Verifying ACLs

Several basic commands are useful in confirming that ACLs are in place and doing their jobs. Those commands include the following:

  • Show run

  • Show access lists

  • Show IP interfaces

Show Run Command

One way to see your access lists and how they’re applied is to use the show run command to see the active configuration. The next lines show the output of a show run command with some of the unrelated lines removed:

Rtr1#show run
hostname Rtr1
!
interface Ethernet0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 50 out
!
interface Serial0
 ip address 192.168.96.2 255.255.255.0
 ip access-group 75 in
!
access-list 50 deny   192.168.1.10
access-list 50 permit any
access-list 75 deny   192.168.17.123
access-list 75 deny   192.168.1.10
access-list 75 permit any
!

This shows that ACL 50 is applied to Ethernet 0 as an outbound access list (ip access-group 50 out) and ACL 75 is applied to Serial 0 as an inbound list (ip access-group 75 in). It also shows the order of the ACL statements, which matters because the router evaluates them top to bottom and stops at the first match.
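Reading show run by eye works for two ACLs, but a verification pass on a larger configuration should be mechanical. The following script is an added example, not from the book; it parses the show run excerpt above (re-typed here as a constructed sample) into the ACL statements and the interfaces each ACL is applied to, then flags the mismatches a verification pass is meant to catch: an ACL defined but never applied, an ACL referenced by ip access-group but never defined, and an ACL with no permit line, which the implicit deny at the end turns into a drop-everything filter.

```python
import re

# Constructed sample: the page's show run excerpt with the extraction debris removed.
SHOW_RUN = """\
interface Ethernet0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 50 out
!
interface Serial0
 ip address 192.168.96.2 255.255.255.0
 ip access-group 75 in
!
access-list 50 deny   192.168.1.10
access-list 50 permit any
access-list 75 deny   192.168.17.123
access-list 75 deny   192.168.1.10
access-list 75 permit any
"""

def parse_show_run(text):
    """Return (acls, applied): ACL number -> ordered statements, and
    ACL number -> (interface, direction) pairs from ip access-group lines."""
    acls, applied, iface = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s+ip access-group (\S+) (in|out)\b", line)
        if m and iface:
            applied.setdefault(m.group(1), []).append((iface, m.group(2)))
            continue
        m = re.match(r"access-list (\S+) (permit|deny)\s+(.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    return acls, applied

def audit_acls(text):
    """Flag defined-but-unapplied ACLs (nothing filtered), applied-but-undefined
    ones (the reference filters nothing) and ACLs with no permit (implicit deny)."""
    acls, applied = parse_show_run(text)
    findings = []
    for acl in sorted(set(acls) | set(applied)):
        if acl not in applied:
            findings.append(f"ACL {acl}: defined but not applied to any interface")
        if acl not in acls:
            findings.append(f"ACL {acl}: applied but never defined")
        elif not any(action == "permit" for action, _ in acls[acl]):
            findings.append(f"ACL {acl}: no permit statement, implicit deny drops everything")
    return findings
```

Feed it the real output of show run (or show running-config | include interface|access-group|access-list) and an empty findings list means every ACL is both defined and attached to an interface in the direction you expect.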

Show Access-Lists Command

The show access-lists command displays all access lists on the router, but doesn’t show if or where they’re applied. Another command—show ip access-lists—would include only IP access lists, which, in this case, would be exactly the same display. Both commands allow specifying an ACL number or name after the command, such as show ip access-lists 50, to display only that ACL.

Rtr1#show access-lists
Standard IP access list 50
    deny   192.168.1.10 log (23 matches) check=321
    permit any (298 matches)
Standard IP access list 75
    deny   192.168.17.123 (36 matches) check=194
    deny   192.168.1.10 (16 matches) check=158
    permit any (142 matches)
Rtr1#

If an ACL statement has matched any packets since the last time the counters were cleared, the number of matches is displayed after that line. The command to clear the counters is clear access-list counters {acl-num | acl-name}, for example clear access-list counters 50.

Show IP Interfaces Command

The show ip interface command can be used to tell if an inbound or an outbound access list has been applied to an interface. Rows 9 and 10 of the following output contain the information. The rest of the lines don’t pertain to ACLs, so they’ve been omitted. You should recall that the show ip interface command displays all interfaces, but adding the interface ID, such as show ip interface s0/0, to the end of the command limits the output to that interface.

Rtr1#show ip interface
Ethernet0 is up, line protocol is up
  Internet address is 192.168.5.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is 50                <-Outbound ACL 50 applied
  Inbound  access list is not set           <-No inbound ACL is applied
  Proxy ARP is enabled.
