Viewing the content of a specific ACL

This command displays a specific ACL configured in the running config file in an easy-to-read tabular format.

NOTE:

This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.

Syntax: 


show access-list <acl-id>

Displays detailed information on the content of a specific ACL configured in the running-config file.

For example, suppose you configured the following two ACLs in the switch:

ACL ID Type Desired Action

1

Standard

  • Deny IP traffic from 18.28.236.77 and 18.29.140.107.

  • Permit IP traffic from all other sources.

105

Extended

  • Permit any TCP traffic from 18.30.133.27 to any destination.

  • Deny any other IP traffic from 18.30.133. (1-255).

  • Permit all other IP traffic from any source to any destination.

Inspect the ACLs as follows:

Example of a listing a standard ACL
Examples of listings showing the content of standard and extended ACLs
Descriptions of data types included in show access-list <acl-id> output

Field

Description

Name

The ACL identifier. Can be a number from 1 to 199, or a name.

Type

Standard or Extended. The former uses only source IPv4 addressing. The latter uses both source and destination IPv4 addressing and also allows TCP or UDP port specifiers.

Applied

"Yes" means the ACL has been applied to a port or VLAN interface. "No" means the ACL exists in the switch configuration, but has not been applied to any interface, and is therefore not in use.

SEQ

The sequential number of the Access Control Entry (ACE) in the specified ACL.

Entry

Lists the content of the ACEs in the selected ACL.

Action

Permit (forward) or deny (drop) a packet when it is compared to the criteria in the applicable ACE and found to match. Includes the optional log option, if used, in deny actions.

Remark

Displays any optional remark text configured for the selected ACE.

IP

Used for Standard ACLs: The source IPv4 address to which the configured mask is applied to determine whether there is a match with a packet.

Src IP

Used for Extended ACLs: Same as above.

Dst IP

Used for Extended ACLs: The source and destination IPv4 addresses to which the corresponding configured masks are applied to determine whether there is a match with a packet.

Mask

The mask configured in an ACE and applied to the corresponding IPv4 address in the ACE to determine whether a packet matches the filtering criteria.

Proto

Used only in extended ACLs to specify the packet protocol type to filter. Must be either IPv4, TCP, or UDP. For TCP protocol selections, includes the established option, if configured.

Port(s)

Used only in extended ACLs to show any TCP or UDP operator and port number(s) included in the ACE.

TOS

Used only in extended ACLs to indicate Type-of-Service setting, if any.

Precedence

Used only in extended ACLs to indicate the IP precedence setting, if any.