Monitoring and Verifying Access Lists

After you have configured all your access lists, it is important that you review your entries and determine whether you are filtering traffic in the manner intended. Many different methods exist to monitor and verify access lists. For the scope of this book and the CCNA exam, we will illustrate only two of the more basic methods. Refer to the Cisco Command Reference to identify some of the other methods used to monitor access lists. To determine which access lists you have applied to specific interfaces, use the show ip interface command as follows:

    NFLD# show ip interface
    Ethernet 0 is up, line protocol is up
         Internet address is 172.16.4.4, subnet mask is 255.255.255.0
         Broadcast address is 255.255.255.255
         Address determined by non-volatile memory
         No helper address
         No secondary address
         Outgoing access list 5 is set
         Inbound access list is not set
         Proxy ARP is enabled
         Security level is default
         Split horizon is enabled
         ICMP redirects are always sent
         ICMP unreachables are always sent
         ICMP mask replies are never sent
         IP fast switching is enabled
         Gateway Discovery is disabled
         IP accounting is disabled
         TCP/IP header compression is disabled
    NFLD#

The line reading Outgoing access list 5 is set identifies the access list applied outbound on the interface; the next line, Inbound access list is not set, shows that no list is applied inbound. To get a more detailed look at the type of access lists you have applied, use the show access-lists command as follows:

    NFLD>show access-lists
    Standard IP access list 5
        permit 172.16.14.0, wildcard bits 0.0.0.255
        deny 172.16.3.5, wildcard bits 0.0.0.0
        permit 172.16.4.0, wildcard bits 0.0.0.255
        permit 172.16.12.4, wildcard bits 0.0.0.0
    Extended IP access list 105
        permit tcp 172.16.14.0 0.0.0.255 172.16.4.0 eq 23
        permit udp host 172.16.14.2 host 172.16.4.4 eq 69
        permit tcp host 172.16.14.3 any any
        deny 0.0.0.0 255.255.255.255
    NFLD>

Standard access lists apply to a group of addresses, whereas extended access lists can apply to a specific port or user.
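Reading the show access-lists output by eye does not tell you what a given source address will actually do against the list. The following script is an added example, not from the book: it parses the standard-list portion of output in the format shown above (the sample text is constructed from that output) and evaluates test source addresses against list 5 using first-match order, wildcard-bit semantics and the implicit deny at the end of every list.

```python
import ipaddress
import re

# Constructed sample, in the format of the show access-lists output above.
SHOW_ACCESS_LISTS = """\
Standard IP access list 5
    permit 172.16.14.0, wildcard bits 0.0.0.255
    deny   172.16.3.5, wildcard bits 0.0.0.0
    permit 172.16.4.0, wildcard bits 0.0.0.255
    permit 172.16.12.4, wildcard bits 0.0.0.0
Extended IP access list 105
    permit tcp 172.16.14.0 0.0.0.255 172.16.4.0 eq 23
"""

STD_ENTRY = re.compile(r"^\s*(permit|deny)\s+(\S+?),\s+wildcard bits\s+(\S+)\s*$")

def parse_standard_acls(text):
    """Return {list_number: [(action, addr_int, wildcard_int), ...]} for the
    standard lists only, keeping entries in the order IOS prints them."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Standard IP access list (\d+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        if line.startswith("Extended"):
            current = None      # extended entries use a different grammar
            continue
        m = STD_ENTRY.match(line)
        if m and current is not None:
            action, addr, wild = m.groups()
            current.append((action, int(ipaddress.IPv4Address(addr)),
                            int(ipaddress.IPv4Address(wild))))
    return acls

def evaluate(entries, source_ip):
    """First-match evaluation with the implicit deny at the end. A wildcard
    bit of 1 means 'don't care', so only bits where the wildcard is 0 are compared."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild in entries:
        if (src & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF):
            return action
    return "deny"       # implicit deny any at the end of every access list

if __name__ == "__main__":
    acl5 = parse_standard_acls(SHOW_ACCESS_LISTS)["5"]
    for ip in ("172.16.14.7", "172.16.3.5", "172.16.12.4", "172.16.12.9"):
        print(f"{ip:<14} -> {evaluate(acl5, ip)}")
```

Feed it the pasted output of show access-lists from your own router and a list of source addresses you expect to be permitted or denied; any mismatch points at a wrong wildcard mask or a mis-ordered entry.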




CCNA Exam Cram[tm] 2 (Exams 640-821, 640-811, 640-801)
ISBN: 789730197
Year: 2005
Pages: 155
