Displaying Acls - Foundry Networks Switch and Router Installation And Configuration Manual

Foundry Switch and Router Installation and Configuration Guide
NOTE: If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the
interfaces before changing the ACL mode.
To enable the strict ACL UDP mode, enter the following command at the global CONFIG level of the CLI:
BigIron(config)# ip strict-acl-udp
Syntax: [no] ip strict-acl-udp
This command configures the device to compare all UDP packets against the configured ACLs before forwarding
them.
To disable the strict ACL mode and return to the default ACL behavior, enter the following command:
BigIron(config)# no ip strict-acl-udp

Displaying ACLs

To display the ACLs configured on a device, use the following method.
USING THE CLI
To display detailed information for the ACLs and their entries, enter the following command at any level of the CLI.
BigIron(config)# show access-list
Access-list = 101
TCP applicable filters
Port 80
deny M:209.157.22.26:255.255.255.255 M:209.157.22.26:255.255.255.255, tcp eq 80 log
Any other port applicable filters
UDP applicable filters
Any other port applicable filters
ICMP applicable filters
Other protocol applicable filters
Syntax: show access-list [<num>]
To display the entries in the ACLs in the same syntax used to configure them, enter the show ip access-lists command. Here is an example:
BigIron(config)# show ip access-lists
Extended IP access list 101
deny tcp host 209.157.22.26 host 209.157.22.26 eq http log
Syntax: show ip access-lists [<num>]

Displaying the Log Entries

The first time an entry in an ACL denies a packet and logging is enabled for that entry, the software generates a
Syslog message and an SNMP trap. Messages for packets denied by ACLs are at the warning level of the
Syslog.
When the first Syslog entry for a packet denied by an ACL is generated, the software starts a five-minute ACL
timer. After this, the software sends Syslog messages every five minutes. The messages list the number of
packets denied by each ACL during the previous five-minute interval. If an ACL entry does not deny any packets
during the five-minute interval, the software does not generate a Syslog entry for that ACL entry.
NOTE: For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be enabled
for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging enabled.
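The following Python model, added here as an illustration and not part of the Foundry guide, reproduces the logging cadence described above so that a defender can predict what a Syslog collector will receive: an immediate warning-level message plus an SNMP trap on the first logged deny, then one summary per five-minute interval listing only the entries that denied packets. Message texts, the AclEntry and AclLogger names, and the decision to count the first packet in the first interval are assumptions; the manual does not specify the exact Syslog wording.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACL_TIMER_SECONDS = 300  # the five-minute ACL timer from the manual


@dataclass
class AclEntry:
    acl: int
    text: str   # entry in show ip access-lists syntax (constructed sample)
    log: bool   # True when "log" is configured on the entry


@dataclass
class AclLogger:
    """Models the documented Syslog/trap behaviour for ACL denies."""
    timer_start: Optional[float] = None
    counts: Dict[Tuple[int, str], int] = field(default_factory=dict)
    messages: List[Tuple[float, str, str]] = field(default_factory=list)

    def deny(self, entry: AclEntry, now: float) -> None:
        """Record a packet denied by `entry` at time `now` (seconds)."""
        if not entry.log:
            return  # entries without "log" never produce Syslog entries
        self.flush(now)
        if self.timer_start is None:
            # First logged deny: warning-level Syslog entry plus SNMP trap,
            # and the five-minute timer starts.
            msg = f"ACL {entry.acl} denied packet: {entry.text}"
            self.messages.append((now, "warning", msg))
            self.messages.append((now, "trap", f"ACL {entry.acl} deny"))
            self.timer_start = now
        key = (entry.acl, entry.text)
        self.counts[key] = self.counts.get(key, 0) + 1  # assumption: first packet counted too

    def flush(self, now: float) -> None:
        """Emit one summary for every full five-minute interval that has elapsed."""
        while self.timer_start is not None and now - self.timer_start >= ACL_TIMER_SECONDS:
            end = self.timer_start + ACL_TIMER_SECONDS
            for (acl, text), n in self.counts.items():
                # An entry that denied nothing in the interval gets no Syslog line.
                if n:
                    self.messages.append(
                        (end, "warning", f"ACL {acl} denied {n} packets in last 5 min: {text}"))
            self.counts = {}
            self.timer_start = end


def replay(events: List[Tuple[float, AclEntry]], until: float) -> List[Tuple[float, str, str]]:
    """Feed (time, entry) deny events in order and return the messages generated up to `until`."""
    logger = AclLogger()
    for when, entry in events:
        logger.deny(entry, when)
    logger.flush(until)
    return logger.messages
```

Running replay with a constructed stream of denies against the sample entry 101 shows that a burst of hits during one interval collapses to a single summary line, which is why per-packet alerting on these messages undercounts.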
December 2000