Active ACL configuration versus user-specified configuration

The show access-list command shows the active configuration of the switch. The active configuration is the set of ACLs that have been configured and accepted by the system, together with the interfaces on which those ACLs have been successfully programmed in hardware.

The output of the show access-list command with the configuration parameter shows the ACLs as the user configured them. This output might not match what has been programmed in hardware or what is active on the switch. This situation can occur for one or more of the following reasons:
  • Unsupported command parameters might have been configured.

  • Unsupported applications might have been specified.

  • Applying an ACL might have been unsuccessful due to lack of hardware resources.

To determine whether a discrepancy exists between what was configured and what is active, run the show access-list command with the configuration parameter.

If the active ACLs and configured ACLs are not the same, the switch shows a warning message in the output of the show command:

! access-list ip MY_IP_ACL user configuration does not match active configuration.
! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.

If the configured ACL is still being processed, the switch shows an in-progress warning:

! access-list ip MY_IP_ACL user configuration currently being processed
! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.

If the switch shows a warning message or an in-progress message, you can either make additional changes until the show command no longer displays the message, or run the access-list {all|ip <ACL-NAME>|ipv6 <ACL-NAME>|mac <ACL-NAME>} reset command. The access-list reset command changes the user-specified configuration to match the active configuration. For details, see access-list reset.

NOTE:

The show running-config command also shows a warning about ACLs that are in progress or failed.
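As an added example (not part of the switch documentation), the following Python script parses captured show access-list commands configuration output, records the warning lines described above, and reports any ACL that is applied to an interface while the switch flags it as not matching the active configuration or as still being processed. Such an ACL is applied in the configuration but not enforced in hardware, which an audit of the running switch should surface. The sample output, the ACL name MGMT_ONLY and interface 1/1/2 are constructed for the example.

```python
import re

# Warning lines exactly as the switch prints them in the "show" output.
WARNING_RE = re.compile(r"^! access-list (\S+) (\S+) user configuration "
                        r"(does not match active configuration\.|currently being processed)$")
STATUS = {"does not match active configuration.": "mismatch",
          "currently being processed": "in_progress"}
ACL_RE = re.compile(r"^access-list (\S+) (\S+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
APPLY_RE = re.compile(r"^apply access-list (\S+) (\S+) (in|out)$")

def audit_acl_config(output: str) -> dict:
    """Parse 'show access-list commands configuration' text into
    {(type, name): {"status": active|mismatch|in_progress, "applied": [(interface, dir)]}}.
    An ACL the switch flags as mismatched or still processing is not what hardware enforces."""
    acls, current_iface = {}, None

    def entry(acl_type, name):
        return acls.setdefault((acl_type, name), {"status": "active", "applied": []})

    for raw in output.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            entry(m[1], m[2])
            current_iface = None           # ACL bodies precede the interface section
        elif m := WARNING_RE.match(line):
            entry(m[1], m[2])["status"] = STATUS[m[3]]
        elif m := INTERFACE_RE.match(line):
            current_iface = m[1]
        elif (m := APPLY_RE.match(line)) and current_iface:
            entry(m[1], m[2])["applied"].append((current_iface, m[3]))
    return acls

def unenforced(acls: dict) -> list:
    """Flagged ACLs applied to an interface: traffic there is not filtered as configured."""
    return sorted((t, n, s["status"], s["applied"])
                  for (t, n), s in acls.items() if s["status"] != "active" and s["applied"])

# Constructed sample modelled on the documentation's output; MGMT_ONLY and 1/1/2 are invented.
SAMPLE = """\
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.
access-list ip MGMT_ONLY
    10 permit tcp 10.0.0.0/8 any eq 22
interface 1/1/1
    apply access-list ip TEST_ACL out
interface 1/1/2
    apply access-list ip MGMT_ONLY in
"""
```

Running unenforced(audit_acl_config(SAMPLE)) reports TEST_ACL as mismatched on interface 1/1/1 outbound, while MGMT_ONLY, which carries no warning, is not reported.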

Examples

Applying an ACL that matches on TCP acknowledgments (ACKs) in the egress direction, which the hardware does not support:

switch(config-acl)# 10 permit tcp 172.16.2.0/16 any ack

Showing the user-specified configuration:

switch(config)# do show access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
interface 1/1/1
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'show access-list [commands]' to display active access-list configuration.
    apply access-list ip TEST_ACL out

switch(config)# do show access-list commands
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.

switch(config)# do show access-list commands configuration
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.
interface 1/1/1
    apply access-list ip TEST_ACL out

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       TEST_ACL
        10 permit                          tcp
           172.16.2.0/16
           any
           ack

Resetting the user-specified configuration to match the active configuration:

switch(config)# access-list all reset

Showing the updated user-specified configuration:

switch(config)# do show access-list commands configuration
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack