Cisco "show access-lists" Command Explained
The show access-lists command displays every ACL on the device with per-line match counters, so you can see what your filters are actually catching. It runs in privileged EXEC mode.
Syntax and common variants
| Variant | Purpose |
|---|---|
| show access-lists | All ACLs with hit counts |
| show access-lists 110 | One ACL |
| show ip interface gi0/1 | See which ACL is applied where |
| clear access-list counters | Zero the counters for a fresh test |
Reading the output
| Output / element | Meaning |
|---|---|
| 10 permit tcp … (25 matches) | Line number, rule, and how many packets matched |
| (no matches shown) | Line never hit; the rule may be shadowed or the traffic absent |
When to use it
Counters turn ACL debugging from guesswork into evidence: generate test traffic and watch which line increments. A deny counter climbing when it shouldn't points to an ordering problem; if nothing increments, the ACL is not applied where you think it is (verify with show ip interface).
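The before-and-after comparison described above, as an added example that is not part of the original page: a Python script that parses two saved copies of show access-lists output and reports which lines incremented and which have never matched. The sample output is constructed, and the function names are illustrative.

```python
import re

HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# Sequence number, rule text, then an optional "(N matches)" / "(1 match)" counter.
ENTRY = re.compile(r"^\s+(\d+) (.+?)(?: \((\d+) match(?:es)?\))?\s*$")

def parse(text):
    """Map (acl, sequence) -> (rule, hits); an entry with no counter has 0 hits."""
    acl, entries = None, {}
    for line in text.splitlines():
        if m := HEADER.match(line):
            acl = m.group(1)
        elif acl and (m := ENTRY.match(line)):
            entries[(acl, int(m.group(1)))] = (m.group(2), int(m.group(3) or 0))
    return entries

def incremented(before, after):
    """Entries whose counter rose between two snapshots, with the delta."""
    return {k: (rule, hits - before.get(k, ("", 0))[1])
            for k, (rule, hits) in after.items()
            if hits > before.get(k, ("", 0))[1]}

def never_hit(snapshot):
    """Entries with no matches: possibly shadowed, or the traffic is absent."""
    return sorted(k for k, (_, hits) in snapshot.items() if hits == 0)

# Constructed sample output (not captured from a real device).
BEFORE = """\
Extended IP access list 110
    10 permit tcp any host 192.0.2.10 eq www (25 matches)
    20 deny tcp any host 192.0.2.10 eq 22 (4 matches)
    30 permit ip 10.0.0.0 0.0.0.255 any
"""
AFTER = """\
Extended IP access list 110
    10 permit tcp any host 192.0.2.10 eq www (25 matches)
    20 deny tcp any host 192.0.2.10 eq 22 (9 matches)
    30 permit ip 10.0.0.0 0.0.0.255 any
"""

if __name__ == "__main__":
    b, a = parse(BEFORE), parse(AFTER)
    for (acl, seq), (rule, delta) in incremented(b, a).items():
        print(f"ACL {acl} line {seq} +{delta}: {rule}")
    for acl, seq in never_hit(a):
        print(f"ACL {acl} line {seq} has no matches")
```

Traffic dropped by the implicit deny does not appear in either snapshot, because that final rule has no line or counter to parse.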
Frequently asked questions
Why is my ACL not blocking anything?
Check it's actually applied to the right interface and direction (show ip interface) — a defined-but-unapplied ACL does nothing.
What does the implicit deny mean here?
Every ACL ends with an invisible deny any — traffic matching no line is dropped, and it won't show a counter.
Can I edit one line of a numbered ACL?
With sequence numbers in named/modern syntax, yes (ip access-list …); classic numbered ACLs typically need to be rebuilt, which is another reason to prefer named ACLs.