Reference Guide
Apply rules to ACL filter
OS10(config)# interface ethernet 1/1/29
OS10(conf-if-eth1/1/29)# ip access-group egress out
OS10(conf-if-eth1/1/29)# exit
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny ip any any count fragment
OS10(conf-ipv4-acl)# do commit
View IP ACL filter configuration
OS10# show ip access-lists out
Egress IP access-list abcd
Active on interfaces :
ethernet1/1/29
seq 10 deny ip any any fragment count (100 packets)
Clear access-list counters
Clear IPv4, IPv6, or MAC access-list counters for a specific access-list or all lists. The counter counts the number of packets that match
each permit or deny statement in an access-list. You can clear the counters to start at zero to get a more recent count of packets
matching an access-list. If you do not configure an access-list name, all IP access-list counters clear.
Use the show access-lists command to view access-list information.
• Clear IPv4 access-list counters in EXEC mode.
clear ip access-list counters access-list-name
• Clear IPv6 access-list counters in EXEC mode.
clear ipv6 access-list counters access-list-name
• Clear MAC access-list counters in EXEC mode.
clear mac access-list counters access-list-name
IP prefix-lists
IP prefix-lists control the routing policy. An IP prefix-list is a series of sequential filters that contain a matching criterion (such as examine IP
route prefix) and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route prefix does not
match the criterion in the first filter, the second filter applies, and so on.
When the route prefix matches a filter, the system drops or forwards the packet based on the filter’s designated action. If the route prefix
does not match any of the filters in the prefix-list, the route drops (implicit deny).
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route prefix is A.B.C.D/x, where
A.B.C.D is a dotted-decimal address and /x is the number of bits that match the dotted decimal address.
For example, in 112.24.0.0/16, the first 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 and
112.24.255.255. Use permit or deny filters for specific routes with the le (less or equal) and ge (greater or equal) parameters, where
x.x.x.x/x represents a route prefix:
• To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8
• To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
• To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20
The following rules apply to prefix-lists:
• A prefix-list without any permit or deny filters allows all routes
• An “implicit deny” is assumed — the route drops for all route prefixes that do not match a permit or deny filter in a configured prefix-list
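The sequential ge/le matching and the implicit-deny rule described above, as an added example that is not part of the OS10 guide: the evaluator, its (action, prefix, ge, le) entry format and the sample list are assumptions, and the bound rules when only one of ge/le is given follow the usual prefix-list convention rather than anything this page states.

```python
import ipaddress

# Added example (not OS10 code): a minimal evaluator for prefix-list
# semantics. An entry is (action, prefix, ge, le); ge and le are optional
# mask-length bounds. Assumed bound rules: with neither ge nor le the
# route must have exactly the entry's mask length; ge alone allows lengths
# from ge up to the address-family maximum; le alone allows lengths from
# the entry's mask length up to le.

def entry_matches(entry, route):
    """Return True if the route prefix matches this filter entry."""
    _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    if net.version != rt.version:
        return False
    # The first net.prefixlen bits of the route must equal the filter prefix.
    shift = net.max_prefixlen - net.prefixlen
    if int(rt.network_address) >> shift != int(net.network_address) >> shift:
        return False
    lower = ge if ge is not None else net.prefixlen
    if le is not None:
        upper = le
    else:
        upper = net.max_prefixlen if ge is not None else net.prefixlen
    return lower <= rt.prefixlen <= upper

def evaluate(prefix_list, route):
    """Walk the filters in sequence; the first match decides, else implicit deny."""
    if not prefix_list:            # no filters at all: every route is allowed
        return "permit"
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"                  # implicit deny at the end of the list

# Constructed prefix-list mirroring the four ge/le cases in the text.
SAMPLE_LIST = [
    ("deny",   "10.0.0.0/8", 8, 8),      # only the /8 itself
    ("permit", "10.0.0.0/8", 8, 12),     # /8 .. /12 under 10/8
    ("deny",   "0.0.0.0/0", None, 24),   # any mask length up to /24
    ("permit", "0.0.0.0/0", 20, None),   # any mask length of /20 or longer
]

if __name__ == "__main__":
    for r in ["10.0.0.0/8", "10.128.0.0/10", "192.168.0.0/16", "192.168.1.0/25"]:
        print(r, "->", evaluate(SAMPLE_LIST, r))
```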
382
Access Control Lists