display packet-filter verbose
Use display packet-filter verbose to display application details of ACLs for packet filtering.
Syntax
In standalone mode:
display packet-filter verbose { global | interface interface-type interface-number | vlan vlan-id } { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ slot slot-number ]
In IRF mode:
display packet-filter verbose { global | interface interface-type interface-number | vlan vlan-id } { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
global: Specifies all physical interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
vlan vlan-id: Specifies a VLAN by its VLAN ID.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
acl-number: Specifies the number of an ACL:
2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.
3000 to 3999 for IPv4 advanced ACLs s if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.
4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.
5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.
slot slot-number: Specifies a card by its slot number. If no slot is specified, the command displays ACL application details on the main board for packet filtering. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the ID of the IRF member device, and the slot-number argument represents the number of the slot that holds the card. If no card is specified, the command displays ACL application details for packet filtering on all main boards of the IRF fabric. (In IRF mode.)
Usage guidelines
When none of acl-number and name acl-name is specified, this command displays application details of all ACLs for packet filtering.
If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs.
If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
Examples
# Display application details of all IPv4 ACLs (including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs) for incoming packet filtering in VLAN 2.
<Sysname> display packet-filter verbose vlan 2 inbound VLAN: 2 In-bound policy: ACL 2001, Hardware-count rule 0 permit rule 5 permit source 1.1.1.1 0 (Failed) rule 10 permit vpn-instance test (Failed) ACL 2002 (Failed)
# Display application details of all IPv4 ACLs (including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs) for incoming packet filtering on GigabitEthernet 3/0/1.
<Sysname> display packet-filter verbose interface gigabitethernet 3/0/1 inbound Interface: GigabitEthernet3/0/1 In-bound policy: ACL 2001, Hardware-count (Failed) rule 0 permit rule 5 permit source 1.1.1.1 0 (Failed) rule 10 permit vpn-instance test (Failed) ACL 2002 (Failed), Hardware-count (Failed) ACL6 2000, Hardware-count rule 0 permit ACL 4000, Hardware-count IPv4 default action: Deny, Hardware-count (Failed) IPv6 default action: Deny, Hardware-count (Failed) MAC default action: Deny, Hardware-count
# Display application details of all IPv4 ACLs (including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs) for incoming packet filtering on all physical interfaces.
<Sysname> display packet-filter verbose global inbound Global: In-bound policy: ACL 2001 rule 0 permit rule 5 permit source 1.1.1.1 0 (Failed) rule 10 permit vpn-instance test (Failed) ACL 2002 (Failed) ACL6 2000, Hardware-count ACL 4000, Hardware-count rule 0 permit IPv4 default action: Deny IPv6 default action: Deny MAC default action: Deny
Table 6: Command output
Field | Description |
|---|---|
Interface | Interface to which the ACL applies. |
VLAN | VLAN to which the ACL applies. |
Global | ACL application details for packet filtering on all physical interfaces. |
In-bound policy | ACL used for filtering incoming traffic. |
Out-bound policy | ACL used for filtering outgoing traffic. |
ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
ACL 2002 (Failed) | The device has failed to apply IPv4 basic ACL 2002. |
Hardware-count | Successfully enables counting ACL rule matches. |
Hardware-count (Failed) | The device has failed to enable counting ACL rule matches. |
rule 5 permit source 1.1.1.1 0 (Failed) | The device has failed to apply rule 5 because hardware resources are not sufficient or the rule is not supported. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs:
|
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs:
|
MAC default action | Packet filter default action for packets that do not match any Ethernet frame header ACLs:
|