Viewing the content of a specific ACL

Displays a specific IPv6 or IPv4 ACL configured in the running config file in an easy-to-read tabular format.

Syntax:

show access-list <identifier> [config]

Displays detailed information on the content of a specific ACL configured in the running-config file. The optional config keyword shows the same ACL in the command format used by the running configuration instead of the tabular format.

NOTE:

This information also appears in the show running-config display. If you execute write memory after configuring an ACL, it also appears in the show config display (the startup configuration).

For information on IPv4 ACL operation, see the latest version of the ArubaOS-Switch Access Security Guide for your switch.

For example, suppose you configured the following two ACLs in the switch:

Identifier: Accounting
Type: IPv6
Desired action:
  • Permit Telnet traffic from these two IPv6 addresses:
    • 2001:db8:0:1af::10:14
    • 2001:db8:0:1af::10:24
  • Deny Telnet traffic from all other devices in the same subnet.
  • Permit all other IPv6 traffic from the subnet.
  • Deny and log any IPv6 traffic from any other source.

Identifier: List-120
Type: IPv4 Extended
Desired action:
  • Permit any TCP traffic from 10.30.133.27 to any destination.
  • Deny any other IP traffic from 10.30.133.(1–255).
  • Permit all other IP traffic from any source to any destination.

Use show access-list <identifier> to inspect a specific IPv6 or IPv4 ACL, as follows:

Listing an IPv6 ACL

Switch(config)# show access-list Accounting

Access Control Lists

  Name: Accounting
  Type: ipv6
  Applied: Yes 1

 SEQ  Entry
––––––––––––––––––––––––––––––––––––––––––––––––––––––––
 10   Action: permit
      Remark: Telnet Allowed 2
      Src IP: 2001:db8:0:1af::10:14 3   Prefix Len: 128 6
      Dst IP: :: 4                      Prefix Len: 0 6
      Src Port(s): 7 Dst Port(s): eq 23 5
      Proto : TCP 8 Option(s):
      Dscp : - 9

 20   Action: permit
      Src IP: 2001:db8:0:1af::10:23     Prefix Len: 128
      Dst IP: ::                        Prefix Len: 0
      Src Port(s):  Dst Port(s): eq 23
      Proto : TCP Option(s):
      Dscp : -

 30   Action: deny (log)
      Src IP: 2001:db8:0:1af::10        Prefix Len: 116
      Dst IP: ::                        Prefix Len: 0
      Src Port(s):  Dst Port(s):
      Proto : TCP Option(s):
      Dscp : -


1 Indicates whether the ACL is applied to an interface

2 Remark Field (appears if remark configured)

3 Source Address

4 Destination Address

5 TCP Destination Port (Note: An empty TCP field indicates that the TCP port number for that field can be any value)

6 Source and Destination Prefix Lengths

7 TCP Source Port

8 Protocol Data

9 DSCP Codepoint or Precedence

Listing an IPv4 extended ACL

Switch(config)# show access-list List-120

Access Control Lists

  Name: List-120
  Type: Extended
  Applied: No 1

 SEQ Entry
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
 10  Action: permit
     Remark: Telnet Allowed 2
     Src IP: 10.30.133.27 3    Mask: 0.0.0.0          Port(s): eq 23 4
     Dst IP: 0.0.0.0           Mask: 255.255.255.255  Port(s): 6
     Proto : IP 5
     TOS : -                   Precedence: - 7

 20  Action: deny (log)
     Src IP: 10.30.133.1       Mask: 0.0.0.255        Port(s):
     Dst IP: 0.0.0.0           Mask: 255.255.255.255  Port(s):
     Proto : IP
     TOS : -                   Precedence: -

 30  Action: permit
     Src IP: 0.0.0.0           Mask: 255.255.255.255  Port(s):
     Dst IP: 0.0.0.0           Mask: 255.255.255.255  Port(s):
     Proto : IP
     TOS : -                   Precedence: -


1 Indicates whether the ACL is applied to an interface

2 Remark Field (Appears if remark configured)

3 Source Address

4 TCP Source Port

5 Protocol Data

6 Empty field indicates that the destination TCP port can be any value

7 DSCP Codepoint and Precedence Data
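The two listings above are what an auditor usually has to work from when the switch is reachable only through a captured CLI session. The script below is an added example, not part of this page or of ArubaOS-Switch: it parses both the IPv6 and the IPv4 tabular layouts into one structure and then flags the three things worth checking first, namely an ACL that exists but is not applied (and so filters nothing), a deny entry without log, and a closing permit any/any, which replaces the implicit deny that otherwise ends every ACL. The sample text is constructed from the page's listings with the numbered callouts removed and the TOS/Precedence lines left out; the field names, regular expressions and finding texts are this example's own.

```python
import re

# Constructed sample input: the two listings from this page, callouts removed,
# as a script would read them from a captured CLI session.
SAMPLE_IPV6 = """\
  Name: Accounting
  Type: ipv6
  Applied: Yes
 SEQ  Entry
 10   Action: permit
      Remark: Telnet Allowed
      Src IP: 2001:db8:0:1af::10:14    Prefix Len: 128
      Dst IP: ::                       Prefix Len: 0
      Src Port(s):  Dst Port(s): eq 23
      Proto : TCP Option(s):
      Dscp : -
 30   Action: deny (log)
      Src IP: 2001:db8:0:1af::10       Prefix Len: 116
      Dst IP: ::                       Prefix Len: 0
      Src Port(s):  Dst Port(s):
      Proto : TCP Option(s):
      Dscp : -
"""
SAMPLE_IPV4 = """\
  Name: List-120
  Type: Extended
  Applied: No
 SEQ Entry
 10  Action: permit
     Remark: Telnet Allowed
     Src IP: 10.30.133.27      Mask: 0.0.0.0          Port(s): eq 23
     Dst IP: 0.0.0.0           Mask: 255.255.255.255  Port(s):
     Proto : IP
 20  Action: deny (log)
     Src IP: 10.30.133.1       Mask: 0.0.0.255        Port(s):
     Dst IP: 0.0.0.0           Mask: 255.255.255.255  Port(s):
     Proto : IP
 30  Action: permit
     Src IP: 0.0.0.0           Mask: 255.255.255.255  Port(s):
     Dst IP: 0.0.0.0           Mask: 255.255.255.255  Port(s):
     Proto : IP
"""

HEADER_RE = re.compile(r"^\s*(Name|Type|Applied):\s*(.*?)\s*$")
SEQ_RE = re.compile(r"^\s*(\d+)\s+Action:\s*(permit|deny)(\s*\(log\))?\s*$")
ADDR_RE = re.compile(r"(Src|Dst) IP:\s*(\S+)\s+(?:Mask|Prefix Len):\s*(\S+)")
PORT_TAIL_RE = re.compile(r"Port\(s\):\s*(.*?)\s*$")
PROTO_RE = re.compile(r"Proto\s*:\s*(\S+)")
ANY_V4 = ("0.0.0.0", "255.255.255.255")  # all-ones mask ignores every bit: any address
ANY_V6 = ("::", "0")                     # prefix length 0: any address


def parse_show_access_list(text):
    """Parse the tabular 'show access-list <id>' output (IPv4 or IPv6 layout)."""
    acl = {"name": None, "type": None, "applied": None, "aces": []}
    ace = None
    for line in text.splitlines():
        if m := SEQ_RE.match(line):                 # start of a new ACE
            ace = {"seq": int(m.group(1)), "action": m.group(2),
                   "log": m.group(3) is not None, "remark": None, "src": None,
                   "dst": None, "proto": None, "src_ports": None, "dst_ports": None}
            acl["aces"].append(ace)
        elif ace is None:                           # still in the header block
            if m := HEADER_RE.match(line):
                key, val = m.group(1).lower(), m.group(2)
                acl[key] = (val == "Yes") if key == "applied" else val
        elif "Src Port(s):" in line:                # IPv6 layout: both port fields on one line
            src_part, dst_part = line.split("Dst Port(s):")
            ace["src_ports"] = src_part.split("Src Port(s):")[1].strip() or None
            ace["dst_ports"] = dst_part.strip() or None
        elif m := ADDR_RE.search(line):
            side = m.group(1).lower()               # "src" or "dst"
            ace[side] = (m.group(2), m.group(3))
            if "Port(s):" in line:                  # IPv4 layout: port field on the address line
                ace[side + "_ports"] = PORT_TAIL_RE.search(line).group(1) or None
        elif line.lstrip().startswith("Remark:"):
            ace["remark"] = line.split("Remark:", 1)[1].strip()
        elif m := PROTO_RE.search(line):
            ace["proto"] = m.group(1).upper()
    return acl


def _matches_everything(ace):
    """True when the ACE narrows nothing: any source, destination, port and protocol."""
    return (ace["src"] in (ANY_V4, ANY_V6) and ace["dst"] in (ANY_V4, ANY_V6)
            and ace["proto"] in ("IP", "IPV6")
            and ace["src_ports"] is None and ace["dst_ports"] is None)


def audit(acl):
    """Return the review findings for one parsed ACL."""
    findings = []
    if acl["applied"] is False:
        findings.append("not applied to any interface: the ACL enforces nothing yet")
    for ace in acl["aces"]:
        if ace["action"] == "deny" and not ace["log"]:
            findings.append(f"seq {ace['seq']}: deny without log, drops leave no trace")
    last = acl["aces"][-1] if acl["aces"] else None
    if last and last["action"] == "permit" and _matches_everything(last):
        findings.append(f"seq {last['seq']}: closing permit any/any replaces the implicit deny")
    return findings
```

Run against the constructed samples, the IPv4 ACL produces two findings (not applied, and the permit any/any at seq 30) and the IPv6 ACL none. Empty port fields are stored as None, matching the page's note that an empty field means any port.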

The show access-list <identifier> config command shows the same ACL data as show access-list <identifier>, but in the format used by the show running-config and show config commands to list the switch configuration.

An ACL listed with the config option

Switch(config)# show access-list List-120 config

ip access-list extended "List-120"
 10 remark "Telnet Allowed"
 10 permit tcp 10.30.133.27 0.0.0.0 eq 23 0.0.0.0 255.255.255.255 precedence 0 established
 20 deny ip 10.30.133.1 0.0.0.255 0.0.0.0 255.255.255.255 log
 30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 exit

Descriptions of data types included in show access-list <acl-id> output (each field, followed by its description)

Name

The ACL identifier. For IPv6 ACLs, the identifier is an alphanumeric name. For IPv4 ACLs, it can be a number from 1 to 199 or an alphanumeric name.

Type

IPv6, Standard, or Extended.
  • IPv6 ACLs use a source and a destination address, plus IPv6 protocol specifiers.

  • Standard ACLs are IPv4 only, and use only a source IP address.

  • Extended ACLs are available in IPv4 only, and use both source and destination IP addressing, as well as other IP protocol specifiers.

Applied

“Yes” means the ACL has been applied to an interface. “No” means the ACL exists in the switch configuration but has not been applied to any interface, and is therefore not in use.

SEQ

The sequential number of the ACE in the specified ACL.

Entry

Lists the content of the ACEs in the selected ACL.

Action

Permit (forward) or deny (drop) a packet when it is compared to the criteria in the applicable ACE and found to match. Includes the optional log option, if used, in deny actions.

Remark

Displays any optional remark text configured for the selected ACE.

IP

Used for IPv4 standard ACEs: The source IPv4 address to which the configured mask is applied to determine whether there is a match with a packet.

Src IP

Used for IPv6 ACEs and IPv4 extended ACEs: The source IPv6 or IPv4 address to which the configured mask is applied to determine whether there is a match with a packet.

Dst IP

Used for IPv6 ACEs and IPv4 extended ACEs: The destination IPv6 or IPv4 address to which the configured mask is applied to determine whether there is a match with a packet.

Mask

Used in IPv4 ACEs, the mask is configured in an ACE and applied to the corresponding IP address in the ACE to determine whether a packet matches the filtering criteria. The mask is an ACL (wildcard) mask, not a subnet mask: a 0 bit means the corresponding address bit must match, and a 1 bit means it is ignored. So 0.0.0.0 matches only the configured host and 255.255.255.255 matches any address, as in the List-120 listing above.

Prefix Len (source and destination)

Used in IPv6 ACEs to specify the number of consecutive high-order (leftmost) bits of the source or destination address configured in an ACE that must match the corresponding bits of a packet being filtered by the ACE. A prefix length of 128 matches only the configured address; a prefix length of 0 matches any address, as the Dst IP of :: with Prefix Len 0 in the Accounting listing shows.

Proto

Used in IPv6 ACEs and IPv4 extended ACEs to specify the packet protocol type to filter.

Port(s)

Used in IPv4 extended ACEs to show any TCP or UDP operator and port numbers included in the ACE.

Src Port(s), Dst Port(s)

Used in IPv6 ACEs to show TCP or UDP source and destination operator and port numbers included in the ACE.

DSCP

Used in IPv6 ACEs to show the DSCP precedence or codepoint setting, if any.

TOS

Used in IPv4 extended ACEs to indicate Type-of-Service setting, if any.

Precedence

Used in IPv4 extended ACEs to indicate the IP precedence setting, if any.
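The config-format listing of List-120 above and the Mask and Prefix Len descriptions together define what an entry actually matches, which is the question an auditor has to answer before trusting the intent table at the top of the page. The script below is an added example, not part of this page or of ArubaOS-Switch. It parses the config-format ACEs in the form the page shows (address followed by ACL mask, an optional port operator after each address, then trailing qualifiers), renders each address/mask pair as CIDR where the mask is contiguous, and runs a first-match evaluation for a few constructed packets, falling through to the implicit deny. The ACL mask semantics (1 bit = ignore) and IPv6 prefix semantics are the ones the page describes; the port operators handled (eq, neq, lt, gt, range), the tcp_ack flag that models the established keyword, and the packet examples are this example's assumptions, and precedence/tos qualifiers are parsed past but not evaluated. Note that in the page's seq 10 entry the eq 23 follows the source address, so it is a source-port match, which is why a new Telnet session from 10.30.133.27 (ephemeral source port) falls through to the deny at seq 20 in the evaluation below.

```python
import ipaddress

# Constructed sample: the "show access-list List-120 config" listing from this page,
# with the wrapped ACE joined back onto one line.
CONFIG_TEXT = """\
ip access-list extended "List-120"
 10 remark "Telnet Allowed"
 10 permit tcp 10.30.133.27 0.0.0.0 eq 23 0.0.0.0 255.255.255.255 precedence 0 established
 20 deny ip 10.30.133.1 0.0.0.255 0.0.0.0 255.255.255.255 log
 30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 exit
"""


def wildcard_match(addr, mask, packet_ip):
    """ACL mask semantics: a 1 bit in the mask means 'ignore this bit of the address'.
    So 0.0.0.0 matches exactly one host and 255.255.255.255 matches any address."""
    a, m, p = (int(ipaddress.IPv4Address(x)) for x in (addr, mask, packet_ip))
    return (a | m) == (p | m)


def wildcard_to_cidr(addr, mask):
    """Render an address/ACL-mask pair as CIDR, or None if the mask is not contiguous."""
    netmask = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        return None                         # e.g. 0.0.255.0: legal, but not a prefix
    network = int(ipaddress.IPv4Address(addr)) & netmask
    return str(ipaddress.IPv4Network((network, prefix)))


def _port_spec(tok, i):
    """Consume an optional port operator at tok[i]; return (spec, next index)."""
    if i < len(tok) and tok[i] in ("eq", "neq", "lt", "gt"):
        return (tok[i], int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i                          # no operator: any port


def parse_config(text):
    """Parse the ACEs of one extended ACL in running-config form, in sequence order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or not tok[0].isdigit() or tok[1] not in ("permit", "deny"):
            continue                        # header, remark and exit lines carry no criteria
        i = 3
        src, i = (tok[i], tok[i + 1]), i + 2
        src_port, i = _port_spec(tok, i)
        dst, i = (tok[i], tok[i + 1]), i + 2
        dst_port, i = _port_spec(tok, i)
        aces.append({"seq": int(tok[0]), "action": tok[1], "proto": tok[2],
                     "src": src, "dst": dst, "src_port": src_port, "dst_port": dst_port,
                     "established": "established" in tok[i:], "log": "log" in tok[i:]})
    return sorted(aces, key=lambda a: a["seq"])


def _port_ok(spec, port):
    if spec is None:
        return True
    op, lo = spec[0], spec[1]
    if op == "range":
        return lo <= port <= spec[2]
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo, "gt": port > lo}[op]


def evaluate(aces, proto, src_ip, dst_ip, src_port=0, dst_port=0, tcp_ack=False):
    """First-match evaluation of one packet; falling off the end is the implicit deny
    that closes every ACL. Returns (seq, action), seq None for the implicit deny."""
    for a in aces:
        if a["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(*a["src"], src_ip) and wildcard_match(*a["dst"], dst_ip)):
            continue
        if not (_port_ok(a["src_port"], src_port) and _port_ok(a["dst_port"], dst_port)):
            continue
        if a["established"] and not tcp_ack:  # 'established' needs ACK (or RST) set
            continue
        return a["seq"], a["action"]
    return None, "deny"


def prefix_match(packet_ip, addr, prefix_len):
    """IPv6 'Prefix Len' semantics: only the leftmost prefix_len bits must match."""
    net = ipaddress.IPv6Network((addr, prefix_len), strict=False)
    return ipaddress.IPv6Address(packet_ip) in net


if __name__ == "__main__":
    for a in parse_config(CONFIG_TEXT):
        print(a["seq"], a["action"], a["proto"],
              wildcard_to_cidr(*a["src"]), "->", wildcard_to_cidr(*a["dst"]))
```

Two results are worth noting. Evaluating a Telnet server reply from 10.30.133.27 (source port 23, ACK set) hits seq 10, while a new Telnet session from the same host hits the logged deny at seq 20. And prefix_match applied to the Accounting listing reports that 2001:db8:0:1af::10:14 is not inside 2001:db8:0:1af::10 with Prefix Len 116, since that prefix leaves only the low 12 bits free; checking each configured prefix against the hosts it is meant to cover is exactly the kind of test this script exists for.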