show access-list
Syntax
Syntax that filters by ACLs applied to an interface or VLAN:
show access-list [interface <IF-NAME>|vlan <VLAN-ID>] [ip|ipv6|mac] [in|out]
[commands] [configuration] [vsx-peer]
Syntax that filters by the named ACL:
show access-list [ip|ipv6|mac] [<ACL-NAME>]
[commands] [configuration] [vsx-peer]
Description
Shows information about your defined ACLs and where they have been applied. When show access-list is entered without parameters, information for all ACLs is shown. The parameters filter the list of ACLs for which information is shown.
The content of a specific ACL.
All ACLs of a specific type.
All ACLs applied to a specific interface (port or LAG).
All ACLs applied to a specific VLAN.
All ACLs applied in a particular direction.
Command context
Operator (>) or Manager (#)
Parameters
interface <IF-NAME>
Specifies the interface name (port or LAG).
vlan <VLAN-ID>
Specifies the VLAN.
in|out
Selects the traffic direction on which the ACL is applied.
ip|ipv6|mac
Specifies the ACL type: ip for IPv4, ipv6 for IPv6, or mac for MAC.
<ACL-NAME>
Specifies the ACL name.
commands
Specifies that the ACL definition is to be shown as the commands and parameters used to create it rather than in tabular form.
configuration
Specifies that the user-configured ACLs be shown as entered, even if the ACLs are not active due to ACE-definition command issues or hardware issues. This parameter is useful if there is a mismatch between the entered configuration and the previous successfully programmed (active) ACLs configuration.
[vsx-peer]
Shows the output from the VSX peer switch. If the switches do not have the VSX configuration or the ISL is down, the output from the VSX peer switch is not displayed. This parameter is available on switches that support VSX.
Authority
Operators or Administrators or local user group members with execution rights for this command. Operators can execute this command from the operator context (>) only.
Examples
On the 6400 Switch Series, interface identification differs.
Showing an IPv4 ACL:
switch# show access-list ip MY_ACL
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv4       MY_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          > 1023
           any
        30 permit                          tcp
           172.26.1.0//255.255.255.0
           any
           syn
           ack
           dscp 10
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------
Showing an IPv4 ACL as commands:
switch# show access-list ip MY_ACL commands
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/255.255.255.0
    20 permit tcp 172.16.2.0/255.255.0.0 gt 1023 any
    30 permit tcp 172.26.1.0/255.255.255.0 any syn ack dscp 10
    40 deny any any any count
Showing IPv4 ACLs applied to VLAN 10:
switch# show access-list vlan 10 ip in
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv4       My_ip_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          > 1023
           any
        30 permit                          tcp
           172.26.1.0//255.255.255.0
           any
           syn
           ack
           dscp 10
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

switch# show access-list interface lag128 ipv6 in
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
------------------------------------------------------------------------------
IPv6       MY_IPV6_ACL
        10 permit                          udp
           any
           2001::1/64
        20 permit                          tcp
           2001:2001::2:1/128              > 1023
           any
        30 permit                          tcp
           2001:2011::1/64
        40 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

switch# show access-list ipv6 MY_IPV6_ACL commands
access-list ipv6 MY_IPV6_ACL
    10 permit udp any 2001::1/64
    20 permit tcp 2001:2001::2:1/128 gt 1023 any
    40 deny any any any count

switch# show access-list interface 1/1/1 in mac MY_MAC_ACL
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 deny                            any
           any
           any
           Hit-counts: enabled
------------------------------------------------------------------------------

switch# show access-list mac MY_MAC_ACL commands
access-list mac MY_MAC_ACL
    10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
    20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
    30 deny any any any count
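
The configuration parameter described above exists for the case where the entered ACLs differ from the active ones. The following added example (not part of the original page or of any vendor tooling) parses two captures in the commands form and reports every ACE that differs. The captures are constructed, the function names are hypothetical, and it is assumed that the configuration capture uses the same commands layout shown in the examples.

```python
import re

# Constructed captures in the "commands" layout shown on this page. Assumption:
# ACTIVE is `show access-list commands`, ENTERED adds the `configuration` keyword.
ACTIVE = """\
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/255.255.255.0
    20 permit tcp 172.16.2.0/255.255.0.0 gt 1023 any
    40 deny any any any
"""
ENTERED = """\
access-list ip MY_ACL
    10 permit udp any 172.16.1.0/255.255.255.0
    20 permit tcp 172.16.2.0/255.255.0.0 gt 1023 any
    30 permit tcp 172.26.1.0/255.255.255.0 any syn ack dscp 10
    40 deny any any any count
"""

HEADER = re.compile(r"^access-list\s+(ip|ipv6|mac)\s+(\S+)\s*$")
ACE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

def parse_acls(text):
    """Return {(type, name): {sequence: ace_text}} from commands-form output."""
    acls, current = {}, None
    for line in text.splitlines():
        # Prompt echo and blank lines match neither pattern and are skipped.
        if (header := HEADER.match(line)):
            current = acls.setdefault(header.groups(), {})
        elif current is not None and (ace := ACE.match(line)):
            current[int(ace.group(1))] = " ".join(ace.group(2).split())
    return acls

def drift(active_text, entered_text):
    """List (acl, sequence, state, entered_ace, active_ace) per mismatched ACE."""
    active, entered = parse_acls(active_text), parse_acls(entered_text)
    findings = []
    for acl in sorted(set(active) | set(entered)):
        act, ent = active.get(acl, {}), entered.get(acl, {})
        for seq in sorted(set(act) | set(ent)):
            if act.get(seq) == ent.get(seq):
                continue
            state = ("not-active" if seq not in act
                     else "not-in-config" if seq not in ent else "differs")
            findings.append((acl, seq, state, ent.get(seq), act.get(seq)))
    return findings

if __name__ == "__main__":
    for acl, seq, state, ent, act in drift(ACTIVE, ENTERED):
        print(f"{acl[0]} {acl[1]} seq {seq}: {state} entered={ent!r} active={act!r}")
```

A "not-active" finding on a permit or deny entry means the switch is enforcing a different policy from the one an auditor would read in the entered configuration.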