Академический Документы
Профессиональный Документы
Культура Документы
Access Control
Doc. DM752-I Rev. 10.62
September, 2008
INDEX
- ii -
j) ENTRY <id> PRECEDENCE................................................................................. 24
k) ENTRY <id> TCP-SPECIFIC ESTABLISHED ...................................................... 24
l) ENTRY <id> TOS-OCTET ..................................................................................... 25
m) ENTRY <id> CONNECTION ................................................................................. 25
n) ENTRY <id> DESCRIPTION................................................................................. 25
5.3. LIST ........................................................................................................................ 26
a) LIST ALL-ENTRIES ................................................................................................ 26
b) LIST ADDRESS-FILTER-ENTRIES........................................................................ 26
c) LIST ENTRY............................................................................................................ 26
5.4. MOVE-ENTRY ...................................................................................................... 27
5.5. DESCRIPTION....................................................................................................... 27
5.6. NO........................................................................................................................... 28
a) NO ENTRY .............................................................................................................. 28
b) NO DESCRIPTION................................................................................................. 28
5.7. EXIT ....................................................................................................................... 28
6. Show Config....................................................................................................................... 29
7. Practical Example............................................................................................................... 30
• Creating the access control lists................................................................... 30
• Associating the access List to the IPSec Protocol........................................ 31
Chapter 3 Monitoring .......................................................................................................33
1. Monitoring Commands ...................................................................................................... 34
1.1. ? (HELP) ................................................................................................................. 34
1.2. LIST ........................................................................................................................ 35
a) LIST ALL................................................................................................................. 35
• LIST ALL ALL-ACCESS-LISTS ............................................................... 35
• LIST ALL ADDRESS-FILTER-ACCESS-LISTS ...................................... 36
• LIST ALL ACCESS-LIST .......................................................................... 37
b) LIST CACHE........................................................................................................... 37
• LIST CACHE ALL-ACCESS-LISTS ......................................................... 37
• LIST CACHE ADDRESS-FILTER-ACCESS-LISTS ................................ 38
• LIST CACHE ACCESS-LIST..................................................................... 38
c) LIST ENTRIES ........................................................................................................ 39
• LIST ENTRIES ALL-ACCESS-LISTS....................................................... 39
• LIST ENTRIES ADDRESS-FILTER-ACCESS-LISTS ............................. 40
• LIST ENTRIES ACCESS-LIST.................................................................. 40
1.3. CLEAR-CACHE..................................................................................................... 40
1.4. SET-CACHE-SIZE................................................................................................. 41
1.5. SHOW-HANDLES................................................................................................. 41
1.6. HIDE-HANDLES ................................................................................................... 41
Chapter 4 Appendix ..........................................................................................................42
1. Reserved Ports.................................................................................................................... 43
2. Reserved Protocols............................................................................................................. 44
- iii -
Chapter 1
Introduction
1. Access Control Lists
The routers use access control lists (ACL) to identify traffic passing through them.
The access lists can filter the packet or routes flow passing through the router interfaces.
An IP access list is a sequential list of permission or negation conditions which are applied to source
or destination IP addresses, source or destination ports or to higher layer IP protocols such as IP, TCP
etc.
These can separate the traffic into different queues according to priority.
Types of access lists:
Standard (1 – 99): checks the source addresses of those packets requesting routing.
Extended (100 – 1999): checks both the source and destination addresses of each packet.
This can also verify specific protocols, number of ports and other parameters.
The access lists can be applied at both the input (so avoiding router overload) as well as the output.
An access control list itself does not imply a filter to limit the packet flow in the router. The Access
Control Lists must be associated to a protocol. The protocol used by an Access Control List is used as
a tool permitting traffic filters to be established. The protocols allow Access Control List management
incorporating commands which permit the protocol to be associated to the said Lists. Typical
protocols managing Access Control Lists are, among others: BRS, IPSec, Policy Routing, RIP.
A particularly interesting set of protocols are the routing protocols, most important of which are RIP,
OSPF and BGP. These protocols use the Access Control Lists, either directly or through Route Maps
(please see manual Dm764-I “Route Mapping”), to control the routes installed in the routing table or
that are distributed to other devices. There are also other very similar tools to Access Lists which are
specially orientated to route filtering such as Prefix Lists (see manual Dm780-I “Prefix Lists”).
