Table Of Contents
IP Addressing and Services Commands
access-class
access-list (IP extended)
access-list (IP standard)
access-list compiled
access-list remark
accounting (DHCP)
advertise
agent
arp (global)
arp (interface)
arp timeout
bindid
bootfile
clear access-list counters
clear arp interface
clear arp-cache
clear host
clear ip accounting
clear ip dhcp binding
clear ip dhcp conflict
clear ip dhcp server statistics
clear ip dhcp subnet
clear ip drp
clear ip nat translation
clear ip nhrp
clear ip route dhcp
clear ip route
clear ip slb
clear ip snat sessions
clear ip snat translation distributed
clear ip snat translation peer
clear ip wccp
clear tcp statistics
clear time-range ipc
client
client-identifier
client-name
crypto ipsec
IP Addressing and Services Commands
access-class
To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.
access-class access-list-number {in [vrf-also] | out}
no access-class access-list-number {in | out}
Syntax Description
access-list-number
|
Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
|
in
|
Restricts incoming connections between a particular Cisco device and the addresses in the access list.
|
vrf-also
|
Accepts incoming connections from interfaces that belong to a VRF.
|
out
|
Restricts outgoing connections between a particular Cisco device and the addresses in the access list.
|
Defaults
No access lists are defined.
Command Modes
Line configuration
Command History
Release
|
Modification
|
10.0
|
This command was introduced.
|
12.2
|
The vrf-also keyword was added.
|
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.
Examples
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255
The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255
Related Commands
Command
|
Description
|
show line
|
Displays the parameters of a terminal line.
|
access-list (IP extended)
To define an extended IP access list, use the extended version of the access-list command in global configuration mode. To remove the access lists, use the no form of this command.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log | log-input] [time-range time-range-name] [fragments]
no access-list access-list-number
Internet Control Message Protocol (ICMP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log | log-input] [time-range
time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]
[fragments]
Transmission Control Protocol (TCP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
tcp source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [established] [precedence precedence] [tos tos] [log | log-input]
[time-range time-range-name] [fragments]
User Datagram Protocol (UDP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
udp source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range
time-range-name] [fragments]
Syntax Description
access-list-number
|
Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
|
dynamic dynamic-name
|
(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
|
timeout minutes
|
(Optional) Specifies the absolute length of time, in minutes, that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
|
deny
|
Denies access if the conditions are matched.
|
permit
|
Permits access if the conditions are matched.
|
protocol
|
Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword. Some protocols allow further qualifiers described below.
|
source
|
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part dotted decimal format.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
|
source-wildcard
|
Wildcard bits to be applied to source. Each wildcard bit 0 indicates the corresponding bit position in the source. Each wildcard bit set to 1 indicates that both a 0 bit and a 1 bit in the corresponding position of the IP address of the packet will be considered a match to this access list entry.
There are three alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part dotted decimal format. Place 1s in the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
Wildcard bits set to 1 need not be contiguous in the source wildcard. For example, a source wildcard of 0.255.0.64 would be valid.
|
destination
|
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part dotted decimal format.
• Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
destination-wildcard
|
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part dotted decimal format. Place 1s in the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
precedence precedence
|
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."
|
tos tos
|
(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."
|
log
|
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
The logging facility may drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
|
log-input
|
(Optional) Includes the input interface and source MAC address or VC in the logging output.
|
time-range time-range-name
|
(Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.
|
icmp-type
|
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
|
icmp-code
|
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
|
icmp-message
|
(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."
|
igmp-type
|
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."
|
operator
|
(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port.
