Config Router

You are here: Home / CCNA / Verifying Access Lists

Verifying Access Lists

by

Verifying Access Lists

Objectives:

  • Verify and monitor ACLs in a network environment
  • Troubleshoot ACL issues

You can use three commands to verify your access list configuration. These commands are show running-config, show ip interface, and show access-lists.

show running-config

Although this command can be used to verify nearly any configuration on your Cisco router, it is especially useful when you are working with access lists. There is no other command that can quickly show you where access lists are applied without requiring you to weed through excessive amounts of output. The following output has been trimmed down for brevity.

Marge#sh running-config
Building configuration...
Current configuration : 1867 bytes
!
version 12.3
service telnet-zeroidle
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Marge
!
 interface Serial 1/0
ip address dhcp
ip access-group 170 in
!
access-list 170 permit tcp any any established

show ip interface

This command shows you where your access lists are applied, as long as you are patient enough to weed through the excessive amounts of output. The following command views the access lists applied to interface serial 1/0. Pay particular attention to lines 10 and 11.

Marge#show ip interface serial 1/0
Serial0/1 is up, line protocol is up
Internet address is 10.152.19.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
Peer address is 10.152.19.2
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 170
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled

show ip access-lists

Initially, this command might look like a concise version of show running-config. However, it has one very handy feature that the other show commands lack: the capability to show how many packets have matched a given line in an access-list. This capability can be critical in times of troubleshooting and verification. In the following example, you can see that there is a single access list (30) that has three lines. Next to each line, the number of packets that have matched those entries is displayed.

Marge#show ip access-lists
Standard IP access list 30
permit 10.0.0.0, wildcard bits 0.255.255.255 (94 matches)
permit 172.16.0.0, wildcard bits 0.0.255.255 (82 matches)
deny any (250 matches)