ACL · Privileged EXEC

show access-lists

Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.

Syntax · Privileged EXEC
show access-lists

When to Use This Command

  • Verify that an ACL is correctly applied to an interface and that traffic is being matched as expected.
  • Troubleshoot why certain traffic is being blocked or permitted by checking match counters.
  • Review ACL entries before modifying or removing them to avoid disrupting network access.
  • Audit security policies by listing all ACLs and their rules.

Command Examples

View all ACLs with match counters

show access-lists
Extended IP access list 100
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (12 matches)
    20 deny tcp any any eq 23 (5 matches)
    30 permit ip any any (100 matches)
Extended IP access list INBOUND
    10 permit tcp any host 10.0.0.1 eq 443 (0 matches)
    20 deny ip any any log (3 matches)

Line 1: ACL type and name/number. Lines 2-4: each entry shows its sequence number, action, protocol, source, destination, port (where specified) and, in parentheses, its match count. Lines 5-7: a second, named ACL with its own entries. The match count is the number of packets that have matched that entry.

View a specific named ACL

show access-lists INBOUND
Extended IP access list INBOUND
    10 permit tcp any host 10.0.0.1 eq 443 (0 matches)
    20 deny ip any any log (3 matches)

Filters the output to the named ACL 'INBOUND' only, which is useful when focusing on a single ACL. The counters show 0 matches on the permit entry and 3 on the deny entry, meaning three packets have been blocked (and, because of the 'log' keyword, logged).

Understanding the Output

The output lists each ACL by name or number, followed by its entries in evaluation order. Each entry shows its sequence number, action (permit/deny), protocol (ip, tcp, udp, etc.), source and destination addresses with wildcard masks, optional port information, and the match count in parentheses. A match counter increments every time a packet matches that line. A high count on a deny line may indicate unwanted traffic being blocked; a zero count on a permit line may mean that no matching traffic has arrived, that the ACL is not applied where you expect, or that an earlier entry is matching the traffic first. The 'log' keyword indicates that matches on that entry are logged. In a real network you use this output to verify that an ACL is effective and to troubleshoot filtering issues.

CCNA Exam Tips

1. Remember that ACLs have an implicit deny all at the end, which does not appear in the output but still blocks unmatched traffic.

2. Match counters reset when the device reloads or when the ACL is edited; they are not persistent.

3. The order of entries matters: the first match applies. The sequence numbers show the evaluation order.

4. For the CCNA exam, know that 'show access-lists' is used to verify ACL configuration and check match counts.

Common Mistakes

Assuming that a zero match count means the ACL is not applied; it could be that no matching traffic has passed.

Forgetting that ACLs are processed top-down and the implicit deny at the end blocks all other traffic.

Confusing wildcard masks with subnet masks; wildcard masks use inverted bits (0=must match, 1=don't care).
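The following is an added example, not part of the original page: it parses the 'show access-lists' output format described under Understanding the Output, applies the wildcard-mask rule above (0 = must match, 1 = don't care), and evaluates a packet top-down with first match wins and the implicit deny at the end. The sample text is constructed from the first Command Examples output; the regular expressions and function names are this example's own assumptions about the format, not anything from IOS.

```python
import ipaddress
import re
# Constructed sample: the output from the page's first example above.
SAMPLE = """\
Extended IP access list 100
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (12 matches)
    20 deny tcp any any eq 23 (5 matches)
    30 permit ip any any (100 matches)
Extended IP access list INBOUND
    10 permit tcp any host 10.0.0.1 eq 443 (0 matches)
    20 deny ip any any log (3 matches)
"""
HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
ENTRY = re.compile(r"^\s+(\d+) (permit|deny) (\S+) (.*?)(?: \((\d+) match(?:es)?\))?$")
def parse_address(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD' -> (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)

def parse_access_lists(text):
    """Map ACL name/number -> list of entries in evaluation (sequence) order."""
    acls, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = acls.setdefault(m.group(2), [])
        elif (m := ENTRY.match(line)) and current is not None:
            seq, action, proto, rest, count = m.groups()
            tokens = rest.split()
            src, dst = parse_address(tokens), parse_address(tokens)
            current.append({"seq": int(seq), "action": action, "proto": proto, "src": src,
                            "dst": dst, "dport": tokens[1] if tokens[:1] == ["eq"] else None,
                            "log": "log" in tokens, "matches": int(count or 0)})
    return acls

def in_wildcard(addr, spec):
    """Wildcard mask semantics: 0 bits must match, 1 bits are 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & (0xFFFFFFFF ^ wild)) == 0

def evaluate(acl, src, dst, proto="ip", dport=None):
    """Top-down, first match wins; the implicit deny is reported as seq None."""
    for e in acl:
        if (e["proto"] in ("ip", proto) and e["dport"] in (None, str(dport))
                and in_wildcard(src, e["src"]) and in_wildcard(dst, e["dst"])):
            return e["action"], e["seq"]
    return "deny", None
```

The "(N matches)" suffix is optional in ENTRY because devices commonly omit it for entries that have never been hit, while the page's sample prints "(0 matches)". Deny entries with a non-zero count and permit entries with a zero count can be picked out directly from the parsed "matches" field.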