If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
|
port
|
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
|
established
|
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
|
fragments
|
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
|
Defaults
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Command Modes
Global configuration
Command History
Release
|
Modification
|
10.0
|
This command was introduced.
|
10.3
|
The following keywords and arguments were added:
• source
• source-wildcard
• destination
• destination-wildcard
• precedence precedence
• icmp-type
• icmp-code
• icmp-message
• igmp-type
• operator
• port
• established
|
11.1
|
The dynamic dynamic-name keyword and argument were added.
|
11.1
|
The timeout minutes keyword and argument were added.
|
11.2
|
The log-input keyword was added.
|
12.0(1)T
|
The time-range time-range-name keyword and argument were added.
|
12.0(11)
|
The fragments keyword was added.
|
12.2(13)T
|
The non500-isakmp keyword was added to the list of UDP port names. The igrp keyword was removed because the IGRP protocol is no longer available in Cisco IOS software.
|
Usage Guidelines
You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the type of service (ToS) value, or the precedence of the packet.
Note
After a numbered access list is created, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific numbered access list.
The following is a list of precedence names:
•
critical
•
flash
•
flash-override
•
immediate
•
internet
•
network
•
priority
•
routine
The following is a list of ToS names:
•
max-reliability
•
max-throughput
•
min-delay
•
min-monetary-cost
•
normal
The following is a list of ICMP message type names and ICMP message type and code names:
•
administratively-prohibited
•
alternate-address
•
conversion-error
•
dod-host-prohibited
•
dod-net-prohibited
•
echo
•
echo-reply
•
general-parameter-problem
•
host-isolated
•
host-precedence-unreachable
•
host-redirect
•
host-tos-redirect
•
host-tos-unreachable
•
host-unknown
•
host-unreachable
•
information-reply
•
information-request
•
mask-reply
•
mask-request
•
mobile-redirect
•
net-redirect
•
net-tos-redirect
•
net-tos-unreachable
•
net-unreachable
•
network-unknown
•
no-room-for-option
•
option-missing
•
packet-too-big
•
parameter-problem
•
port-unreachable
•
precedence-unreachable
•
protocol-unreachable
•
reassembly-timeout
•
redirect
•
router-advertisement
•
router-solicitation
•
source-quench
•
source-route-failed
•
time-exceeded
•
timestamp-reply
•
timestamp-request
•
traceroute
•
ttl-exceeded
•
unreachable
The following is a list of IGMP message names:
•
dvmrp
•
host-query
•
host-report
•
pim
•
trace
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.
•
bgp
•
chargen
•
daytime
•
discard
•
domain
•
echo
•
finger
•
ftp
•
ftp-data
•
gopher
•
hostname
•
irc
•
klogin
•
kshell
•
lpd
•
nntp
•
pop2
•
pop3
•
smtp
•
sunrpc
•
syslog
•
tacacs-ds
•
talk
•
telnet
•
time
•
uucp
•
whois
•
www
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.
•
biff
•
bootpc
•
bootps
•
discard
•
dnsix
•
domain
•
echo
•
mobile-ip
•
nameserver
•
netbios-dgm
•
netbios-ns
•
non500-isakmp
•
ntp
•
rip
•
snmp
•
snmptrap
•
sunrpc
•
syslog
•
tacacs-ds
•
talk
•
tftp
•
time
•
who
•
xdmcp
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
If the Access-List Entry has...
|
Then..
|
...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,
|
For an access-list entry containing only Layer 3 information:
• The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.
For an access list entry containing Layer 3 and Layer 4 information:
• The entry is applied to nonfragmented packets and initial fragments.
– If the entry is a permit statement, the packet or fragment is permitted.
– If the entry is a deny statement, the packet or fragment is denied.
• The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
– If the entry is a permit statement, the noninitial fragment is permitted.
– If the entry is a deny statement, the next access-list entry is processed.
Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.
|
...the fragments keyword, and assuming all of the access-list entry information matches,
|
The access-list entry is applied only to noninitial fragments.
Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.
|
Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
The fragments keyword cannot solve all cases involving access lists and IP fragments.
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Examples
In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicates that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
The following example permits Domain Naming System (DNS) packets and ICMP echo and echo reply packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. Wildcard bits are similar to the bitmasks that are used with normal access lists. Prefix or mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix or mask bits corresponding to wildcard bits set to 0 are used in comparison.
