
Access List Commands

Command                             Description
show access-lists                   Displays all access lists and their parameters configured on the router. This command doesn't show which interface the list is configured on.
show access-list [list #]           Shows only the parameters for the access list specified. This command does not show which interface the list is configured on.
show ip access-list                 Shows only the IP access lists configured on the router.
show ipx access-list                Shows only the IPX access lists configured on the router.
show ip interface                   Shows which interfaces have IP access lists on them.
show ipx interface                  Shows which interfaces have IPX access lists on them.
show running-config                 Shows the access lists and which interfaces have access lists set.
any                                 Keyword that represents all hosts or networks; replaces 0.0.0.0 255.255.255.255 in an access list.
host                                Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e., it will match only one host).
clear access-list counter [list#]   Clears the extended access list counters of the number of matches per line of the access list.
-1                                  Applies to any IPX network or any protocol when used in extended IPX access lists.
0                                   Used for all sockets in extended IPX access lists.
ip access-group                     Applies an IP access list to an interface.
ipx access-group                    Applies an IPX access list to an interface.
ipx input-sap-filter                Applies an inbound IPX SAP filter to an interface.
ipx output-sap-filter               Applies an outbound IPX SAP filter to an interface.

Access List Ranges

Access List Type             Number
Standard IP Access Lists     1-99
Extended IP Access Lists     100-199
Standard IPX Access Lists    800-899
Extended IPX Access Lists    900-999
IPX SAP Filters              1000-1099

Standard Access List Syntax

IP

   access-list 1-99 {permit|deny} address mask 

Variable        Definition
1-99            Standard IP access lists are represented by a number ranging from 1-99, or by text names with IOS 11.2 or greater.
{permit|deny}   Specifies the nature of the access list entry: either a permit or a deny statement.
address         The IP address of the source.
mask            A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant.

IPX

   access-list 800-899 {deny|permit} source-network[.source-address[source-mask]]
                       destination-network[.destination-address[destination-mask]] 

Variable                                                      Definition
800-899                                                       Standard IPX access lists are represented by a number ranging from 800-899.
{deny|permit}                                                 Specifies the nature of the access list entry: either a permit or a deny statement.
source-network[.source-address[source-mask]]                  The IPX address of the source network or node.
destination-network[.destination-address[destination-mask]]   The IPX address of the destination network or node.

Extended Access List Syntax

IP

   access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq]
                       [source-port] destination dest-mask [lt|gt|eq|neq] [dest-port] [log]

Variable            Definition
100-199             Extended IP access lists are represented by a number ranging from 100-199, or by text names with IOS 11.2 or greater.
{permit|deny}       Specifies the nature of the access list entry: either a permit or a deny statement.
{ip|tcp|udp|icmp}   The IP protocol to be filtered: IP (includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others.
source              The IP address of the source.
source-mask         A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant.
[lt|gt|eq|neq]      Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). Used if an extended list filters by a specific port number or range of ports.
[source-port]       If necessary, the source port number of the protocol to be filtered.
destination         The IP address of the destination.
dest-mask           A wildcard mask, or inverse mask, applied to determine which bits of the destination address are significant.
[lt|gt|eq|neq]      Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). Used if an extended list filters by a specific port number or range of ports.
[dest-port]         If necessary, the destination port number of the protocol to be filtered.
[log]               Turns on logging of access list activity.
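
To review what an extended IP list will actually pass, the Python sketch below parses entries in the syntax above (including `any`, `host`, wildcard masks and the lt/gt/eq/neq port operators) and returns the action of the first entry that matches a packet. It is an added example, not part of the original reference: the function names and sample entries are constructed, only numeric ports are handled, and the final implicit deny is standard IOS behaviour that the tables above do not state.

```python
import ipaddress

OPS = {"lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
       "eq": lambda a, b: a == b, "neq": lambda a, b: a != b}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tok):
    """Consume 'any', 'host A' or 'A wildcard'; return (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF            # 0.0.0.0 255.255.255.255
    if first == "host":
        return _ip(tok.pop(0)), 0       # wildcard 0.0.0.0
    return _ip(first), _ip(tok.pop(0))

def _take_port(tok):
    """Consume an optional '{lt|gt|eq|neq} port' pair (numeric ports only)."""
    return (tok.pop(0), int(tok.pop(0))) if tok and tok[0] in OPS else None

def parse_ace(line):
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("not an extended IP access list entry: " + line)
    ace = {"action": tok[2], "proto": tok[3]}
    tok = tok[4:]
    ace["src"], ace["sport"] = _take_addr(tok), _take_port(tok)
    ace["dst"], ace["dport"] = _take_addr(tok), _take_port(tok)
    ace["log"] = tok == ["log"]
    return ace

def _addr_ok(ip, spec):
    addr, wild = spec
    # Wildcard bit 0 = must match, bit 1 = ignored (inverse of a subnet mask).
    return ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0

def _port_ok(port, spec):
    return spec is None or (port is not None and OPS[spec[0]](port, spec[1]))

def evaluate(acl_lines, proto, src, dst, sport=None, dport=None):
    """Return the action of the first matching entry; no match means deny."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", proto)
                and _addr_ok(_ip(src), ace["src"]) and _port_ok(sport, ace["sport"])
                and _addr_ok(_ip(dst), ace["dst"]) and _port_ok(dport, ace["dport"])):
            return ace["action"]
    return "deny"                       # implicit deny ending every IOS access list

SAMPLE_ACL = [  # constructed entries for illustration
    "access-list 101 deny tcp 192.168.10.0 0.0.0.255 any eq 23 log",
    "access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq 80",
    "access-list 101 permit udp any gt 1023 10.1.1.0 0.0.0.255 eq 53",
]
```

Because the first match wins, the telnet deny must stay above any broader permit for the same source; a source outside 192.168.10.0/24 sending TCP falls through every entry and is dropped by the implicit deny.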

IPX

   access-list 900-999 {deny|permit} protocol source-network.[source-address[source-mask]] socket
                       destination-network.[destination-address[dest-mask]] destination-socket

Variable                                               Definition
900-999                                                Extended IPX access lists are represented by a number ranging from 900-999.
{deny|permit}                                          Specifies the nature of the access list entry: either a permit or a deny statement.
protocol                                               IPX protocol; a -1 specifies all IPX protocols.
source-network.[source-address[source-mask]]           The IPX address of the source network or node.
socket                                                 Source socket; similar to the port value in IP access lists, it points to a particular service. A 0 specifies all sockets.
destination-network.[destination-address[dest-mask]]   The IPX address of the destination network or node.
destination-socket                                     Destination socket; similar to the port value in IP access lists, it points to a particular service. A 0 specifies all sockets.

SAP Filters

SAP

   access-list 1000-1099 {permit|deny} network.[address] [service-type] 

Variable            Definition
1000-1099           IPX SAP filters are represented by a number in the range of 1000-1099.
{permit|deny}       Specifies the nature of the access list entry: either a permit or a deny statement.
network.[address]   The IPX address of the source network or node.
[service-type]      IPX services such as print services, file services, or directory services; a 0 is for all services.


