Access List Commands
| Command | Description |
| --- | --- |
| show access-lists | Displays all access lists and their parameters configured on the router. This command doesn't show which interface the list is configured on. |
| show access-list [list #] | Shows only the parameters for the access list specified. This command does not show you the interface the list is configured on. |
| show ip access-list | Shows only the IP access lists configured on the router. |
| show ipx access-list | Shows only the IPX access lists configured on the router. |
| show ip interface | Shows which interfaces have IP access lists on them. |
| show ipx interface | Shows which interfaces have IPX access lists on them. |
| show running-config | Shows the access lists and which interfaces have access lists set. |
| any | Keyword used to represent all hosts or networks; replaces 0.0.0.0 255.255.255.255 in an access list. |
| host | Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e., it will match only one host). |
| clear access-list counter [list#] | Clears the extended access list counters that record the number of matches per line of the access list. |
| -1 | Applies to any IPX network or any protocol when used in extended IPX access lists. |
| 0 | Used for all sockets in extended IPX access lists. |
| ip access-group | Applies an IP access list to an interface. |
| ipx access-group | Applies an IPX access list to an interface. |
| ipx input-sap-filter | Applies an inbound IPX SAP filter to an interface. |
| ipx output-sap-filter | Applies an outbound IPX SAP filter to an interface. |
Access List Ranges
| Access List Type | Number |
| --- | --- |
| Standard IP Access Lists | 1-99 |
| Extended IP Access Lists | 100-199 |
| Standard IPX Access Lists | 800-899 |
| Extended IPX Access Lists | 900-999 |
| IPX SAP Filters | 1000-1099 |
Standard Access List Syntax
IP
access-list 1-99 {permit|deny} address mask
| Variable | Definition |
| --- | --- |
| 1-99 | Standard IP access lists are represented by a number ranging from 1-99 or text names with IOS 11.2 or greater. |
| {permit\|deny} | Used to specify the nature of the access list, either a permit or deny statement. |
| address | The IP address of the source. |
| mask | A wildcard mask, or inverse mask, applied to determine which bits of source address are significant. |
IPX
access-list 800-899 {deny|permit} source-network[.source-address[source-mask]]
destination-network[.destination-address[destination-mask]]
| Variable | Definition |
| --- | --- |
| 800-899 | Standard IPX access lists are represented by a number ranging from 800-899. |
| {deny\|permit} | Used to specify the nature of the access list, either a permit or deny statement. |
| source-network[.source-address[source-mask]] | The IPX address of the source network or node. |
| destination-network[.destination-address[destination-mask]] | The IPX address of the destination network or node. |
Extended Access List Syntax
IP
access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq]
[source-port] destination dest-mask [lt|gt|eq|neq] [dest-port] [log]
| Variable | Definition |
| --- | --- |
| 100-199 | Extended IP access lists are represented by a number ranging from 100-199 or text names with IOS 11.2 or greater. |
| {permit\|deny} | Used to specify the nature of the access list, either a permit or deny statement. |
| {ip\|tcp\|udp\|icmp} | The IP protocol to be filtered; can be IP (includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others. |
| source | The IP address of the source. |
| source-mask | A wildcard mask, or inverse mask, applied to determine which bits of source address are significant. |
| [lt\|gt\|eq\|neq] | Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports. |
| [source-port] | If necessary, the source port number of the protocol to be filtered. |
| destination | The IP address of the destination. |
| dest-mask | A wildcard mask, or inverse mask, applied to determine which bits of destination address are significant. |
| [lt\|gt\|eq\|neq] | Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports. |
| [dest-port] | If necessary, the destination port number of the protocol to be filtered. |
| [log] | Turns on logging of access list activity. |
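How the wildcard mask, the any and host keywords, and the port operators in the extended IP syntax above decide a match, as an added example that is not part of the original page and is not Cisco code. The function names, the sample list 101 and its addresses are constructed for illustration; top-down, first-match evaluation with an implicit deny at the end is standard IOS behavior that the page itself does not state.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok):
    """Consume 'any', 'host A' or 'A wildcard'; return (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":                 # any    == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if first == "host":                # host A == A 0.0.0.0
        return ip_int(tok.pop(0)), 0
    return ip_int(first), ip_int(tok.pop(0))

def take_port(tok):                    # optional '[lt|gt|eq|neq] port' pair
    if tok and tok[0] in ("lt", "gt", "eq", "neq"):
        return tok.pop(0), int(tok.pop(0))
    return None

def parse(line):
    tok = line.split()[1:]             # drop the leading 'access-list'
    entry = {"number": int(tok.pop(0)), "action": tok.pop(0), "proto": tok.pop(0)}
    entry["src"], entry["sport"] = take_addr(tok), take_port(tok)
    entry["dst"], entry["dport"] = take_addr(tok), take_port(tok)
    return entry                       # a trailing 'log' is ignored here

def addr_ok(rule, ip):
    addr, wild = rule                  # wildcard bit 0 = compare, 1 = ignore
    return ((ip_int(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def port_ok(rule, port):
    if rule is None or port is None:   # no port test, or packet has no port
        return rule is None
    op, n = rule
    return {"lt": port < n, "gt": port > n, "eq": port == n, "neq": port != n}[op]

def evaluate(acl, proto, src, sport, dst, dport):
    for e in acl:                      # entries are tested top-down
        if (e["proto"] in ("ip", proto) and addr_ok(e["src"], src) and port_ok(e["sport"], sport)
                and addr_ok(e["dst"], dst) and port_ok(e["dport"], dport)):
            return e["action"]         # first match decides
    return "deny"                      # implicit deny when nothing matches

# Constructed sample list, not taken from any real device.
SAMPLE_ACL = [parse(l) for l in (
    "access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq 80",
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 any",
    "access-list 101 permit ip any any log",
)]
```

Calling evaluate(SAMPLE_ACL, "tcp", "192.168.10.7", 40000, "10.1.1.5", 23) returns "deny": the packet misses the first entry on the port test and is caught by the second, which shows why entry order matters when reviewing a list.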
IPX
access-list 900-999 {deny|permit} protocol source-network.[source-address[source-mask]] socket
destination-network.[destination-address[dest-mask]] destination-socket
| Variable | Definition |
| --- | --- |
| 900-999 | Extended IPX access lists are represented by a number ranging from 900-999. |
| {deny\|permit} | Used to specify the nature of the access list, either a permit or deny statement. |
| protocol | IPX protocol; -1 specifies all IPX protocols. |
| source-network.[source-address[source-mask]] | The IPX address of the source network or node. |
| socket | Source socket; similar to the port value in IP access lists, it points to a particular service. 0 specifies all sockets. |
| destination-network.[destination-address[dest-mask]] | The IPX address of the destination network or node. |
| destination-socket | Destination socket; similar to the port value in IP access lists, it points to a particular service. 0 specifies all sockets. |
SAP Filters
SAP
access-list 1000-1099 {permit|deny} network.[address] [service-type]
| Variable | Definition |
| --- | --- |
| 1000-1099 | IPX SAP filters are represented by a number in the range of 1000-1099. |
| {permit\|deny} | Used to specify the nature of the access list, either a permit or deny statement. |
| network.[address] | The IPX address of the source network or node. |
| [service-type] | IPX services such as print services, file services, or directory services; 0 is for all services. |