show access-list

Syntax

Syntax that filters by ACLs applied to an interface or VLAN:

show access-list [interface <IF-NAME>|vlan <VLAN-ID>] [ip|ipv6|mac] 
                 [in|out|routed-in] [commands] [configuration] [vsx-peer]

Syntax that filters by the named ACL:

show access-list [ip|ipv6|mac] [<ACL-NAME>]
                 [commands] [configuration] [vsx-peer]

Description

Shows information about your defined ACLs and where they have been applied. When show access-list is entered without parameters, information for all ACLs is shown. The parameters filter the list of ACLs for which information is shown.

Available filtering includes:
  • The content of a specific ACL.

  • All ACLs of a specific type.

  • All ACLs applied to a specific interface (port or LAG).

  • All ACLs applied to a specific VLAN.

  • All ACLs applied in a particular direction.

  • All IPv4 or IPv6 ACLs applied to interface VLANs (routed in).

Command context

Operator (>) or Manager (#)

Parameters

interface <IF-NAME>

Specifies the interface name (port or LAG).

vlan <VLAN-ID>

Specifies the VLAN.

ip|ipv6|mac

Specifies the ACL type: ip for IPv4, ipv6 for IPv6, or mac for MAC.

in|out

Selects the traffic direction on which the ACL is applied.

  • in selects the inbound (ingress) traffic direction.

  • out (not applicable to VLANs) selects the outbound (egress) traffic direction. Only for IPv4 ACLs applied to route-only ports. Not available for ACLs applied to either IPv4 bridged ports or IPv6 ports, or for MAC ACLs applied to ports or VLANs.

routed-in

Selects the routed traffic direction on which the ACL is applied.

  • routed-in selects the routed inbound (routed ingress) traffic direction.

NOTE:

This is only available for IPv4 and IPv6 ACLs applied to interface VLANs.

<ACL-NAME>

Specifies the ACL name.

commands

Specifies that the ACL definition is to be shown as the commands and parameters used to create it rather than in tabular form.

configuration

Specifies that the user-configured ACLs be shown as entered, even if the ACLs are not active due to ACE-definition command issues or hardware issues. This parameter is useful if there is a mismatch between the entered configuration and the previously successfully programmed (active) ACL configuration.

vsx-peer

Shows the output from the VSX peer switch. If the switches do not have the VSX configuration or the ISL is down, the output from the VSX peer switch is not displayed. This parameter is available on switches that support VSX.

Authority

Operators or Administrators or local user group members with execution rights for this command. Operators can execute this command from the operator context (>) only.

Examples

Creating an IPv4 ACL, applying it to an interface VLAN (routed in), and then showing ACL information filtered for that interface VLAN:

switch(config)# access-list ip test
switch(config-acl-ip)# 10 permit any 1.1.1.2 2.2.2.2 count
switch(config-acl-ip)# 20 permit any 1.1.1.2 2.2.2.1 count
switch(config-acl-ip)# 30 permit any 2.2.2.2 1.1.1.2 count
switch(config-acl-ip)# 40 permit any 2.2.2.2 1.1.1.1 count
switch(config-acl-ip)# 50 permit any any any count
switch(config-acl-ip)# exit
switch(config)#
switch(config)# interface vlan100
switch(config-if-vlan)# apply access-list ip test routed-in
switch(config-if-vlan)# exit
switch(config)# show access-list interface vlan100 ip routed-in

Direction
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
Routed Inbound                            
IPv4       test
        10 
           permit                          any  
           1.1.1.2                         
           2.2.2.2                         
           Hit-counts: enabled 
        20 
           permit                          any  
           1.1.1.2                         
           2.2.2.1                         
           Hit-counts: enabled 
        30 
           permit                          any  
           2.2.2.2                         
           1.1.1.2                         
           Hit-counts: enabled 
        40 
           permit                          any  
           2.2.2.2                         
           1.1.1.1                         
           Hit-counts: enabled 
        50 
           permit                          any  
           any                             
           any                             
           Hit-counts: enabled 
-------------------------------------------------------------------------------

Showing an IPv4 ACL:

switch# show access-list ip MY_ACL
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv4       MY_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           syn
           ack
           dscp 10
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Showing an IPv4 ACL as commands:

switch# show access-list ip MY_ACL commands
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/255.255.255.0
    20 permit tcp 172.16.2.0/255.255.0.0 gt 1023 any
    30 permit tcp 172.26.1.0/255.255.255.0 any syn ack dscp 10
    40 deny any any any count

Showing IPv4 ACLs applied to VLAN 10, inbound:

switch# show access-list vlan 10 ip in
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv4       My_ip_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           syn
           ack
           dscp 10
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Showing IPv6 ACLs applied to LAG 128, inbound:

switch# show access-list interface lag128 ipv6 in
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1/128               >  1023
           any
        30 permit                          tcp
           2001:2011::1/64
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Showing an IPv6 ACL as commands:

switch# show access-list ipv6 MY_IPV6_ACL commands
access-list ipv6 MY_IPV6_ACL
    10 permit udp any 2001::1/64
    20 permit tcp 2001:2001::2:1/128 gt 1023 any
    40 deny any any any count

Showing a MAC ACL:

switch# show access-list mac MY_MAC_ACL
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Showing a MAC ACL as commands:

switch# show access-list mac MY_MAC_ACL commands
access-list mac MY_MAC_ACL
    10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
    20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
    30 deny any any any count
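The commands form of the output is easy to parse offline, which makes it useful for two checks this page's parameters invite: comparing the entered configuration (the configuration parameter) against the active ACLs, and spotting permit-everything entries such as ACE 50 of the test ACL above. The following Python is an added example, not part of the switch or this reference; the ACTIVE and CONFIGURED strings are constructed samples in the documented commands format, with a hypothetical ACE 30 that was entered but never programmed.

```python
import re
# Constructed sample in the "commands" form this page documents:
# the active (programmed) ACL, as "show access-list ip MY_ACL commands" would print it.
ACTIVE = """access-list ip MY_ACL
    10 permit udp any 172.16.1.0/255.255.255.0
    20 permit tcp 172.16.2.0/255.255.0.0 gt 1023 any
    40 deny any any any count
"""
# Constructed sample of the entered configuration ("... commands configuration"),
# carrying one hypothetical ACE that never became active plus a permit-everything ACL.
CONFIGURED = """access-list ip MY_ACL
    10 permit udp any 172.16.1.0/255.255.255.0
    20 permit tcp 172.16.2.0/255.255.0.0 gt 1023 any
    30 deny icmp any any count
    40 deny any any any count
access-list ip test
    50 permit any any any count
"""
HEADER = re.compile(r"^access-list (ip|ipv6|mac) (\S+)$")
ACE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*\S)\s*$")

def parse_acls(text):
    """Map (type, name) -> {sequence: 'permit|deny <rest>'} from 'commands' output."""
    acls, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = (header.group(1), header.group(2))
            acls[current] = {}
            continue
        ace = ACE.match(line)
        if ace and current is not None:
            acls[current][int(ace.group(1))] = f"{ace.group(2)} {ace.group(3)}"
    return acls

def unprogrammed_aces(configured, active):
    """(name, seq, ace) entered by the operator but missing or different in the active set."""
    active_acls = parse_acls(active)
    out = []
    for key, aces in parse_acls(configured).items():
        for seq, ace in sorted(aces.items()):
            if active_acls.get(key, {}).get(seq) != ace:
                out.append((key[1], seq, ace))
    return out

def permit_all_aces(text):
    """(name, seq) of ACEs that permit any protocol from any source to any destination."""
    return [(key[1], seq) for key, aces in parse_acls(text).items()
            for seq, ace in aces.items() if ace.split()[:4] == ["permit", "any", "any", "any"]]
```

Feed it the two outputs captured from the switch to list ACEs that the hardware never accepted and ACLs that effectively permit all traffic.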