The Access Control Lists indicate to the associated protocol the entry search results. The reception
search result for a packet can be:
Access List
Permitted
Found
Denied
IP Packet
The associated protocol determines what should happen to the IP packet in accordance with the Access
List application result.
Each entry in the list is a block of sentences and an action which is identified by a unique number (the
entry identifier or ID field). The sentence block is made up of a source IP address (or range of
addresses), a destination IP address (or range of destination IP addresses), a protocol (or range of
protocols), source and destination ports (or range of ports), IP service byte values and the identifier for
connection between interfaces that the packet passes through. It’s unnecessary to specify all of them,
only those required. The action represents the process assigned to the packets coinciding with the
associated block of sentences: PERMIT or DENY.
A standard or extended access control list is made up of a series of entries which define the properties
that a packet must have in order to pertain to this entry and consequently this list. Subsequently, this
standard access control list is assigned to a protocol.
List 1
Action
Sentence A
Entry 1 Sentence B
|
Sentence Z
Action
Sentence A
Entry 2 Sentence B
|
Sentence Z
Action
Sentence A
Entry n Sentence B
|
Sentence Z
An Access Control List itself does not imply a filter to limit packet flow in the router.
The Access Control Lists must be associated to a protocol.
The Access Control Lists indicate the entry search results to the associated protocol.
The search result can have the following values: Not Found, Permit or Deny. The
associated protocol determines what to do with a packet according to the result given by
the Access Control List.
Operations to create, modify or eliminate access lists are executed from a specific menu where you can
also view the created lists.
In the router configuration structure, the Access Controls are organized as a feature (FEATURE). To
view the features permitting you to configure the router, enter the feature command followed by a
question mark (?).
Example:
Config>feature ?
access-lists Access generic access lists configuration
environment
bandwidth-reservation Bandwidth-Reservation configuration environment
control-access Control-access configuration environment
dns DNS configuration environment
frame-relay-switch Frame Relay Switch configuration environment
ip-discovery TIDP configuration environment
ldap LDAP configuration environment
mac-filtering Mac-filtering configuration environment
nsla Network Service Level Advisor configuration
nsm Network Service Monitor configuration environment
ntp NTP configuration environment
prefix-lists Access generic prefix lists configuration
environment
radius RADIUS protocol configuration environment
route-map Route-map configuration environment
scada-forwarder SCADA Forwarder configuration environment
sniffer Sniffer configuration environment
stun Stun facility configuration environment
syslog Syslog configuration environment
tms TMS configuration environment
vlan IEEE 802.1Q switch configuration environment
vrf VRF configuration environment
wrr-backup-wan WRR configuration environment
wrs-backup-wan WRS configuration environment
Config>
To access the Access Controls configuration menu, introduce, from the configuration root menu
(PROCESS 4), the word feature, followed by access-lists.
Example:
Config>feature access-lists
By doing this you access the main Access Controls functionality configuration menu. Here you can
create, eliminate and view the access lists.
Each access control list is made up of entries, where you can indicate criteria and the parameters
permitting or limiting access.
There are two types of access control lists: Standard and Extended.
Very few parameters are used in the Standard lists to define the characteristics of each Access Control
entry. Contrariwise, the Extended lists permit you to define a larger number of selection parameters.
There are two submenus within the main Access Lists menu, one for each type of list. Accessing each
submenu is produced when editing a specific list, depending on whether the type selected is Extended
or Standard.
You can create and eliminate lists from the main Access Control configuration menu. You can also
view the configuration of the created lists.
An Access List consists of a series of entries. Each entry in the list is a block of sentences and an
action. Each entry is identified by a unique number (the entry identifier or ID field). The sentence
block is made up of a source IP address (or range of addresses), a destination IP address (or range of
destination IP addresses), a protocol (or range of protocols), source and destination ports (or range of
ports) and the identifier for connection between interfaces that the packet passes through. The action
determines the criteria applied to the IP packets fulfilling the condition indicated by the sentences.
The action can be one of two types, permit or deny.
You can configure 1999 access lists in the router. Access lists whose identifiers take a value of
between 1 and 99 are the Standard Access Lists. Those lists taking a value between 100 and 1999 are
the Extended Access Lists.
