Use this command to view summary information about all IP ACLs configured on the switch. To view detailed information about a specific access list, specify the ACL number or name that identifies the IP ACL. The detailed output shows the committed rate, the committed burst size, and the hit count of packets matching each rule within the ACL. Every ACL rule has its own dedicated counter. A counter rolls over when it reaches its maximum value, so compare successive readings rather than trusting a single absolute value. ACL counters do not interact with PBR counters.
For an ACL with multiple rules, only the counter of the first rule that matches a packet is incremented. For example, in an ACL with three rules, a packet that matches rule two increments only the counter of rule two; rule three is not evaluated for that packet and its counter is not incremented.
If an ACL rule is configured without rate-limit, the counter value is the number of packets forwarded or discarded by that rule (for example, if a burst of 100 matching packets is sent from an IXIA traffic generator, the counter reads 100).
If an ACL rule is configured with rate-limit, the counter value is the number of packets that matched the rule, regardless of whether the rate limiter then forwarded or dropped them. If the offered rate exceeds the configured limit, the counter still reflects the full offered traffic: with a rate limit of 10 Kb/s and matching traffic sent at 100 Kb/s, the counter advances at the 100 Kb/s sent rate, not at the 10 Kb/s forwarded rate. If the offered rate is below the limit, the counter is simply the matched packet count. Either way, the hit count reports matched packets only, so it cannot be used to derive how many packets the rate limiter dropped. ACL counters do not interact with DiffServ policies.
The command also displays downloadable ACLs. When an access list is configured as a downloadable ACL, show ip access-lists appends a #d tag to the original ACL name; for example, an ACL created with the name dynacl is displayed as dynacl#d. Downloadable IPv4 ACLs appear only in the show ip access-lists output and are not displayed in show running-config, so a saved running-config does not record them.
The output of the show ip access-lists command displays ACL names of up to 255 characters; a long name wraps across several lines of the ACL ID/Name column.
| Format | show ip access-lists [accesslistnumber \| name] |
|---|---|
| Mode | Privileged EXEC |
| Term | Definition |
|---|---|
| ACL Counters | Shows whether ACL counters are enabled or disabled. |
| Current number of ACLs | The number of ACLs of any type currently configured on the system. |
| Maximum number of ACLs | The maximum number of ACLs of any type that can be configured on the system. |
| ACL ID/Name | Identifies the configured ACL number or name. |
| Rules | Identifies the number of rules configured for the ACL. |
| Direction | Shows whether the ACL is applied to traffic coming into the interface (inbound/ingress) or leaving the interface (outbound/egress). |
| Interface(s) | The interface(s) to which the ACL is applied (ACL interface bindings). |
| VLAN(s) | The VLANs to which the ACL is applied (ACL VLAN bindings). |
If you specify an IP ACL number or name, the following information displays:
Only the access list fields that you configure are displayed. Thus, the command output varies based on the match criteria configured within the rules of an ACL.
| Term | Definition |
|---|---|
| ACL ID | The user-configured ACL identifier. |
| ACL Counters | Identifies whether the ACL counters are enabled or disabled. |
| Interface(s) | The inbound or outbound interfaces to which the ACL is applied. |
| Sequence Number | The number identifier for each rule that is defined for the IP ACL. |
| Action | The action associated with each rule. The possible values are Permit or Deny. |
| Match All | Indicates whether this access list applies to every packet. Possible values are True or False. |
| Protocol | The protocol to filter for this rule. |
| ICMP Type | The ICMP message type for this rule. Shown only if the protocol is ICMP. |
| Starting Source L4 port | The starting source layer 4 port. |
| Ending Source L4 port | The ending source layer 4 port. |
| Starting Destination L4 port | The starting destination layer 4 port. |
| Ending Destination L4 port | The ending destination layer 4 port. |
| ICMP Code | The ICMP message code for this rule. Shown only if the protocol is ICMP. |
| Fragments | Whether the rule matches on fragmented IP packets (TRUE or FALSE). |
| Committed Rate | The committed rate defined by the rate-limit attribute. |
| Committed Burst Size | The committed burst size defined by the rate-limit attribute. |
| Source IP Address | The source IP address for this rule. |
| Source IP Mask | The source IP Mask for this rule. |
| Source L4 Port Keyword | The source port for this rule. |
| Destination IP Address | The destination IP address for this rule. |
| Destination IP Mask | The destination IP Mask for this rule. |
| Destination L4 Port Keyword | The destination port for this rule. |
| IP DSCP | The value specified for IP DSCP. |
| IP Precedence | The value specified for IP Precedence. |
| IP TOS | The value specified for IP TOS. |
| sFlow Remote Agent | Indicates whether the sFlow sampling action is configured. This action, if configured, copies the packet matching the rule to the remote sFlow agent. |
| TTL Field Value | The value specified for the TTL. |
| Log | Displays when you enable logging for the rule. |
| Assign Queue | The queue identifier to which packets matching this rule are assigned. |
| Mirror Interface | The unit/slot/port to which packets matching this rule are copied. |
| Redirect Interface | The unit/slot/port to which packets matching this rule are forwarded. |
| Time Range Name | Displays the name of the time-range if the IP ACL rule has referenced a time range. |
| Rule Status | Status (Active/Inactive) of the IP ACL rule. |
| ACL Hit Count | The number of packets that have matched this rule (see the counter behaviour described above). |
Example: The following shows example CLI display output for the command.

```
(Routing) #show ip access-lists ip1

ACL Name: ip1
ACL Counters: Enabled
Inbound Interface(s): 1/0/30

Sequence Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 1(icmp)
ICMP Type...................................... 3(Destination Unreachable)
Starting Source L4 port........................ 80
Ending Source L4 port.......................... 85
Starting Destination L4 port................... 180
Ending Destination L4 port..................... 185
ICMP Code...................................... 0
Fragments...................................... FALSE
sflow-remote-agent............................. TRUE
Committed Rate................................. 32
Committed Burst Size........................... 16
ACL hit count ................................. 0
```
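As an added example (not part of the vendor documentation or the switch software), the following Python parses two captures of the per-rule output shown above, extracts each rule's hit count and whether it carries a rate limit, and computes per-rule deltas between polls while unwrapping a counter roll-over. The two captures are constructed to follow the layout above; the 32-bit counter width is an assumption and is the only thing to change if the platform's counters are wider.

```python
"""Parse 'show ip access-lists <name>' per-rule output and diff hit counts.

Added example, not vendor code. The two polls below are constructed to follow
the field layout shown on this page. Counter width (32 bits) is an assumption;
change COUNTER_BITS if the platform's counters are wider.
"""
import re

COUNTER_BITS = 32  # assumption: per-rule hit counters wrap at 2**32

# "Label......... value" lines; the leader is a run of dots of any length.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 /()-]*?)\s*\.{2,}\s*(?P<val>.*?)\s*$")
_SEQ = re.compile(r"^\s*Sequence Number:\s*(\d+)\s*$")

# Constructed samples in the page's layout; rule 1 rolls over between polls.
POLL_1 = """\
(Routing) #show ip access-lists ip1

ACL Name: ip1
ACL Counters: Enabled
Inbound Interface(s): 1/0/30

Sequence Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 1(icmp)
ICMP Type...................................... 3(Destination Unreachable)
ICMP Code...................................... 0
Fragments...................................... FALSE
Committed Rate................................. 32
Committed Burst Size........................... 16
ACL hit count ................................. 4294967290

Sequence Number: 2
Action......................................... deny
Match All...................................... TRUE
ACL hit count ................................. 17
"""
# Second poll: rule 1 wrapped past 2**32 (now 5), rule 2 advanced to 42.
POLL_2 = POLL_1.replace(" 4294967290", " 5").replace(" 17\n", " 42\n")


def parse_acl_detail(text):
    """Return (header fields, list of rule dicts keyed by the displayed label)."""
    header, rules, current = {}, [], None
    for line in text.splitlines():
        m = _SEQ.match(line)
        if m:
            current = {"Sequence Number": int(m.group(1))}
            rules.append(current)
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("val")
        elif current is None and ":" in line:
            key, _, val = line.partition(":")  # e.g. "Inbound Interface(s): 1/0/30"
            header[key.strip()] = val.strip()
    return header, rules


def rule_hits(text):
    """seq -> (action, hit count, rate_limited) for every rule of one ACL."""
    _, rules = parse_acl_detail(text)
    return {
        r["Sequence Number"]: (r.get("Action"), int(r["ACL hit count"]), "Committed Rate" in r)
        for r in rules
    }


def hit_delta(prev, cur, bits=COUNTER_BITS):
    """Packets matched between two polls, unwrapping a single counter roll-over."""
    return (cur - prev) % (1 << bits)


def hits_between_polls(prev_text, cur_text):
    """Per-rule matched packets between two captures of the same ACL."""
    prev, cur = rule_hits(prev_text), rule_hits(cur_text)
    return {seq: hit_delta(prev[seq][1], cur[seq][1]) for seq in cur if seq in prev}


if __name__ == "__main__":
    for seq, delta in hits_between_polls(POLL_1, POLL_2).items():
        action, _, limited = rule_hits(POLL_2)[seq]
        print(f"rule {seq} ({action}{', rate-limited' if limited else ''}): +{delta} matched")
```

Polling deny rules this way and alerting on non-zero deltas is a cheap way to notice traffic that should not be arriving. For a rule that shows a Committed Rate, the delta is matched packets, not forwarded packets, so it says nothing about how many packets the rate limiter dropped.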
Example: The following is an example show command for a downloadable ACL.

```
(Routing) #show ip access-lists

ACL Counters: Enabled
Current number of ACLs: 3
Maximum number of ACLs: 100

ACL ID/Name                     Rules Direction Interface(s)     VLAN(s)
------------------------------- ----- --------- ---------------- ----------
test                            1
second                          1
dynacl#d                        3     inbound   1/0/9
```
Example: The following example shows sample output for a 255-character ACL name.

```
(dhcp-10-52-142-182)#show ip access-lists

ACL Counters: Enabled
Current number of ACLs: 19
Maximum number of ACLs: 100

ACL ID/Name                     Rules Direction Interface(s)     VLAN(s)
------------------------------- ----- --------- ---------------- ----------
2                               1
x-12345678912345678912345678912
3456789123456789123456789123456
7891234567891234567891234567891
2345678912345678912345678912345
6789123456789123456789123456789
1234567891234567891234567891234
5678912345678912345678912345678
9123456789123456789123456789123
4567891                         0
```
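As an added example (not vendor code), the following Python parses the summary table of show ip access-lists, handling the two output features described earlier on this page: the #d tag on a downloadable ACL and a 255-character name that the switch wraps across several lines of the ACL ID/Name column. It then lists ACLs the switch is enforcing that a saved running-config would not contain, which is the audit gap downloadable ACLs create. The sample output is constructed with the column widths (31/5/9/16/10) taken from the separator line in the examples above; the 255-character name follows the digit pattern of the example.

```python
"""Parse the 'show ip access-lists' summary table and flag downloadable ACLs.

Added example, not vendor code. The sample output is constructed to match the
table layout shown on this page: fixed-width columns, a '#d' tag on a
downloadable ACL, and a 255-character name wrapped across several lines of
the ACL ID/Name column.
"""

NAME_WIDTH = 31
# 255-character name following the page's example pattern (constructed).
NAME_255 = "x-" + ("123456789" * 29)[:253]


def _row(name="", rules="", direction="", intf="", vlan=""):
    """Format one summary-table line with the switch's column widths."""
    return f"{name:<31} {rules:<5} {direction:<9} {intf:<16} {vlan:<10}".rstrip()


def _wrapped_rows(name, rules):
    """The switch wraps a long name; Rules and bindings appear on its last line."""
    chunks = [name[i:i + NAME_WIDTH] for i in range(0, len(name), NAME_WIDTH)]
    return [_row(c) for c in chunks[:-1]] + [_row(chunks[-1], rules)]


# Constructed sample; not captured from a real switch.
SAMPLE = "\n".join(
    [
        "(Routing) #show ip access-lists",
        "",
        "ACL Counters: Enabled",
        "Current number of ACLs: 4",
        "Maximum number of ACLs: 100",
        "",
        _row("ACL ID/Name", "Rules", "Direction", "Interface(s)", "VLAN(s)"),
        _row("-" * 31, "-" * 5, "-" * 9, "-" * 16, "-" * 10),
        _row("test", "1"),
        _row("second", "1", "inbound", "1/0/5"),
        _row("dynacl#d", "3", "inbound", "1/0/9"),
    ]
    + _wrapped_rows(NAME_255, "0")
)


def _column_spans(separator):
    """(start, end) slices of each dashed column in the separator line."""
    spans, start = [], None
    for i, ch in enumerate(separator + " "):
        if ch == "-" and start is None:
            start = i
        elif ch != "-" and start is not None:
            spans.append((start, i))
            start = None
    return spans


def parse_acl_summary(text):
    """Return one dict per ACL, joining names the switch wrapped over several lines."""
    lines = text.splitlines()
    sep = next(i for i, ln in enumerate(lines) if ln.strip() and set(ln.strip()) <= {"-", " "})
    spans = _column_spans(lines[sep])
    headers = [lines[sep - 1][s:e].strip() for s, e in spans]
    entries, name_parts = [], []
    for line in lines[sep + 1:]:
        if not line.strip():
            continue
        cells = [line[s:e].strip() for s, e in spans]
        name_parts.append(cells[0])
        if cells[1] == "":
            # Rules column empty: this line holds only a fragment of a long name.
            continue
        entry = dict(zip(headers, cells))
        entry["ACL ID/Name"] = "".join(name_parts)
        entry["Rules"] = int(cells[1])
        entry["downloadable"] = entry["ACL ID/Name"].endswith("#d")
        entries.append(entry)
        name_parts = []
    return entries


def base_name(name):
    """Strip the '#d' tag the switch appends to a downloadable ACL's name."""
    return name[:-2] if name.endswith("#d") else name


def enforced_but_not_in_config(entries, running_config_acl_names):
    """ACLs the switch is applying that a saved running-config does not contain.

    Downloadable ACLs appear only in 'show ip access-lists', so a config
    backup or diff-based audit will not see them; compare against the
    live listing instead.
    """
    configured = set(running_config_acl_names)
    return [
        (base_name(e["ACL ID/Name"]), e.get("Interface(s)", ""))
        for e in entries
        if base_name(e["ACL ID/Name"]) not in configured
    ]
```

Because column boundaries are taken from the separator line rather than hard-coded, the parser also copes with a platform that widens a column; the only layout assumption is that a wrapped name carries its Rules value on its final line, as in the example above.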