Verifying Access Lists
Objectives:
- Verify and monitor ACLs in a network environment
- Troubleshoot ACL issues
You can use three commands to verify your access list configuration. These commands are show running-config, show ip interface, and show access-lists.
show running-config
Although this command can be used to verify nearly any configuration on your Cisco router, it is especially useful when you are working with access lists. There is no other command that can quickly show you where access lists are applied without requiring you to weed through excessive amounts of output. The following output has been trimmed down for brevity.
Marge#sh running-config
Building configuration...

Current configuration : 1867 bytes
!
version 12.3
service telnet-zeroidle
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Marge
!
interface Serial 1/0
 ip address dhcp
 ip access-group 170 in
!
access-list 170 permit tcp any any established
show ip interface
This command shows you where your access lists are applied, as long as you are patient enough to weed through the excessive amounts of output. The following command views the access lists applied to interface serial 1/0. Pay particular attention to lines 10 and 11.
Marge#show ip interface serial 1/0
Serial0/1 is up, line protocol is up
  Internet address is 10.152.19.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  Peer address is 10.152.19.2
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 170
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
show ip access-lists
Initially, this command might look like a concise version of show running-config. However, it has one very handy feature that the other show commands lack: the capability to show how many packets have matched a given line in an access list. This capability can be critical in times of troubleshooting and verification. In the following example, you can see that there is a single access list (30) that has three lines. Next to each line, the number of packets that have matched that entry is displayed.
Marge#show ip access-lists
Standard IP access list 30
    permit 10.0.0.0, wildcard bits 0.255.255.255 (94 matches)
    permit 172.16.0.0, wildcard bits 0.0.255.255 (82 matches)
    deny   any (250 matches)
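Reading the match counters by eye works for one three-line list, but on a router with many ACLs it helps to parse the output. The following Python script is an added example, not part of the original text: it parses show ip access-lists output into per-entry records and flags entries whose counter has never incremented (a common sign of a misordered or dead rule). The sample output is constructed from the page's ACL 30 plus a hypothetical extended ACL 170 with sequence numbers, so the parser is exercised on both formats.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the page's output; ACL 170 is hypothetical.
SAMPLE = """\
Marge#show ip access-lists
Standard IP access list 30
    permit 10.0.0.0, wildcard bits 0.255.255.255 (94 matches)
    permit 172.16.0.0, wildcard bits 0.0.255.255 (82 matches)
    deny   any (250 matches)
Extended IP access list 170
    10 permit tcp any any established (12 matches)
    20 deny ip any any
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# Optional sequence number, action, rule text, optional "(N matches)" suffix.
ENTRY = re.compile(r"^(?:(\d+)\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")


def parse_access_lists(text: str) -> Dict[str, List[dict]]:
    """Return {acl_name: [entry, ...]}; an entry with no counter printed is 0 matches."""
    acls: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = header.group(2)
            acls[current] = []
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            seq, action, rule, hits = entry.groups()
            acls[current].append({
                "seq": int(seq) if seq else None,
                "action": action,
                "rule": rule.strip(),
                "matches": int(hits) if hits else 0,
            })
    return acls


def unused_entries(acls: Dict[str, List[dict]]) -> List[Tuple[str, str]]:
    """Entries that have never matched: check for shadowing by an earlier line."""
    return [(name, e["rule"]) for name, entries in acls.items()
            for e in entries if e["matches"] == 0]


def total_denied(acls: Dict[str, List[dict]], name: str) -> int:
    """Packets dropped by the deny lines of one ACL, e.g. to spot a noisy catch-all deny."""
    return sum(e["matches"] for e in acls[name] if e["action"] == "deny")
```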