Access List Commands
| Command | Description |
| show access-lists | Displays all access lists and their parameters configured on the router. This command doesn't show which interface the list is configured on. |
| show access-list [list #] | Shows only the parameters for the access list specified. This command does not show you the interface the list is configured on. |
| show ip access-list | Shows only the IP access lists configured on the router. |
| show ip interface | Shows which interfaces have IP access lists on them. |
| show running-config | Shows the access lists and which interfaces have access lists set. |
| any | Keyword used to represent all hosts or networks; replaces 0.0.0.0 255.255.255.255 in an access list. |
| host | Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e., it will match only one host). |
| clear access-list counter [list#] | Clears the extended access list counters that record the number of matches per line of the access list. |
| -1 | Applies to any IPX network or any protocol when used in extended IPX access lists. |
| 0 | Used for all sockets in extended IPX access lists. |
| ip access-group | Applies an IP access list to an interface. |
Access List Ranges
| Access List Type | Number |
| Standard IP Access Lists | 1-99 |
| Extended IP Access Lists | 100-199 |
Standard Access List Syntax
IP
access-list 1-99 {permit|deny} address mask
| Variable | Definition |
| 1-99 | Standard IP access lists are represented by a number ranging from 1-99 or text names with IOS 11.2 or greater. |
| {permit|deny} | Used to specify the nature of the access list, either a permit or deny statement. |
| address | The IP address of the source. |
| mask | A wildcard mask, or inverse mask, applied to determine which bits of source address are significant. |
Extended Access List Syntax
IP
access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq]
[source-port] destination dest-mask [lt|gt|eq|neq] [dest-port] [log]
| Variable | Definition |
| 100-199 | Extended IP access lists are represented by a number ranging from 100-199 or text names with IOS 11.2 or greater. |
| {permit|deny} | Used to specify the nature of the access list, either a permit or deny statement. |
| {ip|tcp|udp|icmp} | The IP protocol to be filtered; can be IP (includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others. |
| source | The IP address of the source. |
| source-mask | A wildcard mask, or inverse mask, applied to determine which bits of source address are significant. |
| [lt|gt|eq|neq] | Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports. |
| [source-port] | If necessary, the source port number of the protocol to be filtered. |
| destination | The IP address of the destination. |
| dest-mask | A wildcard mask, or inverse mask, applied to determine which bits of destination address are significant. |
| [lt|gt|eq|neq] | Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports. |
| [dest-port] | If necessary, the destination port number of the protocol to be filtered. |
| [log] | Turns on logging of access list activity. |
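
Added example (not part of the original page): a small Python evaluator for extended IP access list lines in the syntax above, showing how wildcard masks, the any and host keywords and the lt/gt/eq/neq port operators decide whether a packet matches. It assumes numeric ports only, top-down first-match evaluation and the implicit deny that ends every IOS access list; the list 101 entries and all addresses are constructed.

```python
import ipaddress

ACL = [  # constructed sample list in the extended syntax above, not from the page
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23",
    "access-list 101 permit tcp host 10.0.0.5 gt 1023 172.16.0.0 0.0.255.255 eq 80 log",
    "access-list 101 permit icmp any any",
]

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok):
    """Consume 'any', 'host A' or 'A wildcard'; return (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":                    # any    == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if first == "host":                   # host A == A 0.0.0.0
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def take_port(tok):
    if tok and tok[0] in ("lt", "gt", "eq", "neq"):   # optional operator + numeric port
        return tok.pop(0), int(tok.pop(0))
    return None

def parse(line):
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("not an extended IP access-list line")
    rest = tok[4:]                        # a trailing 'log' is left unread
    return {"action": tok[2], "proto": tok[3], "src": take_addr(rest), "sport": take_port(rest),
            "dst": take_addr(rest), "dport": take_port(rest)}

def addr_ok(spec, addr):
    base, wild = spec                     # wildcard bit 0 = compare, 1 = ignore
    return ((base ^ ip(addr)) & ~wild & 0xFFFFFFFF) == 0

def port_ok(spec, port):
    op, n = spec or ("none", 0)           # no operator on the line: any port matches
    return {"lt": port < n, "gt": port > n, "eq": port == n, "neq": port != n, "none": True}[op]

def evaluate(lines, proto, src, sport, dst, dport):
    """Return (action, 1-based matching line), or ('deny', None) for the implicit deny."""
    for i, ace in enumerate(map(parse, lines), 1):
        if (ace["proto"] in ("ip", proto)
                and addr_ok(ace["src"], src) and port_ok(ace["sport"], sport)
                and addr_ok(ace["dst"], dst) and port_ok(ace["dport"], dport)):
            return ace["action"], i
    return "deny", None
```

A result of ('deny', None) means no line matched, so that traffic never increments the per-line match counters shown by show access-lists.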