The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following example permits 131.108.0/24 but denies 131.108/16 and all other subnets of 131.108.0.0:
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following example uses a time range to deny HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:
periodic weekdays 8:00 to 18:00
access-list 101 deny tcp any any eq http time-range no-http
Related Commands
Command
|
Description
|
access-class
|
Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.
|
access-list (IP standard)
|
Defines a standard IP access list.
|
access-list remark
|
Writes a helpful comment (remark) for an entry in a numbered IP access list.
|
clear access-template
|
Clears a temporary access list entry from a dynamic access list.
|
delay (tracking)
|
Sets conditions under which a packet does not pass a named access list.
|
distribute-list in (IP)
|
Filters networks received in updates.
|
distribute-list out (IP)
|
Suppresses networks from being advertised in updates.
|
ip access-group
|
Controls access to an interface.
|
ip access-list
|
Defines an IP access list by name.
|
ip accounting
|
Enables IP accounting on an interface.
|
logging console
|
Controls which messages are logged to the console, based on severity.
|
match ip address
|
Distributes any routes that have a destination network number address that is permitted by a standard or extended access list.
|
permit (IP)
|
Sets conditions under which a packet passes a named access list.
|
remark
|
Writes a helpful comment (remark) for an entry in a named IP access list.
|
show access-lists
|
Displays the contents of current IP and rate-limit access lists.
|
show ip access-list
|
Displays the contents of all current IP access lists.
|
time-range
|
Specifies when an access list or other feature is in effect.
|
access-list (IP standard)
To define a standard IP access list, use the standard version of the access-list command in global configuration mode. To remove a standard access lists, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard] [log]
no access-list access-list-number
Syntax Description
access-list-number
|
Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.
|
deny
|
Denies access if the conditions are matched.
|
permit
|
Permits access if the conditions are matched.
|
source
|
Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
|
source-wildcard
|
(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
|
log
|
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
|
Defaults
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Command Modes
Global configuration
Command History
Release
|
Modification
|
10.3
|
This command was introduced.
|
11.3(3)T
|
The log keyword was added.
|
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Caution 
Enhancements to this command are backward compatible; migrating from releases prior to Cisco IOS Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly.
This condition could cause you severe security problems. Save your old configuration file before booting these images.
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63
! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0
Related Commands
Command
|
Description
|
access-class
|
Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.
|
access-list (IP extended)
|
Defines an extended IP access list.
|
access-list remark
|
Writes a helpful comment (remark) for an entry in a numbered IP access list.
|
deny (IP)
|
Sets conditions under which a packet does not pass a named access list.
|
distribute-list in (IP)
|
Filters networks received in updates.
|
distribute-list out (IP)
|
Suppresses networks from being advertised in updates.
|
ip access-group
|
Controls access to an interface.
|
permit (IP)
|
Sets conditions under which a packet passes a named access list.
|
remark (IP)
|
Writes a helpful comment (remark) for an entry in a named IP access list.
|
show access-lists
|
Displays the contents of current IP and rate-limit access lists.
|
show ip access-list
|
Displays the contents of all current IP access lists.
|
access-list compiled
To enable the Turbo Access Control Lists (Turbo ACL) feature, use the access-list compiled command in global configuration mode. To disable the Turbo ACL feature, use the no form of this command.
access-list compiled
no access-list compiled
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.0(6)S
|
This command was introduced.
|
12.1(1)E
|
This command was introduced for Cisco 7200 series routers.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
Usage Guidelines
By default, the Turbo ACL feature is disabled. When Turbo ACL is disabled, normal ACL processing is enabled, and no ACL acceleration occurs.
When the Turbo ACL feature is enabled using the access-list compiled command, the ACLs in the configuration are scanned and, if suitable, compiled for Turbo ACL acceleration. This scanning and compilation may take a few seconds when the system is processing large and complex ACLs, or when the system is processing a configuration that contains a large number of ACLs.
