find access-lists assigned to Interfaces

ralpho1
Level 1

Hello,

We have a lot of Cisco switches, many in stacks, with a lot of interfaces. I took over the stuff from a colleague who has left. I see there are some access-lists created, but I want to know on which interfaces they are assigned. I can run "show run" and view all the interfaces, puhh, but that wastes a lot of time. I tried "sho ip interface | inc line protocol|access-group"; then I find that they are active but not on which interface. I tried "show run | inc access-group", same result. Is there an easy way to find directly the interfaces which have the access-lists assigned?

Any help would be appreciated.

Regards Ralph


5 Replies

Hello,

The command "show ip interface <interface>" should show you ACLs applied on interfaces. That's individually. You could leave off the Cisco interface and | for "access-list" and try to gauge which interfaces have an ACL. I don't recall there being a list type view (I wish there was for this specific reason).

Hope that helps

-David

pieterh
VIP

I don't know about an easy command to find where an access-list/group (which could occur multiple times) is referenced,

but you could try "show running-config | sect interface | include |interface|access-group|....."
(or filter on part of the interface names: use multiple strings like giga, fast, teng, ethernet etc., including capitals where necessary).

Make it a general command that can be executed on all device models.
Then you get a list with all interfaces, followed by the access-group where applied.

Of course this list is longer than you need, because all the interfaces, including those with no access-list applied, are in the list, but you can quickly locate the interesting interfaces in this output.

Joseph W. Doherty
Hall of Fame

I believe both @David Ruess and @pieterh are on the correct track using regex, but what might be needed is full piping support so you could pass regex against a prior regex result. In lieu of having config file copies on an external system with such piping support, possibly, on a Cisco device, multiple regex passes might be done storing temporary files on flash. (Possibly a series of such command lines could be placed into a macro command.)

That said, if you did have external config file copies, you could also subject them to a scripting language.

ralpho1
Level 1

OK, I got closer with some commands posted here. By the way, could it be that the Linux operations like &&, OR etc. are not working here? I guess I'll have to copy all of the running-configs to Notepad++ ;-(

pieterh
VIP

The pipe command does not support the AND operator. You can do multiple OR commands.
Your own example already uses the OR syntax:
     "sho ip interface | inc line protocol|access-group"
The first "|" is a real pipe function, the other is an OR function between multiple keywords.

If you already have all configurations on another host (as you mention Notepad++), you might consider a script there?
On Linux you can grep on access-group and use the -B option to include a number of lines before the found string in the configuration files (the line count before must be enough to include the interface name).