The 1999 Access Lists are empty by default. An access list is considered empty when it does not
contain any entries.
Depending on the type of created list (Standard/Extended), the entry configurations for each list are
carried out in a submenu pertaining to each and which contains the same parameters for all entries of
the same type. The description of the configuration mode for the parameters contained in these
submenus is explained in the following sections.
Should one of the entry parameters or options in the Access Control Lists not be configured, this will
not be taken into account when checking the access.
The order of the entries in the Access Control List is very important in cases where the
information the sentences refer to, overlap between different entries.
You must bear in mind that the order in which the entries in a list are dealt with is not
defined by the entry identifier number but by the order in which they have been
introduced. This order can be seen through the “list” command and modified by using
the “move-entry” command. I.e. if when moving through the list, beginning with the
first listed element or entry, an element is found matching the search criteria, no
further search is carried out and the action indicated by the said entry is executed.
Please note that the search order among the entries on an Access Control List
DIFFERS from that used in a Prefix List (please see manual Dm780-I “Prefix Listsl”)
where this order is given by the value of the identifier.
The following commands are available in the main Access Control menu:
Command Function
? (help) Lists the available commands or their options.
access-list Configures an access list.
list Displays the configuration of the access lists.
no Negates a command or sets the default value.
Example:
Access Lists config>?
access-list Configure an access-list
list Display access-lists configuration
no Negates a command or sets its defaults
exit
Access Lists config>
3.2. ACCESS-LIST
Use this command to access the submenu permitting you to configure entries in an access list. The
Access Lists are identified by a numerical value which can take values between 1 and 199 i.e. the
router permits you to configure 1999 Access Lists. Access lists whose identifiers take a value of
between 1 and 99 are the Standard Access Lists. Those lists taking a value between 100 and 1999 are
the Extended Access Lists. The Extended Access Lists configuration submenu can configure a larger
number of selection parameters. On introducing this command followed by an identifier, you pass to a
submenu where you can configure the Access List for the said identifier, the Access List type and its
identifier appearing at the new prompt.
Syntax:
Access Lists config>access-list ?
<1..99> Standard Access List number (1-99)
<100..1999> Extended Access List number (100-1999)
Example:
Access Lists config>access-list 101
3.3. LIST
The LIST command displays configuration information on the Access Control Lists feature.
Syntax:
Access Lists config>list ?
all-access-lists Display all access-lists configuration
standard-access-lists Display standard access-lists configuration
extended-access-lists Display extended access-lists configuration
a) LIST ALL-ACCESS-LISTS
Displays ALL the configuration information on the Access Control Lists
Syntax:
Access Lists config>list all-access-lists
1 PERMIT SRC=192.60.1.24/32
2 PERMIT SRC=0.0.0.0/0
b) LIST STANDARD-ACCESS-LISTS
Displays the configured Standard Access Control Lists.
Syntax:
Access Lists config>list standard-access-lists
Example:
Access Lists config>list standard-access-lists
1 PERMIT SRC=192.60.1.24/32
2 PERMIT SRC=0.0.0.0/0
c) LIST EXTENDED-ACCESS-LISTS
Displays the configured Extended Access Control Lists.
Syntax:
Access Lists config>list extended-access-lists
Example:
Access Lists config>list extended-access-lists
3.4. NO
This command is used to disable functionalities or to set the default values in some parameters.
a) NO ACCESS-LIST
Eliminates the contents of an Access Control List.
Syntax:
Access Lists config>no access-list <ID>
Example:
Access Lists config>no access-list 100
Access Lists config>
3.5. EXIT
Exits the Access Controls feature configuration environment and returns to the general configuration
prompt.
Syntax:
Access Lists config>exit
Example:
Access Lists config>exit
Config>
Access this menu when you wish to edit an Access Control List whose identifier is within value range
1 and 99 i.e. a Standard List.
The new submenu prompt indicates that this is a Standard list and also its Identifier.
Example:
Access Lists config>access-list 1
The Standard Access Control Lists submenu admits the following subcommands:
Command Function
? (help) Lists the available commands or their options.
entry Configures an entry for this access-list.
list Displays the access lists configuration.
description Permits you to insert a textual description of an Access
Control List.
move-entry Changes the order of the entries.
no Negates a command or sets its default value.
