show access-list

show access-list {any | ports port_list | vlan vlan_name} {ingress | egress}


Displays the ACLs (Access Control Lists) configured on an interface.

Syntax Description

aclname Specifies the ACL name. The name can be from 1 to 32 characters long.
any Specifies the wildcard ACL.
port_list Specifies which ports' ACLs to display.
vlan_name Specifies the VLAN (Virtual LAN) whose ACL is displayed.
ingress Displays ingress ACLs.
egress Displays egress ACLs.


The default is to display ingress ACLs for all interfaces.

Usage Guidelines

The ACL with the port and VLAN displayed as an asterisk (*) is the wildcard ACL.

If you do not specify an interface, the policy names for all the interfaces are displayed, but dynamic ACL rule names are not. To display dynamic ACLs, use the following commands:

show access-list dynamic

show access-list dynamic rule rule {detail}

If you specify an interface, all the policy entries and dynamic policy entries are displayed.


The following command displays all the interfaces configured with an ACL:

show access-list

The output from this command is similar to:

Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
*            3:6    TCP_flag             ingress  3      2
*            3:8    qos_hongkong         ingress  3      0
*            2:1    tc_2.4               ingress  4      0
*            2:7    tcp                  ingress  1      0
v1           *      tcp                  ingress  1      0
*            *      firewall1            ingress  2      1
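
For an ACL audit, the summary above can be parsed to find bindings that carry dynamic rules, which the summary counts but does not name, and to build the per-interface command that lists them. This is an added example, not Extreme Networks code; the function and class names are hypothetical, the sample text is constructed from the output above, and it assumes VLAN and policy names contain no whitespace.

```python
import re
from typing import NamedTuple

# Constructed sample: summary output in the format shown above.
SAMPLE = """\
Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
*            3:6    TCP_flag             ingress  3      2
*            3:8    qos_hongkong         ingress  3      0
*            2:1    tc_2.4               ingress  4      0
*            2:7    tcp                  ingress  1      0
v1           *      tcp                  ingress  1      0
*            *      firewall1            ingress  2      1
"""

class Binding(NamedTuple):
    vlan: str
    port: str
    policy: str
    direction: str
    rules: int
    dyn_rules: int

    @property
    def selector(self) -> str:
        # '*' in both the VLAN and port columns marks the wildcard ACL ("any").
        if self.vlan == "*" and self.port == "*":
            return "any"
        return f"ports {self.port}" if self.vlan == "*" else f"vlan {self.vlan}"

# Assumption: VLAN and policy names contain no whitespace.
ROW = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(ingress|egress)\s+(\d+)\s+(\d+)")

def parse_summary(text):
    """Return a Binding per data row; the header and other lines are skipped."""
    rows = (ROW.fullmatch(line.strip()) for line in text.splitlines())
    return [Binding(*m.groups()[:4], int(m[5]), int(m[6])) for m in rows if m]

def followup_commands(bindings):
    """Per-interface commands for bindings whose dynamic rules are only counted."""
    return [f"show access-list {b.selector} {b.direction}"
            for b in bindings if b.dyn_rules > 0]

if __name__ == "__main__":
    for cmd in followup_commands(parse_summary(SAMPLE)):
        print(cmd)
```

The generated commands follow the syntax line at the top of this page; run them on the switch to see the named dynamic entries behind each non-zero Dyn Rules count.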

The following command displays the ingress access list entries configured on the VLAN v1006:

show access-list v1006 ingress

The output from this command is similar to the following:

# RuleNo 1
entry dacl13 {       #Dynamic Entry
if match all {
ethernet-destination-address 00:01:05:00:00:00 ;
} then {
count c13 ;
redirect ;
} }
# RuleNo 2
entry dacl14 {       #Dynamic Entry
if match all {
ethernet-source-address 00:01:05:00:00:00 ;
} then {
count c14 ;
qosprofile qp7 ;
} }
# RuleNo 3
entry dacl13 {
if match all {
ethernet-destination-address 00:01:05:00:00:00 ;
} then {
count c13 ;
redirect ;
} }


This command was first available in ExtremeXOS 10.1.

The aclname option was removed in ExtremeXOS 11.1.

The ingress, egress, any, ports, and vlan options were added in ExtremeXOS 11.3.

Platform Availability

This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.