Monitoring Access Lists

Again, it’s always good to be able to verify a router’s configuration. Table 7.12 lists the
commands you can use:
You’ve already seen how to use the show running-config command to verify that a
named access list was in the router as well as a MAC access list on a layer-2 switch. So now
I’ll show the output from some of the other commands.
The show access-list command lists every access list on the router, whether or not it is
applied to an interface:
Lab_A#show access-list
Standard IP access list 10
deny 172.16.40.0, wildcard bits 0.0.0.255
permit any
Standard IP access list BlockSales
deny 172.16.40.0, wildcard bits 0.0.0.255
permit any
Extended IP access list 110
deny tcp any host 172.16.30.5 eq ftp
deny tcp any host 172.16.30.5 eq telnet
permit ip any any
Lab_A#
First, notice that both access list 10 and the named access list appear in this output. Second,
notice that even though I entered actual port numbers for the TCP ports in access list 110, the show
command displays the protocol names rather than the port numbers for readability (hey, not everyone
has them all memorized!).
Here’s the output of the show ip interface command:
Lab_A#show ip interface e1
Ethernet1 is up, line protocol is up
Internet address is 172.16.30.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is BlockSales
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
Web Cache Redirect is disabled
BGP Policy Mapping is disabled
Lab_A#
Be sure to notice the line indicating that the outgoing list on this interface is BlockSales,
but the inbound access list isn't set.
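To turn these two show commands into a repeatable check, here is an added Python example (not from the book) that parses constructed show access-list and show ip interface output and flags lists that are defined but applied nowhere, as well as names applied to an interface that no access list defines. The interface names, the Old_ACL name and the sample output are assumptions modelled on the listings above.

```python
import re
# Constructed sample output, modelled on this page's show access-list and show ip
# interface listings; not from a real device. Old_ACL is a made-up dangling name.
SHOW_ACCESS_LIST = """\
Standard IP access list 10
    permit any
Standard IP access list BlockSales
    deny   172.16.40.0, wildcard bits 0.0.0.255
    permit any
Extended IP access list 110
    deny tcp any host 172.16.30.5 eq telnet
    permit ip any any
"""
SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Outgoing access list is not set
  Inbound access list is Old_ACL
Ethernet1 is up, line protocol is up
  Outgoing access list is BlockSales
  Inbound access list is not set
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)$", re.M)
INTF_HEADER = re.compile(r"^(\S+) is (?:up|down|administratively down),")
APPLIED = re.compile(r"^\s+(Outgoing|Inbound) access list is (.+)$")

def defined_access_lists(text):
    """Every ACL name or number the router has defined (show access-list)."""
    return set(ACL_HEADER.findall(text))

def applied_access_lists(text):
    """Interface -> {'in': name, 'out': name}; None where a list is not set."""
    applied, intf = {}, None
    for line in text.splitlines():
        m = INTF_HEADER.match(line)
        if m:
            intf = m.group(1)
            applied[intf] = {"in": None, "out": None}
            continue
        m = APPLIED.match(line)
        if m and intf:
            name = m.group(2).strip()
            applied[intf]["in" if m.group(1) == "Inbound" else "out"] = None if name == "not set" else name
    return applied

def audit(acl_text, intf_text):
    """Unused: defined but applied nowhere. Dangling: applied but undefined (filters nothing)."""
    defined = defined_access_lists(acl_text)
    in_use = {n for d in applied_access_lists(intf_text).values() for n in d.values() if n}
    return {"unused": sorted(defined - in_use), "dangling": sorted(in_use - defined)}
```

Feed it the real output of show access-list and show ip interface (every interface, not just one) to spot lists that were written but never applied, or interface references left behind after a list was deleted.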
As I’ve already mentioned, you can use the show running-config command to see all
access lists. However, on a layer-2 switch, you can verify your interface configurations with
the show mac access-group command:
S1#sh mac access-group
Interface FastEthernet0/1:
Inbound access-list is not set
Outbound access-list is not set
Interface FastEthernet0/2:
Inbound access-list is not set
Outbound access-list is not set
S1#
If you've set MAC access lists on many interfaces, you can add the interface keyword to
view a single interface:
S1#sh mac access-group interface f0/6
Interface FastEthernet0/6:
Inbound access-list is Todd_MAC_List
Outbound access-list is not set