4.1. ? (HELP)
This command is used to list the valid commands at the level the router is programmed. You can also
use this command after a specific command to list the available options.
Syntax:
Standard Access List #>?
Example:
Standard Access List 1>?
entry Configure an entry for this access-list
list Display this access-list configuration
move-entry move an entry within an access-list
description Configure a description for this access-list
no Negates a command or sets its defaults
exit
Standard Access List 1>
4.2. ENTRY
Permits you to create and modify an entry or element in an Access Control List.
This command must always be introduced followed by the identifier of the register number and a
sentence.
With the aim that the user understands the concepts regarding the wildcard configuration, the
positions of the mask bits whose values are 0 must also be 0 in the address. Contrariwise, the
device will give an error and suggest an address that adapts to the provided mask (that the user must
evaluate to see if it corresponds to the required configuration).
Consequently, for example, if you try to enter address 172.24.155.130 in the command with mask
255.255.254.255, the device gives an error as in the third octet in the mask (254), the last bit doesn’t
correspond with its equal in the address (155). In this case the device will suggest address
172.24.154.130.
In cases of configuring an IP address, you must introduce the IP address and the mask. In cases of
configuring an Interface, you must introduce its number.
b) Interface
Standard Access List #>entry <id> source address <interface>
Example:
a) IP Address
Standard Access List 1>entry 3 source address 192.168.4.5 255.255.255.255
Standard Access List 1>
b) Interface
Standard Access List 1>entry 3 source address serial0/0
Standard Access List 1>
4.3. LIST
The LIST command displays the information on the Access Control List configuration which is being
edited i.e. the information whose identifier is indicated at the menu prompt.
Syntax:
Standard Access List #>list ?
all-entries Display any entry of this access-list
address-filter-entries Display the entries that match an ip address
entry Display one entry of this access-list
a) LIST ALL-ENTRIES
Displays all the Access Control List configuration entries i.e. the whole configuration.
Syntax:
Standard Access List #>list all-entries
2 PERMIT SRC=0.0.0.0/0
b) LIST ADDRESS-FILTER-ENTRIES
Displays the Access Control List configuration entries containing a specific IP address.
Syntax:
Standard Access List #>list address-filter-entries <address> <subnet>
Example:
Standard Access List 1>list address-filter-entries 192.60.1.24 255.255.255.255
c) LIST ENTRY
Displays a configuration entry from the Access Control List whose identifier is indicated after the
command.
Syntax:
Standard Access List #>list entry <id>
Example:
Standard Access List 1>list entry 1
4.4. MOVE-ENTRY
Modifies the priority of an entry. This option permits you to place a specific entry in front of another
indicated entry within the Access Control List.
This command is introduced followed by the identifier of the entry you wish to modify and
subsequently introducing the identifier for the position in front of which you wish to place the entry.
When you wish to place an entry at the end of the list i.e. this takes the least priority, you need to
specify the end option.
Syntax:
Standard Access List #>move-entry <entry_to_move> {<entry_destination> | end}
1 DENY SRC=0.0.0.0/0
2 PERMIT SRC=234.233.44.33/32
3 PERMIT SRC=192.23.0.22/255.255.0.255
2 PERMIT SRC=234.233.44.33/32
3 PERMIT SRC=192.23.0.22/255.255.0.255
1 DENY SRC=0.0.0.0/0
4.5. DESCRIPTION
Use this command to insert a textual description on an access list. This serves to better understand its
purpose or function later on.
Syntax:
Standard Access List #>description ?
<1..64 chars> Description text
Example:
Standard Access List 1>description “lista para ipsec”
Standard Access List 1>list all
4.6. NO
Use this command to disable functionalities or to set default values in some parameters.
Syntax:
Standard Access List #>no ?
entry Configure an entry for this access-list
description Configure a description for this access-list
a) NO ENTRY
Eliminates an entry from the Access Control List. To do this, enter the identifier from the list you
wish to eliminate.
Syntax:
Standard Access List #>no entry <id>
b) NO DESCRIPTION
Eliminates the textual description associated to the Access Control List.
Syntax:
Standard Access List #>no descripition
Example:
Standard Access List 1>no description
Standard Access List 1>
4.7. EXIT
Exits the Standard Access Control list configuration environment and returns to the main Access
Control menu prompt.
