show access-list

Displays ACL information for an ACL type and inbound and outbound directions. You can show information for a specific ACL or only for that ACL on a specific interface. You can also display information for all ACLs bound to an interface.

Syntax

show access-list { ip | ipv6 | mac }

show access-list { ip | ipv6 | mac } acl-name { in | out }

show access-list interface { ethernet slot / port | port-channel index | ve vlan_id | vlan vlan_id } { in | out }

show access-list interface management mgmt-id in

show access-list mac acl-name interface { ethernet slot / port | port-channel index | vlan vlan_id } { in | out }

show access-list { ip | ipv6 } acl-name interface { ethernet slot / port | port-channel index | ve vlan_id } { in | out }

show access-list { ip | ipv6 } acl-name interface management mgmt-id in

show access-list global-subnet-broadcast ip acl-name

show access-list subnet-broadcast ip [ acl-name[ interface { ethernet slot / port | ve vlan-id } ] ]

show access-list receive { ip | ipv6 } acl-name

Parameters

ip

Specifies the IPv4 Layer 3 network protocol.

ipv6

Specifies the IPv6 Layer 3 network protocol.

mac

Specifies the medium access control (MAC) Layer 2 network protocol.

uda

(Not supported) Specifies user-defined ACLs, which are supported only under Network Packet Broker (NPB).

in

Specifies the incoming binding direction.

out

Specifies the outgoing binding direction.

acl-name

Specifies the ACL name.

interface

Filters by interface.

ethernet

Specifies a physical Ethernet interface.

slot: Specifies a valid slot number. For devices that do not support line cards, specify 0.
port: Specifies a valid port number.

port-channel index

Specifies a port-channel interface.

ve vlan_id

Specifies a virtual Ethernet (VE) interface.

vlan vlan_id

Specifies a VLAN interface.

management mgmt-id

Specifies the management interface. The only supported value is 0.

global-subnet-broadcast ip

Specifies an IP broadcast ACL (bACL) applied at the device level.

subnet-broadcast ip

Specifies an IP broadcast ACL (bACL) applied at the physical-interface or VE level.

receive

Specifies an ACL that applies to device receive-path traffic.

Modes

Privileged EXEC mode

Usage Guidelines

You can show information for a specified ACL or only for that ACL on a specified interface. You can also display information for all ACLs bound to a specified physical interface, port-channel, VLAN or VE.

The command also displays information for receive-path ACLs.

Output

The show access-list command displays the following information:


Output field	Description
Active	The rule is active and implements the configured action.
Partial	The rule is partially programmed, with the configured action implemented in some cases. This is typically seen for logical interfaces like VLAN, which span multiple hardware resources.
In progress	The rule is currently being programmed into the hardware.
Inactive	The rule is inactive and is not programmed in the hardware. This is typically seen when the hardware resources limit is reached.

Examples

The following example displays the names of IPv4 ACLs applied to the device, interfaces to which they are applied, and the incoming/outgoing direction.

device# show access-list ip
Interface Ve 171
   Inbound access-list is not set
   Outbound access-list is IPV4_ACL_000 (From User)
Interface Ethernet 1/2
   Inbound switched access-list is IP_ACL_STD_EXAMPLE (From User)
   Outbound access-list is IP_ACL_EXT_EXAMPLE (From User)

The following example displays all interfaces on which an IPv4 ACL is applied in the outgoing direction.

device# show access-list ip IPV4_ACL_000 out
ip access-list IPV4_ACL_000 on Ve 171 at Egress (From User)
    seq 10 deny ip host 0.0.0.0 host 10.0.0.0 (Active)

The following example displays all interfaces on which an IPv6 ACL is applied in the incoming direction.

device# show access-list ipv6 distList in
ipv6 access-list distList on Ethernet 1/4 at Ingress (From User)
    seq 10 deny 2001:125:132:35::/64 (Active)
    seq 20 deny 2001:54:131::/64 (Active)
    seq 30 deny 2001:5409:2004::/64 (Active)
    seq 40 permit any (Active)

The following example displays all ACLs applied on a specified interface in the incoming direction.

device# show access-list interface ethernet 1/4 in
ipv6 access-list ipv6-std-acl on Ethernet 1/4 at Ingress (From User)
    seq 10 permit host 0:1::1 (Active)
    seq 20 deny 0:2::/64 (Active)
    seq 30 hard-drop any count (Active)

The following example displays IPv6 receive-path ACL information.

device# show access-list receive ipv6 ipv6_1
ip access-list extended ipv6_1
    seq 10 permit ipv6 any any count (Active)

This example displays permit and deny rules configured for control plane protection.

device# show access-list receive ip ip-ssh
ip access-list extended ip-ssh
    seq 5 deny tcp any 14.14.14.14 0.0.0.0 eq 22 count (Active)
    seq 10 permit tcp 10.10.10.10 0.0.0.255 any eq 22 count (Active)
    seq 20 permit tcp 11.11.11.11 0.0.0.255 any eq 22 count (Active)
    seq 100 deny tcp any any eq 22 count (Active)