Verifying ACLs
Several basic commands are useful in confirming that ACLs are in place and doing their jobs. Those commands include the following:
- show run
- show access-lists
- show ip interface
Show Run Command
One way to see your access lists and how they're applied is to use the show run command to display the active configuration. The next lines show the output of a show run command with some of the unrelated lines removed:

Rtr1#show run
hostname Rtr1
!
interface Ethernet0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 50 out
!
interface Serial0
 ip address 192.168.96.2 255.255.255.0
 ip access-group 75 in
!
access-list 50 deny 192.168.1.10
access-list 50 permit any
access-list 75 deny 192.168.17.123
access-list 75 deny 192.168.1.10
access-list 75 permit any
!

This shows that ACL 50 is applied to Ethernet0 as an outbound access list (ip access-group 50 out) and ACL 75 is applied to Serial0 as an inbound list (ip access-group 75 in). It also shows the order of the ACL statements, which matters because an ACL is evaluated top-down and the first matching line decides the packet's fate; the implicit deny any at the end of every ACL is not displayed.
Show Access-Lists Command
The show access-lists command displays all access lists on the router, but doesn't show if or where they're applied. Another command, show ip access-lists, includes only IP access lists, which, in this case, would be exactly the same display. Both commands allow specifying an ACL number or name after the command, such as show ip access-lists 50, to display only that ACL.

Rtr1#show access-lists
Standard IP access list 50
    deny 192.168.1.10 log (23 matches) check=321
    permit any (298 matches)
Standard IP access list 75
    deny 192.168.17.123 (36 matches) check=194
    deny 192.168.1.10 (16 matches) check=158
    permit any (142 matches)
Rtr1#

If a line of the ACL has matched traffic since the last time the counters were cleared, the number of matches is displayed after that line. A deny line that never accumulates matches is worth a second look: either the traffic it was written for isn't reaching that interface, or an earlier line is catching it first. The command to clear the counters is clear access-list counters {acl-num | acl-name}, such as clear access-list counters 50; omitting the argument clears the counters of every ACL.
Show IP Interface Command
The show ip interface command can be used to tell if an inbound or an outbound access list has been applied to an interface. Rows 9 and 10 of the following output contain the information. The rest of the lines don't pertain to ACLs, so they've been omitted. You should recall that the show ip interface command displays all interfaces, but adding the interface ID, such as show ip interface s0/0, to the end of the command limits the output to that interface.

Rtr1#show ip interface
Ethernet0 is up, line protocol is up
  Internet address is 192.168.5.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is 50          <-Outbound ACL 50 applied
  Inbound access list is not set      <-No inbound ACL is applied
  Proxy ARP is enabled

Note that this output agrees with the show run output above (ip access-group 50 out on Ethernet0): when the two disagree, or when show ip interface names an ACL that show access-lists doesn't list, the interface is referencing an ACL that has no entries, and traffic is not being filtered as intended.
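The three commands above each answer part of the question (which ACLs exist, where they are applied, and which lines are firing), so a practitioner usually cross-checks them. The following is an added example, not code from the article or from Cisco: a small Python script that parses constructed copies of the show run and show access-lists output shown above and reports an ACL that is applied but not defined, defined but never applied, listed in a different order than configured, or carrying a line that has never matched. The function names (parse_run, parse_counters, verify, hit_counts) and the regular expressions are this example's own assumptions about the output format, based on the sample text on this page.

```python
"""Cross-check Cisco IOS ACL state from 'show run' and 'show access-lists'.

Added example, not from the original article. Parses constructed sample
output that mirrors the router configuration shown on the page.
"""
import re

# Constructed sample output, matching the show run excerpt on the page.
SHOW_RUN = """\
hostname Rtr1
!
interface Ethernet0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 50 out
!
interface Serial0
 ip address 192.168.96.2 255.255.255.0
 ip access-group 75 in
!
access-list 50 deny 192.168.1.10
access-list 50 permit any
access-list 75 deny 192.168.17.123
access-list 75 deny 192.168.1.10
access-list 75 permit any
!
"""

# Constructed sample output, matching the show access-lists excerpt on the page.
SHOW_ACL = """\
Standard IP access list 50
    deny 192.168.1.10 log (23 matches) check=321
    permit any (298 matches)
Standard IP access list 75
    deny 192.168.17.123 (36 matches) check=194
    deny 192.168.1.10 (16 matches) check=158
    permit any (142 matches)
"""

# Assumed line shapes, derived from the sample output above.
ACCESS_GROUP = re.compile(r"^\s+ip access-group (\S+) (in|out)\s*$")
ACL_ENTRY = re.compile(r"^access-list (\S+) (.+?)\s*$")
ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
ACL_COUNTER = re.compile(r"^\s+(.+?)(?: \((\d+) matches\))?(?: check=\d+)?\s*$")


def norm(entry):
    """Drop a trailing 'log' keyword so config and counter lines compare equal."""
    return re.sub(r"\s+log$", "", entry)


def parse_run(text):
    """Return (acls, bindings): acl -> ordered entries; interface -> {direction: acl}."""
    acls, bindings, iface = {}, {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
            bindings.setdefault(iface, {})
        elif not line.startswith(" "):
            iface = None  # '!' or a global command ends the interface block
        m = ACCESS_GROUP.match(line)
        if m and iface:
            bindings[iface][m.group(2)] = m.group(1)
            continue
        m = ACL_ENTRY.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls, bindings


def parse_counters(text):
    """Return acl -> ordered list of (entry, match count) from show access-lists."""
    counters, name = {}, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            name = m.group(1)
            counters[name] = []
            continue
        m = ACL_COUNTER.match(line)
        if m and name:
            counters[name].append((m.group(1), int(m.group(2) or 0)))
    return counters


def hit_counts(show_acl):
    """acl -> {entry: matches}, for confirming that a deny line is actually firing."""
    return {acl: {norm(e): n for e, n in rows}
            for acl, rows in parse_counters(show_acl).items()}


def verify(show_run, show_acl):
    """Return a list of findings; an empty list means both outputs agree."""
    acls, bindings = parse_run(show_run)
    counters = parse_counters(show_acl)
    findings, applied = [], set()
    for iface, dirs in bindings.items():
        for direction, acl in dirs.items():
            applied.add(acl)
            if acl not in acls:  # binding references an ACL with no lines: nothing is filtered
                findings.append(f"{iface} {direction}: ACL {acl} applied but not defined")
    for acl in acls:
        if acl not in applied:
            findings.append(f"ACL {acl} defined but not applied to any interface")
    for acl, entries in acls.items():
        seen = [norm(e) for e, _ in counters.get(acl, [])]
        if seen != [norm(e) for e in entries]:
            findings.append(f"ACL {acl}: entry order in show access-lists differs from show run")
        for entry, hits in counters.get(acl, []):
            if hits == 0:
                findings.append(f"ACL {acl}: '{entry}' has never matched")
    return findings


if __name__ == "__main__":
    for finding in verify(SHOW_RUN, SHOW_ACL) or ["ACLs consistent"]:
        print(finding)
```

Feed it the real command output captured from the router instead of the embedded samples, and extend ACL_ENTRY if your ACLs use sequence numbers or named (ip access-list) syntax, which the samples on this page do not.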