
show ip access-lists

Displays the contents of all IPv4 and IPv6 access control lists (ACLs) configured on the device, including statistics for each entry.

Overview

The 'show ip access-lists' command is a fundamental tool for verifying and troubleshooting Access Control Lists (ACLs) on Cisco NX-OS devices. ACLs are used to filter traffic based on IP addresses, protocols, and ports, and are applied to interfaces to control inbound or outbound traffic. This command displays all configured IPv4 and IPv6 ACLs, their entries, and match statistics. In NX-OS, ACLs are processed in order of sequence numbers, and the first matching entry determines the action (permit or deny). The command is essential for network engineers to confirm that ACLs are correctly implemented, to identify which rules are being hit, and to detect any misconfigurations that could lead to security breaches or connectivity issues. It is commonly used during initial deployment, after changes, and during troubleshooting of traffic flow problems. NX-OS also supports hardware-accelerated ACLs, and the 'hardware' keyword provides insight into whether the ACL is offloaded to the forwarding hardware.

Syntax (EXEC mode)
show ip access-lists [<acl-name>] [summary] [interface <interface>] [hardware] [brief]

When to Use This Command

  • Verify ACL configuration after applying changes to ensure rules are correctly ordered.
  • Troubleshoot traffic filtering issues by checking hit counts on ACL entries.
  • Audit ACLs for security compliance before a network change window.
  • Compare hardware and software ACL statistics to identify forwarding inconsistencies.

Parameters

Parameter    Syntax                   Description
acl-name     WORD                     Name of a specific ACL to display. If omitted, all ACLs are shown.
summary      keyword                  Displays a summary of the ACL including total entries, total matches, and time since last match.
interface    interface <interface>    Shows ACLs applied to a specific interface, including direction and statistics.
hardware     keyword                  Displays hardware-specific ACL statistics, useful for verifying hardware offload.
brief        keyword                  Displays a condensed output with fewer details.

Command Examples

Display all IPv4 ACLs

show ip access-lists
IP access list ACL-1
    10 permit ip 10.1.1.0/24 any (10 matches)
    20 deny tcp any any eq 80 (5 matches)
    30 permit ip any any (100 matches)
IP access list ACL-2
    10 deny ip 192.168.1.0/24 any (0 matches)
    20 permit ip any any (50 matches)

Each ACL is listed with its name and entries. The sequence number, action, protocol, source, destination, and match count are shown. 'matches' indicates how many packets have matched that entry.

Display a specific ACL with summary

show ip access-lists ACL-1 summary
IP access list ACL-1
  Total entries: 3
  Total matches: 115
  Last match: 00:01:23 ago

The summary shows the total number of entries, the total matches across all entries, and the time since the last match.

Understanding the Output

The output of 'show ip access-lists' lists each configured ACL by name. Under each ACL, entries are displayed in order of sequence number. Each line shows the sequence number, action (permit/deny), protocol, source and destination networks/ports, and a match count in parentheses. The match count increments each time a packet matches that entry. A high match count on a deny entry may indicate blocked traffic; a low or zero count on a permit entry may suggest the ACL is not being hit or is misconfigured. The 'summary' option provides aggregate statistics. In NX-OS, the output also includes hardware and software counters when the 'hardware' keyword is used, which is useful for verifying that ACLs are programmed in hardware.
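As an added illustration (not part of the original page and not Cisco tooling), the following Python script parses the 'show ip access-lists' output shown above into structured records, reproduces the per-ACL totals that the 'summary' keyword reports, and flags the cases this section describes: permit entries with no hits, deny entries with no hits, and ACLs with no explicit catch-all entry. The sample output is constructed to match the examples on this page; the function names are my own.

```python
import re

# Constructed sample, modelled on the example output earlier on this page.
SAMPLE_OUTPUT = """\
IP access list ACL-1
    10 permit ip 10.1.1.0/24 any (10 matches)
    20 deny tcp any any eq 80 (5 matches)
    30 permit ip any any (100 matches)
IP access list ACL-2
    10 deny ip 192.168.1.0/24 any (0 matches)
    20 permit ip any any (50 matches)
"""

ACL_HEADER = re.compile(r"^IP access list (\S+)\s*$")
# sequence number, action, rule text, optional "(N matches)" statistics suffix
ACE_LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)\s*(?:\((\d+) matches\))?\s*$")


def parse_access_lists(text):
    """Parse show output into {acl_name: [entry, ...]} with entries in sequence order."""
    acls = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq, action, rule, matches = ace.groups()
            acls[current].append({
                "seq": int(seq),
                "action": action,
                "rule": rule,
                "matches": int(matches) if matches is not None else 0,
            })
    for entries in acls.values():  # NX-OS prints in sequence order; sort defensively anyway
        entries.sort(key=lambda e: e["seq"])
    return acls


def summarize(acls):
    """Per-ACL totals: the figures the 'summary' keyword reports."""
    return {
        name: {"entries": len(entries), "matches": sum(e["matches"] for e in entries)}
        for name, entries in acls.items()
    }


def audit(acls):
    """Return (acl, seq, note) tuples for entries worth a second look."""
    findings = []
    for name, entries in acls.items():
        for e in entries:
            if e["matches"] == 0 and e["action"] == "permit":
                findings.append((name, e["seq"], "permit entry never matched: traffic not arriving, or shadowed by an earlier entry"))
            elif e["matches"] == 0:
                findings.append((name, e["seq"], "deny entry never matched: possibly redundant, or traffic not reaching it"))
        # Without an explicit final 'ip any any', the implicit deny drops everything not matched above.
        if not entries or not entries[-1]["rule"].startswith("ip any any"):
            findings.append((name, None, "no explicit final 'ip any any' entry: the implicit deny drops everything else"))
    return findings


if __name__ == "__main__":
    parsed = parse_access_lists(SAMPLE_OUTPUT)
    for name, totals in summarize(parsed).items():
        print(f"{name}: {totals['entries']} entries, {totals['matches']} matches")
    for acl, seq, note in audit(parsed):
        print(f"{acl} seq {seq}: {note}")
```

Run it against saved output from the device (for example, redirected from a terminal session) to turn a visual check into a repeatable one; the zero-hit findings are hints to investigate, not proof of a misconfiguration, since a deny entry that has never matched may simply be doing its job quietly.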

Configuration Scenarios

Verifying ACL Applied to an Interface

After applying an ACL to an interface, verify it is correctly filtering traffic.

Topology

[Internet] -- [Nexus-1] -- [Internal Network]

Steps

  1. Configure ACL on Nexus-1.
  2. Apply ACL to interface Ethernet1/1 inbound.
  3. Use 'show ip access-lists interface ethernet 1/1' to verify.

Configuration
! ACL configuration
ip access-list ACL-1
  10 permit ip 10.1.1.0/24 any
  20 deny ip any any
! Apply to interface
interface ethernet 1/1
  ip access-group ACL-1 in

Verify with 'show ip access-lists interface ethernet 1/1'. The output shows the ACL name, direction, and match counts.

Watch out: Ensure the ACL is applied in the correct direction (in/out). A common mistake is applying inbound when outbound is needed.

Troubleshooting with This Command

When troubleshooting traffic issues with ACLs on NX-OS, start by using 'show ip access-lists' to view match counts. A zero match count on a permit entry may indicate that traffic is not reaching the ACL or is being matched by an earlier deny entry. Compare hardware and software counters using the 'hardware' keyword to ensure the ACL is programmed in hardware; if software counters increment but hardware counters do not, the ACL may be processed in software, causing performance issues. Use the 'interface' option to see which ACLs are applied and their direction. If an ACL is not being hit, check interface statistics with 'show interface' to confirm traffic is flowing. Also, verify that the ACL does not have an implicit deny blocking desired traffic. For complex ACLs, use 'show ip access-lists summary' to get a quick overview of total matches and last match time. Remember that NX-OS ACLs are stateless, so return traffic must be explicitly permitted if needed.
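The first-match rule and the stateless behaviour described above are easy to get wrong when reading counters, so here is an added Python model (my own code, not an NX-OS component) that evaluates a packet against an ACL in sequence order, falls through to the implicit deny, and checks the reply direction separately. The ACL is a constructed copy of ACL-1 from the example output; the dictionary layout and function names are hypothetical.

```python
import ipaddress

# Constructed ACL modelled on ACL-1 from the example output on this page
# (field layout is hypothetical, not an NX-OS data structure).
ACL_1 = [
    {"seq": 10, "action": "permit", "proto": "ip",  "src": "10.1.1.0/24", "dst": "any", "dport": None},
    {"seq": 20, "action": "deny",   "proto": "tcp", "src": "any",         "dst": "any", "dport": 80},
    {"seq": 30, "action": "permit", "proto": "ip",  "src": "any",         "dst": "any", "dport": None},
]


def _in_net(spec, addr):
    """'any' matches everything; otherwise test membership of the address in the prefix."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace, proto, src, dst, dport):
    """True if the entry matches the packet; an 'ip' entry matches every protocol."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return _in_net(ace["src"], src) and _in_net(ace["dst"], dst)


def first_match(acl, proto, src, dst, dport=None):
    """Evaluate entries in sequence order and return (seq, action) of the first hit.
    If nothing matches, the implicit deny at the end applies: (None, 'deny')."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if ace_matches(ace, proto, src, dst, dport):
            return ace["seq"], ace["action"]
    return None, "deny"


def return_traffic_permitted(acl, proto, client, server):
    """NX-OS ACLs are stateless, so the reply is evaluated on its own against whichever ACL
    the reply direction crosses. The reply's destination port is the client's ephemeral
    port, modelled here as None (unspecified)."""
    return first_match(acl, proto, server, client, None)[1] == "permit"


if __name__ == "__main__":
    # Web traffic from the internal subnet hits entry 10 before the port-80 deny at entry 20,
    # which is why entry 20 can show few matches even with plenty of HTTP flowing.
    print(first_match(ACL_1, "tcp", "10.1.1.5", "203.0.113.9", 80))     # (10, 'permit')
    print(first_match(ACL_1, "tcp", "192.0.2.7", "203.0.113.9", 80))    # (20, 'deny')
    # Drop the final 'permit ip any any' and unmatched traffic falls to the implicit deny.
    print(first_match(ACL_1[:2], "udp", "192.0.2.7", "203.0.113.9", 53))  # (None, 'deny')
    print(return_traffic_permitted(ACL_1[:2], "tcp", "10.1.1.5", "203.0.113.9"))  # False
```

The model deliberately ignores source ports, established flags and object groups; it is meant for reasoning about why a counter reads the way it does, not for replacing a test on the device.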

CCNA Exam Tips

  1. Remember that ACLs are processed top-down; the first match applies. Sequence numbers determine order.
  2. NX-OS ACLs are stateless, including for TCP; know the difference from reflexive ACLs, which create temporary entries for return traffic.
  3. Be able to interpret match counts: a zero match count on a deny entry might indicate the rule is redundant or traffic is not hitting it.

Common Mistakes

Forgetting that ACLs have an implicit deny at the end; not including a permit any any can block all traffic.

Misreading match counts: a high count on a deny entry is expected if blocking malicious traffic, but a low count on a permit entry may indicate a problem.

Assuming ACL order is alphabetical; it is by sequence number, not name.

Platform Notes

On Cisco NX-OS, ACLs are similar to IOS but with some differences. NX-OS uses sequence numbers for entries, and the 'show ip access-lists' output includes match counts by default. The 'hardware' keyword is NX-OS specific and provides insight into hardware offload. On IOS, the equivalent command is 'show access-lists', which also shows match counts but may not have the 'hardware' option. NX-OS also supports object-group-based ACLs, which are not available in classic IOS. For IPv6 ACLs, use 'show ipv6 access-lists'. In NX-OS, ACLs can be applied to VLAN interfaces, port-channels, and other interface types. Version differences: NX-OS 7.x and later support additional features like ACL logging and statistics per entry.
