show access-list

Syntax

Syntax that filters by ACLs applied to an interface or VLAN:

show access-list [interface <IF-NAME> [ip|ipv6|mac] [in|out] |
                 vlan <VLAN-ID> [ip|ipv6|mac] [in]]
                 [commands] [configuration] [vsx-peer]

Syntax that filters by the named ACL:

show access-list [ip|ipv6|mac] [<ACL-NAME>]
                 [commands] [configuration] [vsx-peer]

Description

Shows information about your defined ACLs and where they have been applied. When show access-list is entered without parameters, information for all ACLs is shown. The parameters filter the list of ACLs for which information is shown.

Available filtering includes:
  • The content of a specific ACL.

  • All ACLs of a specific type.

  • All ACLs applied to a specific interface (port or LAG).

  • All ACLs applied to a specific VLAN.

  • All ACLs applied in a particular direction.

Command context

Operator (>) or Manager (#)

Parameters

interface <IF-NAME>

Specifies the interface name (port or LAG).

vlan <VLAN-ID>

Specifies the VLAN.

in|out

Selects the traffic direction on which the ACL is applied.

  • in selects the inbound (ingress) traffic direction.

  • out (not applicable to VLANs) selects the outbound (egress) traffic direction. Only for IPv4 ACLs applied to route-only ports. Not available for ACLs applied to IPv4 bridged ports, IPv6 ports, or MAC ACLs applied to ports.

ip|ipv6|mac

Specifies the ACL type: ip for IPv4, ipv6 for IPv6, or mac for MAC.

<ACL-NAME>

Specifies the ACL name.

commands

Specifies that the ACL definition is to be shown as the commands and parameters used to create it rather than in tabular form.

configuration

Specifies that the user-configured ACLs be shown as entered, even if the ACLs are not active due to ACE-definition command issues or hardware issues. This parameter is useful if there is a mismatch between the entered configuration and the previous successfully programmed (active) ACLs configuration.

vsx-peer

Shows the output from the VSX peer switch. If the switches do not have the VSX configuration or the ISL is down, the output from the VSX peer switch is not displayed. This parameter is available on switches that support VSX.

Authority

Operators or Administrators or local user group members with execution rights for this command. Operators can execute this command from the operator context (>) only.

Examples

Showing an IPv4 ACL:

switch# show access-list ip MY_ACL
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv4       MY_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           syn
           ack
           dscp 10
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Showing an IPv4 ACL as commands:

switch# show access-list ip MY_ACL commands
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/255.255.255.0
    20 permit tcp 172.16.2.0/255.255.0.0 gt 1023 any
    30 permit tcp 172.26.1.0/255.255.255.0 any syn ack dscp 10
    40 deny any any any count

Showing IPv4 ACLs applied to VLAN 10:

switch# show access-list vlan 10 ip in
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv4       My_ip_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           syn
           ack
           dscp 10
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Showing IPv6 ACLs applied to LAG 128, inbound:

switch# show access-list interface lag128 ipv6 in
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1/128               >  1023
           any
        30 permit                          tcp
           2001:2011::1/64
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Showing an IPv6 ACL as commands:

switch# show access-list ipv6 MY_IPV6_ACL commands
access-list ipv6 MY_IPV6_ACL
    10 permit udp any 2001::1/64
    20 permit tcp 2001:2001::2:1/128 gt 1023 any
    40 deny any any any count

Showing a MAC ACL applied to interface 1/1/1, inbound:

switch# show access-list interface 1/1/1 in mac MY_MAC_ACL
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Showing a MAC ACL as commands:

switch# show access-list mac MY_MAC_ACL commands
access-list mac MY_MAC_ACL
    10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
    20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
    30 deny any any any count
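As an added example (not part of the switch documentation), a small Python parser for the `commands` output format shown above, used to audit each ACL for an explicit final `deny any any any` with hit counts enabled (`count`, shown as "Hit-counts: enabled" in the tabular form) and for permit-all entries. The sample input is constructed from the page's IPv4 and MAC examples plus a hypothetical weak ACL named OPEN_ACL.

```python
import re

# Constructed sample in the "commands" output format of this page: the IPv4
# and MAC ACLs shown above, plus a hypothetical weak ACL (OPEN_ACL).
SAMPLE = """\
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/255.255.255.0
    20 permit tcp 172.16.2.0/255.255.0.0 gt 1023 any
    30 permit tcp 172.26.1.0/255.255.255.0 any syn ack dscp 10
    40 deny any any any count
access-list mac MY_MAC_ACL
    10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
    20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
    30 deny any any any count
access-list ip OPEN_ACL
    10 permit any any any
    20 deny any any any
"""

HEADER = re.compile(r"^access-list (ip|ipv6|mac) (\S+)\s*$")
ACE = re.compile(r"^\s+(\d+) (permit|deny) (.*)$")

def parse_commands_output(text):
    """Return {(acl_type, name): [ace, ...]} from 'show access-list ... commands'."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            acls[current] = []
            continue
        m = ACE.match(line)
        if m and current is not None:
            tokens = m.group(3).split()
            # 'count' enables the hit counter; it is not part of the match criteria
            acls[current].append({"seq": int(m.group(1)), "action": m.group(2),
                "match": [t for t in tokens if t != "count"], "count": "count" in tokens})
    return acls

def audit(acls):
    """Flag ACLs lacking a counted explicit final deny, and any permit-all ACE."""
    findings = []
    for (kind, name), aces in acls.items():
        last = aces[-1] if aces else None
        if last is None or last["action"] != "deny" or last["match"] != ["any"] * 3:
            findings.append(f"{kind} {name}: no explicit final 'deny any any any'")
        elif not last["count"]:
            findings.append(f"{kind} {name}: final deny lacks 'count' (no hit counts)")
        for ace in aces:
            if ace["action"] == "permit" and ace["match"][:3] == ["any"] * 3:
                findings.append(f"{kind} {name}: ACE {ace['seq']} permits all traffic")
    return findings
```

Running `audit(parse_commands_output(SAMPLE))` reports only the two OPEN_ACL problems; MY_ACL and MY_MAC_ACL pass both checks.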