Application Control Engine Module Command Reference (Software Version A2(1.0))
Configuration Mode Commands

Table Of Contents

Configuration Mode Commands

(config) aaa accounting default

(config) aaa authentication login

(config) aaa group server

(config) access-group

(config) access-list ethertype

(config) access-list extended

(config) access-list remark

(config) access-list resequence

(config) action-list type modify http

(config) arp

(config) banner

(config) boot system image:

(config) class-map

(config) clock timezone

(config) clock summer-time

(config) config-register

(config) context

(config) crypto authgroup

(config) crypto chaingroup

(config) crypto crl

(config) crypto csr-params

(config) domain

(config) end

(config) exit

(config) ft auto-sync

(config) ft group

(config) ft interface vlan

(config) ft peer

(config) ft track host

(config) ft track hsrp

(config) ft track interface

(config) hostname

(config) hw-module

(config) interface

(config) ip dhcp relay

(config) ip domain-list

(config) ip domain-lookup

(config) ip domain-name

(config) ip name-server

(config) ip route

(config) kalap udp

(config) ldap-server host

(config) ldap-server port

(config) ldap-server timeout

(config) line console

(config) line vty

(config) login timeout

(config) logging buffered

(config) logging console

(config) logging device-id

(config) logging enable

(config) logging facility

(config) logging fastpath

(config) logging history

(config) logging host

(config) logging message

(config) logging monitor

(config) logging persistent

(config) logging queue

(config) logging rate-limit

(config) logging reject-newconn

(config) logging standby

(config) logging supervisor

(config) logging timestamp

(config) logging trap

(config) object-group

(config) parameter-map type

(config) peer hostname

(config) peer shared-vlan-hostid

(config) policy-map

(config) probe

(config) radius-server attribute nas-ipaddr

(config) radius-server deadtime

(config) radius-server host

(config) radius-server key

(config) radius-server retransmit

(config) radius-server timeout

(config) resource-class

(config) role

(config) rserver

(config) script file

(config) serverfarm

(config) service-policy

(config) shared-vlan-hostid

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server engineid

(config) snmp-server host

(config) snmp-server location

(config) snmp-server trap link ietf

(config) snmp-server trap-source vlan

(config) snmp-server user

(config) ssh key

(config) ssh maxsessions

(config) ssl-proxy service

(config) static

(config) sticky http-content

(config) sticky http-cookie

(config) sticky http-header

(config) sticky ip-netmask

(config) sticky layer4-payload

(config) sticky radius framed-ip

(config) sticky rtsp-header

(config) sticky sip-header

(config) tacacs-server deadtime

(config) tacacs-server host

(config) tacacs-server key

(config) tacacs-server timeout

(config) telnet maxsessions

(config) timeout xlate

(config) udp

(config) username


Configuration Mode Commands

Configuration mode commands allow you to configure global ACE parameters that affect the following contexts:

All contexts, when configured in the Admin context

A single user context, when configured in that context

Configuration mode also allows you to access all the ACE subordinate configuration modes. These modes provide parameters to configure the major features of the ACE, including access control lists (ACLs), application protocol inspection, fragmentation and reassembly, interfaces, Network Address Translation (NAT), persistence (stickiness), protocols, redundancy, routing, scripts, Secure Sockets Layer (SSL), server load balancing (SLB), TCP/IP normalization, users, and virtualization.

To access configuration mode, use the config command. The CLI prompt changes to (config).

See the individual command descriptions of all the configuration mode commands on the following pages.

Command Modes

Exec mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires one or more features assigned to your user role that allow configuration, such as AAA, interface, or fault-tolerant. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To access configuration mode, enter:

host1/Admin# config 
host1/Admin(config)#

Related Commands

show running-config
show startup-config

(config) aaa accounting default

To configure the default accounting method, use the aaa accounting default command. You specify either a previously created AAA server group that identifies separate groups of Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) servers or the local database on the ACE. Use the no form of this command to remove the accounting method.

aaa accounting default {group group_name} {local} {none}

no aaa accounting default {group group_name} {local} {none}

Syntax Description

group group_name

Associates the accounting method with a TACACS+ or RADIUS server defined previously through the aaa group server command. The server group name is a maximum of 64 alphanumeric characters.

local

Specifies to use the local database on the ACE as the accounting method.

none

Specifies that the ACE does not perform password verification. If you configure this option, users can log in without providing a valid password.

Note Only users with an Admin role can configure the none keyword.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Examples

To enable user accounting to be performed using remote TACACS+ servers, followed by local login as the fallback method, enter:

host1/Admin(config)# aaa accounting default group TacServer local

Related Commands

show aaa

show accounting log

(config) aaa authentication login

(config) aaa group server

(config) aaa authentication login

To configure the authentication method used for login to the ACE CLI, use the aaa authentication login command. Use the no form of this command to disable the authentication method.

aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable

no aaa authentication login {{console | default} {{group group_name} {local} {none}}} | error-enable

Syntax Description

console

Specifies the console port login authentication method, identified by the specified server group.

default

Specifies the default login authentication method (Telnet or Secure Shell [SSH] login) that is identified by the specified server group.

group group_name

Associates the login authentication process with a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server defined through the aaa group server command. The server group name is a maximum of 64 alphanumeric characters.

local

Specifies to use the local database on the ACE as the login authentication method. If the server does not respond, then the local database is used as the fallback authentication method.

none

Specifies that the ACE does not perform password verification. If you configure this option, users can log in to the ACE without providing a valid password.

Note Only users with an Admin role can configure the none keyword.

error-enable

Enables the display of the login error message when the remote AAA servers fail to respond.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Use the error-enable option cautiously. If you specify none, any user will be able to access the ACE at any time.

To view the current display status, use the show aaa authentication login error-enable command. When a user attempts to log in and the remote AAA servers do not respond to the authentication request, the ACE processes the login sequence by switching to the local user database.

Examples

To enable console authentication using the TACSERVER server group, followed by local login as the fallback method, enter:

host1/Admin(config)# aaa authentication login console group TACSERVER local

Password verification remains enabled for login authentication.

To turn off password validation, enter:

host1/Admin(config)# aaa authentication login console group TACSERVER local none

Related Commands

show aaa

(config) aaa accounting default

(config) aaa group server

(config) aaa group server

To configure independent server groups of Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) servers, use the aaa group server command. Use the no form of this command to remove a server group.

aaa group server {ldap | radius | tacacs+} group_name

no aaa group server {ldap | radius | tacacs+} group_name

Syntax Description

ldap

Specifies an LDAP directory server group. For information about the commands in the LDAP server configuration mode, see the "LDAP Configuration Mode Commands" section.

radius

Specifies a RADIUS server group. For information about the commands in the RADIUS server configuration mode, see the "RADIUS Configuration Mode Commands" section.

tacacs+

Specifies a TACACS+ server group. For information about the commands in the TACACS+ server configuration mode, see the "TACACS+ Configuration Mode Commands" section.

group_name

Name for the LDAP, RADIUS, or TACACS+ server group. The server group name is a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

A server group is a list of server hosts of a particular type. The ACE allows you to configure multiple TACACS+, RADIUS, and LDAP servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 10 server groups for each context in the ACE.

You can configure server groups at any time, but they take effect only when you apply them to the AAA service using the aaa authentication login or the aaa accounting default commands.

To create a AAA server group and access one of the three AAA server group configuration modes, enter the aaa group server ldap, aaa group server radius, or aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-ldap), (config-radius), or (config-tacacs+). In this mode, you specify the IP address of one or more previously configured servers that you want added to or removed from the server group.

Examples

To create a RADIUS server group and add a previously configured RADIUS server, enter:

host1/Admin(config)# aaa group server radius RAD_Server_Group1
host1/Admin(config-radius)# server 192.168.252.1
host1/Admin(config-radius)# server 192.168.252.2
host1/Admin(config-radius)# server 192.168.252.3
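The login method-list behaviour described under aaa authentication login (a server group is searched in configuration order, local is consulted only when no server responds, and none performs no password verification) and the server-search order described above for aaa group server, as one small Python model. This is an added illustration, not ACE code: the ServerGroup, login and build_scenario names, the constructed server addresses 192.168.252.1 and 192.168.252.2, the user names and passwords, the rule that only a non-response (never an explicit reject) falls through to the next method, and the treatment of an unknown local user as letting the next method run are all assumptions made here for illustration.

```python
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"

# Constructed stand-in for the network: server IP -> handler(user, password) -> result.
# A handler raises TimeoutError to model a server that does not respond.
Method = Callable[[str, str], str]


class ServerGroup:
    """A named group of AAA servers (aaa group server), searched in the configured order."""

    def __init__(self, name: str, servers: List[str], transport: Dict[str, Method]):
        self.name, self.servers, self.transport = name, servers, transport
        self.last_server = None        # which server produced the last decision

    def __call__(self, user: str, password: str) -> str:
        for ip in self.servers:
            try:
                result = self.transport[ip](user, password)
            except TimeoutError:
                continue               # no reply from this server: try the next one
            self.last_server = ip      # the first server that answers decides
            return result
        self.last_server = None
        return UNAVAILABLE             # every server in the group timed out


def local_method(local_db: Dict[str, str]) -> Method:
    """'local': check the ACE's own user database."""
    def check(user: str, password: str) -> str:
        if user not in local_db:
            return UNAVAILABLE         # assumption: an unknown local user lets the next method run
        return ACCEPT if local_db[user] == password else REJECT
    return check


def none_method(user: str, password: str) -> str:
    """'none': no password verification at all, so every login attempt is accepted."""
    return ACCEPT


def login(methods: List[Tuple[str, Method]], user: str, password: str):
    """Evaluate 'aaa authentication login ... <method> <method> ...' from left to right.

    Only UNAVAILABLE (no answer) falls through to the next method; an explicit
    REJECT from a reachable server or the local database ends the attempt.
    Returns (result, name of the method that decided).
    """
    for name, method in methods:
        result = method(user, password)
        if result != UNAVAILABLE:
            return result, name
    return REJECT, None


def build_scenario(down=()):
    """Constructed lab scenario: a two-server TACACS+ group and a one-user local database."""
    def server(ip: str) -> Method:
        def handle(user: str, password: str) -> str:
            if ip in down:
                raise TimeoutError     # this server is unreachable
            return ACCEPT if (user, password) == ("alice", "tac-pw") else REJECT
        return handle
    ips = ["192.168.252.1", "192.168.252.2"]
    group = ServerGroup("TACSERVER", ips, {ip: server(ip) for ip in ips})
    return group, local_method({"admin": "local-pw"})


if __name__ == "__main__":
    group, local = build_scenario(down={"192.168.252.1", "192.168.252.2"})
    # aaa authentication login default group TACSERVER local
    print(login([("group TACSERVER", group), ("local", local)], "admin", "local-pw"))
    # aaa authentication login default group TACSERVER local none
    print(login([("group TACSERVER", group), ("local", local), ("none", none_method)], "unknown", "x"))
```

Running the two calls at the bottom shows the practical difference: with both TACACS+ servers unreachable the first list falls back to the local database and an unknown user is rejected, while appending none to the same list accepts that user with no password check at all, which is why the reference restricts the none keyword to the Admin role.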

Related Commands

show aaa

show running-config

(config) aaa accounting default

(config) aaa authentication login

(config) access-group

To apply an access control list (ACL) to the inbound direction on all VLAN interfaces in a context and make the ACL active, use the access-group command. Use the no form of this command to remove an ACL from all interfaces in a context.

access-group input acl_name

no access-group input acl_name

Syntax Description

input

Specifies the inbound direction of all interfaces in a context on which you want to apply the ACL

acl_name

Identifier of an existing ACL that you want to apply to an interface


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You must apply an ACL to an interface to allow the passing of traffic on that interface. This command enables you to apply an ACL to all interfaces in a context in the inbound direction only and to allow traffic on all interfaces simultaneously. The following considerations apply:

You can use the access-group command in configuration mode only if there are no interfaces in the context to which you have applied an ACL previously using the (config-if) access-group command in interface configuration mode.

If you have applied an ACL globally to all interfaces in a context, you cannot apply an ACL to an individual interface using the (config-if) access-group command in interface configuration mode.

You can apply one Layer 2 ACL and one Layer 3 ACL globally to all interfaces in a context.

You can apply both a Layer 3 and a Layer 2 ACL to all Layer 2 bridge-group virtual interfaces (BVIs) in a context.

You can apply only a Layer 3 ACL to all Layer 3 virtual LANs (VLANs) in a context.

For complete details on ACLs, see the Cisco Application Control Engine Module Security Configuration Guide.

Examples

To apply an ACL named INBOUND to the inbound direction of all interfaces in the Admin context, enter:

host1/Admin(config)# access-group input INBOUND

To remove an ACL from all interfaces in the Admin context, enter:

host1/Admin(config)# no access-group input INBOUND

Related Commands

(config-if) access-group

show access-list

(config) access-list ethertype

To configure an EtherType access control list (ACL), use the access-list ethertype command. Use the no form of this command to remove the ACL from the configuration.

access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}

no access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.

ethertype

Specifies a subprotocol of type: any, bpdu, ipv6, or mpls.

deny

Blocks connections on the assigned interface.

permit

Allows connections on the assigned interface.

any

Specifies any EtherType.

bpdu

Specifies bridge protocol data units.

ipv6

Specifies Internet Protocol version 6.

mpls

Specifies Multiprotocol Label Switching.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

You can configure an ACL that controls traffic based on its EtherType. An EtherType is a subprotocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field instead of a type field. Bridge protocol data units (BPDUs) are exceptions because they are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.

You can configure an EtherType ACL only on a Layer 2 interface in the inbound direction.

When you specify the mpls keyword in an EtherType ACL, the ACE denies or permits both MPLS-unicast and MPLS-multicast traffic.

Examples

To configure an ACL that controls traffic based on its EtherType, enter:

host1/Admin(config)# access-list INBOUND ethertype permit mpls

Related Commands

clear access-list

show access-list

(config) access-list extended

To create an extended ACL, use the access-list extended command. The two major types of extended ACLs are as follows:

Non-ICMP ACLs

ICMP ACLs

Use the no form of this command to delete the ACL.

For a Non-ICMP extended ACL, the syntax is as follows:

access-list name [line number] extended {deny | permit}
  {protocol {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} [operator port1 [port2]] {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [operator port3 [port4]]}
  | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}

no access-list name [line number] extended {deny | permit}
  {protocol {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} [operator port1 [port2]] {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [operator port3 [port4]]}
  | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}

For an ICMP-extended ACL, the syntax is as follows:

access-list name [line number] extended {deny | permit}
  {icmp {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
  | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}

no access-list name [line number] extended {deny | permit}
  {icmp {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} [icmp_type [code operator code1 [code2]]]}
  | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.

line number

(Optional) Specifies the line number position where you want the entry that you are configuring to appear in the ACL. The position of an entry affects the lookup order of the entries in an ACL. If you do not configure the line number of an entry, the ACE applies a default increment and a line number to the entry and appends it at the end of the ACL.

extended

Specifies an extended ACL. Extended ACLs allow you to specify the destination IP address and subnet mask and other parameters not available with a standard ACL.

deny

Blocks connections on the assigned interface.

permit

Allows connections on the assigned interface.

protocol

Name or number of an IP protocol. Enter a protocol name or an integer from 0 to 255 that represents an IP protocol number from the following:

ah—(51) Authentication Header

eigrp—(88) Enhanced IGRP

esp—(50) Encapsulated Security Payload

gre—(47) Generic Routing Encapsulation

icmp—(1) Internet Control Message Protocol (See Table 2-1 for optional ICMP messaging types)

igmp—(2) Internet Group Management Protocol

ip—(0) Internet Protocol

ip-in-ip—(4) IP-in-IP Layer 3 tunneling protocol

ospf—(89) Open Shortest Path First

pim—(103) Protocol Independent Multicast

tcp—(6) Transmission Control Protocol

tcp-udp—(6 and 17) Transmission Control Protocol and User Datagram Protocol

udp—(17) User Datagram Protocol

any

Specifies the network traffic from any source.

host src_ip_address

Specifies the IP address of the host from which network traffic originates. Use this keyword and argument to specify the network traffic from a single IP address.

src_ip_address netmask

Traffic from a source defined by the IP address and the network mask. Use these arguments to specify the network traffic from a range of source IP addresses.

object-group network_obj_grp_name

Specifies the identifier of an existing source network object group. To use object groups in an ACL, replace the normal network (source_address, mask, and so on), service (protocol operator port) or ICMP type (icmp_type) arguments with an object-group name.

operator

(Optional) Operand used to compare source and destination port numbers for TCP, TCP-UDP, and UDP protocols. The operators are as follows:

eq—Equal to.

gt—Greater than.

lt—Less than.

neq—Not equal to.

range—An inclusive range of port values. If you entered the range operator, enter a second port number value to define the upper limit of the range.

port1 [port2]

TCP or UDP source port name or number from which you permit or deny services access. Enter an integer from 0 to 65535. To enter an inclusive range of ports, enter two port numbers. Port2 must be greater than or equal to port1. See Table 2-2 for a list of well-known TCP port names and numbers and Table 2-3 for a list of well-known UDP port names and numbers.

dest_ip_address netmask

Specifies the IP address of the network or host to which the packet is being sent and the network mask bits that are to be applied to the destination IP address. Use these arguments to specify a range of destination IP addresses.

any

Specifies the network traffic going to any destination.

host destination_address

Specifies the IP address and subnet mask of the destination of the packets in a flow. Use this keyword and argument to specify the network traffic destined to a single IP address.

operator

(Optional) Operand used to compare source and destination port numbers for TCP, TCP-UDP, and UDP protocols. The operators are as follows:

lt—Less than.

gt—Greater than.

eq—Equal to.

neq—Not equal to.

range—An inclusive range of port values. If you enter this operator, enter a second port number value to define the upper limit of the range.

port3 [port4]

TCP or UDP destination port name or number to which you permit or deny access to services. To enter an optional inclusive range of ports, enter two port numbers. Port4 must be greater than or equal to port3. See Table 2-2 for a list of well-known ports.

icmp_type

(Optional) Type of ICMP messaging. Enter either an integer that corresponds to the ICMP code number or one of the ICMP types as described in Table 2-1.

code

(Optional) Specifies that a numeric operator and ICMP code follows.

operator

An operator that the ACE applies to the ICMP code number that follows. Enter one of the following operators:

lt—Less than.

gt—Greater than.

eq—Equal to.

neq—Not equal to.

range—An inclusive range of ICMP code values. When you use this operator, specify two code numbers to define the range.

code1, code2

ICMP code number that corresponds to an ICMP type. See Table 2-2. If you entered the range operator, enter a second ICMP code value to define the upper limit of the range.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release        Modification
3.0(0)A1(2)    This command was introduced.
A2(1.0)        This command was revised with the object-group keyword and associated keywords and arguments.


Usage Guidelines

This command requires the access-list feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination addresses as "any" and do not specify ports in an extended ACL.

For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.

You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs only in the inbound direction and only on Layer 2 interfaces.

If you create an ICMP extended ACL, you can optionally specify the type of ICMP messaging. Enter either an integer that corresponds to the ICMP code number or one of the ICMP messaging types as described in Table 2-1.

Table 2-1 ICMP Types

ICMP Code Number    ICMP Type
0                   echo-reply
3                   unreachable
4                   source-quench
5                   redirect
6                   alternate-address
8                   echo
9                   router-advertisement
10                  router-solicitation
11                  time-exceeded
12                  parameter-problem
13                  timestamp-request
14                  timestamp-reply
15                  information-request
16                  information-reply
17                  mask-request
18                  mask-reply
30                  traceroute
31                  conversion-error
32                  mobile-redirect


Table 2-2 Well-Known TCP Port Numbers and Key Words

Keyword             Port Number    Description
aol                 5190           America-Online
bgp                 179            Border Gateway Protocol
chargen             19             Character Generator
citrix-ica          1494           Citrix Independent Computing Architecture protocol
cmd                 514            Same as exec, with automatic authentication
ctiqbe              2748           Computer Telephony Interface Quick Buffer Encoding
daytime             13             Daytime
discard             9              Discard
domain              53             Domain Name System
echo                7              Echo
exec                512            Exec (RSH)
finger              79             Finger
ftp                 21             File Transfer Protocol
ftp-data            20             FTP data connections
gopher              70             Gopher
hostname            101            NIC hostname server
http                80             Hyper Text Transfer Protocol
https               443            HTTP over TLS/SSL
ident               113            Ident Protocol
imap4               143            Internet Message Access Protocol, version 4
irc                 194            Internet Relay Chat
kerberos            88             Kerberos
klogin              543            Kerberos Login
kshell              544            Kerberos Shell
ldap                389            Lightweight Directory Access Protocol
ldaps               636            LDAP over TLS/SSL
login               513            Login (rlogin)
lotusnotes          1352           IBM Lotus Notes
lpd                 515            Printer Service
matip-a             350            Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn         139            NetBIOS Session Service
nntp                119            Network News Transport Protocol
pcanywhere-data     5631           PC Anywhere data
pim-auto-rp         496            PIM Auto-RP
pop2                109            Post Office Protocol v2
pop3                110            Post Office Protocol v3
pptp                1723           Point-to-Point Tunneling Protocol, RFC 2637
rtsp                554            Real Time Streaming Protocol
sip                 5060           Session Initiation Protocol
skinny              2000           Cisco Skinny Client Control Protocol (SCCP)
smtp                25             Simple Mail Transfer Protocol
sqlnet              1521           Structured Query Language Network
ssh                 22             Secure Shell
sunrpc              111            Sun Remote Procedure Call
tacacs              49             Terminal Access Controller Access Control System
talk                517            Talk
telnet              23             Telnet
time                37             Time
uucp                540            UNIX-to-UNIX Copy Program
whois               43             Nicname
www                 80             World Wide Web (HTTP)


Table 2-3 Well-Known UDP Key Words and Port Numbers

Keyword             Port Number    Description
biff                512            Mail notification
bootpc              68             Bootstrap Protocol client
bootps              67             Bootstrap Protocol server
discard             9              Discard
dnsix               195            DNSIX Security protocol auditing (dn6-nlm-aud)
domain              53             Domain Name System
echo                7              Echo
isakmp              500            Internet Security Association Key Management Protocol
kerberos            88             Kerberos
mobile-ip           434            Mobile IP registration
nameserver          42             Host Name Server
netbios-dgm         138            NetBIOS datagram service
netbios-ns          137            NetBIOS name service
netbios-ssn         139            NetBIOS Session Service
ntp                 123            Network Time Protocol
pcanywhere-status   5632           PC Anywhere status
radius              1812           Remote Authentication Dial-in User Service
radius-acct         1813           RADIUS Accounting
rip                 520            Routing Information Protocol
snmp                161            Simple Network Management Protocol
snmptrap            162            SNMP Traps
sunrpc              111            Sun Remote Procedure Call
syslog              514            System Logger
tacacs              49             Terminal Access Controller Access Control System
talk                517            Talk
tftp                69             Trivial File Transfer Protocol
time                37             Time
who                 513            Who service (rwho)
wsp                 9200           Connectionless Wireless Session Protocol
wsp-wtls            9202           Secure Connectionless WSP
wsp-wtp             9201           Connection-based WSP
wsp-wtp-wtls        9203           Secure Connection-based WSP
xdmcp               177            X Display Manager Control Protocol


Examples

To configure a TCP extended ACL, enter:

host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000

To remove an entry from an extended ACL, enter:

host1/Admin(config)# no access-list INBOUND line 10

To allow an external host with IP address 192.168.12.5 to be able to ping a host behind the ACE with an IP address of 10.0.0.5, enter:

host1/Admin(config)# access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo code eq 0

To remove an entry from an ICMP ACL, enter:

host1/Admin(config)# no access-list INBOUND extended permit icmp host 192.168.12.5 echo

To use object groups for all available parameters, enter:

ISM/Admin(config)# access-list acl_name extended {deny | permit} object-group service_grp_name object-group network_grp_name object-group network_grp_name
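The lookup-order, address, port-operator and ICMP-type semantics described for extended ACLs, as an added Python model that parses the two example entries above and evaluates packets against them. This is an illustration, not ACE code: the AccessList, Packet and Entry names are assumptions, as are the default line-number increment of 10 (the page says only that a default increment is applied), the implicit deny when no entry matches, and the treatment of the ip and tcp-udp protocol keywords as matching any IP protocol or either TCP or UDP. Only a subset of the keywords from Tables 2-1 and 2-2 is included, and object-group operands are not modelled.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Subsets of the keyword tables in this section (Tables 2-1 and 2-2).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "http": 80, "www": 80, "https": 443, "ntp": 123, "snmp": 161}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
OPERATORS = {"eq", "gt", "lt", "neq", "range"}
DEFAULT_INCREMENT = 10   # assumed auto-numbering step; the page does not state the value
NoOp = (None, 0, 0)      # "no operator": any port / any ICMP code

Entry = namedtuple("Entry", "line action proto src dst sport dport icmp_type icmp_code")


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


def _num(token, names):
    return names[token] if token in names else int(token)


def _op_matches(spec, value):
    op, lo, hi = spec
    return (op is None or (op == "eq" and value == lo) or (op == "gt" and value > lo)
            or (op == "lt" and value < lo) or (op == "neq" and value != lo)
            or (op == "range" and lo <= value <= hi))


def _proto_matches(entry_proto, pkt_proto):
    # Assumed: 'ip' matches any IP protocol and 'tcp-udp' matches either TCP or UDP.
    return (entry_proto == pkt_proto or entry_proto == "ip"
            or (entry_proto == "tcp-udp" and pkt_proto in ("tcp", "udp")))


def _parse_addr(tok, i):
    """any | host A.B.C.D | A.B.C.D NETMASK -> (network, next_index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_op(tok, i, names):
    """Optional 'operator value [value2]' clause -> ((op, low, high), next_index)."""
    if i >= len(tok) or tok[i] not in OPERATORS:
        return NoOp, i
    op, lo = tok[i], _num(tok[i + 1], names)
    hi = _num(tok[i + 2], names) if op == "range" else lo   # range needs an upper limit
    return (op, lo, hi), (i + 3 if op == "range" else i + 2)


class AccessList:
    def __init__(self, name):
        self.name = name
        self.entries = {}          # line number -> Entry

    def add(self, command):
        """Parse one 'access-list NAME [line N] extended ...' command; returns its line number."""
        tok = command.split()
        if tok[:2] != ["access-list", self.name]:
            raise ValueError("not an entry for ACL " + self.name)
        i, line = 2, None
        if tok[i] == "line":
            line, i = int(tok[i + 1]), i + 2
        if tok[i] != "extended":
            raise ValueError("only extended ACLs are modelled")
        action, proto, i = tok[i + 1], tok[i + 2], i + 3
        src, i = _parse_addr(tok, i)
        sport, i = _parse_op(tok, i, PORT_NAMES) if proto != "icmp" else (NoOp, i)
        dst, i = _parse_addr(tok, i)
        dport, icmp_type, icmp_code = NoOp, None, NoOp
        if proto == "icmp":        # [icmp_type [code operator code1 [code2]]]
            if i < len(tok) and tok[i] != "code":
                icmp_type, i = _num(tok[i], ICMP_TYPES), i + 1
            if i < len(tok) and tok[i] == "code":
                icmp_code, i = _parse_op(tok, i + 1, {})
        else:                      # [operator port3 [port4]]
            dport, i = _parse_op(tok, i, PORT_NAMES)
        if line is None:           # no line given: append after the highest existing line
            line = max(self.entries, default=0) + DEFAULT_INCREMENT
        self.entries[line] = Entry(line, action, proto, src, dst, sport, dport, icmp_type, icmp_code)
        return line

    def remove(self, line):
        """Equivalent of 'no access-list NAME line N'."""
        del self.entries[line]

    def evaluate(self, pkt):
        """First matching entry in line-number order wins; no match is an implicit deny (assumed)."""
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for line in sorted(self.entries):
            e = self.entries[line]
            if not (_proto_matches(e.proto, pkt.proto) and s in e.src and d in e.dst):
                continue
            if e.proto == "icmp":
                if e.icmp_type is not None and pkt.icmp_type != e.icmp_type:
                    continue
                if not _op_matches(e.icmp_code, pkt.icmp_code):
                    continue
            elif not (_op_matches(e.sport, pkt.sport) and _op_matches(e.dport, pkt.dport)):
                continue
            return e.action, line
        return "deny", None
```

Feeding the TCP and ICMP entries from the examples above into AccessList("INBOUND") and then adding a deny entry at line 5 shows why the line number matters: the later-added but lower-numbered entry is consulted first and overrides the permit at line 10 for the hosts it covers, and removing line 5 restores the original result.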

Related Commands

clear access-list

show access-list

(config) access-list remark

You can add comments about an access control list (ACL) to clarify the function of the ACL. To add a comment to an ACL, use the access-list remark command. You can enter only one comment per ACL and the comment appears at the top of the ACL. Use the no form of this command to remove an ACL remark.

access-list name remark text

no access-list name remark text

Syntax Description

name

Unique identifier of the ACL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.

remark text

Specifies any comments that you want to include about the ACL. Comments appear at the top of the ACL. Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.