 How to know that the access list is working
What command can I use to show that the access control list (<a href="http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci213757,00.html" target="_blank">ACL</a>) is working?

ASKED: November 7, 2008  9:45 PM
UPDATED: August 11, 2009  12:47 AM

Answer Wiki:
You can use the “show IP accesslist” command to know how many hits there are.

===============

For more education check out this video on <a href="http://happyrouter.com/happyrouter/free-video-harden-your-cisco-router-with-ios-acls">Hardening your Cisco router with IOS ACL's</a>

You can also use the following command:

sho access-list

Here is the sample output of this command:

MBBM-PRM-3550-AS01#sho access-lists
Standard IP access list 10
    10 permit 10.0.0.11 log
    20 permit 10.0.0.8 log
    30 permit 10.0.0.9 log
    40 permit 10.0.0.12 log
    50 permit 10.0.0.2 log
    60 permit 10.0.0.1 log
    70 permit 10.0.0.6 log
    80 permit 10.0.0.7 log
    90 permit 10.0.0.4 log
    100 permit 10.0.0.5 log
    110 permit 50.0.0.4 log
    120 permit 10.20.0.98 log
    130 permit 10.20.0.99 log
    140 deny any log
Standard IP access list 11
    10 permit 10.0.0.11 log
    20 permit 10.0.0.8 log
    30 permit 10.0.0.9 log
    40 permit 10.0.0.12 log
    50 permit 10.0.0.2 log
    60 permit 10.0.0.1 log
    70 permit 10.0.0.6 log
    80 permit 10.0.0.7 log
    90 permit 10.0.0.4 log
    100 permit 10.0.0.5 log
    110 permit 50.0.0.4 log
    120 permit 10.20.0.98 log
    130 permit 10.20.0.99 log
    140 deny any log
Standard IP access list 12
    10 permit 10.0.0.11 log
    20 permit 10.0.0.8 log
    30 permit 10.0.0.9 log
    40 permit 10.0.0.12 log
    50 permit 10.0.0.2 log
    60 permit 10.0.0.1 log
    70 permit 10.0.0.6 log
    80 permit 10.0.0.7 log (98104 matches)
    90 permit 10.0.0.4 log
    100 permit 10.0.0.5 log (2418 matches)
    110 permit 50.0.0.4 log
    120 permit 10.20.0.98 log
    130 permit 10.20.0.99 log
    140 deny any log
Extended IP access list 102
    10 permit tcp host 10.0.0.1 any eq telnet log (236 matches)
    20 permit tcp host 10.0.0.2 any eq telnet log
    30 permit tcp host 10.0.0.4 any eq telnet log
    40 permit tcp host 10.0.0.5 any eq telnet log (4 matches)
    50 permit tcp host 10.0.0.6 any eq telnet log
    60 permit tcp host 10.0.0.7 any eq telnet log
    70 permit tcp host 10.0.0.8 any eq telnet log
    80 permit tcp host 10.0.0.9 any eq telnet log
    90 permit tcp host 10.0.0.10 any eq telnet log
    100 permit tcp host 10.0.0.11 any eq telnet log
    110 permit tcp host 10.20.0.98 any eq telnet log
    120 permit tcp host 10.20.0.99 any eq telnet log
    130 permit tcp host 50.0.0.2 any eq telnet log (4 matches)
    140 permit tcp host 50.0.0.4 any eq telnet log
    150 permit tcp host 10.50.0.20 any eq telnet log
    160 deny ip any any log
Last Wiki Answer Submitted:  November 15, 2008  10:31 am  by  Labnuke99   32,645 pts.
All Answer Wiki Contributors:  Labnuke99   32,645 pts. , Sudhanshu   810 pts.


Discuss This Question:
You have collected a lot of information about how to see ACLs in routers as well as switches.
After putting the command Sh Access-lists, if matches are generating in your access-list, it means your access-list is working absolutely fine in the network.
You can check it out in your live network. Please be careful if you are going to delete an access-list in your running network.
Suppose you want to delete any access-list; please never use the no access-list 102 command.
If you do so, your entire access-list 102 will be deleted. So please be cautious & use the command:
Router(config)#ip access-list extended 102
Router(config-list)#no 10 permit tcp host 10.0.0.1 any eq telnet log
Router(config-list)#exit

Then only that sequence no. of the access-list will be erased & the others will remain as they were.

For any further query & doubt, please write me on my email ID: bhupendra_singh007@yahoo.co.in

Thanks & Regards,
Bhupendra Singh

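Both the Answer Wiki and the comment above make the same point: the match counters in "show access-lists" are the evidence that an ACL is actually being hit. The parser below is an added example (not from the original thread or from Cisco) that reads that output and flags ACLs whose counters are all zero, which usually means the list is not applied to any interface, or is applied in the wrong direction. The sample text is constructed from the output quoted on this page, trimmed to a few entries; counters are cumulative until "clear access-list counters" is run.

```python
import re

# Constructed sample, trimmed from the show access-lists output quoted in the Answer Wiki.
SAMPLE = """\
MBBM-PRM-3550-AS01#sho access-lists
Standard IP access list 10
    10 permit 10.0.0.11 log
    140 deny   any log
Standard IP access list 12
    10 permit 10.0.0.11 log
    80 permit 10.0.0.7 log (98104 matches)
    100 permit 10.0.0.5 log (2418 matches)
    140 deny   any log
Extended IP access list 102
    10 permit tcp host 10.0.0.1 any eq telnet log (236 matches)
    20 permit tcp host 10.0.0.2 any eq telnet log
    160 deny ip any any log
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
ENTRY = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

def parse_access_lists(text):
    """Return {acl_name: [(seq, action, rule, matches), ...]} from show access-lists output.
    Entries without a "(N matches)" suffix have never been hit and are recorded as 0."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(2)
            acls[current] = []
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            seq, action, rule, hits = m.groups()
            acls[current].append((int(seq), action, rule.strip(), int(hits or 0)))
    return acls

def acl_health(acls):
    """Per ACL: total hits, entries never matched, and hits on deny lines.
    Zero hits on every entry means the ACL is probably not applied (or applied the wrong way);
    hits on the deny lines show traffic the list is actually blocking."""
    report = {}
    for name, entries in acls.items():
        total = sum(e[3] for e in entries)
        report[name] = {
            "total_matches": total,
            "applied": total > 0,
            "unmatched_seqs": [e[0] for e in entries if e[3] == 0],
            "deny_hits": sum(e[3] for e in entries if e[1] == "deny"),
        }
    return report
```

Run it against the output of a real "show access-lists" (or the "show ip access-lists" the wiki mentions) and look first at ACLs reported as not applied, then at deny lines with zero hits on lists that should be blocking something.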