Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 28 Configuring Network Security with ACLs
Displaying IPv4 ACL Configuration

ACLs and Multicast Packets

Figure 28-8 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast
packet being routed has two different kinds of filters applied: one for destinations that are other ports in
the input VLAN and another for each of the destinations that are in other VLANs to which the packet
has been routed. The packet might be routed to more than one output VLAN, in which case a different
router output ACL and VLAN map would apply for each destination VLAN.

The final result is that the packet might be permitted in some of the output VLANs and not in others. A
copy of the packet is forwarded to those destinations where it is permitted. However, if the input VLAN
map (VLAN 10 map in Figure 28-8) drops the packet, no destination receives a copy of the packet.
Figure 28-8 Applying ACLs on Multicast Packets
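
The replication behavior described above, as an added Python model (an illustration added here, not Cisco code or switch configuration). It assumes the stage order for routed copies follows the labels of Figure 28-8 (input VLAN map, input router ACL, routing function, output router ACL, output VLAN map); Host D, VLAN 30 and the addresses are constructed for the example.

```python
# Added illustration, not Cisco code: a toy model of the filter stages in Figure 28-8.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Filter = Callable[[dict], bool]          # True = permit, False = deny/drop

def permit_all(pkt: dict) -> bool:       # default when no ACL or map is applied
    return True

@dataclass
class Switch:
    vlan_map: Dict[int, Filter] = field(default_factory=dict)        # per VLAN
    router_acl_in: Dict[int, Filter] = field(default_factory=dict)   # per VLAN interface
    router_acl_out: Dict[int, Filter] = field(default_factory=dict)  # per VLAN interface

    def replicate(self, pkt: dict, in_vlan: int,
                  receivers: List[Tuple[str, int]]) -> Dict[str, str]:
        """Return a verdict for every (host, vlan) receiver of a multicast packet."""
        def ok(table: Dict[int, Filter], vlan: int) -> bool:
            return table.get(vlan, permit_all)(pkt)

        # The input VLAN map sees the packet before replication: a drop here
        # means no destination receives a copy.
        if not ok(self.vlan_map, in_vlan):
            return {h: f"dropped by VLAN {in_vlan} map" for h, _ in receivers}
        verdicts = {}
        for host, vlan in receivers:
            if vlan == in_vlan:                      # other port in the input VLAN
                verdicts[host] = "forwarded"
            elif not ok(self.router_acl_in, in_vlan):   # assumed stage order
                verdicts[host] = f"dropped by input router ACL (VLAN {in_vlan})"
            elif not ok(self.router_acl_out, vlan):  # evaluated per output VLAN
                verdicts[host] = f"dropped by output router ACL (VLAN {vlan})"
            elif not ok(self.vlan_map, vlan):        # output VLAN map, per VLAN
                verdicts[host] = f"dropped by VLAN {vlan} map"
            else:
                verdicts[host] = "forwarded"
        return verdicts

# Constructed sample: Host A (VLAN 10) sends to group 239.1.1.1; Host D / VLAN 30 is hypothetical.
PKT = {"src": "10.0.10.5", "group": "239.1.1.1"}
RECEIVERS = [("Host C", 10), ("Host B", 20), ("Host D", 30)]

def demo(drop_at_input: bool) -> Dict[str, str]:
    sw = Switch(router_acl_out={30: lambda p: p["group"] != "239.1.1.1"})
    if drop_at_input:
        sw.vlan_map[10] = lambda p: False
    return sw.replicate(PKT, 10, RECEIVERS)

if __name__ == "__main__":
    print(demo(False)); print(demo(True))
```

The first run shows a copy permitted in VLAN 10 and VLAN 20 but denied in VLAN 30; the second shows that a drop in the VLAN 10 map leaves every receiver without a copy.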
Displaying IPv4 ACL Configuration

You can display the ACLs that are configured on the switch, and you can display the ACLs that have
been applied to interfaces and VLANs.
When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 or 3
interface, you can display the access groups on the interface. You can also display the MAC ACLs
applied to a Layer 2 interface. You can use the privileged EXEC commands as described in Table 28-2
to display this information.
[Figure 28-8 (diagram not reproduced). Labels: Host A (VLAN 10), Host B (VLAN 20), Host C (VLAN 10); VLAN 10 map; VLAN 20 map; Input router ACL; Output router ACL; Routing function; Frame; Packet.]
Table 28-2 Commands for Displaying Access Lists and Access Groups

Command                                 Purpose
show access-lists [number | name]       Displays the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named).
show ip access-lists [number | name]    Displays the contents of all current IP access lists or a specific IP access list (numbered or named).