
How to find out what interface is ACL applied to?

WINCis
Level 1

Yes, I know that running the command "show ip int" will work, but do I have to scroll down through a bunch of interfaces till I find what I'm looking for? Is there another way to filter based on a specific ACL?

Thanks.

6 Replies

Arne Bier
VIP

You can try this little regular expression - I was looking for the interfaces that had ingress ACL "PREAUTH_ACL" applied. Sadly, IOS regular expressions are not like the Unix "grep" command - grep has an option to print the preceding line that matched your regular expression - that would have given us the cleaner output.

 

SW1#show ip interface | include PREAUTH_ACL$|Ethernet

GigabitEthernet0/0 is administratively down, line protocol is down
GigabitEthernet1/0/1 is up, line protocol is up
GigabitEthernet1/0/2 is up, line protocol is up
GigabitEthernet1/0/3 is up, line protocol is up
GigabitEthernet1/0/4 is up, line protocol is up
GigabitEthernet1/0/5 is up, line protocol is up
GigabitEthernet1/0/6 is up, line protocol is up
GigabitEthernet1/0/7 is up, line protocol is up
GigabitEthernet1/0/8 is up, line protocol is up
GigabitEthernet1/0/9 is up, line protocol is up
GigabitEthernet1/0/10 is up, line protocol is up
GigabitEthernet1/0/11 is up, line protocol is up
GigabitEthernet1/0/12 is up, line protocol is up
GigabitEthernet1/0/13 is up, line protocol is up
GigabitEthernet1/0/14 is up, line protocol is up
GigabitEthernet1/0/15 is up, line protocol is up
GigabitEthernet1/0/16 is up, line protocol is up
GigabitEthernet1/0/17 is up, line protocol is up
GigabitEthernet1/0/18 is up, line protocol is up
GigabitEthernet1/0/19 is up, line protocol is up
GigabitEthernet1/0/20 is down, line protocol is down
  Inbound  access list is PREAUTH_ACL
GigabitEthernet1/0/21 is up, line protocol is up
GigabitEthernet1/0/22 is down, line protocol is down
  Inbound  access list is PREAUTH_ACL
GigabitEthernet1/0/23 is up, line protocol is up
GigabitEthernet1/0/24 is up, line protocol is up
GigabitEthernet1/1/1 is down, line protocol is down
GigabitEthernet1/1/2 is down, line protocol is down
GigabitEthernet1/1/3 is down, line protocol is down
GigabitEthernet1/1/4 is down, line protocol is down
TenGigabitEthernet1/1/1 is up, line protocol is up
TenGigabitEthernet1/1/2 is up, line protocol is up
TenGigabitEthernet1/1/3 is up, line protocol is up
TenGigabitEthernet1/1/4 is up, line protocol is up
TenGigabitEthernet1/1/5 is administratively down, line protocol is down
TenGigabitEthernet1/1/6 is administratively down, line protocol is down
TenGigabitEthernet1/1/7 is administratively down, line protocol is down
TenGigabitEthernet1/1/8 is up, line protocol is up
FortyGigabitEthernet1/1/1 is down, line protocol is down
FortyGigabitEthernet1/1/2 is down, line protocol is down
AppGigabitEthernet1/0/1 is up, line protocol is up

 

FWIW, an example output from a standard Unix grep command

ArneBier_0-1699939947174.png

Perhaps there is some hope with the IOS pipe format command.  I have not tried that.

SW01#show ip interface | ?
  append    Append redirected output to URL (URLs supporting append operation only)
  begin     Begin with the line that matches
  count     Count number of lines which match regexp
  exclude   Exclude lines that match
  format    Format the output using the specified spec file
  include   Include lines that match
  redirect  Redirect output to URL
  section   Filter a section of output
  tee       Copy output to URL

 

Arne Bier
VIP

Turns out, you can enable grep on Cisco IOS. Who knew! I tried it, but sadly, Cisco IOS grep doesn't contain that killer feature I was talking about.

But if you want to pull out all the stops, and have IOS-XE 16.6 and later, you can enable guest shell - then you have the full Linux power.

 

[guestshell@guestshell ~]$ dohost "show ip interface" | grep -B1 PREAUTH
GigabitEthernet1/0/20 is down, line protocol is down
  Inbound  access list is PREAUTH_ACL
--
GigabitEthernet1/0/22 is down, line protocol is down
  Inbound  access list is PREAUTH_ACL
[guestshell@guestshell ~]$ 
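
The `grep -B1` pairing from the guest shell output above, written as a parser that also reports direction and matches the ACL name exactly. This is an added example, not part of the original posts: the sample text is constructed, and the `Outgoing access list is ...` line format is an assumption, since the thread only shows inbound lines.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "show ip interface" output in the thread.
# The "Outgoing access list" lines are an assumed format (not shown on the page).
SAMPLE = """\
GigabitEthernet1/0/19 is up, line protocol is up
  Outgoing access list is not set
  Inbound  access list is not set
GigabitEthernet1/0/20 is down, line protocol is down
  Outgoing access list is not set
  Inbound  access list is PREAUTH_ACL
GigabitEthernet1/0/21 is up, line protocol is up
  Outgoing access list is EGRESS_ACL
  Inbound  access list is not set
GigabitEthernet1/0/22 is down, line protocol is down
  Inbound  access list is PREAUTH_ACL
Vlan10 is up, line protocol is up
  Inbound  access list is PREAUTH_ACL_V2
"""

# Interface header lines start in column 0; per-interface detail lines are indented.
HEADER = re.compile(r"^(\S+) is .*line protocol is ")
ACL = re.compile(r"^\s+(Inbound|Outgoing)\s+access list is\s+(.+?)\s*$")

def acl_bindings(text):
    """Return {acl_name: [(interface, direction), ...]} from 'show ip interface' text."""
    bindings = defaultdict(list)
    current = None  # interface whose detail lines are being read
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = ACL.match(line)
        if m and current and m.group(2) != "not set":
            direction = "in" if m.group(1) == "Inbound" else "out"
            bindings[m.group(2)].append((current, direction))
    return dict(bindings)

def interfaces_for(text, acl_name):
    """Exact-name lookup, so PREAUTH_ACL does not also return PREAUTH_ACL_V2 ports."""
    return acl_bindings(text).get(acl_name, [])

if __name__ == "__main__":
    for acl, uses in sorted(acl_bindings(SAMPLE).items()):
        print(acl, uses)
```

Inside guest shell, the same functions can be given the text produced by `dohost "show ip interface"` in place of `SAMPLE`.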

 

That sounds good. It never crossed my mind that we can enable Linux tricks on Cisco.

show ip interface | include line protocol | acl-name

This can give you some hint 

Yep, it did give me a hint.
Thanks a lot.

 

You are welcome