Syntax:
Standard Access List #>exit
Example:
Standard Access List 1>exit
Access Lists config>
Access this menu when you wish to edit an Access Control List whose identifier is within value range
100 and 1999 i.e. an Extended List
The new submenu prompt indicates that this is an Extended list and also its identifier.
Example:
Access Lists config>access-list 100
The Extended Access Control Lists submenu admits the following subcommands:
Command Function
? (help) Lists the available commands or their options.
entry Configures an entry for this access-list.
list Displays the access lists configuration.
move-entry Changes the order of the entries.
description Permits you to insert a textual description on an Access
Control List.
no Negates a command or sets its default value.
5.1. ? (HELP)
This command is used to list the valid commands at the level the router is programmed. You can also
use this command after a specific command to list the available options.
Syntax:
Extended Access List #>?
Example:
Extended Access List 100>?
entry Configure an entry for this access-list
list Display this access-list configuration
move-entry move an entry within an access-list
description Configure a description for this access-list
no Negates a command or sets its defaults
exit
Extended Access List 100>
5.2. ENTRY
Permits you to create and modify an entry or element in an Access Control List.
This command must always be introduced followed by the identifier of a sentence register number.
A new entry is created every time you introduce this command, followed by an identifier that is not in
the list. Introducing an already existing identifier means that the introduced parameter value will be
modified.
Example 1:
Extended Access List 100>entry 3 source port-range 2 4
Extended Access List 100>
This entry matches all TCP or UDP packets whose source port is between 2 and 4 (inclusive).
Example 2:
Extended Access List 100>entry 3 protocol icmp
Extended Access List 100>entry 3 source port-range 3 3
Extended Access List 100>
This entry matches all type 3 ICMP packets (destination unreachable), regardless of its code.
e) ENTRY <id> DESTINATION
Establishes the IP parameters sentence in the messages ‘destination’ addressing.
Syntax:
Extended Access List #>entry <id> destination <parameter> [options]
The following options can be introduced in the IP destination sentence:
Extended Access List #>entry <id> destination ?
address IP address and mask of the source subnet
port-range source port range
With the aim that the user understands the concepts regarding the wildcard configuration, the
positions of the mask bits whose values are 0 must also be 0 in the address. Contrariwise, the
device will give an error and suggest an address that adapts to the provided mask (that the user must
evaluate to see if it corresponds to the required configuration).
Consequently, for example, if you try to enter address 172.24.155.130 in the command with mask
255.255.254.255, the device gives an error as in the third octet in the mask (254), the last bit doesn’t
correspond with its equal in the address (155). In this case the device will suggest address
172.24.154.130.
In cases of configuring an IP address, you must introduce the IP address and the mask. In cases of
configuring an Interface, you must introduce its number.
Syntax:
a) IP Address
Extended Access List #>entry <id> destination address <address> <mask>
b) Interface
Extended Access List #>entry <id> destination address interface <interface>
Example:
a) IP Address
Extended Access List 100>entry 3 destination address 192.168.4.5 255.255.255.255
Extended Access List 100>
This entry matches all type 3 ICMP packets (destination unreachable), whose code is between 1 and 5
(inclusive).
f) ENTRY <id> PROTOCOL
Establishes the IP packet protocol sentence. This command must be followed by the protocol number
(value between 0 and 255) or name. If you specify IP protocol, any protocol is admitted.
This command permits or denies access to distinct protocols.
Syntax:
Extended Access List #>entry <id> protocol ?
<0..255> An IP protocol number
esp Encapsulation Security Payload
gre Generic Routing Encapsulation
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
Example:
Extended Access List 100>entry 3 protocol icmp
Extended Access List 100>
Syntax:
Extended Access List #>entry <id> tcp-specific established-state
Example:
The following configuration shows an access list where all the TCP sessions established in entry 1
match.
This identifies a specific connection, between a router’s local address and a remote (the rest of the
parameters are not considered). We will now define an entry in the Access Control List, using the
identifier for this connection ( 1 ) as a sentence:
Extended Access List 100>entry 10 connection 1
a) LIST ALL-ENTRIES
Displays all the Access Control List configurations entries i.e. the whole configuration.
