show access-list

Syntax

show access-list [interface <ID>]  [{in|out}] [{ip|ipv6|mac}] [<ACL-NAME>] [commands] [configuration] [vsx-peer]

Description

Shows various aspects of ACLs and their current usage.

You can show different ACL-related details including:
  • The content of a specific ACL.

  • All ACLs of a specific type.

  • All ACLs applied to a specific port.

  • All ACLs applied in a particular direction.

Command context

Operator (>) or Manager (#)

Parameters

All parameters are optional.

interface <ID>

Limits the display to ACL information for the specified interface.

in|out

Select in to limit the display to inbound (ingress) ACLs, or out to limit the display to outbound (egress) ACLs.

ip|ipv6|mac

Limits the display to one ACL type: ip for IPv4, ipv6 for IPv6, or mac for MAC ACLs.

<ACL-NAME>

Displays information only for ACLs matching this name.

commands

Displays the output as CLI commands that show the configured access control entries.

configuration

Displays the user-configured ACLs, even if they are not active because of command parameter or hardware issues. This parameter is useful when there is a mismatch between the entered configuration and the previously successfully programmed (active) ACLs.

vsx-peer

Shows the output from the VSX peer switch. If the switches do not have the VSX configuration or the ISL is down, the output from the VSX peer switch is not displayed.

Authority

Operators or Administrators. Users without administrator authority can execute this command from the operator context (>) only.

Examples

Displaying IPv4 ACL information:

switch# show access-list ip
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv4       MY_ACL
        10 permit                          udp
           any
           172.16.1.0/24
        20 permit                          tcp
           172.16.2.0/16                    >  1023
           any
        30 permit                          tcp
           172.26.1.0/24
           any
           syn
           ack
           dscp 10
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Displaying IPv4 ACLs as commands:

switch# show access-list ip commands
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/24
    20 permit tcp 172.16.2.0/16 gt 1023 any
    30 permit tcp 172.26.1.0/24 any syn ack dscp 10
    40 deny any any any count

Displaying IPv6 ACLs applied to LAG 128, inbound:

switch# show access-list interface lag128 ipv6 in
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1/128               >  1023
           any
        30 permit                          tcp
           2001:2011::1/64
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Displaying IPv6 ACLs as commands:

switch# show access-list ipv6 commands
access-list ipv6 MY_IPV6_ACL
    10 permit udp any 2001::1/64
    20 permit tcp 2001:2001::2:1/128 gt 1023 any
    40 deny any any any count

Displaying MAC ACLs applied to interface 1/1/1, inbound:

switch# show access-list interface 1/1/1 mac in
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

Displaying MAC ACLs as commands:

switch# show access-list mac commands
access-list mac MY_MAC_ACL
    10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
    20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
    30 deny any any any count
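
Added example (not from the original page or the vendor): a Python script for the check the configuration parameter supports, comparing the active entries with the user-configured ones from two saved captures of the commands output. The captures are constructed, and it is an assumption that commands and configuration can be combined, as the Syntax line allows, and that both captures use the same format.

```python
import re

# "commands" form: an "access-list <type> <name>" line, then indented entries.
ACL_HEADER = re.compile(r"^access-list\s+(ip|ipv6|mac)\s+(\S+)\s*$")
ACE_LINE = re.compile(r"^\s+(\d+)\s+(.+?)\s*$")

def parse_acl_commands(text):
    """Return {(type, name): {sequence: entry}} from 'commands' output."""
    acls, current = {}, None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.groups(), {})
            continue
        entry = ACE_LINE.match(line)
        if entry and current is not None:
            # Normalize spacing so only real differences are reported.
            current[int(entry.group(1))] = " ".join(entry.group(2).split())
    return acls

def diff_acls(active, configured):
    """List (acl, sequence, active_entry, configured_entry) per mismatch."""
    findings = []
    for acl in sorted(set(active) | set(configured)):
        a, c = active.get(acl, {}), configured.get(acl, {})
        for seq in sorted(set(a) | set(c)):
            if a.get(seq) != c.get(seq):
                findings.append((acl, seq, a.get(seq), c.get(seq)))
    return findings

# Constructed sample captures (entry 30 is configured but not active).
ACTIVE = """\
switch# show access-list ip commands
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/24
    20 permit tcp 172.16.2.0/16 gt 1023 any
    40 deny any any any count
"""
CONFIGURED = """\
switch# show access-list ip commands configuration
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/24
    20 permit tcp 172.16.2.0/16 gt 1023 any
    30 permit tcp 172.26.1.0/24 any syn ack dscp 10
    40 deny any any any count
"""

if __name__ == "__main__":
    for acl, seq, a, c in diff_acls(parse_acl_commands(ACTIVE),
                                    parse_acl_commands(CONFIGURED)):
        print(f"{acl[0]} {acl[1]} seq {seq}: active={a!r} configured={c!r}")
```

An entry reported with active=None is configured but was not programmed, so traffic it was meant to match falls through to the later entries of the active ACL.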