
Access List Commands

Command: show access-lists
Description: Displays all access lists and their parameters configured on the router. This command doesn't show which interface the list is configured on.

Command: show access-list [list #]
Description: Shows only the parameters for the access list specified. This command does not show you the interface the list is configured on.

Command: show ip access-list
Description: Shows only the IP access lists configured on the router.

Command: show ipx access-list
Description: Shows only the IPX access lists configured on the router.

Command: show ip interface
Description: Shows which interfaces have IP access lists on them.

Command: show ipx interface
Description: Shows which interfaces have IPX access lists on them.

Command: show running-config
Description: Shows the access lists and which interfaces have access lists set.

Command: any
Description: Keyword used to represent all hosts or networks, replaces 0.0.0.0 255.255.255.255 in access list.

Command: host
Description: Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e. will match only 1 host).

Command: clear access-list counter [list#]
Description: Clears extended access lists counter of the number of matches per line of the access list.

Command: -1
Description: Applies to any IPX network or any protocol when used in extended IPX access lists.

Command: 0
Description: Used for all sockets in extended IPX access lists.

Command: ip access-group
Description: Applies an IP access list to an interface.

Command: ipx access-group
Description: Applies an IPX access list to an interface.

Command: ipx input-sap-filter
Description: Applies an inbound IPX SAP filter to an interface.

Command: ipx output-sap-filter
Description: Applies an outbound IPX SAP filter to an interface.

Access List Ranges

Access List Type: Number
Standard IP Access Lists: 1-99
Extended IP Access Lists: 100-199
Standard IPX Access Lists: 800-899
Extended IPX Access Lists: 900-999
IPX SAP Filters: 1000-1099

Standard Access List Syntax

IP
access-list 1-99 {permit|deny} address mask

Variable: 1-99
Definition: Standard IP access lists are represented by a number ranging from 1-99 or text names with IOS 11.2 or greater.

Variable: {permit|deny}
Definition: Used to specify the nature of the access list, either a permit or deny statement.

Variable: address
Definition: The IP address of the source.

Variable: mask
Definition: A wildcard mask, or inverse mask, applied to determine which bits of source address are significant.
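Added example (not part of the original reference): a small Python evaluator showing how the wildcard mask and the any / host keywords decide whether a source address matches a standard IP access list entry. The function names and the sample list are constructed for illustration; top-to-bottom first-match evaluation and the implicit deny at the end of a list are standard IOS behavior that this page does not state.

```python
import ipaddress

# Constructed sample list (not from the page). The last entry uses a
# discontiguous wildcard that ignores everything in the last two octets
# except the final bit, so it only matches even host addresses.
SAMPLE_ACL = [
    "access-list 10 deny host 192.168.1.77",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 permit 172.16.0.0 0.0.255.254",
]

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_entry(line):
    """Parse 'access-list 1-99 {permit|deny} address mask' plus any/host forms."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard IP ACL entry: {line!r}")
    if not 1 <= int(tok[1]) <= 99:
        raise ValueError("standard IP access lists are numbered 1-99")
    rest = tok[3:]
    if rest == ["any"]:                          # any  -> 0.0.0.0 255.255.255.255
        addr, mask = "0.0.0.0", "255.255.255.255"
    elif len(rest) == 2 and rest[0] == "host":   # host -> wildcard 0.0.0.0
        addr, mask = rest[1], "0.0.0.0"
    elif len(rest) == 2:                         # explicit address + wildcard
        addr, mask = rest
    else:
        raise ValueError(f"unsupported address form: {line!r}")
    return tok[2], to_int(addr), to_int(mask)

def entry_matches(source, addr, wildcard):
    # Wildcard bit 0 = this bit must match; wildcard bit 1 = this bit is ignored.
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(source) & care) == (addr & care)

def evaluate(acl_lines, source):
    """Return the action of the first matching entry, top to bottom."""
    for line in acl_lines:
        action, addr, wildcard = parse_entry(line)
        if entry_matches(source, addr, wildcard):
            return action
    return "deny"  # IOS implicit deny when no entry matches

if __name__ == "__main__":
    for src in ("192.168.1.77", "192.168.1.20", "172.16.5.4", "172.16.5.5"):
        print(src, evaluate(SAMPLE_ACL, src))
```

Entry order matters: moving the host deny below the 192.168.1.0 permit would let 192.168.1.77 through, because the first match wins.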

IPX
access-list 800-899 {deny|permit} source-network[.source-address[source-mask]] destination-network[.destination-address[destination-mask]]

Variable: 800-899
Definition: Standard IPX access lists are represented by a number ranging from 800-899.

Variable: {deny|permit}
Definition: Used to specify the nature of the access list, either a permit or deny statement.

Variable: source-network[.source-address[source-mask]]
Definition: The IPX address of the source network or node.

Variable: destination-network[.destination-address[destination-mask]]
Definition: The IPX address of the destination network or node.

Extended Access List Syntax

IP
access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq] [source-port] destination dest-mask [lt|gt|eq|neq] [dest-port] [log]

Variable: 100-199
Definition: Extended IP access lists are represented by a number ranging from 100-199 or text names with IOS 11.2 or greater.

Variable: {permit|deny}
Definition: Used to specify the nature of the access list, either a permit or deny statement.

Variable: {ip|tcp|udp|icmp}
Definition: The IP protocol to be filtered can be IP (includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others.

Variable: source
Definition: The IP address of the source.

Variable: source-mask
Definition: A wildcard mask, or inverse mask, applied to determine which bits of source address are significant.

Variable: [lt|gt|eq|neq]
Definition: Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports.

Variable: [source-port]
Definition: If necessary, the source port number of the protocol to be filtered.

Variable: destination
Definition: The IP address of the destination.

Variable: dest-mask
Definition: A wildcard mask, or inverse mask, applied to determine which bits of destination address are significant.

Variable: [lt|gt|eq|neq]
Definition: Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports.

Variable: [dest-port]
Definition: If necessary, the destination port number of the protocol to be filtered.

Variable: [log]
Definition: Turns on logging of access list activity.

IPX

access-list 900-999 {deny|permit} protocol source-network.[source-address[source-mask]] socket destination-network.[destination-address[dest-mask]] destination-socket

Variable: 900-999
Definition: Extended IPX access lists are represented by a number ranging from 900-999.

Variable: {deny|permit}
Definition: Used to specify the nature of the access list, either a permit or deny statement.

Variable: protocol
Definition: IPX protocol, a -1 specifies all IPX protocols.

Variable: source-network.[source-address[source-mask]]
Definition: The IPX address of the source network or node.

Variable: socket
Definition: Source socket similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.

Variable: destination-network.[destination-address[dest-mask]]
Definition: The IPX address of the destination network or node.

Variable: destination-socket
Definition: Destination socket, similar to the port value in IP access lists, points to a particular service, a 0 specifies all sockets.

SAP Filters

SAP
access-list 1000-1099 {permit|deny} network.[address] [service-type]

Variable: 1000-1099
Definition: IPX SAP filters are represented by a number in the range of 1000-1099.

Variable: {permit|deny}
Definition: Used to specify the nature of the access list, either a permit or deny statement.

Variable: network.[address]
Definition: The IPX address of the source network or node.

Variable: [service-type]
Definition: IPX services such as print services, file services, or directory services, a 0 is for all services.
