show ip access-lists
Displays the contents of all current IP access lists or a specific access list, including the number of matches for each entry, used to verify and troubleshoot ACL configuration and traffic filtering.
When to Use This Command
- Verify that an ACL is correctly filtering traffic by checking hit counts after applying it to an interface.
- Troubleshoot why certain traffic is being blocked or allowed unexpectedly by examining the order and matches of ACL entries.
- Confirm the sequence numbers and content of a named or numbered ACL before making modifications.
- Audit ACLs for security compliance by reviewing the rules and their match counts.
Command Examples
View all IP access lists
show ip access-lists

Extended IP access list 101
10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (12 matches)
20 deny tcp any any eq 23 (5 matches)
30 permit ip any any (100 matches)
Extended IP access list BLOCK_SSH
10 deny tcp any 10.0.0.0 0.255.255.255 eq 22 (3 matches)
20 permit ip any any (200 matches)

The first line of each block gives the access list type (Extended IP) and its identifier (101 or BLOCK_SSH). Each entry then shows the sequence number (10, 20, 30), the action (permit/deny), the protocol, the source and destination with wildcard mask, an optional port (eq 80), and the match count in parentheses. The match count is the number of packets that have matched that line since the counters were last cleared or the device reloaded.
View a specific named access list
show ip access-lists BLOCK_SSH

Extended IP access list BLOCK_SSH
10 deny tcp any 10.0.0.0 0.255.255.255 eq 22 (3 matches)
20 permit ip any any (200 matches)

Only the specified ACL is displayed. The output shows two entries: the first denies SSH traffic to the 10.0.0.0/8 network (3 matches), and the second permits all other traffic (200 matches).
Understanding the Output
The output lists each configured IP access list (both numbered and named) with its type (Standard or Extended). For each ACL, entries are shown in order with their sequence number, action (permit/deny), protocol (ip, tcp, udp, etc.), source and destination addresses with wildcard masks, and optional port information. The most critical field is the match count in parentheses after each entry, which increments every time a packet matches that line. A high match count on a deny entry may indicate blocked traffic that should be allowed, while a low or zero match count on a permit entry could mean the ACL is not being applied correctly or the traffic is not reaching the router. The order of entries is important because ACLs are processed top-down; once a match occurs, no further entries are checked. If no matches appear on any entry, the ACL might not be applied to an interface, or the implicit deny at the end is blocking all traffic (which does not show a match count). Use this command to verify ACL logic and troubleshoot filtering issues.
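The top-down processing and match-count interpretation described above, as an added example that is not part of this page: a small Python parser for show ip access-lists output that also flags entries with zero matches and entries that can never be reached because they follow a permit ip any any catch-all. The sample output is constructed from the page's example, plus one extra line with no match suffix to show how IOS prints an entry that has never matched.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output modelled on the page's example (not captured from a device).
# The last BLOCK_SSH line has no "(n matches)" suffix, as IOS prints for an unmatched entry.
SAMPLE = """\
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (12 matches)
    20 deny tcp any any eq 23 (5 matches)
    30 permit ip any any (100 matches)
Extended IP access list BLOCK_SSH
    10 deny tcp any 10.0.0.0 0.255.255.255 eq 22 (3 matches)
    20 permit ip any any (200 matches)
    30 deny udp any any eq 53
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# seq, action, protocol, the rest of the rule, and an optional "(n match/matches)" suffix
ENTRY = re.compile(r"^\s*(\d+) (permit|deny) (\S+) (.*?)(?: \((\d+) matches?\))?$")

@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    rest: str
    matches: int  # 0 when IOS prints no match suffix at all

@dataclass
class Acl:
    kind: str
    name: str
    entries: list = field(default_factory=list)

def parse(text):
    """Turn show ip access-lists output into a list of Acl objects."""
    acls = []
    for line in text.splitlines():
        if h := HEADER.match(line.strip()):
            acls.append(Acl(h.group(1), h.group(2)))
        elif (e := ENTRY.match(line)) and acls:
            acls[-1].entries.append(Entry(int(e.group(1)), e.group(2), e.group(3),
                                          e.group(4), int(e.group(5) or 0)))
    return acls

def audit(acls):
    """Flag unreachable entries (after a permit/deny ip any any) and zero-hit entries."""
    findings = []
    for acl in acls:
        shadowed = False
        for e in acl.entries:
            if shadowed:
                findings.append((acl.name, e.seq, "unreachable: follows an ip any any catch-all"))
            elif e.matches == 0:
                findings.append((acl.name, e.seq, "zero matches: check interface/direction or traffic"))
            if e.proto == "ip" and e.rest == "any any":
                shadowed = True  # top-down processing: nothing below this line is ever evaluated
    return findings
```

Running audit(parse(SAMPLE)) reports only BLOCK_SSH sequence 30 as unreachable, since it sits below the permit ip any any entry.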
CCNA Exam Tips
- Remember that the implicit deny at the end of every ACL does not show a match count; if no matches appear, the implicit deny is likely blocking traffic.
- The sequence numbers (10, 20, 30) are used for editing ACLs; the exam may test that you can insert or delete entries using these numbers.
- Match counts reset after a reload or after using the 'clear access-list counters' command; be aware of this when troubleshooting.
- Named ACLs are displayed with their name; the exam may ask you to differentiate between numbered and named ACLs.
Common Mistakes
- Assuming that a zero match count means the ACL is not working; it could mean the traffic is not hitting the router or the ACL is applied to the wrong interface/direction.
- Forgetting that ACLs are processed top-down and that a permit entry later in the list will never be reached if a deny entry above it matches.
- Misinterpreting the wildcard mask; the output shows the wildcard mask used in the ACL, not the subnet mask.
Related Commands
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show ip interface
Displays the status and configuration of all IP interfaces on a Cisco router, including IP address, protocol status, and interface statistics, used for verifying interface IP configuration and troubleshooting connectivity issues.