configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the ethernet-service access-group command to control access to an interface. To remove the specified access group, use the no form of the command. Use the access-list-name argument to specify a particular Ethernet services access list. Use the ingress keyword to filter on inbound packets or the egress keyword to filter on outbound packets.

If the list permits the addresses, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns a host unreachable message.

If the specified access list does not exist, all packets are passed.

By default, the unique or per-interface ACL statistics are disabled.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to apply filters on packets inbound and outbound from GigabitEthernet interface 0/2/0/0:

RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/2
RP/0/RSP0/CPU0:router(config-if)# ethernet-service access-group p-ingress-filter ingress
RP/0/RSP0/CPU0:router(config-if)# ethernet-service access-group p-egress-filter egress
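
Because a missing access list passes all packets, an access-group that names an undefined list filters nothing. The following audit check is an added example, not part of the Cisco reference: it cross-checks the access lists referenced by interfaces against the lists actually defined. The configuration text is constructed, its running-config layout (stanzas separated by "!", indented sub-commands) is an assumption, and the function name is hypothetical.

```python
import re

# Command forms taken from the syntax lines on this page.
ACL_DEF_RE = re.compile(r"^ethernet-services access-list (\S+)\s*$")
IFACE_RE = re.compile(r"^interface (\S+)\s*$")
GROUP_RE = re.compile(r"^\s+ethernet-service access-group (\S+) (ingress|egress)\s*$")

# Constructed sample (not captured from a device). p-egress-filter is
# applied to an interface but never defined.
SAMPLE_CONFIG = """\
ethernet-services access-list p-ingress-filter
 10 permit any any
!
ethernet-services access-list L2ACL1
 10 permit any any
!
interface GigabitEthernet0/2/0/2
 ethernet-service access-group p-ingress-filter ingress
 ethernet-service access-group p-egress-filter egress
!
interface GigabitEthernet0/2/0/3
 ethernet-service access-group L2ACL1 ingress
!
"""


def audit_access_groups(config_text):
    """Report access-group bindings that do not filter as intended.

    dangling:   (interface, direction, acl) where the ACL is not defined,
                so all packets are passed in that direction.
    unfiltered: (interface, direction) with no access-group at all.
    """
    defined, bindings, interfaces = set(), [], []
    current_if = None
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Any top-level line (including "!") ends the interface stanza.
            current_if = None
            acl = ACL_DEF_RE.match(line)
            if acl:
                defined.add(acl.group(1))
                continue
            iface = IFACE_RE.match(line)
            if iface:
                current_if = iface.group(1)
                interfaces.append(current_if)
            continue
        group = GROUP_RE.match(line)
        if group and current_if:
            bindings.append((current_if, group.group(2), group.group(1)))

    # Names are compared exactly as written (assumption: case-sensitive).
    dangling = [b for b in bindings if b[2] not in defined]
    bound = {(iface, direction) for iface, direction, _ in bindings}
    unfiltered = [
        (iface, direction)
        for iface in interfaces
        for direction in ("ingress", "egress")
        if (iface, direction) not in bound
    ]
    return {"dangling": dangling, "unfiltered": unfiltered}


if __name__ == "__main__":
    report = audit_access_groups(SAMPLE_CONFIG)
    for iface, direction, acl in report["dangling"]:
        print(f"{iface} {direction}: ACL {acl} is not defined, all packets pass")
    for iface, direction in report["unfiltered"]:
        print(f"{iface} {direction}: no Ethernet services ACL applied")
```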

Related Commands

Command

Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.  

deny (ES ACL)

Sets conditions for an Ethernet services access list.

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.  

permit (ES ACL)

Sets conditions for an Ethernet services access list.  

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements to allow a new Ethernet services access list statement.

show access-lists ethernet-services

Displays the contents of current Ethernet services access lists.  

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.  

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.  

ethernet-services access-list

To define an Ethernet services (Layer 2) access list by name, use the ethernet-services access-list command in global configuration mode. To remove all entries in an Ethernet services access list, use the no form of the command.

ethernet-services access-list access-list-name

no ethernet-services access-list access-list-name

Syntax Description

access-list-name

Name of the Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

Command Default

No Ethernet services access list is defined.

Command Modes

Global configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The ethernet-services access-list command places the router in access list configuration mode, in which the denied or permitted access conditions must be defined with the deny (ES ACL) or permit (ES ACL) command.

Use the resequence access-list ethernet-service command if you need to add a permit or deny statement between consecutive entries in an existing Ethernet services access list.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to define an Ethernet services access list named L2ACL1:

RP/0/RSP0/CPU0:router(config)# ethernet-services access-list L2ACL1

Related Commands

Command

Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.  

deny (ES ACL)

Sets conditions for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.  

permit (ES ACL)

Sets conditions for an Ethernet services access list.  

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements to allow a new Ethernet services access list statement.

show access-lists ethernet-services

Displays the contents of current Ethernet services access lists.  

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.  

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.  

permit (ES ACL)

To set conditions for an Ethernet services access list, use the permit command in Ethernet services access list configuration mode. To remove a condition, use the no form of the command.

[sequence-number] permit { src-mac-address src-mac-mask | any | host | dest-mac-address dest-mac-mask } [ ethertype-number | capture | vlan min-vlan-ID [max-vlan-ID] ] [ cos cos-value ] [dei] [ inner-vlan min-vlan-ID [max-vlan-ID] ] [ inner-cos cos-value ] [inner-dei]

no sequence-number

Syntax Description

sequence-number

(Optional) Number of the permit statement in the access list. This number determines the order of the statements in the access list. The number can be from 1 to 2147483646. (By default, the first statement is number 10, and the subsequent statements are incremented by 10.) Use the resequence access-list ethernet-service command to change the number of the first statement and increment subsequent statements of a configured access list.

src-mac-address

Source MAC address in format H.H.H.

src-mac-mask

Source MAC mask in format H.H.H.

any

Permits any source MAC address and mask.

host

Permits host with a specific host source MAC address and mask, in format H.H.H.

dest-mac-address

Destination MAC address in format H.H.H.

dest-mac-mask

Destination MAC mask in format H.H.H.

ethertype-number

16-bit ethertype number in hexadecimal. Range is 0x1 to 0xffff.

capture

(Optional) Captures packets using the traffic mirroring feature and copies this to a capture file.

vlan

(Optional) Permits a specific VLAN or a range of VLANs.

min-vlan-ID

ID for a specific VLAN or the beginning of a range of VLAN IDs.

max-vlan-ID

(Optional) ID for the end of a range of VLAN IDs.

cos

(Optional) Permits based on class of service value.

cos-value

Class of service value. Range is from 0 to 7.

dei

(Optional) Permits based on the setting of the discard eligibility indicator (DEI).

inner-vlan

(Optional) Permits a specific VLAN ID or range of VLAN IDs for the inner header.

min-vlan-ID

ID for a specific VLAN or the beginning of a range of VLAN IDs.

max-vlan-ID

(Optional) ID for the end of a range of VLAN IDs.

inner-cos

(Optional) Permits based on inner header class of service value.

cos-value

Inner header class of service value. Range is from 0 to 7.

inner-dei

(Optional) Permits based on inner header discard eligibility indicator.

Command Default

There is no specific default condition under which a packet is permitted passing the Ethernet services ACL.

Command Modes

Ethernet services access list configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the permit command following the ethernet-services access-list command to specify conditions under which a packet can pass the access list.

By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.

You can add permit or deny statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

If you want to add a statement between two consecutively numbered statements (for example, between lines 10 and 11), first use the resequence access-list ethernet-service command to renumber the first statement and increment the entry number of each subsequent statement.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to set a permit condition for an access list named L2ACL1:

RP/0/RSP0/CPU0:router(config)# ethernet-services access-list L2ACL1
RP/0/RSP0/CPU0:router(config-es-al)# 10 permit 00ff.eedd.0010 ff00.0000.00ff 0011.ab10.cdef ffff.0000.ff00 vlan 1000-1100  inner-vlan 100 inner-cos 7 inner-dei
RP/0/RSP0/CPU0:router(config-es-al)# 20 permit any host 000a.000b.000c 0800 vlan 500 cos 2 inner-vlan 600 inner-cos 5 inner-dei
RP/0/RSP0/CPU0:router(config-es-al)# 30 permit any host 000a.000b.000c 8137 vlan 500 cos 2 inner-vlan 600 inner-cos 5 inner-dei

Related Commands

Command

Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.  

deny (ES ACL)

Sets conditions for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.  

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.  

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements to allow a new Ethernet services access list statement.

show access-lists ethernet-services

Displays the contents of current Ethernet services access lists.  

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.  

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.  

resequence access-list ethernet-service

To renumber existing statements and increment subsequent statements to allow a new Ethernet services access list statement, use the resequence access-list ethernet-service command in EXEC mode.

resequence access-list ethernet-service access-list-name [ starting-sequence-number [increment] ]

Syntax Description

access-list-name

Name of the Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

starting-sequence-number

(Optional) Number of the first statement in the specified access list, which determines its order in the access list. Maximum value is 2147483646. Default is 10.

increment

(Optional) Number by which the base sequence number is incremented for subsequent statements. Maximum value is 2147483646. Default is 10.

Command Default

starting-sequence-number: 10

increment: 10

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the resequence access-list ethernet-service command to add a permit or deny statement between consecutive entries in an existing Ethernet services access list. Specify the first entry number (the starting-sequence-number argument) and the increment by which to separate the entry numbers of the statements. The software renumbers the existing statements, thereby making room to add new statements with the unused entry numbers.

Task ID

Task ID

Operations

acl

read, write

Examples

In the following example, suppose you have an existing access list:

ethernet service access-list L2ACL1
  10 permit 1.2.3 4.5.6
  20 deny 2.3.4 5.4.3
  30 permit 3.1.2 5.3.4 cos 5

You need to add additional entries in the access list ahead of the first permit statement. First, you resequence the entries, renumbering the statements starting with number 20 and an increment of 10, and then you have room for additional statements between each of the existing statements:

RP/0/RSP0/CPU0:router# resequence access-list ethernet-service L2ACL1 20 10
RP/0/RSP0/CPU0:router# show access-list ethernet-services L2ACL1

ethernet service access-list L2ACL1
  20 permit 1.2.3 4.5.6
  30 deny 2.3.4 5.4.3
  40 permit 3.1.2 5.3.4 cos 5
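
The renumbering above can be checked offline before a change is made on the router. The following model is an added example, not Cisco code: it parses access list output in the format shown on this page, reproduces the resequence numbering, and plans an insertion between two statements, resequencing first only when the statements are consecutively numbered. The function names and the consecutively numbered sample list are constructed for illustration.

```python
import re

MAX_SEQ = 2147483646  # largest sequence number the page allows

# Both header spellings appear in the show output on this page.
HEADER_RE = re.compile(r"^ethernet[ -]services? access-list (\S+)")
ACE_RE = re.compile(r"^(\d+)\s+((?:permit|deny)\b.*)$")

# The access list from the resequence example on this page.
PAGE_ACL = """\
ethernet service access-list L2ACL1
  10 permit 1.2.3 4.5.6
  20 deny 2.3.4 5.4.3
  30 permit 3.1.2 5.3.4 cos 5
"""

# Constructed sample: two consecutively numbered statements (no free slot).
CONSECUTIVE_ACL = """\
ethernet service access-list L2ACL1
  10 permit 1.2.3 4.5.6
  11 deny 2.3.4 5.4.3
"""


def parse_acl(text):
    """Return (name, [(sequence, statement), ...]) sorted by sequence number."""
    name, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            name = header.group(1)
            continue
        ace = ACE_RE.match(line)
        if ace:
            entries.append((int(ace.group(1)), ace.group(2)))
    return name, sorted(entries)


def resequence(entries, start=10, increment=10):
    """Renumber statements in order: start, start + increment, ..."""
    if start < 1 or increment < 1:
        raise ValueError("start and increment must be positive")
    if entries and start + increment * (len(entries) - 1) > MAX_SEQ:
        raise ValueError("resequenced list would exceed the maximum sequence number")
    return [(start + i * increment, rule) for i, (_, rule) in enumerate(entries)]


def slot_between(entries, lower, upper):
    """Return an unused sequence number between two adjacent statements,
    or None when they are consecutively numbered."""
    seqs = [seq for seq, _ in entries]
    i = seqs.index(lower)  # raises ValueError if lower is not in the list
    if i + 1 >= len(seqs) or seqs[i + 1] != upper:
        raise ValueError("lower and upper must be adjacent statements")
    if upper - lower < 2:
        return None
    return lower + (upper - lower) // 2


def plan_insert(name, entries, lower, upper, rule, start=10, increment=10):
    """Return (commands, resulting entries) for inserting rule between the
    statements numbered lower and upper.

    The resequence command is an EXEC command; the numbered statement is
    entered in Ethernet services access list configuration mode.
    """
    commands = []
    seq = slot_between(entries, lower, upper)
    if seq is None:
        if increment < 2:
            raise ValueError("increment must be at least 2 to open a slot")
        idx = [s for s, _ in entries].index(lower)
        entries = resequence(entries, start, increment)
        commands.append(
            f"resequence access-list ethernet-service {name} {start} {increment}"
        )
        seq = slot_between(entries, entries[idx][0], entries[idx + 1][0])
    commands.append(f"{seq} {rule}")
    return commands, sorted(entries + [(seq, rule)])


if __name__ == "__main__":
    acl_name, acl_entries = parse_acl(CONSECUTIVE_ACL)
    cmds, result = plan_insert(acl_name, acl_entries, 10, 11, "permit 3.1.2 5.3.4 cos 5")
    print("\n".join(cmds))
    for seq, rule in result:
        print(f"  {seq} {rule}")
```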

Related Commands

Command

Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.  

deny (ES ACL)

Sets conditions for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.  

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.  

permit (ES ACL)

Sets conditions for an Ethernet services access list.  

show access-lists ethernet-services

Displays the contents of current Ethernet services access lists.  

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.  

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.  

show access-lists ethernet-services

To display the contents of current Ethernet services access lists, use the show access-lists ethernet-services command in EXEC mode.

show access-lists ethernet-services [ access-list-name | maximum | standby | summary ] [ hardware | usage ] [ ingress | egress ] [ implicit | detail | sequence | location location ]

Syntax Description

access-list-name

(Optional) Name of a specific Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

maximum

(Optional) Show the maximum number of configurable Ethernet services ACLs and ACEs.

standby

(Optional) Display all access lists in standby mode.

summary

(Optional) Display a summary of Ethernet services access lists.

hardware

(Optional) Display Ethernet services access list entries in hardware including the match count for a specific ACL in a particular direction across the line card.

usage

(Optional) Display the usage of this ACL in a given location.

ingress

(Optional) Filters on inbound packets.

egress

(Optional) Filters on outbound packets.

implicit

(Optional) Display the count of packets implicitly denied by a particular ACL.

detail

(Optional) Display TCAM entries.

sequence

(Optional) Display statistics for a specific sequence number.

sequence-number

Sequence number value. Range is 1 to 2147483647.

location

(Optional) Display information for a specific node number.

location

Fully qualified location specification

Command Default

The contents of all Ethernet services access lists are displayed.

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operations

acl

read, write

Examples

The following examples list the defined Ethernet services access list maximum thresholds:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services maximum

  Max configurable ACLs: 10000
  Max configurable ACEs: 350000

RP/0/RSP0/CPU0:router# show access-lists ethernet-services maximum detail

  Total ACLs configured: 2
  Total ACEs configured: 3
  Max configurable ACLs: 10000
  Max configurable ACEs: 350000

The following example lists the Ethernet services access-list standby:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services standby

ethernet-services access-list i
 10 permit host 0001.0002.0003 host 000a.000b.000c
ethernet-services access-list l2_acl
 10 permit any any
 20 deny host 0002.0003.0004 host 0005.0004.0003

The following example displays a summary of the number of Ethernet services ACLs configured on the system:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services summary

ACL Summary:
  Total ACLs configured: 2
  Total ACEs configured: 3

The following example displays the number of packets matching the access list l2_acl for each ACE:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services l2_ACL hardware ingress location 0/0/CPU0

ethernet service access-list l2_acl
  10 permit any any ( 3524 hw matches)
  20 deny host 0002.0003.0004 host 0005.0004.0003 (5394 hw matches)

The following example displays the number of packets matching the implicit deny in access list l2_acl:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services l2_ACL hardware ingress implicit location 0/0/CPU0

ethernet-services access-list l2_acl
 2147483647 implicit deny any any (2300 hw matches)

The following example displays the number of packets matching a particular sequence number:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services l2_ACL hardware ingress sequence 20 location 0/0/CPU0

ethernet-services access-list l2_acl
 20 deny host 0002.0003.0004 host 0005.0004.0003 (5394 hw matches)

The following example displays statistics for the TCAM entry for Ethernet services access list l2acl_4:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services l2acl_4 hardware ingress sequence 10 detail location 0/6/CPU0
Wed Jun 24 00:28:51.367 UTC

ACL name: l2acl_4
Format type : 1
Channel ID: 2
Sequence Number: 10
Grant: permit
Logging: OFF
Hits: 0
Statistics pointer: 0x150628
Number of TCAM entries: 1
idx = 0
Entry : 0 for ACE : 10
RAW value  : 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RAW mask   : 00 03 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

-------------------------------Field Details----------------------------------
outer_vlan_id value     : 0000
outer_vlan_id mask      : 0ffff
outer_vlan discard eligibility value: 00
outer_vlan discard eligibility mask : 01
outer_vlan_id cos value: 00
outer_vlan_id cos mask: 07
Ethernet type value     : 0000
Ethernet type mask      : ffff
Base app id value     : 02
Base app id value     : 00
Base acl id value    : 0001
Base acl id mask     : 0000
outer vlan id present value     : 0
outer vlan id present mask      : 1
inner vlan id present value     : 0
inner vlan id present mask      : 1
Mac source address value     : 0000 0000 0000
Mac source address mask      : ffff ffff ffff
Mac destination address value  : 0000 0000 0000
Mac destination address mask   : ffff ffff ffff
RP/0/RSP0/CPU0:router#

Related Commands

Command

Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.  

deny (ES ACL)

Sets conditions for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.  

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.  

permit (ES ACL)

Sets conditions for an Ethernet services access list.  

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements to allow a new Ethernet services access list statement.

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.  

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.  

show access-lists ethernet-services trace

To display Ethernet services access list trace information, use the show access-lists ethernet-services trace command in EXEC mode.

show access-lists ethernet-services trace { client | intermittent | critical | both | all }

Syntax Description

client

Trace data for ES ACL client.

intermittent

Trace data for intermittent failures.

critical

Trace data for server-critical failures.

both

Trace data for server-critical and intermittent failures.

all

Trace data for server-critical and intermittent failures.

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operations

acl

read

Examples

The following examples show how to display Ethernet services access list trace information:

RP/0/RSP0/CPU0:router# show access-lists ethernet-services trace all
1 unique entries (256 possible, 0 filtered)
Jun 15 06:42:56.980 es/acl_mgr_un 0/RSP0/CPU0 1#t3 Manager state is active
3 wrapping entries (1024 possible, 0 filtered, 3 total)
Jun 15 06:42:57.053 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:23:30.075 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:29:41.383 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 2 batches

RP/0/RSP0/CPU0:router# show access-lists ethernet-services trace both
1 unique entries (256 possible, 0 filtered)
Jun 15 06:42:56.980 es/acl_mgr_un 0/RSP0/CPU0 1#t3 Manager state is active
3 wrapping entries (1024 possible, 0 filtered, 3 total)
Jun 15 06:42:57.053 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:23:30.075 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:29:41.383 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 2 batches

RP/0/RSP0/CPU0:router# show access-lists ethernet-services trace critical
1 unique entries (256 possible, 0 filtered)
Jun 15 06:42:56.980 es/acl_mgr_un 0/RSP0/CPU0 1#t3 Manager state is active

RP/0/RSP0/CPU0:router# show access-lists ethernet-services trace intermittent
3 wrapping entries (1024 possible, 0 filtered, 3 total)
Jun 15 06:42:57.053 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:23:30.075 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 1 batches
Jun 16 02:29:41.383 es/acl_mgr/es_acl_mgr_wr 0/RSP0/CPU0t1 es_aclmgr_verify acl_add: verifying 2 batches

Related Commands

Command

Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.  

deny (ES ACL)

Sets conditions for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.  

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.  

permit (ES ACL)

Sets conditions for an Ethernet services access list.  

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements to allow a new Ethernet services access list statement.

show access-lists ethernet-services

Displays the contents of current Ethernet services access lists.  

show access-list ethernet-service usage pfilter

Identifies the modes and interfaces on which a particular ACL is applied.  

show access-list ethernet-service usage pfilter

To identify the modes and interfaces on which a particular ACL is applied, use the show access-list ethernet-service usage pfilter command in EXEC mode. Information displayed includes the application of all or specific ACLs, the interfaces on which they have been applied and the direction in which they are applied.

show access-list ethernet-services [access-list-name] usage pfilter location { location | all }

Syntax Description

access-list-name

(Optional) Name of a specific Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

location

Interface card on which the access list information is needed.

location

Fully qualified location specification.

all

Displays packet filtering usage for all interface cards.

Command Modes

EXEC

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to display packet filter usage at a specific location:

RP/0/RSP0/CPU0:router# show access-list ethernet-services usage pfilter location 0/0/cpu0
pfilter location 0/0/cpu0
Interface : GigabitEthernet0/0/0/9
    Input ACL : l2_acl
    Output ACL : N/A
Interface : GigabitEthernet0/0/0/30
    Input ACL : N/A
    Output ACL : i

The following example shows the results of the command for a specific ACL:

RP/0/RSP0/CPU0:router# show access-list ethernet-services l2_acl usage pfilter location 0/0/CPU0
Interface : GigabitEthernet0/0/0/9
    Input ACL : l2_acl
    Output ACL : N/A
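
The usage output above can be checked mechanically against the interfaces that are supposed to carry an input ACL. The following Python sketch is an added example, not part of the Cisco documentation: the function names, the third sample interface and the ACL name other_acl are constructed, and treating an interface that is absent from the output as having no ACL applied is an assumption.

```python
import re

# Constructed sample: two interfaces from the output above plus one made-up entry.
SAMPLE = """\
pfilter location 0/0/cpu0
Interface : GigabitEthernet0/0/0/9
    Input ACL : l2_acl
    Output ACL : N/A
Interface : GigabitEthernet0/0/0/30
    Input ACL : N/A
    Output ACL : i
Interface : GigabitEthernet0/0/0/31
    Input ACL : other_acl
    Output ACL : N/A
"""
FIELD = re.compile(r"^\s*(Interface|Input ACL|Output ACL)\s*:\s*(\S+)\s*$")

def parse_pfilter_usage(text):
    """Return {interface: {"input": acl-or-None, "output": acl-or-None}}."""
    usage, current = {}, None
    for raw in text.splitlines():
        m = FIELD.match(raw)
        if not m:
            continue  # prompt line, "pfilter location ..." header, blank lines
        key, value = m.groups()
        if key == "Interface":
            current = usage.setdefault(value, {"input": None, "output": None})
        elif current is None:
            raise ValueError(f"ACL line before any Interface line: {raw!r}")
        else:
            direction = "input" if key == "Input ACL" else "output"
            current[direction] = None if value == "N/A" else value
    return usage

def audit_input_acl(usage, expected_interfaces, required_acl):
    """Flag expected interfaces whose input ACL is missing or different."""
    findings = []
    for intf in expected_interfaces:
        entry = usage.get(intf)
        if entry is None:
            findings.append((intf, "not listed in pfilter usage"))  # assumed: no ACL
        elif entry["input"] is None:
            findings.append((intf, "no input ACL"))
        elif entry["input"] != required_acl:
            findings.append((intf, f"input ACL is {entry['input']}"))
    return findings

if __name__ == "__main__":
    ports = [f"GigabitEthernet0/0/0/{n}" for n in (9, 30, 31, 32)]
    print(audit_input_acl(parse_pfilter_usage(SAMPLE), ports, "l2_acl"))
```

Feed the function the captured output for each line card location, or for location all, so that every interface in the expected list is covered by the audit.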

Related Commands

Command

Description

copy access-list ethernet-service

Creates a copy of an existing Ethernet services access list.  

deny (ES ACL)

Sets conditions for an Ethernet services access list.

ethernet-service access-group

Controls access to an interface.  

ethernet-services access-list

Defines an Ethernet services (Layer 2) access list by name.  

permit (ES ACL)

Sets conditions for an Ethernet services access list.  

resequence access-list ethernet-service

Renumbers existing statements and increments subsequent statements to allow a new Ethernet services access list statement.

show access-lists ethernet-services

Displays the contents of current Ethernet services access lists.  

show access-lists ethernet-services trace

Displays Ethernet services access list trace information.  

show lpts pifib hardware entry optimized

To display a set of optimized entries that are combined as a single entry, inside the Ternary Content Addressable Memory (TCAM), use the show lpts pifib hardware entry optimized command in EXEC mode.

show lpts pifib hardware entry optimized location

Syntax Description

location

Mandatory. The location of the line card where the interface is present.

Command Default

None

Command Modes

EXEC

Command History

Release

Modification

Release 4.1.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operation

lpts

read

Examples

The following example shows the output of the show lpts pifib hardware entry optimized command:

RP/0/RSP0/CPU0:router# show lpts pifib hardware entry optimized location 0/4/CPU0
Node: 0/4/CPU0:
----------------------------------------
Protocol - Layer4 Protocol; Intf - Interface in optimized list

Protocol   laddr.Port, raddr.Port    Intf            VRF id       State               
---------- ------------------------- --------------- ------------ --------------------
IGMP       224.0.0.22.any , any.any  Te0/4/0/0       *            Uidb Set            
                                     Te0/4/0/1       *            Uidb Set            

           224.0.0.22.any , any.any  Te0/4/0/0       *            Uidb Set            
                                     Te0/4/0/1       *            Uidb Set            

           any.any , any.any         Te0/4/0/0       *            Uidb Set            
                                     Te0/4/0/1       *            Uidb Set