Syntax:
Extended Access List #>list all-entries
Example:
Extended Access List 100>list all-entries
b) LIST ADDRESS-FILTER-ENTRIES
Displays the Access Control List configuration entries which contain a specific IP address.
Syntax:
Extended Access List #>list address-filter-entries <address> <subnet>
Example:
Extended Access List 100>list address-filter-entries 172.25.54.33 255.255.255.255
c) LIST ENTRY
Displays an Access Control List configuration entry, whose identifier is indicated after the command.
Syntax:
Extended Access List #>list entry <id>
Example:
Extended Access List 100>list entry 1
Example:
Extended Access List 100>list all-entries
5.5. DESCRIPTION
Use this command to insert a textual description on an access list. This serves to better understand its
purpose or function later on.
Syntax:
Extended Access List #>description ?
<1..64 chars> Description text
Example:
Extended Access List 1>description “lista para ipsec”
Extended Access List 1>list all
5.6. NO
This command is used to disable functionalities or to set the default values in some parameters.
Syntax:
Extended Access List #>no ?
entry Configure an entry for this access-list
a) NO ENTRY
Eliminates an entry from the Access Control List. You must enter the identifier from list you wish to
remove.
Syntax:
Extended Access List #>no entry <id>
Example:
Extended Access List 100>no entry 3
Extended Access List 100>
b) NO DESCRIPTION
Eliminates the textual description associated to the Access Control List.
Syntax:
Extended Access List #>no description
Example:
Extended Access List 100>no description
Extended Access List 100>
5.7. EXIT
Exits the configuration environment of a General Access Control list and returns to the main Access
Control menu prompt.
Syntax:
Standard Access List #>exit
Example:
Extended Access List 100>exit
Access Lists config>
Show Config is a configuration console tool (PROCESS 4), which permits you to list the commands
required to configure a router from an empty configuration (no conf).
The command can be used both to copy configurations as well as to list them or simply to view them.
The Show Config part of the configuration internally defined by default, generating the commands of
the configuration which differs from this one.
Show Config can incorporate comments, which are placed after a semi-colon (‘;’)
The command can be executed from any menu, displaying the configuration introduced in all the
submenus which hang off the current.
Example:
Access Lists config>show conf
; Showing Menu and Submenus Configuration ...
; C3G IPSec Router 1 29 Version 10.1.xPA
access-list 1
;
entry 1 default
entry 1 permit
entry 1 source address 192.60.1.24 255.255.255.255
;
entry 2 default
entry 2 permit
;
exit
;
access-list 100
;
entry 1 default
entry 1 permit
entry 1 source address 172.34.53.23 255.255.255.255
entry 1 protocol-range 10 255
;
entry 2 default
entry 2 deny
;
exit
;
Access Lists config>
Using the commands list obtained in show config, you can copy, edit and modify it so it can be used as
a basis for subsequent configurations.
The aim here is to create a new virtual private network (VPN) between Host A and Host B. The rest
of the traffic between the private networks will pass normally. We are going to create an IPSec
Tunnel between both Hosts.
To do this, we first need to create the Access Control List that the IPSec will use as a traffic filter.
This example only shows how to create the Access Lists configuration and the association of the IPSec
Tunnel to it.
HOST A HOST B
172.24.51.57 172.60.1.163
200.200.200.1 200.200.200.2
Public Network 1 Public Network Public Network 2
Router 1 Router 2
Config>feature access-lists
Using the SHOW CONFIG command, the configuration can be displayed and be used on another
occasion introducing it in the console as it appears below:
entry 1 default
entry 1 permit
entry 1 source address 172.24.51.57 255.255.255.255
entry 1 destination address 172.60.1.163 255.255.255.255
;
Extended Access List 101>
Config>feature access-lists
Using the SHOW CONFIG command, the configuration can be displayed and be used on another
occasion introducing it in the console as it appears below:
entry 1 default
entry 1 permit
entry 1 source address 172.60.1.163 255.255.255.255
entry 1 destination address 172.24.51.57 255.255.255.255
;
Extended Access List 101>
Using the SHOW CONFIG command, the configuration can be displayed and be used on another
occasion introducing it in the console as it appears below:
assign-access-list 101
;
template 2 default
template 2 manual esp des md5
;
map-template 101 2
IPSec config>
This section is dedicated to the commands permitting you to use the monitoring tools for the Access
Control Lists feature. To introduce these commands you need to access the Access Lists feature
monitoring prompt.
