Viewing specific ACL configuration details

This command displays a specific IPv6 or IPv4 ACL configured in the running config file in an easy-to-read tabular format.

NOTE:

This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.

For information on IPv4 ACL operation, see the latest version of the access security guide for your switch.

Syntax


show access-list <identifier> [config]

Displays detailed information on the content of a specific ACL configured in the running-config file.

For example, suppose you configured the following two ACLs in the switch:

Identifier

Type

Desired action

Accounting

IPv6

  • Permit Telnet traffic from these two IPv6 addresses:

  • 2001:db8:0:1af::10: 14

  • 2001:db8:0:1af::10: 24

  • Deny Telnet traffic from all other devices in the same subnet.

  • Permit all other IPv6 traffic from the subnet.

  • Deny and log any IPv6 traffic from any other source.

List-120

IPv4 Extended

  • Permit any TCP traffic from 10.30.133.27 to any destination.

  • Deny any other IPv4 traffic from 10.30.133.(1-255).

  • Permit all other IPv4 traffic from any source to any destination.

Use show access-list <identifier> to show an ACL.

Figure 103: IPv6 ACL example

The show access-list identifier config command shows the same ACL data as show access-list <identifier> but in the format used by the show <run | config> commands to list the switch configuration. For example:

Figure 104: An ACL listed with the "Config" option
Table 9: Descriptions of data types included in show access-list <acl-id> output

Field

Description

Name

The ACL identifier. Can be a number from 1 to 199, or a name.

Type

Standard or Extended. The former uses only source IPv4 addressing. The latter uses both source and destination IPv4 addressing and also allows TCP or UDP port specifiers.

Applied

"Yes" means the ACL has been applied to a port or VLAN interface. "No" means the ACL exists in the switch configuration, but has not been applied to any interface, and is therefore not in use.

SEQ

The sequential number of the Access Control Entry (ACE) in the specified ACL.

Entry

Lists the content of the ACEs in the selected ACL.

Action

Permit (forward) or deny (drop) a packet when it is compared to the criteria in the applicable ACE and found to match. Includes the optional log option, if used, in deny actions.

Remark

Displays any optional remark text configured for the selected ACE.

IP

Used for Standard ACLsThe source IPv4 address to which the configured mask is applied to determine whether there is a match with a packet.

Src IP

Used for Extended ACLsSame as above.

Dst IP

Used for Extended ACLsThe source and destination IPv4 addresses to which the corresponding configured masks are applied to determine whether there is a match with a packet.

Mask

The mask configured in an ACE and applied to the corresponding IPv4 address in the ACE to determine whether a packet matches the filtering criteria.

Proto

Used only in extended ACLs to specify the packet protocol type to filter. Must be either IPv4, TCP, or UDP. For TCP protocol selections, includes the established option, if configured.

Port(s)

Used only in extended ACLs to show any TCP or UDP operator and port numbers included in the ACE.

TOS

Used only in extended ACLs to indicate Type-of-Service setting, if any.

Precedence

Used only in extended ACLs to indicate the IP precedence setting, if any.