IP Access Control List Review
A fairly deep understanding of IP ACL syntax and use is assumed to be prerequisite
knowledge for readers of this book. In fact, many of the examples in the earlier sections of the
book did not take the space required to explain the detailed logic of the ACLs used in the examples.
However, some reference information, as well as statements regarding some of the rules and
practices for IP ACLs, is useful for general CCIE Routing and Switching exam study. Those
details are presented in this section.
First, Table 18-7 lists the majority of the Cisco IOS commands related to IP ACLs.
Layer 3 Security 673
Table 18-7 IP ACL Command Reference
(Each entry gives the command syntax, followed by its configuration mode and description.)

access-list access-list-number {deny | permit} source [source-wildcard] [log]
    Global command for standard numbered access lists.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol
source source-wildcard destination destination-wildcard [precedence precedence] [tos tos]
[log | log-input] [time-range time-range-name] [fragments]
    Generic syntax used with a wide variety of protocols. The options beginning with
    precedence are also included for TCP, UDP, and ICMP.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source
source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established]
    Version of the access-list command with TCP-specific parameters; identical options exist for
    UDP, except for the established keyword.

access-list access-list-number {deny | permit} icmp source source-wildcard destination
destination-wildcard [icmp-type [icmp-code] | icmp-message]
    Version of the access-list command to match ICMP packets.

access-list access-list-number remark text
    Defines a remark.

ip access-list {standard | extended} access-list-name
    Global command to create a named ACL.

[sequence-number] {permit | deny} protocol source source-wildcard destination destination-wildcard
[precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
    Named ACL subcommand used to define an individual entry in the list; similar options for
    TCP, UDP, ICMP, and others.

ip access-group {number | name [in | out]}
    Interface subcommand to enable access lists.

access-class number | name [in | out]
    Line subcommand for standard or extended access lists.

access-list compiled
    Global command to compile ACLs on Cisco 7200s/7500s.

ip access-list resequence access-list-name starting-sequence-number increment
    Global command to redefine sequence numbers for a named ACL.

show ip interface [type number]
    Includes a reference to the access lists enabled on the interface.

show access-lists [access-list-number | access-list-name]
    Shows details of configured access lists for all protocols.

show ip access-list [access-list-number | access-list-name]
    Shows IP access lists.
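The table gives the syntax but not the matching logic that the earlier chapters assume: wildcard masks, top-down first-match evaluation, the implicit deny at the end of every list, standard lists checking only the source address, and the established keyword matching TCP segments with ACK or RST set. The following added example (not code from the book or from Cisco IOS) is a small Python model of that logic for the numbered access-list syntax in Table 18-7. It parses only the subset shown in its constructed sample (remark, standard source matching, extended ip/tcp/udp/icmp entries with host, any, wildcard masks, eq port and established); precedence, tos, time-range, fragments and the log keywords are accepted but ignored. The ACL lines, addresses and packets are constructed for the example.

```python
# Added example: a simplified model of IOS numbered-ACL evaluation (not IOS code).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every mask bit is a don't-care bit


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                  # ip, tcp, udp or icmp
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack_or_rst: bool = False           # TCP ACK or RST set: what 'established' tests


@dataclass
class Entry:
    action: str                        # permit or deny
    proto: str                         # 'ip' matches every IP protocol
    src: Tuple[str, str]               # (base address, wildcard mask)
    dst: Tuple[str, str]
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must equal the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A', 'A W', or bare 'A' (wildcard 0.0.0.0) at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' operator (the only operator modelled here)."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Optional[Entry]:
    """Parse one 'access-list <number> ...' line; a remark yields None."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list command: " + line)
    number = int(t[1])
    if t[2] == "remark":
        return None
    action, i = t[2], 3
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard ACL: source only
        src, i = _parse_addr(t, i)
        return Entry(action, "ip", src, ANY)
    proto, i = t[i], i + 1                             # extended ACL
    src, i = _parse_addr(t, i)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Entry(action, proto, src, dst, sport, dport, "established" in t[i:])


def parse_acl(config: str) -> List[Entry]:
    entries = [parse_ace(line) for line in config.strip().splitlines()]
    return [e for e in entries if e is not None]


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# Constructed sample lists (not from the book). Order matters: the ICMP deny is
# placed before the broader permit so that it wins for ICMP from 172.16.0.0/16.
ACL_101 = parse_acl("""
access-list 101 remark constructed example: DMZ 10.1.1.0/24, web server 10.1.1.10
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established
access-list 101 permit tcp any host 10.1.1.10 eq 80
access-list 101 deny icmp any 10.1.1.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.1.1.0 0.0.0.255 log
""")
ACL_1 = parse_acl("""
access-list 1 deny 10.1.1.99
access-list 1 permit 10.1.1.0 0.0.0.255
""")
```

Calling evaluate(ACL_101, Packet("192.0.2.5", "10.1.1.10", "tcp", dport=22)) returns "deny" because no entry matches and the implicit deny applies, while the same packet with ack_or_rst=True returns "permit" through the established entry; an ICMP packet from 172.16.5.5 to the DMZ is denied by the third entry even though the fourth would permit it, which is the first-match rule the chapter's examples rely on.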