To access the Access Lists feature monitoring environment, introduce the FEATURE ACCESS
LISTS command at the general monitoring prompt (+).
Example:
+ feature access lists
-- Access Lists user console --
Access Lists>
The router has a cache which maintains all the last found addresses with the aim of minimizing the
search period within the Access Lists. The entries for each list which are introduced in the cache are
indicated in the lists.
The following commands are available within the Access Control List feature monitoring
environment:
Command Function
? (HELP) Lists the available commands or their options.
LIST Displays the access lists configuration.
CLEAR-CACHE Deletes all the entries in the Access Lists cache.
SET-CACHE-SIZE Configures the available number of cache entries.
SHOW-HANDLES Listing this presents the associated handles.
HIDE-HANDLES Listing this hides the associated handles.
1.1. ? (HELP)
This command is used to list the valid commands at the layer where the router is programmed. You
can also use this command after a specific command to list the available options.
Syntax:
Access Lists>?
Example:
Access Lists>?
LIST
CLEAR-CACHE
SET-CACHE-SIZE
SHOW-HANDLES
HIDE-HANDLES
EXIT
Access Lists>
a) LIST ALL
Displays all the entry configurations in the Access Control Lists i.e. all the configuration. The
configured entries are presented together with those that are in the cache. This command should be
followed by other commands in order to specify the information to be displayed in further detail.
Syntax:
Access Lists>list all ?
ALL-ACCESS-LISTS
ADDRESS-FILTER-ACCESS-LISTS
ACCESS-LIST
1 DENY SRC=192.23.0.22/255.255.0.255
Hits: 0
Access Lists>
Access Lists>
b) LIST CACHE
Displays all the configured Access Control Lists and within each displays entries in the cache. This
command should be followed by other commands in order to specify the information to be displayed
in further detail. Only information on the entries in the cache is presented through this command.
Syntax:
Access Lists>list cache ?
ALL-ACCESS-LISTS
ADDRESS-FILTER-ACCESS-LISTS
ACCESS-LIST
Access Lists>
Access Lists>
Access Lists>
c) LIST ENTRIES
Displays Access Control Lists entries which are in the active configuration. This command should be
followed by other commands in order to specify the information to be displayed in further detail. This
command does not present information on the entries in the cache.
Syntax:
Access Lists>list entries ?
ALL-ACCESS-LISTS
ADDRESS-FILTER-ACCESS-LISTS
ACCESS-LIST
1 DENY SRC=192.23.0.22/255.255.0.255
Hits: 0
Access Lists>
Access Lists>
1.3. CLEAR-CACHE
Eliminates all the entries for a specific Access Control List from the cache processing the Access
Control Lists.
Access Lists>
1.4. SET-CACHE-SIZE
Permits you to configure the cache size for an Access Control List. The number of entries the cache
permits defines the size.
Syntax:
Access Lists>set-cache-size <id> <size>
Example:
Access Lists>set-cache-size 100 33
Cache cleared.
Access Lists>
1.5. SHOW-HANDLES
On introducing this command, among the data presented using the LIST command, information
appears to debug in each entry.
1.6. HIDE-HANDLES
On introducing this command, among the data presented using the LIST command, this disables the
command to display information to debug in each entry.
In the TCP and UDP transport layer protocols, widely used over IP version 4 (IPv4) [RFC791], there
is a field known as “port”. This field is made up of 16 bits.
The ports are used by TCP to name the logical connection ends where conversations are maintained.
With the aim of providing services to unknown callers, a contact port is defined for the said service.
There is a list which assigns port numbers which are predetermined for specific services.
For possible expansions, this same port assignation is used with UDP.
The port numbers are divided into three ranges:
- Reserved (0-1023)
- Registered (1024-49151)
- Dynamic or private (49152-65535)
The following list shows some of the most used Reserved Ports:
In IP version 4 (Ipv4) [RFC791], you’ll find a field titled protocol. This identifies the next protocol
layer. The protocol field consists of 8 bits. In IP version 6 (Ipv6) [RFC1883], this field is known as
“Next Header”.
Internet Protocols number assigning: