Source: Cisco IOS Release 12.4T, Security Configuration Guide: Access Control Lists, "IP Access List Overview" (Securing the Data Plane Configuration Guide Library).
Access lists are a mechanism for permitting or denying hosts (or packets) that match a set of criteria. They are used in the IOS firewall, for route filtering in route-maps, and for matching packets for QoS.
There are a number of forms of access lists, including:
- Time based
- Authentication Proxy
- Context Based
Standard IP access lists allow you to match against a source host (or source network) and nothing else. Extended access lists allow you to match against a source and a destination as well as additional attributes such as QoS markings and the TCP flags of the packet (SYN, ACK, etc.).
Named access lists allow you to give an access list a logical name to help with maintaining the list. This allows the configuration to document itself to an extent.
Object groups allow you to reduce the complexity of access lists by grouping sets of rules into logical groups instead of writing the same rule several times for a set of hosts.
Dynamic access lists include those rules dynamically generated by the router in lock and key configurations as well as a number of other scenarios.
Context based access control (CBAC) provides a stateful dynamic firewall: traffic for a session initiated from an inside interface is tracked so that its return traffic is allowed back in through the outside interface.
Time based access lists allow you to configure rules to be active during certain periods of the day.
The Doc-CD has a good breakdown of the types of access lists and their configuration.
Show ip access-lists
The show ip access-lists command gives you a breakdown of all non-dynamic IPv4 access lists.
R1#sh ip access-lists
Standard IP access list 1
    10 permit 192.168.200.0, wildcard bits 0.0.0.255 (56324 matches)
    20 permit 192.168.202.0, wildcard bits 0.0.0.255 (1424 matches)
    30 permit 192.168.203.0, wildcard bits 0.0.0.255
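The output above shows how a standard ACL is evaluated: entries are tested in sequence order, the first match wins, each entry is defined by a network plus wildcard bits, and anything that matches no entry hits the implicit deny at the end. The following is an added example (not Cisco's code or part of the original page) that reproduces that evaluation in Python for access list 1; the sample source addresses are constructed, and it also handles non-contiguous wildcard masks, which the page's entries do not show.

```python
import ipaddress

# Constructed copy of "Standard IP access list 1" from the show output above:
# (sequence, action, network, wildcard bits). Wildcard bits are the inverse of a
# subnet mask: a 0 bit must match exactly, a 1 bit is "don't care".
ACL_1 = [
    (10, "permit", "192.168.200.0", "0.0.0.255"),
    (20, "permit", "192.168.202.0", "0.0.0.255"),
    (30, "permit", "192.168.203.0", "0.0.0.255"),
]

def wildcard_match(addr, network, wildcard):
    """True if addr matches network under Cisco wildcard-mask semantics.
    Works for non-contiguous masks too (e.g. 0.0.1.255 matches a pair of /24s)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    # Every bit that differs between addr and network must be a "don't care" bit.
    return ((a ^ n) & ~w) == 0

def evaluate(acl, src):
    """Standard ACL lookup: first matching entry wins; no match is the implicit deny."""
    for seq, action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action, seq
    return "deny", None   # implicit "deny any" at the end of every IOS ACL

def match_counts(acl, sources):
    """Per-entry hit counters, like the "(N matches)" column in show ip access-lists."""
    counts = {seq: 0 for seq, *_ in acl}
    counts["implicit-deny"] = 0
    for src in sources:
        _action, seq = evaluate(acl, src)
        counts[seq if seq is not None else "implicit-deny"] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample traffic: two permitted sources, two that fall through.
    sample = ["192.168.200.17", "192.168.202.5", "192.168.201.1", "10.0.0.9"]
    print(match_counts(ACL_1, sample))
```

Counting implicit-deny hits separately is useful because the real ACL counters never show them; the only way to see silently dropped traffic on the router is to add an explicit `deny any log` entry at the end.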
Show ipv6 access-list
The show ipv6 access-list command gives you a breakdown of all non-dynamic IPv6 access lists.
R1#sh ipv6 access-list
IPv6 access list MATCH_ICMP
    permit icmp any any (2127 matches) sequence 10
    deny ipv6 any any (8879 matches) sequence 40