After you have configured all your access lists, it is important that you review your entries and determine whether you are filtering traffic in the manner intended. Many different methods exist to monitor and verify access lists. For the scope of this book and the CCNA exam, we will illustrate only two of the more basic methods. Refer to the Cisco Command Reference to identify some of the other methods used to monitor access lists.

To determine which access lists you have applied to specific interfaces, use the show ip interface command as follows:

    NFLD# show ip interface
    Ethernet 0 is up, line protocol is up
      Internet address is 172.16.4.4, subnet mask is 255.255.255.0
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      No helper address
      No secondary address
      Outgoing access list 5 is set
      Inbound access list is not set
      Proxy ARP is enabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      Gateway Discovery is disabled
      IP accounting is disabled
      TCP/IP header compression is disabled
    NFLD#

The entry identifying the outbound access list (Outgoing access list 5 is set) is highlighted.

To get a more detailed look at the type of access lists you have applied, use the show access-lists command as follows:

    NFLD>show access-lists
    Standard IP access list 5
        permit 172.16.14.0, wildcard bits 0.0.0.255
        deny 172.16.3.5, wildcard bits 0.0.0.0
        permit 172.16.4.0, wildcard bits 0.0.0.255
        permit 172.16.12.4, wildcard bits 0.0.0.0
    Extended IP access list 105
        permit tcp 172.16.14.0 0.0.0.255 172.16.4.0 eq 23
        permit udp host 172.16.14.2 host 172.16.4.4 eq 69
        permit tcp host 172.16.14.3 any any
        deny 0.0.0.0 255.255.255.255
    NFLD>
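Reading the two listings by eye tells you which list is applied where and what its entries are, but not whether a given source address actually ends up permitted or denied. The following Python script is an added example, not code from the book or from Cisco: it parses captured text of show access-lists and show ip interface, evaluates a standard IP access list top-down with the same wildcard-mask logic IOS uses (a wildcard bit of 1 means "don't care"), and applies the implicit deny that ends every list (note that standard list 5 above has no explicit deny-all entry, unlike extended list 105). The sample output is constructed from the NFLD router listings; the parser additionally tolerates optional sequence numbers and host entries shown without "wildcard bits", which go beyond this page's output. The intended-policy table and the mismatch report are assumptions for the sake of illustration.

```python
"""Offline check of Cisco IOS standard ACL filtering from captured 'show' output.

Added example (not from the book or Cisco). Parses 'show access-lists' and
'show ip interface' text, then evaluates which source addresses a standard
access list permits or denies, including the implicit deny at the end.
"""
import ipaddress
import re

# Constructed sample output, modelled on the NFLD router listings.
SHOW_ACCESS_LISTS = """\
Standard IP access list 5
    permit 172.16.14.0, wildcard bits 0.0.0.255
    deny   172.16.3.5, wildcard bits 0.0.0.0
    permit 172.16.4.0, wildcard bits 0.0.0.255
    permit 172.16.12.4, wildcard bits 0.0.0.0
Extended IP access list 105
    permit tcp 172.16.14.0 0.0.0.255 172.16.4.0 eq 23
    deny 0.0.0.0 255.255.255.255
"""

SHOW_IP_INTERFACE = """\
Ethernet 0 is up, line protocol is up
  Internet address is 172.16.4.4, subnet mask is 255.255.255.0
  Outgoing access list 5 is set
  Inbound access list is not set
"""

STD_HEADER = re.compile(r"^Standard IP access list (\d+)")
# Optional sequence number, action, network, optional ", wildcard bits X".
STD_ENTRY = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s+wildcard bits\s+(\d+\.\d+\.\d+\.\d+))?"
)
IF_HEADER = re.compile(r"^(.+?) is (?:up|down|administratively down), line protocol")
IF_ACL = re.compile(r"^\s*(Outgoing|Inbound) access list (?:(\S+) is set|is not set)")


def parse_standard_acls(text):
    """Return {acl_number: [(action, network_int, wildcard_int), ...]}.

    Entries under extended (or any non-standard) list headers are skipped.
    """
    acls, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # any list header resets context
            m = STD_HEADER.match(line)
            current = int(m.group(1)) if m else None
            if current is not None:
                acls[current] = []
            continue
        m = STD_ENTRY.match(line)
        if m and current is not None:
            action, net, wild = m.group(1), m.group(2), m.group(3) or "0.0.0.0"
            acls[current].append((action,
                                  int(ipaddress.IPv4Address(net)),
                                  int(ipaddress.IPv4Address(wild))))
    return acls


def parse_ip_interface(text):
    """Return {interface: {'out': acl_or_None, 'in': acl_or_None}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = IF_HEADER.match(line)
        if m:
            current = m.group(1)
            result[current] = {"out": None, "in": None}
            continue
        m = IF_ACL.match(line)
        if m and current is not None:
            direction = "out" if m.group(1) == "Outgoing" else "in"
            result[current][direction] = m.group(2)  # None when 'is not set'
    return result


def wildcard_match(addr, network, wildcard):
    """Compare only the bits where the wildcard is 0 (1 bits are 'don't care')."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (network & care)


def evaluate_standard(acl, src_ip):
    """First matching entry wins; no match means the implicit deny applies."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


def check_filtering(show_acl_text, show_if_text, intended):
    """intended: [(interface, 'in'|'out', src_ip, expected_action), ...].

    Returns (interface, src_ip, actual, expected) for every disagreement.
    An interface with no list applied in that direction permits everything.
    """
    acls = parse_standard_acls(show_acl_text)
    ifaces = parse_ip_interface(show_if_text)
    mismatches = []
    for iface, direction, src, expected in intended:
        acl_num = ifaces[iface][direction]
        actual = "permit" if acl_num is None else evaluate_standard(acls[int(acl_num)], src)
        if actual != expected:
            mismatches.append((iface, src, actual, expected))
    return mismatches


if __name__ == "__main__":
    # Hypothetical intended policy for list 5 on Ethernet 0, outbound.
    INTENDED = [
        ("Ethernet 0", "out", "172.16.14.77", "permit"),
        ("Ethernet 0", "out", "172.16.3.5", "deny"),
        ("Ethernet 0", "out", "172.16.3.6", "deny"),    # only the implicit deny catches this
        ("Ethernet 0", "out", "172.16.12.4", "permit"),
        ("Ethernet 0", "out", "172.16.12.5", "deny"),
    ]
    for item in check_filtering(SHOW_ACCESS_LISTS, SHOW_IP_INTERFACE, INTENDED):
        print("MISMATCH", item)
```

Feed it the real command output pasted from the router and a table of the addresses you care about; an empty mismatch list means the applied list behaves as intended for those addresses, while a listed tuple points at the entry whose order or wildcard mask needs another look.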