Use the following four commands to view previously configured access lists:
- show access-list
- show ip access-list [access-list-number]
- clear access-list counters [access-list-number]
- show line
Use the show access-list command to display access lists from all protocols. Use the show ip access-list command to display IP access lists.
The system counts how many packets match each line of an access list; the counters are displayed by the show access-list command. Use the clear access-list counters command in EXEC mode to clear the counters of an access list.
Use the show line command to display information about terminal lines.
The output from the show ip access-lists command displays the contents of previously defined IP access lists. For example, consider the following results:
p1r1#show access-lists
Extended IP access list 100
    deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet (3 matches)
    deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
    permit ip any any (629 matches)
Notice that three packets have matched the filter defined for Telnet sessions and 629 packets have been allowed to pass through.
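
The counters in output like the listing above can be collected for review. This Python example is added here and is not part of the original text; it parses the output, totals the matches per action, and lists entries that have never matched. The function names and the optional sequence-number handling are assumptions of the example.

```python
import re

# Constructed sample: the output shown above, as a router would print it.
SAMPLE = """\
Extended IP access list 100
    deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet (3 matches)
    deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
    permit ip any any (629 matches)
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# Optional leading sequence number, then the rule, then an optional counter.
ENTRY = re.compile(
    r"^\s+(?:\d+\s+)?((permit|deny)\b.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def parse_acl_counters(text):
    """Return {acl_name: [{action, rule, matches}, ...]} from the output."""
    acls, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(2), [])
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            rule, action, count = entry.groups()
            # No "(N matches)" suffix means the entry has not matched a packet.
            current.append(
                {"action": action, "rule": rule, "matches": int(count or 0)}
            )
    return acls


def summarize(entries):
    """Total denied and permitted packets, plus entries that never matched."""
    denied = sum(e["matches"] for e in entries if e["action"] == "deny")
    permitted = sum(e["matches"] for e in entries if e["action"] == "permit")
    unused = [e["rule"] for e in entries if e["matches"] == 0]
    return {"denied": denied, "permitted": permitted, "unused": unused}


if __name__ == "__main__":
    for name, entries in parse_acl_counters(SAMPLE).items():
        print(name, summarize(entries))
```
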
Access lists have overhead, especially if the list is long and is placed on busy backbone routers. Such access lists could become performance concerns. Although the underlying technology of access-list processing is efficient, in a few cases an alternative can be used to avoid access lists altogether. The next section covers such an alternative.