Displays ACL information for an ACL type and inbound and outbound directions. You can show information for a specific ACL or only for that ACL on a specific interface. You can also display information for all ACLs bound to an interface.
Privileged EXEC mode
You can show information for a specified ACL or only for that ACL on a specified interface. You can also display information for all ACLs bound to a specified physical interface, port-channel, VLAN or VE.
The command also displays information for receive-path ACLs.
The show access-list command displays the following information. The status shown in parentheses after each rule tells you whether the configured action is actually being enforced in hardware:

| Output field | Description |
|---|---|
| Active | The rule is active and implements the configured action. |
| Partial | The rule is partially programmed, with the configured action implemented in some cases. This is typically seen for logical interfaces such as VLANs, which span multiple hardware resources. |
| In progress | The rule is currently being programmed into the hardware. |
| Inactive | The rule is inactive and is not programmed in the hardware. This is typically seen when the hardware resource limit is reached. |
The following example displays the ACLs bound to each interface for the IPv4 ACL type.

```
device# show access-list ip
Interface Ve 171
  Inbound access-list is not set
  Outbound access-list is IPV4_ACL_000 (From User)
Interface Ethernet 1/2
  Inbound switched access-list is IP_ACL_STD_EXAMPLE (From User)
  Outbound access-list is IP_ACL_EXT_EXAMPLE (From User)
```

The following example displays a specific IPv4 ACL in the outbound direction.

```
device# show access-list ip IPV4_ACL_000 out
ip access-list IPV4_ACL_000 on Ve 171 at Egress (From User)
  seq 10 deny ip host 0.0.0.0 host 10.0.0.0 (Active)
```

The following example displays a specific IPv6 ACL in the inbound direction.

```
device# show access-list ipv6 distList in
ipv6 access-list distList on Ethernet 1/4 at Ingress (From User)
  seq 10 deny 2001:125:132:35::/64 (Active)
  seq 20 deny 2001:54:131::/64 (Active)
  seq 30 deny 2001:5409:2004::/64 (Active)
  seq 40 permit any (Active)
```

The following example displays all ACLs bound to a physical interface in the inbound direction.

```
device# show access-list interface ethernet 1/4 in
ipv6 access-list ipv6-std-acl on Ethernet 1/4 at Ingress (From User)
  seq 10 permit host 0:1::1 (Active)
  seq 20 deny 0:2::/64 (Active)
  seq 30 hard-drop any count (Active)
```

The following examples display receive-path ACLs.

```
device# show access-list receive ipv6 ipv6_1
ip access-list extended ipv6_1
  seq 10 permit ipv6 any any count (Active)
```

```
device# show access-list receive ip ip-ssh
ip access-list extended ip-ssh
  seq 5 deny tcp any 14.14.14.14 0.0.0.0 eq 22 count (Active)
  seq 10 permit tcp 10.10.10.10 0.0.0.255 any eq 22 count (Active)
  seq 20 permit tcp 11.11.11.11 0.0.0.255 any eq 22 count (Active)
  seq 100 deny tcp any any eq 22 count (Active)
```

The following example displays an ACL definition that supports filtering non-fragmented packets.

```
device# show access-list interface ethernet 0/7 in
ip access-list new_acl on Ethernet 0/7 at Ingress (From User)
  seq 10 permit ip any any non-fragment count (Active)
```

The following example displays an ACL definition that supports filtering fragmented packets.

```
device# show access-list int eth 0/8 in
ip access-list test on Ethernet 0/8 at Ingress (From User)
  seq 10 permit ip any any fragment (Active)
```

The following examples display a MAC ACL bound in the inbound and outbound directions.

```
device# show access-list int eth 0/2 in
ip access-list mac1 on Ethernet 0/2 at Ingress (From User)
  seq 10 permit any host 1111.2222.3333 count mirror (Active)
  seq 20 permit host 4444.5555.6666 any count (Active)
```

```
device# show access-list int eth 0/1 out
ip access-list mac1 on Ethernet 0/1 at Egress (From User)
  seq 10 permit any host 1111.2222.3333 count mirror (Active)
  seq 20 permit host 4444.5555.6666 any count (Active)
```
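Because a rule that shows as Partial, In progress or Inactive is not fully enforced, and an interface with "access-list is not set" filters nothing in that direction, it is useful to audit saved show access-list output for both conditions. The following added example (not part of this reference, and not vendor tooling) parses the output formats shown above; the sample text is constructed, and its Partial and Inactive statuses are made up for illustration.

```python
import re

# Constructed sample modelled on the show access-list formats shown on this page;
# the Partial and Inactive statuses are constructed for the example, not from the page.
SAMPLE = """\
device# show access-list ip
Interface Ve 171
  Inbound access-list is not set
  Outbound access-list is IPV4_ACL_000 (From User)
device# show access-list interface ethernet 1/4 in
ipv6 access-list ipv6-std-acl on Ethernet 1/4 at Ingress (From User)
  seq 10 permit host 0:1::1 (Active)
  seq 20 deny 0:2::/64 (Partial)
  seq 30 hard-drop any count (Inactive)
"""

# ACL header line; receive-path ACLs omit "on ... at ..." and may carry extended/standard.
HEADER_RE = re.compile(r"^(?P<type>ip|ipv6|mac) access-list (?:(?:extended|standard) )?"
                       r"(?P<name>\S+)(?: on (?P<intf>.+?) at (?P<dir>Ingress|Egress))?")
RULE_RE = re.compile(r"^\s*seq (?P<seq>\d+) (?P<body>.*?) \((?P<status>[^)]+)\)\s*$")
INTF_RE = re.compile(r"^Interface (?P<intf>.+?)\s*$")
UNSET_RE = re.compile(r"^\s*(?P<dir>Inbound|Outbound)(?: switched)? access-list is not set")


def parse_rules(text):
    """One dict per rule line, carrying the type/name/interface/direction of its ACL header."""
    rules, ctx = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            ctx = m.groupdict()
        elif (m := RULE_RE.match(line)) and ctx:
            rules.append({**ctx, "seq": int(m["seq"]), "rule": m["body"], "status": m["status"]})
    return rules


def unenforced_rules(text):
    """Rules not fully programmed in hardware: anything whose status is not Active."""
    return [r for r in parse_rules(text) if r["status"] != "Active"]


def unbound_directions(text):
    """(interface, direction) pairs in the per-interface summary with no ACL applied."""
    found, intf = [], None
    for line in text.splitlines():
        if m := INTF_RE.match(line):
            intf = m["intf"]
        elif (m := UNSET_RE.match(line)) and intf:
            found.append((intf, m["dir"]))
    return found
```

Feed it the saved output of show access-list for each ACL type and alert on any non-empty result from either function.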