Display Dynamic Access Lists
Displaying a temporary access list works like displaying any other
access list: use the show access-list [acl# | acl-name] or show ip access-list [acl# | acl-name] commands from Privileged
EXEC mode. The trick is this: the temporary access-list lines are only present
while they're in use. After the absolute or idle timeout expires,
the temporary entries are cleared. The number of matches displayed indicates the
level of activity for that statement since the last time the counters were
cleared.
Rtr1#sho access-lists
Extended IP access list filter-in
permit tcp any host 199.45.5.7 eq telnet (66 matches)
permit tcp any any established (232 matches)
permit udp any any eq rip (44 matches)
Dynamic allow-in permit ip any any log
permit ip host 192.168.0.14 any log (21 matches) (time left 253)
Rtr1#
00:36:10: %SEC-6-IPACCESSLOGP: list filter-in permitted tcp 192.168.0.14(1107) -> 192.168.2.1(2001), 2 packets
Rtr1#
Line seven identifies the host that authenticated and
shows that 21 packets were permitted. The time left is 253 seconds. Each
time another match is made, the idle timer is reset to 300 seconds, the five minutes
specified in the autocommand access-enable host timeout 5
command.
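
For auditing which hosts currently hold a temporary entry, the following added example (not part of the original text) parses captured show access-lists output and reports each temporary entry with its source host, match count, time left, and the seconds since its last match. It assumes temporary entries are the lines carrying a "(time left N)" marker under a Dynamic template, as in the output above, and that the idle timeout is the 5 minutes from the autocommand; the function and field names are hypothetical.

```python
import re

# Constructed sample: the "show access-lists" output shown on this page.
SAMPLE = """\
Rtr1#sho access-lists
Extended IP access list filter-in
permit tcp any host 199.45.5.7 eq telnet (66 matches)
permit tcp any any established (232 matches)
permit udp any any eq rip (44 matches)
Dynamic allow-in permit ip any any log
permit ip host 192.168.0.14 any log (21 matches) (time left 253)
Rtr1#
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
DYNAMIC = re.compile(r"^Dynamic (\S+)")
MATCHES = re.compile(r"\((\d+) match(?:es)?\)")
TIME_LEFT = re.compile(r"\(time left (\d+)\)")
SRC_HOST = re.compile(r"^permit \S+ host (\d+\.\d+\.\d+\.\d+)")


def temporary_entries(output, idle_timeout_min=5):
    """Return one dict per temporary entry found under a Dynamic template.

    idle_timeout_min is an assumption: the value given to
    "access-enable host timeout" (5 on this page).
    """
    found, acl, template = [], None, None
    for line in output.splitlines():
        line = line.strip()
        header = ACL_HEADER.match(line)
        dynamic = DYNAMIC.match(line)
        left = TIME_LEFT.search(line)
        if header:                      # new ACL: forget the previous template
            acl, template = header.group(1), None
        elif dynamic:                   # the template the temporary lines come from
            template = dynamic.group(1)
        elif template and left:         # temporary entry: it carries an idle timer
            hits = MATCHES.search(line)
            host = SRC_HOST.search(line)
            remaining = int(left.group(1))
            found.append({
                "acl": acl,
                "template": template,
                # None means the entry is not restricted to a single source host.
                "source": host.group(1) if host else None,
                "matches": int(hits.group(1)) if hits else 0,
                "time_left": remaining,
                # The timer resets to the full timeout on every match.
                "idle_for": idle_timeout_min * 60 - remaining,
            })
    return found
```

Run against output captured after the timeout has expired, the function returns an empty list, because the temporary line is no longer present.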