Network Bulls
www.networkbulls.com
Again, it’s always good to be able to verify a router’s configuration. Table 7.1 lists the commands
that can be used to verify the configuration.
We’ve already used the show running-config command to verify that a named access list
was in the router as well as a MAC access list on a layer 2 switch. So, now let’s take a look
at the output from some of the other commands.
TABLE 7.1 Commands Used to Verify Access List Configuration
Command | Effect
show access-list | Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
show access-list 110 | Shows only the parameters for access list 110. This command does not show you the interface the list is set on.
show ip access-list | Shows only the IP access lists configured on the router.
show ip interface | Shows which interfaces have access lists set.
show running-config | Shows the access lists and which interfaces have access lists set.
show mac access-group | Displays MAC access lists applied to all layer 2 interfaces or the specified layer 2 interface (used on layer 2 switches only).
338 Chapter 7 Implement, verify, and troubleshoot NAT and ACLs
The show access-list command will list all access lists on the router, whether they’re
applied to an interface or not:
Lab_A#show access-list
Standard IP access list 10
deny 172.16.40.0, wildcard bits 0.0.0.255
permit any
Standard IP access list BlockSales
deny 172.16.40.0, wildcard bits 0.0.0.255
permit any
Extended IP access list 110
deny tcp any host 172.16.30.5 eq ftp
deny tcp any host 172.16.30.5 eq telnet
permit ip any any
Lab_A#
First, notice that both access list 10 and our named access list appear on this list. Second,
notice that even though I entered actual numbers for TCP ports in access list 110, the show
command gives us the protocol names rather than TCP ports for readability. (Hey, not everyone
has them all memorized!)
Here’s the output of the show ip interface command:
Lab_A#show ip interface e1
Ethernet1 is up, line protocol is up
Internet address is 172.16.30.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is BlockSales
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
Web Cache Redirect is disabled
BGP Policy Mapping is disabled
Lab_A#
Be sure to notice the line Outgoing access list is BlockSales: the outgoing list on this interface
is BlockSales, but the inbound access list isn’t set. One more verification command and then
we’ll move on to using the SDM to configure firewall security.
As I’ve already mentioned, you can use the show running-config command to see any
and all access lists. However, on a layer 2 switch, you can verify your interface configurations
with the show mac access-group command:
S1#sh mac access-group
Interface FastEthernet0/1:
Inbound access-list is not set
Outbound access-list is not set
Interface FastEthernet0/2:
Inbound access-list is not set
Outbound access-list is not set
S1#
Depending on how many interfaces you set your MAC access lists on, you can add the
interface keyword to view an individual interface:
S1#sh mac access-group interface f0/6
Interface FastEthernet0/6:
Inbound access-list is Todd_MAC_List
Outbound access-list is not set
Exam Objectives
Remember the command to verify an access list on an interface. To see whether an access
list is set on an interface and in which direction it is filtering, use the show ip interface command.
This command will not show you the contents of the access list, merely which access
lists are applied on the interface.
Remember the command to verify the access lists configuration. To see the configured
access lists on your router, use the show access-list command. This command will not
show you which interfaces have an access list set.
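The two objectives above are complementary: show ip interface tells you where a list is applied but not what it contains, and show access-list tells you what is configured but not where it is applied. As an added example that is not part of the book, this Python script parses constructed samples of both outputs (modelled on the ones shown above; the interface names and the list number 120 are assumptions) and cross-checks them for lists that are configured but applied nowhere, and for interfaces that reference a list that does not exist.

```python
import re
# Constructed sample outputs modelled on the ones shown above, not captured from a live device.
SHOW_ACCESS_LIST = """\
Standard IP access list 10
    deny 172.16.40.0, wildcard bits 0.0.0.255
    permit any
Standard IP access list BlockSales
    deny 172.16.40.0, wildcard bits 0.0.0.255
    permit any
Extended IP access list 110
    deny tcp any host 172.16.30.5 eq ftp
    permit ip any any
"""
SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Outgoing access list is not set
  Inbound access list is 110
Ethernet1 is up, line protocol is up
  Outgoing access list is BlockSales
  Inbound access list is not set
Ethernet2 is up, line protocol is up
  Outgoing access list is not set
  Inbound access list is 120
"""
ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$", re.M)
IFACE_HEADER = re.compile(r"^(\S+) is .*, line protocol is ")
ACL_BINDING = re.compile(r"^\s*(Outgoing|Inbound) access list is (.+?)\s*$")

def parse_access_lists(text):
    """Return the set of ACL names/numbers that 'show access-list' reports as configured."""
    return set(ACL_HEADER.findall(text))

def parse_interface_bindings(text):
    """Return {interface: {"in": acl or None, "out": acl or None}} from 'show ip interface'."""
    bindings, current = {}, None
    for line in text.splitlines():
        if m := IFACE_HEADER.match(line):          # a new interface block starts
            current = m.group(1)
            bindings[current] = {"in": None, "out": None}
        elif (m := ACL_BINDING.match(line)) and current:
            key = "out" if m.group(1) == "Outgoing" else "in"
            bindings[current][key] = None if m.group(2) == "not set" else m.group(2)
    return bindings

def audit(acls, bindings):
    """Return (ACLs applied nowhere, bindings naming an ACL that is not configured).
    An interface bound to a list with no entries gets no filtering at all on IOS."""
    unused = sorted(set(acls) - {n for b in bindings.values() for n in b.values() if n})
    dangling = sorted(f"{i}:{d}:{n}" for i, b in bindings.items()
                      for d, n in b.items() if n and n not in acls)
    return unused, dangling
```

Run the same two functions over the real outputs of your own router to get the list of unused and dangling ACLs; the second finding is the one to chase first, because that interface is passing everything.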