Active ACL configuration versus user-specified configuration
The show access-list command shows the active configuration of the switch. The active configuration is the set of ACLs that have been configured and accepted by the system, together with the interfaces on which those ACLs have been successfully programmed in hardware.
The show access-list command with the configuration parameter shows the ACLs that have been configured (the user-specified configuration). The output of this command may not be the same as what was programmed in the hardware or what is active on the switch. This can happen for one or more of the following reasons:
Unsupported command parameters might have been configured.
Unsupported applications might have been specified.
Applying an ACL might have been unsuccessful due to lack of hardware resources.
To determine if a discrepancy exists between what was configured and what is active, run the show access-list command with the configuration parameter.
If the active ACLs and configured ACLs are not the same, the switch shows a warning message in the output of the show command:
! access-list ip MY_IP_ACL user configuration does not match active configuration.
! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.
If the configured ACL is still being processed, the switch shows an in-progress warning:
! access-list ip MY_IP_ACL user configuration currently being processed
! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.
If the switch shows a warning message or an in-progress message, you can either continue making changes until the message is no longer shown in the show command output, or run the access-list {all|ip <ACL-NAME>|ipv6 <ACL-NAME>|mac <ACL-NAME>} reset command. The access-list reset command changes the user-specified configuration to match the active configuration. For details, see access-list reset.
The show running-config command also shows a warning about ACLs that are in progress or have failed.
Examples
Applying an ACL with TCP acknowledgments (ACKs) on egress, which is unsupported by the hardware:
switch(config-acl)# 10 permit tcp 172.16.2.0/16 any ack
Showing the user-specified configuration:
switch(config)# do show access-list ip TEST_ACL
10 permit tcp 172.16.2.0/16 any ack
interface 1/1/1
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'show access-list [commands]' to display active access-list configuration.
apply access-list ip TEST_ACL out
switch(config)# do show access-list commands
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.
switch(config)# do show access-list commands configuration
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.
interface 1/1/1
    apply access-list ip TEST_ACL out
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       TEST_ACL
        10 permit                          tcp
           172.16.2.0/16
           any
           ack
switch(config)# access-list all reset
Showing the updated user-specified configuration:
switch(config)# do show access-list commands configuration
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
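As an added example that is not part of the switch documentation, the following Python function scans captured show access-list commands configuration output for the warning lines described above and reports which ACLs are not active in hardware, distinguishing a mismatch from an in-progress state. The sample output, the ACL names V6_EDGE and MAC_OK, and the function and class names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Warning lines emitted by "show access-list ... configuration" when the
# user-specified ACL differs from what is programmed in hardware.
MISMATCH_RE = re.compile(
    r"^!\s*access-list\s+(?P<type>ip|ipv6|mac)\s+(?P<name>\S+)\s+"
    r"user configuration (?P<state>does not match active configuration"
    r"|currently being processed)"
)

@dataclass(frozen=True)
class AclStatus:
    acl_type: str  # ip, ipv6 or mac
    name: str
    state: str     # "mismatch" or "in-progress"

def find_inactive_acls(show_output: str) -> list:
    """Return each ACL flagged as not matching the active (hardware) configuration.
    A "mismatch" ACL is not enforcing what the running-config suggests."""
    found = []
    for line in show_output.splitlines():
        m = MISMATCH_RE.match(line.strip())
        if not m:
            continue  # rule lines and the "! run ..." hint lines are skipped
        state = "mismatch" if m["state"].startswith("does not") else "in-progress"
        found.append(AclStatus(m["type"], m["name"], state))
    return found

# Constructed sample output (hypothetical ACL names, modelled on the
# warning format shown in this document).
SAMPLE_OUTPUT = """\
access-list ip TEST_ACL
    10 permit tcp 172.16.2.0/16 any ack
! access-list ip TEST_ACL user configuration does not match active configuration.
! run 'access-list all reset' to reset all access-lists to match active configuration.
access-list ipv6 V6_EDGE
    10 permit tcp any any
! access-list ipv6 V6_EDGE user configuration currently being processed
! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.
access-list mac MAC_OK
    10 permit any any any
"""

if __name__ == "__main__":
    for s in find_inactive_acls(SAMPLE_OUTPUT):
        print(f"{s.acl_type} ACL {s.name}: {s.state}")
```

An empty result is the only state in which the configured ACL policy can be assumed to be what the hardware enforces.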