Catalyst 6500 Series Switch Command Reference—Release 8.4
OL-6244-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands
show security acl log
Defaults This command has no default settings.
Command Types Switch command.
Command Modes Privileged.
Usage Guidelines This command is supported on systems configured with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) only.
Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches and then enter the commit command to save them in NVRAM and in the hardware.
When you specify the source IP address and the source mask, use the form source_ip_address source_mask and follow these guidelines:
The source_mask is required; a 0 bit is a care bit (the corresponding address bit must match), and a 1 bit is a don't-care bit (the corresponding address bit is ignored).
Use a 32-bit quantity in four-part dotted-decimal format.
Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
Valid protocol keywords include icmp (1), ip, ipinip (4), tcp (6), udp (17), igrp (9), eigrp (88), gre (47), nos (94), ospf (89), ahp (51), esp (50), pcp (108), and pim (103). The IP protocol number is displayed in parentheses. Use the keyword ip to match any Internet Protocol.
ICMP packets that are matched by ICMP message type can also be matched by the ICMP message code. Valid names for icmp_type and icmp_code are administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, and unreachable.
If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
TCP port names can be used only when filtering TCP. Valid names for TCP ports are bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, and www.
UDP port names can be used only when filtering UDP. Valid names for UDP ports are biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp.
The number listed with the protocol type is the layer protocol number (for example, udp | 17).
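The following is an added example, not code from the Cisco command reference or from the switch itself. It evaluates the matching rules the guidelines above describe (the source/source-wildcard care and don't-care bits, the any and host abbreviations, the ip keyword matching any protocol, and port operators where range takes two ports and the others take one) against constructed packet tuples. The ACE and packet dictionary layouts, the operator keywords eq, gt, lt, neq and range, and the first-match-then-deny evaluation are assumptions made for the illustration; port names from the tables above are not translated to numbers here.

```python
"""Added example (not from the Cisco command reference): evaluate ACE source,
destination, protocol and port rules as the usage guidelines describe them."""
import ipaddress
from typing import Dict, Optional, Tuple

# Protocol keywords and IP protocol numbers as listed on the page; 'ip' matches any.
PROTOCOL_NUMBERS: Dict[str, Optional[int]] = {
    "ip": None, "icmp": 1, "ipinip": 4, "tcp": 6, "igrp": 9, "udp": 17,
    "gre": 47, "esp": 50, "ahp": 51, "eigrp": 88, "ospf": 89, "nos": 94,
    "pim": 103, "pcp": 108,
}

ALL_ONES = 0xFFFFFFFF


def parse_address(spec: str) -> Tuple[int, int]:
    """Expand 'any' / 'host X' and return (address, wildcard) as 32-bit ints.
    Wildcard bit 0 is a care bit, wildcard bit 1 is a don't-care bit."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, ALL_ONES                      # 0.0.0.0 255.255.255.255
    if len(parts) == 2 and parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0   # X 0.0.0.0
    if len(parts) == 2:
        return (int(ipaddress.IPv4Address(parts[0])),
                int(ipaddress.IPv4Address(parts[1])))
    raise ValueError(f"bad address spec: {spec!r}")


def address_matches(spec: str, addr: str) -> bool:
    """Compare only the care bits; a non-contiguous wildcard such as
    0.255.0.255 is legal because the mask is a bit pattern, not a prefix."""
    base, wild = parse_address(spec)
    care = ~wild & ALL_ONES
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def port_matches(operator: Optional[str], ports: Tuple[int, ...], port: int) -> bool:
    """Port operator semantics (assumed keywords eq, gt, lt, neq, range).
    'range' requires two port numbers, every other operator exactly one;
    no operator at all means any port matches."""
    if operator is None:
        return True
    if operator == "range":
        if len(ports) != 2:
            raise ValueError("range requires two port numbers")
        low, high = ports
        return low <= port <= high
    if len(ports) != 1:
        raise ValueError(f"{operator} requires one port number")
    (p,) = ports
    return {"eq": port == p, "gt": port > p,
            "lt": port < p, "neq": port != p}[operator]


def ace_matches(ace: dict, pkt: dict) -> bool:
    """ACE fields (assumed layout): action, protocol, source, destination,
    optional src_op/src_ports and dst_op/dst_ports for tcp and udp."""
    proto = PROTOCOL_NUMBERS[ace["protocol"]]
    if proto is not None and pkt["protocol"] != proto:
        return False
    if not address_matches(ace["source"], pkt["src"]):
        return False
    if not address_matches(ace["destination"], pkt["dst"]):
        return False
    if ace["protocol"] in ("tcp", "udp"):
        if not port_matches(ace.get("src_op"), ace.get("src_ports", ()), pkt["sport"]):
            return False
        if not port_matches(ace.get("dst_op"), ace.get("dst_ports", ()), pkt["dport"]):
            return False
    return True


def evaluate(aces, pkt: dict) -> str:
    """First matching ACE decides; nothing matching is denied (assumed default)."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed sample ACL: deny telnet (tcp/23) from 10.1.0.0 0.0.255.255
# to anywhere, then permit all other IP traffic.
SAMPLE_ACES = [
    {"action": "deny", "protocol": "tcp", "source": "10.1.0.0 0.0.255.255",
     "destination": "any", "dst_op": "eq", "dst_ports": (23,)},
    {"action": "permit", "protocol": "ip", "source": "any", "destination": "any"},
]

# Constructed packets: (protocol number, src, dst, sport, dport).
TELNET_FROM_10_1 = {"protocol": 6, "src": "10.1.5.5", "dst": "192.0.2.10", "sport": 40000, "dport": 23}
HTTP_FROM_10_1 = {"protocol": 6, "src": "10.1.5.5", "dst": "192.0.2.10", "sport": 40001, "dport": 80}
TELNET_FROM_10_2 = {"protocol": 6, "src": "10.2.5.5", "dst": "192.0.2.10", "sport": 40002, "dport": 23}

if __name__ == "__main__":
    for name, pkt in [("telnet from 10.1", TELNET_FROM_10_1),
                      ("http from 10.1", HTTP_FROM_10_1),
                      ("telnet from 10.2", TELNET_FROM_10_2)]:
        print(f"{name}: {evaluate(SAMPLE_ACES, pkt)}")
```

The point to take from the example is that the wildcard is a care/don't-care bit pattern rather than a prefix length: 10.0.0.0 0.255.0.255 matches 10.77.0.200 because only the first and third octets are compared, which is easy to get wrong when an ACE is read as if it were CIDR.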