Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4
IP Access List Features Roadmap
Downloads: This chapterpdf (PDF - 90.0KB) The complete bookPDF (PDF - 3.31MB) | Feedback

IP Access List Features Roadmap

Table Of Contents

IP Access List Features Roadmap


IP Access List Features Roadmap


First Published: August 18, 2006
Last Updated: August 18, 2006

This roadmap lists the access list features documented in the Cisco IOS Security Configuration Guide and maps them to the modules in which they appear.

Feature and Release Support

Table 1 lists access list feature support for the Cisco IOS software releases 12.2S, 12.3T, and 12.4T.

Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table. Not all features may be supported in your Cisco IOS software release.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1 Supported Access List Features 

Release
Feature Name
Feature Description
Where Documented
Cisco IOS Releases 12.2S, 12.3T, and 12.4T

12.3(4)T
12.2(25)S

ACL Support for Filtering IP Options

This feature allows you to filter packets having IP Options, in order to prevent routers from becoming saturated with spurious packets.

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values

12.3(4)T
12.2(25)S

ACL TCP Flags Filtering

This feature provides a flexible mechanism for filtering on TCP flags. Before Cisco IOS Release 12.3(4)T, an incoming packet was matched as long as any TCP flag in the packet matched a flag specified in the access control entry (ACE). This behavior allows for a security loophole, because packets with all flags set could get past the access control list (ACL). The ACL TCP Flags Filtering feature allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values

12.3(7)T
12.2(25)S

ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry

This feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports.

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values

12.4(2)T

ACL Support for Filtering on TTL Value

You may use extended IP access lists (named or numbered) to filter packets based on their time-to-live (TTL) value, from 0 to 255. This filtering enhances your control over which packets reach a router.

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values

12.4(6)T

ACL Manageability

The ACL Manageability feature enables users to display and clear Access Control Entry (ACE) statistics per interface and per incoming or outgoing traffic direction for access control lists (ACLs).

Displaying and Clearing IP Access List Data Using ACL Manageability