Found a great command for viewing and troubleshooting access-lists on the Nexus NX-OS command line.
“show run aclmgr”
The “show run aclmgr” command, run from an NX-OS switch, shows every access-list defined on the switch together with the interfaces each one is attached to and the direction (in or out) in which it is applied. Seeing the definitions and the bindings together in one place really helps when troubleshooting Access Control Lists (ACLs).
All I would like to see is the addition of hit counters on the ACLs, but I guess you cannot have it all.
Here is an example of the “show run aclmgr” output from a Nexus switch:
Pei-Bld-Core01# show run aclmgr
!Command: show running-config aclmgr
!Time: Tue Jul 21 10:14:46 2015
version 5.1(3)N2(1)
ip access-list 25
  10 permit ip 10.32.12.0/24 any
ip access-list PEISOURCE-OUTBOUND
  3 permit udp any 255.255.255.255/0 eq bootpc
  4 permit udp any 255.255.255.255/0 eq bootps
  12 permit udp any 255.255.255.255/32 eq bootps
  19 permit udp any 10.32.0.40/32 eq bootpc
  20 permit udp any 10.32.0.23/32 eq bootpc
ip access-list Inbound-from-PEI
  10 remark Allow traffic from production 10.32.13.14
  15 permit ip 10.32.13.14/32 10.32.0.121/32
  20 permit ip 10.32.13.14/32 10.32.0.31/32
  30 permit ip 10.32.13.14/32 10.10.10.117/32
ip access-list Outbound-to-Leadership
  10 remark Allow ICMP Rules
  20 permit icmp 10.32.0.26/32 10.32.5.0/24 echo
  30 permit icmp 10.32.0.81/32 10.32.5.0/24 echo
  40 permit icmp 10.32.5.0/24 10.32.5.0/24 echo
  50 deny icmp any 10.32.5.0/24 echo
ip access-list Outbound-to-PEI
  10 remark Allow traffic to production 10.32.13.14
  15 permit ip 10.32.0.121/32 10.32.13.14/32
  20 permit ip 10.32.0.31/32 10.32.13.14/32
  30 permit ip 10.10.10.117/32 10.32.13.14/32
interface Vlan105
  ip access-group Outbound-to-Leadership out
interface Vlan113
  ip access-group Inbound-from-PEI in
  ip access-group Outbound-to-PEI out
interface Vlan701
  ip access-group PEISOURCE-OUTBOUND in
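Because the output lists definitions and bindings together, it is easy to cross-check one against the other. The script below is an added example, not code from the original post or an NX-OS feature: it parses “show run aclmgr” output (the SAMPLE constant is the output shown above, pasted in so the script runs offline), prints which ACL is applied to which interface in which direction, and flags two things worth a second look before trusting the filter: ACLs that are defined but never applied to an interface, and entries whose prefix length is /0, which compare zero address bits and therefore match every address no matter what is written before the slash. The function and variable names are the example's own.

```python
"""Cross-check NX-OS 'show run aclmgr' output: ACL definitions vs. bindings.
Added example (not from the post or from Cisco).  SAMPLE is the output shown
in the post; pass real 'show run aclmgr' text to parse_aclmgr() to use it."""
import re

SAMPLE = """\
!Command: show running-config aclmgr
!Time: Tue Jul 21 10:14:46 2015
version 5.1(3)N2(1)
ip access-list 25
  10 permit ip 10.32.12.0/24 any
ip access-list PEISOURCE-OUTBOUND
  3 permit udp any 255.255.255.255/0 eq bootpc
  4 permit udp any 255.255.255.255/0 eq bootps
  12 permit udp any 255.255.255.255/32 eq bootps
  19 permit udp any 10.32.0.40/32 eq bootpc
  20 permit udp any 10.32.0.23/32 eq bootpc
ip access-list Inbound-from-PEI
  10 remark Allow traffic from production 10.32.13.14
  15 permit ip 10.32.13.14/32 10.32.0.121/32
  20 permit ip 10.32.13.14/32 10.32.0.31/32
  30 permit ip 10.32.13.14/32 10.10.10.117/32
ip access-list Outbound-to-Leadership
  10 remark Allow ICMP Rules
  20 permit icmp 10.32.0.26/32 10.32.5.0/24 echo
  30 permit icmp 10.32.0.81/32 10.32.5.0/24 echo
  40 permit icmp 10.32.5.0/24 10.32.5.0/24 echo
  50 deny icmp any 10.32.5.0/24 echo
ip access-list Outbound-to-PEI
  10 remark Allow traffic to production 10.32.13.14
  15 permit ip 10.32.0.121/32 10.32.13.14/32
  20 permit ip 10.32.0.31/32 10.32.13.14/32
  30 permit ip 10.10.10.117/32 10.32.13.14/32
interface Vlan105
  ip access-group Outbound-to-Leadership out
interface Vlan113
  ip access-group Inbound-from-PEI in
  ip access-group Outbound-to-PEI out
interface Vlan701
  ip access-group PEISOURCE-OUTBOUND in
"""

ACL_RE = re.compile(r"^ip access-list (\S+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
GROUP_RE = re.compile(r"^ip access-group (\S+) (in|out)$")
# seq action protocol source destination [ports, icmp type, ...]
ACE_RE = re.compile(r"^(\d+) (permit|deny) (\S+) (\S+) (\S+)(?: (.+))?$")


def parse_aclmgr(text):
    """Return (acls, bindings).
    acls:     {acl_name: [(seq, action, proto, src, dst, extra), ...]}
    bindings: [(interface, acl_name, direction), ...] in output order.
    Remark lines, '!' comments, the version line and anything else are skipped."""
    acls, bindings = {}, []
    current_acl = current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("version "):
            continue
        if m := ACL_RE.match(line):
            current_acl, current_if = m.group(1), None
            acls.setdefault(current_acl, [])
        elif m := IFACE_RE.match(line):
            current_if, current_acl = m.group(1), None
        elif current_if and (m := GROUP_RE.match(line)):
            bindings.append((current_if, m.group(1), m.group(2)))
        elif current_acl and (m := ACE_RE.match(line)):
            seq, action, proto, src, dst, extra = m.groups()
            acls[current_acl].append((int(seq), action, proto, src, dst, extra or ""))
    return acls, bindings


def audit(acls, bindings):
    """Findings a reviewer would want to see before trusting the filter."""
    findings = []
    applied = {acl for _, acl, _ in bindings}
    for name in acls:
        if name not in applied:
            findings.append(f"ACL {name}: defined but not applied to any interface")
    for iface, acl, direction in bindings:
        if acl not in acls:
            findings.append(f"{iface} {direction}: ACL {acl} is applied but not defined in this output")
    for name, aces in acls.items():
        for seq, _action, _proto, src, dst, _extra in aces:
            for role, addr in (("source", src), ("destination", dst)):
                # A /0 prefix length compares no address bits, so the entry
                # matches every address regardless of what precedes the slash.
                if addr.endswith("/0"):
                    findings.append(f"ACL {name} seq {seq}: {role} {addr} matches any {role} (prefix length 0)")
    return findings


if __name__ == "__main__":
    acls, bindings = parse_aclmgr(SAMPLE)
    for iface, acl, direction in bindings:
        print(f"{iface:<8} {direction:<3} {acl} ({len(acls.get(acl, []))} entries)")
    for finding in audit(acls, bindings):
        print("WARNING:", finding)
```

Run against the sample above it reports that access-list 25 is defined but bound to nothing, and that sequence numbers 3 and 4 of PEISOURCE-OUTBOUND, written as 255.255.255.255/0, match any destination rather than only the broadcast address that sequence 12 (255.255.255.255/32) names. The parser deliberately skips lines it does not recognise, so output that also contains statistics or other per-ACL settings will still parse; only the permit/deny entries and the access-group bindings are interpreted.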
Jason Howe, PEI