Verifying ACLs

Verifying ACLs

Several basic commands are useful in confirming that ACLs are in place and doing their jobs. Those commands include the following:

  • Show run

  • Show access lists

  • Show IP interfaces

Show Run Command

One way to see your access lists and how they’re applied is to use the show run command to see the active configuration. The next lines show the output of a show run command with some of the unrelated lines removed:

 Rtr1#show run
hostname Rtr1
interface Ethernet0
 ip address
 ip access-group 50 out
interface Serial0
 ip address
 ip access-group 75 in
access-list 50 deny ?? 
access-list 50 permit any
access-list 75 deny ??
access-list 75 deny ??
access-list 75 permit any

This shows that ACL 50 is applied to Ethernet 0 as an inbound access list and ACL 75 is applied to Serial 0 as an outbound list. It also shows the order of the ACL statements.

Show Access-Lists Command

The show access-lists command displays all access lists on the router, but doesn’t show if or where they’re applied. Another command—show ip access-lists—would include only IP access lists, which, in this case, would be exactly the same display. Both commands allow specifying an ACL number or name after the command, such as show ip access-lists 50, to display only that ACL.

 Rtr1#show access-lists
Standard IP access list 50
 ???deny ?? log (23 matches) check=321
 ???permit any (298 matches)
Standard IP access list 75
 ???deny ?? (36 matches) check=194
 ???deny ?? (16 matches) check=158
 ???permit any (142 matches)

If the ACL has used the results since the last time the counters were cleared, the number of matches will display after each line. The command to clear the results is clear access-list counters {acl-num | acl-name}, like clear access-list counters 50.

Show IP Interfaces Command

The show ip interface command can be used to tell if an inbound or an outbound access list has been applied to an interface. Rows 9 and 10 of the following output contain the information. The rest of the lines don’t pertain to ACLs, so they’ve been omitted. You should recall that the show ip interface command displays all interfaces, but adding the interface ID, such as show ip interface s0/0, to the end of the command limits the output to that interface.

Rtr1#show ip interface
Ethernet0 is up, line protocol is up
 ?Internet address is
 ?Broadcast address is
 ?Address determined by non-volatile memory
 ?MTU is 1500 bytes
 ?Helper address is not set
 ?Directed broadcast forwarding is disabled
 ?Multicast reserved groups joined:
  Outgoing access list is 50 ???????????????<-Outbound ACL 50 applied
  Inbound ?access list is not set ??????????<-No inbound ACL is applied
  Proxy ARP is enabled.

Part III: Virtual Private Networks (VPNs)