show access-list

Displays ACL information for an ACL type and inbound and outbound directions. You can show information for a specific ACL or only for that ACL on a specific interface. You can also display information for all ACLs bound to an interface.

Syntax

show access-list { ip | ipv6 | mac }
show access-list { ip | ipv6 | mac } acl-name { in | out }
show access-list interface { ethernet slot / port | port-channel index | ve vlan_id | vlan vlan_id } { in | out }
show access-list interface management mgmt-id in
show access-list mac acl-name interface { ethernet slot / port | port-channel index | vlan vlan_id } { in | out }
show access-list { ip | ipv6 } acl-name interface { ethernet slot / port | port-channel index | ve vlan_id } { in | out }
show access-list { ip | ipv6 } acl-name interface management mgmt-id in
show access-list global-subnet-broadcast ip acl-name
show access-list subnet-broadcast ip [ acl-name[ interface { ethernet slot / port | ve vlan-id } ] ]
show access-list receive { ip | ipv6 } acl-name

Parameters

ip
Specifies the IPv4 Layer 3 network protocol.
ipv6
Specifies the IPv6 Layer 3 network protocol.
mac
Specifies the medium access control (MAC) Layer 2 network protocol.
in
Specifies the incoming binding direction.
out
Specifies the outgoing binding direction.
acl-name
Specifies the ACL name.
interface
Filters by interface.
ethernet
Specifies a physical Ethernet interface.
slot
Specifies a valid slot number. For devices that do not support line cards, specify 0.
port
Specifies a valid port number.
port-channel index
Specifies a port-channel interface.
ve vlan_id
Specifies a virtual Ethernet (VE) interface.
vlan vlan_id
Specifies a VLAN interface.
management mgmt-id
Specifies the management interface. The only supported value is 0.
global-subnet-broadcast ip
Specifies an IP broadcast ACL (bACL) applied at the device level.
subnet-broadcast ip
Specifies an IP broadcast ACL (bACL) applied at the physical-interface or VE level.
receive
Specifies an ACL that applies to device receive-path traffic.

Modes

Privileged EXEC mode

Usage Guidelines

You can show information for a specified ACL or only for that ACL on a specified interface. You can also display information for all ACLs bound to a specified physical interface, port-channel, VLAN or VE.

The command also displays information for receive-path ACLs.

Output

The show access-list command displays the following information:

Active
The rule is active and implements the configured action.
Partial
The rule is partially programmed, with the configured action implemented in some cases. This is typically seen for logical interfaces such as VLANs, which span multiple hardware resources.
In progress
The rule is currently being programmed into the hardware.
Inactive
The rule is inactive and is not programmed in the hardware. This is typically seen when the hardware resource limit has been reached.
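A rule that shows as Partial, In progress or Inactive is not (fully) enforced in hardware, so an ACL can appear bound to an interface while some of its entries do nothing. The following Python script is an added example, not part of this reference and not vendor tooling: it parses captured show access-list output in the format documented here and reports every rule whose state is anything other than Active. The sample output embedded in the script is constructed for the example; the ACL names, interfaces and addresses are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the output format documented on this page.
# The ACL names, interfaces and addresses below are invented for the example.
SAMPLE_OUTPUT = """\
ip access-list IPV4_ACL_000 on Ve 171 at Egress (From User)
    seq 10 deny ip host 0.0.0.0 host 10.0.0.0 (Active)
    seq 20 permit ip any any count (Partial)
ipv6 access-list distList on Ethernet 1/4 at Ingress (From User)
    seq 10 deny 2001:125:132:35::/64 (Active)
    seq 20 permit any (In progress)
ip access-list extended ip-ssh
    seq 5 deny tcp any 192.0.2.10 0.0.0.0 eq 22 count (Inactive)
    seq 100 deny tcp any any eq 22 count (Active)
"""

# Header line: "<proto> access-list [extended|standard] <name> [on <iface> at <dir>] ..."
# Receive-path (device-level) ACLs have no "on ... at ..." clause.
HEADER_RE = re.compile(
    r"^(?P<proto>ipv6|ip|mac) access-list (?:extended |standard )?(?P<name>\S+)"
    r"(?: on (?P<iface>.+?) at (?P<direction>Ingress|Egress))?"
)
# Rule line: "    seq <n> <rule body> (<state>)"
RULE_RE = re.compile(
    r"^\s+seq (?P<seq>\d+) (?P<body>.+?) "
    r"\((?P<state>Active|Partial|In progress|Inactive)\)\s*$"
)


@dataclass
class Rule:
    seq: int
    body: str
    state: str


@dataclass
class AclBinding:
    proto: str
    name: str
    interface: Optional[str]   # None for receive-path ACLs
    direction: Optional[str]   # "Ingress" / "Egress", None for receive-path ACLs
    rules: List[Rule] = field(default_factory=list)


def parse_show_access_list(text: str) -> List[AclBinding]:
    """Parse the per-ACL rule listing produced by show access-list."""
    bindings: List[AclBinding] = []
    current: Optional[AclBinding] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = AclBinding(header["proto"], header["name"],
                                 header["iface"], header["direction"])
            bindings.append(current)
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            current.rules.append(Rule(int(rule["seq"]), rule["body"], rule["state"]))
    return bindings


def find_unenforced_rules(bindings: List[AclBinding]) -> List[Tuple[str, Optional[str], int, str]]:
    """Return (acl name, interface, seq, state) for every rule not in the Active state."""
    return [(b.name, b.interface, r.seq, r.state)
            for b in bindings for r in b.rules if r.state != "Active"]


def state_counts(bindings: List[AclBinding]) -> Dict[str, int]:
    """Count rules per programming state, e.g. to trend hardware-resource exhaustion."""
    counts: Dict[str, int] = {}
    for b in bindings:
        for r in b.rules:
            counts[r.state] = counts.get(r.state, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_OUTPUT)
    print("rule states:", state_counts(parsed))
    for name, iface, seq, state in find_unenforced_rules(parsed):
        where = iface if iface is not None else "receive-path"
        print(f"NOT ENFORCED: acl={name} on {where} seq {seq} state={state}")
```

Feed the script the saved output of show access-list for a specific ACL, an interface, or a receive-path ACL; a non-empty list from find_unenforced_rules means a rule the configuration shows is not the rule the hardware applies, and an Inactive entry in particular is the signature of the hardware resource limit described above.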

Examples

The following example displays the names of IPv4 ACLs applied to the device, interfaces to which they are applied, and the incoming/outgoing direction.
device# show access-list ip
Interface Ve 171
   Inbound access-list is not set
   Outbound access-list is IPV4_ACL_000 (From User)
Interface Ethernet 1/2
   Inbound switched access-list is IP_ACL_STD_EXAMPLE (From User)
   Outbound access-list is IP_ACL_EXT_EXAMPLE (From User)
The following example displays all interfaces on which an IPv4 ACL is applied in the outgoing direction.
device# show access-list ip IPV4_ACL_000 out
ip access-list IPV4_ACL_000 on Ve 171 at Egress (From User)
    seq 10 deny ip host 0.0.0.0 host 10.0.0.0 (Active)
The following example displays all interfaces on which an IPv6 ACL is applied in the incoming direction.
device# show access-list ipv6 distList in
ipv6 access-list distList on Ethernet 1/4 at Ingress (From User)
    seq 10 deny 2001:125:132:35::/64 (Active)
    seq 20 deny 2001:54:131::/64 (Active)
    seq 30 deny 2001:5409:2004::/64 (Active)
    seq 40 permit any (Active)
The following example displays all ACLs applied on a specified interface in the incoming direction.
device# show access-list interface ethernet 1/4 in
ipv6 access-list ipv6-std-acl on Ethernet 1/4 at Ingress (From User)
    seq 10 permit host 0:1::1 (Active)
    seq 20 deny 0:2::/64 (Active)
    seq 30 hard-drop any count (Active)
The following example displays IPv6 receive-path ACL information.
device# show access-list receive ipv6 ipv6_1
ip access-list extended ipv6_1
    seq 10 permit ipv6 any any count (Active)
This example displays permit and deny rules configured for control plane protection.
device# show access-list receive ip ip-ssh
ip access-list extended ip-ssh
    seq 5 deny tcp any 14.14.14.14 0.0.0.0 eq 22 count (Active)
    seq 10 permit tcp 10.10.10.10 0.0.0.255 any eq 22 count (Active)
    seq 20 permit tcp 11.11.11.11 0.0.0.255 any eq 22 count (Active)
    seq 100 deny tcp any any eq 22 count (Active)
The following example displays an ACL definition that supports filtering non-fragmented packets.
device# show access-list interface ethernet 0/7 in
ip access-list new_acl on Ethernet 0/7 at Ingress (From User)
    seq 10 permit ip any any non-fragment count (Active)
The following example displays an ACL definition that supports filtering fragmented packets.
device# show access-list int eth 0/8 in
ip access-list test on Ethernet 0/8 at Ingress (From User)
    seq 10 permit ip any any fragment (Active)

Example

The following example displays an ACL definition that supports flow-based ingress mirroring.
device# show access-list int eth 0/2 in
ip access-list mac1 on Ethernet 0/2 at Ingress (From User)
    seq 10 permit any host 1111.2222.3333 count mirror (Active)
    seq 20 permit host 4444.5555.6666 any count (Active)

Example

The following example displays an ACL definition that supports flow-based egress mirroring.
device# show access-list int eth 0/1 out
ip access-list mac1 on Ethernet 0/1 at Egress (From User)
    seq 10 permit any host 1111.2222.3333 count mirror (Active)
    seq 20 permit host 4444.5555.6666 any count (Active)