Active ACL configuration versus user-specified configuration
The output of the show access-list command displays the active configuration of the product. The active configuration is the set of ACLs that have been configured and accepted by the system, together with the interfaces on which those ACLs have been successfully programmed in the hardware.

The show access-list command with the configuration parameter displays the ACLs that have been configured. The output of this command may not be the same as what was programmed in the hardware or what is active on the product. This situation might occur because of one or more of the following:
Unsupported command parameters might have been configured.
Unsupported applications might have been specified.
Applying an ACL might have been unsuccessful due to lack of hardware resources.
To determine if a discrepancy exists between what was configured and what is active, run the show access-list command with the configuration parameter.
If the active ACLs and configured ACLs are not the same, the switch displays a warning message in the output of the show command:
! access-list ip MY_IP_ACL user configuration does not match active configuration.
! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.
If the configured ACL is still being processed, the switch displays an in-progress warning:
! access-list ip MY_IP_ACL user configuration currently being processed
! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.
If the switch displays a warning message or an in-progress message, you can either make additional changes until the message is no longer displayed in the show command output, or run the access-list {all|ip <ACL-NAME>|ipv6 <ACL-NAME>|mac <ACL-NAME>} reset command. The access-list reset command changes the user-specified configuration to match the active configuration. For details, see access-list reset.
Examples
Applying an ACL with TCP acknowledgements (ACKs) on egress, which is unsupported by the hardware:
switch(config-acl)# 10 permit tcp 172.16.2.0/16 any ack
Displaying the user-specified configuration:
switch(config)# do show run access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
interface 1/1/1
    ! access-list ip TEST_ACL user configuration does not match active configuration.
    ! run 'show access-list [commands]' to display active access-list configuration.
    apply access-list ip TEST_ACL out
switch(config)# do show access-list commands
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.
switch(config)# do show access-list commands configuration
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.
interface 1/1/1
    apply access-list ip TEST_ACL out
switch(config)# do show access-list commands
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       test
        10 permit                          tcp
           any
           any
           ack
switch(config)# access-list all reset
Displaying the updated user-specified configuration:
switch(config)# do show access-list commands configuration
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
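As an added audit example (not from this page or the switch vendor), the following script parses captured output of show access-list commands configuration, flags every ACL whose user-specified configuration the switch reports as not matching the active configuration or as still being processed, and prints the per-ACL access-list TYPE NAME reset commands for the mismatched ones. The sample output and the ACL names GUEST_V6 and LAB_MAC are constructed to match the warning format shown above.

```python
import re
from typing import Dict, List

# Constructed sample in the format this page shows for
# 'show access-list commands configuration'; not captured from a real switch.
SAMPLE_OUTPUT = """\
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.
access-list ipv6 GUEST_V6
    10 permit tcp any any
! access-list ipv6 GUEST_V6 user configuration currently being processed
! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.
access-list mac LAB_MAC
    10 permit any any
interface 1/1/1
    apply access-list ip TEST_ACL out
"""

# Header line of each configured ACL: "access-list <ip|ipv6|mac> <NAME>"
ACL_HEADER_RE = re.compile(r"^access-list (ip|ipv6|mac) (\S+)$")
# The two warning forms documented on this page, emitted as '!' comment lines.
WARNING_RE = re.compile(
    r"^! access-list (ip|ipv6|mac) (\S+) user configuration "
    r"(does not match active configuration|currently being processed)"
)

def audit_acl_config(output: str) -> Dict[str, str]:
    """Return {'<type> <name>': 'ok' | 'mismatch' | 'in-progress'} for each configured ACL."""
    status: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if m := ACL_HEADER_RE.match(line):
            status.setdefault(f"{m.group(1)} {m.group(2)}", "ok")
        elif m := WARNING_RE.match(line):
            key = f"{m.group(1)} {m.group(2)}"
            status[key] = "mismatch" if m.group(3).startswith("does not") else "in-progress"
    return status

def reset_commands(status: Dict[str, str]) -> List[str]:
    """Per-ACL reset commands for ACLs whose user config is out of sync with the active one.
    In-progress ACLs are transient and should simply be re-checked, so they get no command."""
    return [f"access-list {key} reset" for key, st in sorted(status.items()) if st == "mismatch"]

if __name__ == "__main__":
    report = audit_acl_config(SAMPLE_OUTPUT)
    for key, st in sorted(report.items()):
        print(f"{key:20s} {st}")
    for cmd in reset_commands(report):
        print("remediation:", cmd)
```

Feeding the script the real command output from a switch (for example, collected over SSH) turns the warning lines into an auditable list, which is useful because a mismatched ACL means the filtering you configured is not what the hardware is enforcing.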