show access-list no matches ?

Unanswered Question
May 17th, 2007


I am a new Cisco 3750G-48TS-E administrator.

To learn, I have created a simple access-list to pass all on an interface.

But when I execute : show access-list, I never see matches.

I receive :

10 permit

and never "(xxx matches)" after that line !

Is there something I must configure to see the matches ?

Thank you.


Richard Burts Thu, 05/17/2007 - 06:44

In addition to showing us the content of the access list it would be helpful if you would show us the specifics of how you apply the access list.

Also this appears to be a standard access list which examines the source address of packets. So are you sure that there were packets with source address of



iesncisco Thu, 05/17/2007 - 07:08

Thank you for this very speedy response.

I did :

bb-3750(config)#access-list 50 permit any

bb-3750(config)#int gi2/0/14

bb-3750(config-if)#ip access-group 50 in


bb-3750#sh access-lists

Standard IP access list 50

10 permit any

I also have in running-config :

interface GigabitEthernet2/0/14

switchport access vlan 222

switchport mode access

ip access-group 50 in

I then make a ping from (which is a PC on the gigabit 2/0/14 interface) to another PC ( and another ping in the other direction.

But, after that, no matches for show access-list !

jmd Thu, 05/17/2007 - 07:15

I think the problem is that this port is configured as a layer2 port and not layer3.

You have two options:

Configure it as layer3 port and give an IP address to that (no switchport command and ip address x.x.x.x y.y.y.y)

Or create an SVI (if you don't have one yet)

interface vlan222

ip address x.x.x.x y.y.y.y

and assign the access-list to this interface

Is the host connected to this switch too?

Hope it helps,
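
The replies in this thread turn on what kind of interface carries the ip access-group line. As an added example (not from the thread or from Cisco), the Python script below lists every ACL binding in a running-config and labels its interface as a layer 2 switchport, a routed port, or an SVI. The sample config is constructed, the function names are hypothetical, and it assumes Catalyst defaults where a physical port is layer 2 unless "no switchport" is configured.

```python
import re

# Constructed sample config; addresses are documentation placeholders, not from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/14
 switchport access vlan 222
 switchport mode access
 ip access-group 50 in
!
interface GigabitEthernet2/0/15
 no switchport
 ip address 192.0.2.1 255.255.255.0
 ip access-group 50 in
!
interface Vlan222
 ip address 198.51.100.1 255.255.255.0
 ip access-group 50 in
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def classify(name, commands):
    # Assumption: Catalyst-style defaults, a physical port is layer 2 unless "no switchport" is set.
    if re.match(r"(?i)vlan\s*\d+$", name):
        return "svi"
    return "routed-port" if "no switchport" in commands else "layer2-switchport"

def acl_bindings(config):
    """List (interface, kind, acl, direction) for every 'ip access-group' line."""
    found = []
    for name, commands in parse_interfaces(config).items():
        for cmd in commands:
            m = re.match(r"ip access-group (\S+) (in|out)$", cmd)
            if m:
                found.append((name, classify(name, commands), m.group(1), m.group(2)))
    return found

if __name__ == "__main__":
    print(*acl_bindings(SAMPLE_CONFIG), sep="\n")
```

Run against a saved copy of the running-config, the output gives a quick inventory of which ACLs sit on access ports and which sit on layer 3 interfaces.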


Richard Burts Thu, 05/17/2007 - 07:30

I believe that Krisztian has it exactly right. In fact I am surprised that there was not an error when you configured the ip access-group on a layer 2 port.

But certainly for the access-group and the access list to work the access-group must be assigned on a working layer 3 interface (either make the port a layer 3 interface or use the VLAN interface).



iesncisco Thu, 05/17/2007 - 07:56

Ok, I apply the access-list to vlan222 (already created with ip and not to the interface.

But I have strange results with show access-list :

ONLY a ping from host (linked to the interface gi2/0/14) to the interface address itself ( show the matches (4)

and no other pings.

The host is on another subnet on a 3com L3 switch linked to the cisco 3750 by (for my beginning tests) the default vlan 1.

I suppose I must re-read and learn better the IOS documentation. Probably there are things I have not yet understood.


