Cisco IOS XR Virtual Firewall Command Reference, Release 3.8
Access Control List Commands

Table Of Contents

Access Control List Commands on the Virtual Firewall

access-group

access-group (global)

access-list extended

access-list remark

access-list resequence

clear access-list

description (object group)

host

object-group network

object-group service

show access-list

show acl-merge


Access Control List Commands on the Virtual Firewall


This module describes the commands necessary to configure access control lists (ACLs) on the VFW application.


Note The commands described in this module are SanOS (Linux) commands used on the VFW application. Before you can access any of these commands, you must attach from the route processor to the VFW application using the service firewall attach location command. For more information, see the "Attaching to the VFW Application" section in Cisco IOS XR Virtual Firewall Configuration Guide.


access-group

To apply an access control list (ACL) to the inbound or outbound direction of an interface and make the ACL active, use the access-group command in the appropriate interface configuration mode. To remove an ACL from an interface, use the no form of this command.

access-group {input | output} acl_name

no access-group {input | output} acl_name

Syntax Description

input

Specifies the inbound direction of the interface to which you want to apply the ACL.

output

Specifies the outbound direction of the interface to which you want to apply the ACL.

acl_name

Identifier of an existing ACL that you want to apply to an interface.


Defaults

No default behavior or values

Command Modes

Interface configuration
Management interface configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.

You must apply ACLs to an interface to allow the passing of traffic on an interface. You can apply one ACL of each type (extended and EtherType) to both directions of the interface. For connectionless protocols, you need to apply the ACL to the source and destination interfaces if you want traffic to pass in both directions. For example, you can allow BGP in an ACL in transparent mode, but you must apply the ACL to both interfaces.

A bridge group interface supports extended ACLs for IP traffic, and EtherType ACLs for non-IP traffic. For non-IP traffic, configure an EtherType ACL. EtherType ACLs support Ethernet V2 frames. You can configure the VFW application to pass one or any of the following non-IP EtherTypes: Multiprotocol Label Switching (MPLS), Internet Protocol version 6 (IPv6), and bridge protocol data units (BPDUs).

The output option is not allowed for EtherType ACLs.

To apply an ACL globally to all interfaces in a context, use the access-group (global) command.

Examples

The following example shows how to apply an ACL named INBOUND to the inbound direction of an interface:

firewall/Admin(config)# interface xy
firewall/Admin(config-if)# access-group input INBOUND

The following example shows how to remove an ACL from an interface:

firewall/Admin(config-if)# no access-group input INBOUND

Related Commands

Command
Description

access-group (global)

Applies an ACL to the inbound direction on all interfaces in a context and makes the ACL active.

access-list extended

Creates an extended ACL.

show access-list

Displays statistics associated with a specific ACL.


access-group (global)

To apply an access control list (ACL) to the inbound direction on all interfaces in a context and make the ACL active, use the access-group command in configuration mode. To remove an ACL from all interfaces in a context, use the no form of this command.

access-group input acl_name

no access-group input acl_name

Syntax Description

input

Specifies the inbound direction of all interfaces in a context on which you want to apply the ACL

acl_name

Identifier of an existing ACL that you want to apply to an interface


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.

You must apply an ACL to an interface to allow the passing of traffic on that interface. This command enables you to apply an ACL to all interfaces in a context in the inbound direction only and to allow traffic on all interfaces simultaneously. The following considerations apply:

You can use the access-group command in configuration mode only if there are no interfaces in the context to which you have applied an ACL previously using the access-group command in interface configuration mode.

Similarly, if you have applied an ACL globally to all interfaces in a context, you cannot apply an ACL to an individual interface using the access-group command in interface configuration mode.

You can apply one Layer 2 ACL and one Layer 3 ACL globally to all interfaces in a context.

To all Layer 2 bridge-group virtual interfaces (BVIs) in a context, you can apply both a Layer 3 and a Layer 2 ACL.

To all Layer 3 interfaces in a context, you can apply only a Layer 3 ACL.
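The binding rules that the access-group and access-group (global) sections above state (one ACL of each type per direction of an interface, no output direction for EtherType ACLs, and global versus per-interface binding being mutually exclusive) can be checked against a planned configuration before it is committed. The following is an added example, not part of this reference and not Cisco code: a Python model that replays a list of access-group operations and reports the ones the stated rules reject. The names AclBindings and check_plan are hypothetical, and the plan is constructed from the interface and ACL names used in the Examples of this reference.

```python
"""Offline model of the access-group binding rules stated in this reference.
Added example, not Cisco code; the names AclBindings and check_plan are hypothetical.
Rules modelled, all taken from the text above:
  * one ACL of each type (extended, ethertype) per direction of an interface
  * the output direction is not allowed for EtherType ACLs
  * a context-wide (global) binding and per-interface bindings are mutually exclusive
  * the global form is inbound only"""


class AclBindingError(ValueError):
    """A binding that the reference says is not allowed."""


class AclBindings:
    def __init__(self):
        self.per_interface = {}   # (interface, direction, acl_type) -> acl_name
        self.global_inbound = {}  # acl_type -> acl_name

    def apply_interface(self, interface, direction, acl_name, acl_type="extended"):
        if direction not in ("input", "output"):
            raise AclBindingError("direction must be input or output")
        if acl_type == "ethertype" and direction == "output":
            raise AclBindingError("output is not allowed for EtherType ACLs")
        if self.global_inbound:
            raise AclBindingError("a global access-group is active; per-interface binding not allowed")
        key = (interface, direction, acl_type)
        bound = self.per_interface.get(key)
        if bound is not None and bound != acl_name:
            raise AclBindingError(f"{interface} {direction} already has {acl_type} ACL {bound}")
        self.per_interface[key] = acl_name

    def remove_interface(self, interface, direction, acl_name, acl_type="extended"):
        key = (interface, direction, acl_type)
        if self.per_interface.get(key) != acl_name:
            raise AclBindingError(f"{acl_name} is not applied to {interface} {direction}")
        del self.per_interface[key]

    def apply_global(self, acl_name, acl_type="extended"):
        if self.per_interface:
            raise AclBindingError("per-interface access-group bindings exist; global binding not allowed")
        bound = self.global_inbound.get(acl_type)
        if bound is not None and bound != acl_name:
            raise AclBindingError(f"global {acl_type} ACL {bound} is already applied")
        self.global_inbound[acl_type] = acl_name

    def remove_global(self, acl_name, acl_type="extended"):
        if self.global_inbound.get(acl_type) != acl_name:
            raise AclBindingError(f"{acl_name} is not applied globally")
        del self.global_inbound[acl_type]


def check_plan(steps):
    """Replay (method, *args) steps against a fresh context; return the rejected steps with reasons."""
    bindings, rejected = AclBindings(), []
    for step in steps:
        try:
            getattr(bindings, step[0])(*step[1:])
        except AclBindingError as err:
            rejected.append((step, str(err)))
    return rejected


# Constructed plan using the interface and ACL names from the Examples in this reference.
PLAN = [
    ("apply_interface", "xy", "input", "INBOUND"),
    ("apply_interface", "xy", "output", "OUTBOUND"),
    ("apply_interface", "xy", "input", "L2_IN", "ethertype"),
    ("apply_interface", "xy", "output", "L2_OUT", "ethertype"),  # rejected: EtherType output
    ("apply_interface", "xy", "input", "OTHER"),                 # rejected: second extended ACL inbound
    ("apply_global", "INBOUND"),                                 # rejected: per-interface bindings exist
    ("remove_interface", "xy", "input", "INBOUND"),
]

if __name__ == "__main__":
    for step, why in check_plan(PLAN):
        print("rejected", step, "->", why)
```

Running the module prints the three rejected steps of PLAN. The model only knows the rules quoted above; it does not check interface types (for example that a Layer 2 ACL is meaningful only on a bridge-group interface), which the reference leaves to the configuration guide.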

Examples

The following example shows how to apply an ACL named INBOUND to the inbound direction of all interfaces in the Admin context:

firewall/Admin(config)# access-group input INBOUND

Related Commands

Command
Description

access-group

Applies an access control list (ACL) to the inbound or outbound direction of an interface and makes the ACL active.

access-list extended

Creates an extended ACL.

show access-list

Displays statistics associated with a specific ACL.


access-list extended

To create an extended access control list (ACL), use the access-list extended command in configuration mode. To delete the ACL, use the no form of this command.

IP extended ACL

access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address | object-group network_grp_name} {dest_ip_address netmask | any | host dest_ip_address | object-group network_grp_name}

no access-list name

TCP or a UDP extended ACL

access-list name [line number] extended {deny | permit} {tcp | udp} {src_ip_address netmask | any | host src_ip_address | object-group network_grp_name} [operator port [port2]] {dest_ip_address netmask | any | host dest_ip_address | object-group network_grp_name} [operator port3 [port4]]

no access-list name

ICMP extended ACL:

access-list name [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address | object-group network_grp_name} {dest_ip_address netmask | any | host dest_ip_address | object-group network_grp_name} [icmp_type code operator code]

no access-list name

Object group extended ACL:

access-list name [line number] extended {deny | permit} object-group service_grp_name {src_ip_address netmask | any | host src_ip_address | object-group network_grp_name} {dest_ip_address netmask | any | host dest_ip_address | object-group network_grp_name}

no access-list name

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.

line number

(Optional) Specifies the line number position where you want the entry you are configuring to appear in the ACL. The position of an entry affects the lookup order of the entries in an ACL. If you do not configure the line number of an entry, the VFW application applies a default increment and a line number to the entry and appends it at the end of the ACL.

extended

Specifies an extended ACL. Extended ACLs allow you to specify the destination IP address and subnet mask and other parameters not available with a standard ACL.

deny

Blocks connections on the assigned interface.

permit

Allows connections on the assigned interface.

protocol

Name or number of an IP protocol. Enter a protocol name or an integer from 0 to 255 that represents an IP protocol number. Valid protocol choices are provided in Table 1.

src_ip_address netmask

Traffic from a source defined by the IP address and the network mask. Use these arguments to specify network traffic from a range of source IP addresses.

host src_ip_address

Specifies the IP address of the host from which network traffic originates. Use this keyword and argument to specify network traffic from a single IP address.

any

Specifies network traffic from any source.

port [port2]

TCP or UDP source port name or number from which you permit or deny services access. To enter an inclusive range of ports, enter two port numbers. port2 must be greater than or equal to port. See Table 3 for a list of well-known port names and numbers.

dest_ip_address netmask

Specifies the IP address of the network or host to which the packet is being sent and the network mask bits to be applied to the destination IP address. Use these arguments to specify a range of destination IP addresses.

host dest_ip_address

Specifies the IP address of the destination host of the packets in a flow. Use this keyword and argument to specify network traffic destined to a single IP address.

port3 [port4]

TCP or UDP destination port name or number to which you permit or deny services access. To enter an optional inclusive range of ports, enter two port numbers. Port4 must be greater than or equal to port3. See Table 3 for a list of well-known ports.

icmp_type

(Optional) Type of ICMP messaging. Enter either an integer corresponding to the ICMP code number or one of the ICMP types as described in Table 2.

icmp_operator

An operator that the VFW application applies to the ICMP code number that follows. Enter one of the following operators:

lt—Less than.

gt—Greater than.

eq—Equal to.

neq—Not equal to.

range—An inclusive range of ICMP code values. When you use this operator, specify two code numbers to define the range.

code

ICMP code number that corresponds to an ICMP type. See Table 2. If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.

object-group service_grp_name

Specifies the identifier of an existing service object group. To use service object groups in an ACL, replace the normal service (protocol operator port) or ICMP type (icmp_type) arguments with the object-group service_grp_name keyword and argument.

object-group network_grp_name

Specifies the identifier of an existing network object group. To use network object groups in an ACL, replace the normal network (source_address, mask, and so on) arguments with the object-group network_grp_name keyword and argument.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

The object-group keyword was added.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.

The VFW application does not explicitly support standard ACLs. To configure a standard ACL, specify the ports and destination addresses as "any" in an extended ACL.

There are three major types of extended ACLs:

IP

TCP or UDP

ICMP

For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the VFW application allows all returning traffic for established connections.

You can apply only one ACL of each type (extended and EtherType) to each direction of an interface. You can also apply the same ACLs on multiple interfaces.

Valid protocol choices for an IP extended ACL are provided in Table 1.

Table 1 Valid IP Protocols for access-list extended Command

Protocol    Code Number   Description
ah          51            Authentication Header
eigrp       88            Enhanced IGRP
esp         50            Encapsulated Security Payload
gre         47            Generic Routing Encapsulation
icmp        1             Internet Control Message Protocol (See Table 2 for optional ICMP messaging types)
igmp        2             Internet Group Management Protocol
ip          0             Internet Protocol
ip-in-ip    4             IP-in-IP Layer 3 Tunneling protocol
ospf        89            Open Shortest Path First
pim         103           Protocol Independent Multicast
tcp         6             Transmission Control Protocol
udp         17            User Datagram Protocol


If you selected icmp as the IP protocol type, you can optionally specify the type of ICMP messaging. Enter either an integer corresponding to the ICMP code number or one of the ICMP messaging types as described in Table 2.

Table 2 ICMP Types

ICMP Code Number   ICMP Type
0                  echo-reply
3                  unreachable
4                  source-quench
5                  redirect
6                  alternate-address
8                  echo
9                  router-advertisement
10                 router-solicitation
11                 time-exceeded
12                 parameter-problem
13                 timestamp-request
14                 timestamp-reply
15                 information-request
16                 information-reply
17                 mask-request
18                 mask-reply
30                 traceroute
31                 conversion-error
32                 mobile-redirect


Table 3 Well-Known Port Numbers and Keywords

Keyword           Port Number   Description
aol               5190          America-Online
bgp               179           Border Gateway Protocol
chargen           19            Character Generator
citrix-ica        1494          Citrix Independent Computing Architecture protocol
cmd               514           Same as exec, with automatic authentication
ctiqbe            2748          Computer Telephony Interface Quick Buffer Encoding
daytime           13            Daytime
discard           9             Discard
domain            53            Domain Name System
echo              7             Echo
exec              512           Exec (RSH)
finger            79            Finger
ftp               21            File Transfer Protocol
ftp-data          20            FTP data connections
gopher            70            Gopher
h323              1720          H.323 call signaling
hostname          101           NIC hostname server
http              80            Hyper Text Transfer Protocol
https             443           HTTP over TLS/SSL
ident             113           Ident Protocol
imap4             143           Internet Message Access Protocol, version 4
irc               194           Internet Relay Chat
kerberos          88            Kerberos
klogin            543           Kerberos Login
kshell            544           Kerberos Shell
ldap              389           Lightweight Directory Access Protocol
ldaps             636           LDAP over TLS/SSL
login             513           Login (rlogin)
lotusnotes        1352          IBM Lotus Notes
lpd               515           Printer Service
matip-a           350           Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn       139           NetBios Session Service
nntp              119           Network News Transport Protocol
pcanywhere-data   5631          PC Anywhere data
pim-auto-rp       496           PIM Auto-RP
pop2              109           Post Office Protocol v2
pop3              110           Post Office Protocol v3
pptp              1723          Point-to-Point Tunneling Protocol, RFC 2637
rpc               71            Remote Procedure Call
rtsp              554           Real-time Stream Control Protocol
sip               5060          Session Initiation Protocol
smtp              25            Simple Mail Transfer Protocol
sqlnet            1521          Structured Query Language Network
ssh               22            Secure Shell
sunrpc            111           Sun Remote Procedure Call
tacacs            49            Terminal Access Controller Access Control System
talk              517           Talk
telnet            23            Telnet
time              37            Time
uucp              540           UNIX-to-UNIX Copy Program
whois             43            Nickname
www               80            World Wide Web (HTTP)


Examples

The following example shows how to configure a TCP extended ACL:

firewall/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000

The following example shows how to remove an entry from an extended ACL:

firewall/Admin(config)# no access-list INBOUND line 10

The following example shows how to allow an external host with IP address 192.168.12.5 to be able to ping a host behind the VFW application with an IP address of 10.0.0.5:

firewall/Admin(config)# access-list INBOUND permit icmp host 192.168.12.5 host 10.0.0.5
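The syntax above (line numbers deciding lookup order, the address operands, and the TCP/UDP port operators) is easiest to understand by running a packet against it. The following parser and first-match evaluator is an added example, not part of this reference and not Cisco code; the names Acl, Entry and evaluate are hypothetical. It loads the two entries from the Examples above plus one constructed deny entry, and shows why the line number of an entry matters. Two points are assumptions rather than statements of this reference and are marked as such in the code: that an unnumbered entry is appended with an increment of 10 (the reference only gives 10 as the default resequence value), and that a packet matching no entry is denied. ICMP type arguments and object-group operands are rejected by the parser instead of being silently ignored.

```python
"""Parser and first-match evaluator for the access-list extended syntax in this reference.
Added example, not Cisco code; the names Acl, Entry and evaluate are hypothetical.
Supported: protocol names from Table 1 or a number 0-255; 'ip mask', 'any' or 'host ip'
operands; TCP/UDP port operators eq, neq, lt, gt, range with a few Table 3 keywords.
ICMP type arguments and object-group operands are rejected rather than silently ignored."""
import ipaddress
from collections import namedtuple

PROTOCOLS = {"ah": 51, "eigrp": 88, "esp": 50, "gre": 47, "icmp": 1, "igmp": 2,
             "ip": 0, "ip-in-ip": 4, "ospf": 89, "pim": 103, "tcp": 6, "udp": 17}  # Table 1
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "http": 80, "www": 80, "https": 443, "bgp": 179}  # subset of Table 3
ANY_PORT = lambda p: True  # noqa: E731 - matcher used when no port operator is given
Entry = namedtuple("Entry", "line action proto src src_ports dst dst_ports")


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t, i):
    """Consume one address operand at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "object-group":
        raise ValueError("object-group operands must be expanded before evaluation")
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_ports(t, i):
    """Consume an optional '[operator port [port2]]' at t[i]; return (matcher, next index)."""
    if i >= len(t) or t[i] not in ("eq", "neq", "lt", "gt", "range"):
        return ANY_PORT, i
    if t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        if hi < lo:
            raise ValueError("second port of a range must be >= the first")
        return (lambda p: lo <= p <= hi), i + 3
    n = _port(t[i + 1])
    return {"eq": lambda p: p == n, "neq": lambda p: p != n,
            "lt": lambda p: p < n, "gt": lambda p: p > n}[t[i]], i + 2


def _matches(e, proto, src_ip, dst_ip, sport, dport):
    if e.proto not in (0, proto):  # protocol 'ip' (0) matches any IP protocol
        return False
    if ipaddress.ip_address(src_ip) not in e.src or ipaddress.ip_address(dst_ip) not in e.dst:
        return False
    if proto not in (6, 17):
        return True
    if sport is None or dport is None:
        raise ValueError("TCP/UDP lookups need both port numbers")
    return e.src_ports(sport) and e.dst_ports(dport)


class Acl:
    # Assumption: unnumbered entries are appended with the same increment of 10 that
    # this reference gives as the default resequence value.
    DEFAULT_INCREMENT = 10

    def __init__(self, name):
        self.name = name
        self.entries = []  # kept sorted by line number, which is the lookup order

    def add(self, command):
        """Parse 'access-list NAME [line N] extended ...', insert it, return its line number."""
        t = command.split()
        if t[:2] != ["access-list", self.name]:
            raise ValueError("command does not belong to this ACL")
        i, line = 2, None
        if t[i] == "line":
            line, i = int(t[i + 1]), i + 2
        if t[i] != "extended" or t[i + 1] not in ("permit", "deny"):
            raise ValueError("expected 'extended {deny | permit}'")
        action, ptok = t[i + 1], t[i + 2]
        proto = PROTOCOLS[ptok] if ptok in PROTOCOLS else int(ptok)
        if not 0 <= proto <= 255:
            raise ValueError("protocol number must be 0-255")
        ports = proto in (6, 17)
        src, i = _parse_addr(t, i + 3)
        sports, i = _parse_ports(t, i) if ports else (ANY_PORT, i)
        dst, i = _parse_addr(t, i)
        dports, i = _parse_ports(t, i) if ports else (ANY_PORT, i)
        if i != len(t):
            raise ValueError(f"unsupported trailing tokens: {' '.join(t[i:])}")
        if line is None:
            line = (self.entries[-1].line if self.entries else 0) + self.DEFAULT_INCREMENT
        if any(e.line == line for e in self.entries):
            raise ValueError(f"line {line} is already in use")
        self.entries.append(Entry(line, action, proto, src, sports, dst, dports))
        self.entries.sort(key=lambda e: e.line)
        return line

    def evaluate(self, proto, src_ip, dst_ip, sport=None, dport=None):
        """Return (action, line) of the first matching entry. Assumption: no match means deny."""
        for e in self.entries:
            if _matches(e, proto, src_ip, dst_ip, sport, dport):
                return e.action, e.line
        return "deny", None


def build_reference_acl():
    """The two Examples entries above plus one constructed deny that sorts ahead of them."""
    acl = Acl("INBOUND")
    acl.add("access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 "
            "gt 1024 172.27.16.0 255.255.255.0 lt 4000")
    acl.add("access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5")  # line 20
    acl.add("access-list INBOUND line 5 extended deny tcp host 192.168.12.99 any eq ssh")  # constructed
    return acl
```

With build_reference_acl(), a TCP packet from 192.168.12.7 port 40000 to 172.27.16.9 port 443 is permitted by line 10, the same packet from 192.168.12.99 to port 22 is denied by the constructed line 5 even though line 10 would also have permitted it, and an ICMP packet from 192.168.12.5 to 10.0.0.5 is permitted by line 20. The protocol 'ip' is treated as matching every protocol number, which is how a standard-style ACL is written on this platform (ports and destination as any).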

Related Commands

Command
Description

clear access-list

Clears access control list (ACL) statistics.

show access-list

Displays statistics associated with a specific ACL.


access-list remark

To add a comment to an access control list (ACL), use the access-list remark command in configuration mode. To remove an ACL remark, use the no form of this command.

access-list name remark text

no access-list name remark text

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.

remark text

Specifies any comments you want to include about the nature of the ACL. Comments appear at the top of the ACL. Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the access-list remark command to add comments about an ACL to clarify the function of the ACL. You can enter only one comment per ACL; the comment appears at the top of the ACL.

If you delete an ACL using the no access-list name command, then the remarks are also removed.

Examples

The following example shows how to add a comment to an ACL:

firewall/Admin(config)# access-list INBOUND remark This is a remark

The following example shows how to remove comments from an ACL:

firewall/Admin(config)# no access-list INBOUND line 200 remark

Related Commands

Command
Description

clear access-list

Clears access control list (ACL) statistics.

show access-list

Displays statistics associated with a specific ACL.


access-list resequence

To resequence the access control list (ACL) entries in an ACL with a specific starting number and interval, use the access-list resequence command in configuration mode. To reset the number assigned to an ACL entry to the default of 10, use the no form of this command.

access-list name resequence number1 number2 delay

no access-list name

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 characters.

resequence

Specifies the renumbering of the entries in an ACL.

number1

Number assigned to the first entry in the ACL. Enter any integer.

number2

Number added to each entry in the ACL after the first entry. Enter any integer.

delay

Amount of time in seconds to wait before resequencing the access list. Values can range from 0 to 120.


Defaults

The default resequence value is 10.
The default delay value is 20 seconds.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.

Examples

The following example shows how to resequence the ACL entries by multiples of 15, starting with 5:

firewall/Admin(config)# access-list INBOUND resequence 5 15
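Resequencing matters because lookup order is line-number order and an entry can only be inserted ahead of another if a free number exists between them. The following is an added example, not part of this reference and not Cisco code; the function names are hypothetical. It models entries as (line, text) pairs, renumbers them as the command above does (number1, then number1 + number2 for each following entry), and shows the case that motivates the command: inserting an entry between two consecutively numbered ones. The default start value of 10 is stated in this reference; using 10 as the default interval as well is an assumption.

```python
"""Model of access-list resequence and of line-number insertion, as this reference describes.
Added example, not Cisco code; function names are hypothetical. Entries are (line, text)
pairs; lookup order is line-number order, which resequencing preserves."""

DEFAULT_START = 10     # default resequence value stated in this reference
DEFAULT_INTERVAL = 10  # assumption: the same value is used as the interval


def insert_entry(entries, text, line=None, increment=DEFAULT_INTERVAL):
    """Insert at an explicit line, or append after the last line with the default increment."""
    if line is None:
        line = max((n for n, _ in entries), default=0) + increment
    if any(n == line for n, _ in entries):
        raise ValueError(f"line {line} is already in use")
    return sorted(entries + [(line, text)])


def resequence(entries, number1=DEFAULT_START, number2=DEFAULT_INTERVAL):
    """Renumber in existing order: number1, number1 + number2, number1 + 2 * number2, ..."""
    if number2 <= 0:
        raise ValueError("the interval must be positive so that line numbers stay unique")
    return [(number1 + k * number2, text) for k, (_, text) in enumerate(sorted(entries))]


def insert_before(entries, target_line, text, number1=DEFAULT_START, number2=DEFAULT_INTERVAL):
    """Insert text so that it is looked up just before the entry at target_line,
    resequencing first when the neighbouring line numbers leave no gap."""
    ordered = sorted(entries)
    idx = [n for n, _ in ordered].index(target_line)
    prev = ordered[idx - 1][0] if idx else 0
    if target_line - prev < 2:
        ordered = resequence(ordered, number1, number2)
        target_line, prev = ordered[idx][0], (ordered[idx - 1][0] if idx else 0)
        if target_line - prev < 2:
            raise ValueError("interval too small to open a gap")
    return insert_entry(ordered, text, line=(prev + target_line) // 2)


if __name__ == "__main__":
    # Constructed ACL with consecutive line numbers, so nothing fits between them.
    acl = [(10, "permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000"),
           (11, "permit icmp host 192.168.12.5 host 10.0.0.5")]
    for line, text in insert_before(acl, 11, "deny tcp host 192.168.12.99 any eq ssh", 5, 15):
        print(line, text)
```

The printed result renumbers the two existing entries to 5 and 20 (the values from the example above) and places the new entry at 12, between them. The delay argument of the real command is not modelled; it only postpones when the renumbering happens.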

Related Commands

Command
Description

clear access-list

Clears access control list (ACL) statistics.

show access-list

Displays statistics associated with a specific ACL.


clear access-list

To clear access control list (ACL) statistics, use the clear access-list command in EXEC mode.

clear access-list name

Syntax Description

name

Name of an existing ACL


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.

Examples

The following example shows how to clear the statistics for access control list ACL1:

firewall/Admin# clear access-list ACL1

Related Commands

Command
Description

access-list extended

Creates an extended ACL.

show access-list

Displays statistics associated with a specific ACL.


description (object group)

To provide a description for an object group, use the description command in the appropriate object group configuration mode. To delete the description, use the no form of this command.

description text

no description

Syntax Description

text

Description for the object group. Enter an unquoted text string containing a maximum of 240 characters including spaces.


Defaults

No default behavior or values

Command Modes

Network object group configuration
Service object group configuration

Command History

Release
Modification

Release 3.8.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.


Usage Guidelines

Use the description command to add a description to an object group configuration. The maximum number of characters is 240.

Examples

The following example shows how to configure a description for an object group:

firewall/Admin(config-objgroup-serv)# description Object Group Description

Related Commands

Command
Description

object-group network

Creates an object group made up of a group of hosts or subnet IP addresses.

object-group service

Creates an object group made up of a group of TCP or UDP port specifications.


host

To associate a host IP address with a network object group, use the host command in network object group configuration mode. To remove a host from the network object group, use the no form of this command.

host ip_address

no host ip_address

Syntax Description

ip_address

Host IP address associated with the network object group. Enter an IP address in dotted-decimal notation.


Command Modes

Network object group configuration

Command History

Release
Modification

Release 3.8.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.


Usage Guidelines

This command has no usage guidelines.

Examples

The following example shows how to associate host IP address 192.168.12.15 with a network object group:

firewall/Admin(config-objgrp-netw)# host 192.168.12.15

Related Commands

Command
Description

object-group network

Creates an object group made up of a group of hosts or subnet IP addresses.

object-group service

Creates an object group made up of a group of TCP or UDP port specifications.


object-group network

To create an object group comprising a group of hosts or subnet IP addresses, use the object-group network command in configuration mode. To remove the network object group from the configuration, use the no form of this command.

object-group network name

no object-group network name

Syntax Description

name

Unique identifier for the object group. Enter the object group name as an unquoted, alphanumeric string from 1 to 64 characters.


Command Modes

Configuration

Command History

Release
Modification

Release 3.8.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.


Usage Guidelines

Object groups allow you to streamline the creation of multiple ACL entries in an ACL. A network object group is made up of a group of hosts or subnet IP addresses. After you create a group, you can use a single ACL entry to allow trusted hosts to make specific service requests to a group of public servers.

You associate a network IP address with a network object group by typing in the address and network mask at the object group network configuration mode command prompt. Alternatively, you can use the host command to specify a host to be associated with the object group. Refer to Cisco IOS XR Virtual Firewall Configuration Guide for more information.

If you add new members to an existing object group that is already in use by an entry in a large ACL, recommitting the ACL can take a long time, depending on the size of the ACL and the object group. In some cases, making this change can cause the VFW application to devote over an hour to committing the ACL, during which time you cannot access the terminal. We recommend that you first remove the ACL entry that refers to the object group, make your change, and then add the ACL entry back into the ACL.

Examples

The following example shows how to create a network object group, with the IP address 192.168.12.15:

firewall/Admin(config)# object-group network NET_OBJ_GROUP1
firewall/Admin(config-objgrp-netw)# 192.168.12.15 255.255.255.0

Related Commands

Command
Description

host

Associates a host IP address with a network object group.

show access-list

Displays statistics associated with a specific access control list (ACL).


object-group service

To create an object group comprising a group of TCP or UDP port specifications, use the object-group service command in configuration mode. To remove the service object group from the configuration, use the no form of this command.

object-group service name

no object-group service name

Syntax Description

name

Unique identifier for the object group. Enter the object group name as an unquoted, alphanumeric string from 1 to 64 characters.


Command Modes

Configuration

Command History

Release
Modification

Release 3.8.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.


Usage Guidelines

Object groups allow you to streamline the creation of multiple ACL entries in an ACL. A service object group is made up of a group of TCP or UDP port specifications. After you create a group, you can use a single ACL entry to allow trusted hosts to make specific service requests to a group of public servers.

You associate a protocol and port designation with a service object group by typing the protocol name or number at the object group service configuration mode command prompt. Refer to Cisco IOS XR Virtual Firewall Configuration Guide for more information.

Valid protocol choices for a service object group are provided in Table 4.

Table 4 Valid IP Protocols for Service Object Groups

Protocol    Code Number   Description
ah          51            Authentication Header
eigrp       88            Enhanced IGRP
esp         50            Encapsulated Security Payload
gre         47            Generic Routing Encapsulation
icmp        1             Internet Control Message Protocol (See Table 5 for optional ICMP messaging types)
igmp        2             Internet Group Management Protocol
ip          0             Internet Protocol
ip-in-ip    4             IP-in-IP Layer 3 Tunneling protocol
ospf        89            Open Shortest Path First
pim         103           Protocol Independent Multicast
tcp         6             Transmission Control Protocol (See Table 6 for optional port numbers and keywords)
udp         17            User Datagram Protocol (See Table 6 for optional port numbers and keywords)


If you selected icmp as the IP protocol type, you can optionally specify the type of ICMP messaging. Enter either an integer corresponding to the ICMP code number or one of the ICMP messaging types as described in Table 5.

Table 5 ICMP Types

ICMP Code Number   ICMP Type
0                  echo-reply
3                  unreachable
4                  source-quench
5                  redirect
6                  alternate-address
8                  echo
9                  router-advertisement
10                 router-solicitation
11                 time-exceeded
12                 parameter-problem
13                 timestamp-request
14                 timestamp-reply
15                 information-request
16                 information-reply
17                 mask-request
18                 mask-reply
30                 traceroute
31                 conversion-error
32                 mobile-redirect


Available port numbers and keywords for defining TCP and UDP ports are provided in Table 6.

Table 6 Well-Known Port Numbers and Keywords

Keyword           Port Number   Description
aol               5190          America-Online
bgp               179           Border Gateway Protocol
chargen           19            Character Generator
citrix-ica        1494          Citrix Independent Computing Architecture protocol
cmd               514           Same as exec, with automatic authentication
ctiqbe            2748          Computer Telephony Interface Quick Buffer Encoding
daytime           13            Daytime
discard           9             Discard
domain            53            Domain Name System
echo              7             Echo
exec              512           Exec (RSH)
finger            79            Finger
ftp               21            File Transfer Protocol
ftp-data          20            FTP data connections
gopher            70            Gopher
h323              1720          H.323 call signaling
hostname          101           NIC hostname server
http              80            Hyper Text Transfer Protocol
https             443           HTTP over TLS/SSL
ident             113           Ident Protocol
imap4             143           Internet Message Access Protocol, version 4
irc               194           Internet Relay Chat
kerberos          88            Kerberos
klogin            543           Kerberos Login
kshell            544           Kerberos Shell
ldap              389           Lightweight Directory Access Protocol
ldaps             636           LDAP over TLS/SSL
login             513           Login (rlogin)
lotusnotes        1352          IBM Lotus Notes
lpd               515           Printer Service
matip-a           350           Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn       139           NetBios Session Service
nntp              119           Network News Transport Protocol
pcanywhere-data   5631          PC Anywhere data
pim-auto-rp       496           PIM Auto-RP
pop2              109           Post Office Protocol v2
pop3              110           Post Office Protocol v3
pptp              1723          Point-to-Point Tunneling Protocol, RFC 2637
rpc               71            Remote Procedure Call
rtsp              554           Real-time Stream Control Protocol
sip               5060          Session Initiation Protocol
smtp              25            Simple Mail Transfer Protocol
sqlnet            1521          Structured Query Language Network
ssh               22            Secure Shell
sunrpc            111           Sun Remote Procedure Call
tacacs            49            Terminal Access Controller Access Control System
talk              517           Talk
telnet            23            Telnet
time              37            Time
uucp              540           UNIX-to-UNIX Copy Program
whois             43            Nickname
www               80            World Wide Web (HTTP)


If you add new members to an existing object group that is already in use by an entry in a large ACL, recommitting the ACL can take a long time, depending on the size of the ACL and the object group. In some cases, making this change can cause the VFW application to devote over an hour to committing the ACL, during which time you cannot access the terminal. We recommend that you first remove the ACL entry that refers to the object group, make your change, and then add the ACL entry back into the ACL.

Examples

The following example shows how to create a service object group for ICMP information-reply messages:

firewall/Admin(config)# object-group service ICMP_OBJ_GROUP1
firewall/Admin(config-objgroup-serv)# icmp 16

The following example shows how to create a service object group for HTTP messages:

firewall/Admin(config)# object-group service HTTP_OBJ_GROUP1
firewall/Admin(config-objgroup-serv)# tcp eq 80

Related Commands

Command
Description

show access-list

Displays statistics associated with a specific access control list (ACL).


show access-list

To display statistics associated with a specific access control list (ACL), use the show access-list command in EXEC mode.

show access-list name [detail]

Syntax Description

name

Name of an existing ACL. Enter the name as an unquoted text string.

detail

Displays detailed ACL information, including a 4-byte MD5-hash value that the VFW application uses to identify the ACL entry that caused a deny syslog (106023).


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

The detail keyword was added.

Release 3.8.0

No modification.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.

The ACL information the VFW application displays when you execute the show access-list command includes the ACL name, number of elements in the ACL, operating status of the ACL (ACTIVE or NOT ACTIVE), any configured remarks, the ACL entry, and the ACL hit count.

Examples

The following example shows how to display statistical and configuration information for the ACL ACL_IN (the object-group entry on line 8 is shown expanded into its nine host-to-host entries):

firewall/Admin# show access-list ACL_IN

access-list:ACL_IN, elements: 10, status: ACTIVE
  remark : "object group acl to deny specific hosts"
access-list ACL_IN line 8 extended deny tcp object-group DENIED object-group WEB eq www
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.4 host 209.165.201.29 eq www (hitcount=0)
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www (hitcount=0)
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www (hitcount=0)
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.78 host 209.165.201.29 eq www (hitcount=0)
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www (hitcount=0)
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.78 host 209.165.201.78 eq www (hitcount=0)
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.89 host 209.165.201.29 eq www (hitcount=0)
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www (hitcount=0)
  access-list ACL_IN line 8 extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www (hitcount=0)
access-list ACL_IN line 16 extended permit ip any any (hitcount=0)

The following example illustrates output from the show access-list command using the detail keyword.

firewall/Admin# show access-list acl1 detail

access-list:acl1, elements: 1, status: ACTIVE
  remark : xxx
access-list acl1 line 10 extended permit ip any any (hitcount=0) [0x7c7685e4]

Table 7 describes the fields in the show access-list command output.

Table 7 Field Descriptions for the show access-list Command Output 

Field
Description

Access-list

Name of the security ACL.

Elements

Number of entries in the ACL.

Status

Current status of the ACL: ACTIVE when the ACL is associated with at least one interface, or NOT-ACTIVE when the ACL is not associated with any interface.

Remark

Configured comments that describe the ACL.

Entries

Full text of all entries in the ACL.

Hitcounts

Hit counts for each ACL entry.

hash 1 (0xnnnnnnnn)

(Available with detail keyword only.) 32-bit hexadecimal MD5-hash value that the VFW application computes from the access-list command immediately when you configure an ACL. The VFW application includes this hash value in deny syslog messages to help you identify the ACL entry that caused the syslog in the output of this command. This hash value is line-number independent. To prevent possible discrepancies between the hash values in the deny syslog message and the output of this command after a reboot, be sure to use Tab completion or type entire keywords in the CLI when configuring individual entries in an ACL.

hash 2 (0xnnnn)

(Available with detail keyword only.) 16-bit hexadecimal (0xnnnn) MD5-hash value that the VFW application computes from the expanded access-list entries resulting from the object groups that you configure in an ACL. The VFW application computes the hash 2 value when you activate the ACL on an interface. For ACLs that do not have object groups, the hash 2 value is always 0x0. The VFW application also includes the hash 2 value in deny syslog messages to help you identify the expanded ACL entry that caused the syslog. This hash value is also line-number independent. To uniquely identify the expanded ACL entry that caused the syslog, you need to search for an entry in this command output that matches both the hash 1 and the hash 2 hexadecimal values.
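
Correlating a deny syslog with the detail output by hand is error-prone when an object-group entry expands into many lines that all share the same hash 1 value. The following Python script is an added example, not part of the Cisco documentation or the VFW software: it parses constructed show access-list detail output, pulls the hash pair out of a constructed 106023 deny message, and returns only the entries that match both hash 1 and hash 2, as the hash 2 description above requires. The two-value bracket layout [0xhash1, 0xhash2] and the FWSM/ASA-style message text are assumptions; the page's own example shows a single bracketed value, and the parser accepts that form too (hash 2 then defaults to 0x0).

```python
import re

# Constructed sample of `show access-list <name> detail` output. It is not captured
# from a real VFW; the "[hash1, hash2]" suffix layout is an assumption, since the
# page's own example shows only one bracketed value per entry.
DETAIL_OUTPUT = """\
access-list:ACL_IN, elements: 3, status: ACTIVE
  remark : "constructed sample"
access-list ACL_IN line 8 extended deny tcp host 10.1.1.4 host 209.165.201.29 eq www (hitcount=0) [0x7c7685e4, 0x1a2b]
access-list ACL_IN line 8 extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www (hitcount=3) [0x7c7685e4, 0x3c4d]
access-list ACL_IN line 16 extended permit ip any any (hitcount=0) [0x2f1e0d0c, 0x0]
"""

# Constructed deny syslog (message 106023). The surrounding text follows the
# FWSM/ASA style and is an assumption; only the trailing hash pair is relied on.
DENY_SYSLOG = ('%FWSM-4-106023: Deny tcp src inside:10.1.1.4/40123 '
               'dst outside:209.165.201.16/80 by access-group "ACL_IN" '
               '[0x7c7685e4, 0x3c4d]')

# One ACE line: the entry text, its hit count, hash 1 and an optional hash 2.
ACE_RE = re.compile(
    r'^\s*(?P<ace>access-list\s+\S+\s+line\s+(?P<line>\d+)\s+extended\s+.*?)\s*'
    r'\(hitcount=(?P<hits>\d+)\)\s*'
    r'\[(?P<h1>0x[0-9a-fA-F]+)(?:,\s*(?P<h2>0x[0-9a-fA-F]+))?\]\s*$')
# The same bracketed hash pair as it appears at the end of the deny syslog.
HASH_RE = re.compile(r'\[(0x[0-9a-fA-F]+)(?:,\s*(0x[0-9a-fA-F]+))?\]')


def parse_detail(text):
    """Return one dict per ACE line in `show access-list ... detail` output.

    Hashes are stored as ints so that 0x0 and 0x0000 compare equal. The header
    line and remark lines carry no hash and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ace": m.group("ace"),
            "line": int(m.group("line")),
            "hitcount": int(m.group("hits")),
            "hash1": int(m.group("h1"), 16),
            "hash2": int(m.group("h2"), 16) if m.group("h2") else 0,
        })
    return entries


def syslog_hashes(message):
    """Extract (hash1, hash2) from a deny syslog; hash2 is 0 when absent."""
    m = HASH_RE.search(message)
    if not m:
        raise ValueError("no ACL hash pair found in syslog message")
    return int(m.group(1), 16), (int(m.group(2), 16) if m.group(2) else 0)


def find_ace(entries, hash1, hash2):
    """Return the entries matching BOTH hash values.

    hash1 alone is ambiguous: every line expanded from one object-group entry
    shares it, so hash2 is what singles out the expanded entry.
    """
    return [e for e in entries if e["hash1"] == hash1 and e["hash2"] == hash2]


if __name__ == "__main__":
    aces = parse_detail(DETAIL_OUTPUT)
    h1, h2 = syslog_hashes(DENY_SYSLOG)
    for e in find_ace(aces, h1, h2):
        print(f"syslog matched line {e['line']} (hits={e['hitcount']}): {e['ace']}")
```

In the constructed sample both line-8 entries share hash 1 (0x7c7685e4) and differ only in hash 2, so a search on hash 1 alone returns two candidates while the combined match returns exactly the entry that produced the syslog. Because the hashes are line-number independent, the script works unchanged after an access-list resequence.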


Related Commands

Command
Description

access-list extended

Creates an extended ACL.

access-list remark

Adds a comment to an ACL.

access-list resequence

Resequences the ACL entries in an ACL with a specific starting number and interval.

clear access-list

Clears access control list (ACL) statistics.

show running-config

Displays the running configuration information associated with the current context.


show acl-merge

To display statistics related to merged access control lists (ACLs), use the show acl-merge command in EXEC mode.

show acl-merge {acls interface interface_name {in | out} [summary] | match interface interface_name {in | out} ip_address1 ip_address2 protocol src_port dest_port | merged-list interface interface_name {in | out} [non-redundant | summary]}

Syntax Description

acls

Displays various feature ACLs and their entries before the merge.

interface interface_name

Specifies the interface on which the ACL was applied.

in | out

Specifies the direction in which the ACL was applied to network traffic: incoming or outgoing.

summary

(Optional) Displays summary information before or after the merge.

match

Displays the ACL entry that matches the specified tuple.

ip_address1

Source IP address. Enter an IP address in dotted-decimal notation.

ip_address2

Destination IP address. Enter an IP address in dotted-decimal notation.

protocol

Protocol specified in the ACL.

src_port

Source port specified in the ACL.

dest_port

Destination port specified in the ACL.

merged-list

Displays the merged ACL.

non-redundant

(Optional) Displays only those ACL entries that have been downloaded to a network processor.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Configuring Virtualization on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Configuration Guide.

The show acl-merge command is intended for use by trained Cisco personnel for troubleshooting purposes only.

The ACL merge list number (instance ID) is generated locally (not synchronized) on each VFW application in a redundant configuration. The number assigned depends on the order in which the ACLs are applied to the interfaces, so it can differ between the two modules. The merged ACL list itself can also differ between the two modules, depending on when redundancy was enabled.

Examples

The following example shows how to display the ACL merge information for interface abc:

firewall/Admin# show acl-merge acls interface abc in summary

Related Commands

This command has no related commands.