Any configuration change to an ACL that is being accelerated, such as the addition of new ACL entries or the deletion of the ACL, triggers a recompilation of that ACL.
When Turbo ACL tables are being built (or rebuilt) for a particular ACL, the normal sequential ACL search is used until the new tables are ready for installation.
Examples
The following example enables the Turbo ACL feature:
access-list remark
To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list remark command in global configuration mode. To remove the remark, use the no form of this command.
access-list access-list-number remark remark
no access-list access-list-number remark remark
Syntax Description
access-list-number
|
Number of an IP access list.
|
remark
|
Comment that describes the access list entry, up to 100 characters long.
|
Defaults
The access list entries have no remarks.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.0(2)T
|
This command was introduced.
|
Usage Guidelines
The remark can be up to 100 characters long; anything longer is truncated.
If you want to write a comment about an entry in a named access list, use the remark command.
Examples
In the following example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13
Related Commands
Command
|
Description
|
access-list (IP extended)
|
Defines an extended IP access list.
|
access-list (IP standard)
|
Defines a standard IP access list.
|
ip access-list
|
Defines an IP access list by name.
|
remark
|
Writes a helpful comment (remark) for an entry in a named IP access list.
|
accounting (DHCP)
To enable DHCP accounting, use the accounting command in DHCP pool configuration mode. To disable DHCP accounting for the specified server group, use the no form of this command.
accounting server-group-name
no accounting server-group-name
Syntax Description
server-group-name
|
Name of a server group to apply DHCP accounting. The server group can have one or more members. The server group is defined in the configuration of the aaa group server and aaa accounting commands.
|
Defaults
No default behavior or values
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.2(15)T
|
This command was introduced.
|
Usage Guidelines
The accounting DHCP pool configuration command is used to enable the DHCP accounting feature by sending secure DHCP START accounting messages when IP addresses are assigned to DHCP clients, and secure DHCP STOP accounting messages when DHCP leases are terminated. A DHCP lease is terminated when the client explicitly releases the lease, when the session times out, and when the DHCP bindings are cleared from the DHCP database. DHCP accounting is configured on a per-client or per-lease basis. Separate DHCP accounting processes can be configured on a per-pool basis.
The accounting command can be used only to network pools in which bindings are created automatically and destroyed upon lease termination (or when the client sends a DHCP RELEASE message). DHCP bindings are also destroyed when the clear ip dhcp binding or no service dhcp command is issued. These commands should be used with caution if an address pool is configured with DHCP accounting.
AAA and RADIUS must be configured before this command can be used to enable DHCP accounting. A server group must be defined with the aaa group server command. START and STOP message generation is configured with the aaa accounting command. The aaa accounting command can be configured to enable the DHCP accounting to send both START and STOP messages or STOP messages only.
Examples
The following example configures DHCP accounting START and STOP messages to be sent if RADIUS-GROUP1 is configured as a start-stop group. STOP messages will only be sent if RADIUS-GROUP1 is configured as a stop-only group.
Router(config)# ip dhcp pool WIRELESS-POOL
Router(dhcp-config)# accounting RADIUS-GROUP1
Router(dhcp-config)# exit
Related Commands
Command
|
Description
|
aaa accounting
|
Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
|
aaa group server
|
Groups different server hosts into distinct lists and distinct methods.
|
aaa new-model
|
Enables the AAA access control model.
|
aaa session-id
|
Specifies whether the same session ID will be used for each AAA accounting service type within a call or whether a different session ID will be assigned to each accounting service type.
|
clear arp-cache
|
Deletes all dynamic entries from the ARP cache.
|
clear ip dhcp binding
|
Deletes an automatic address binding from the Cisco IOS DHCP server database.
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
ip radius source-interface
|
Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
|
radius-server host
|
Specifies a RADIUS server host.
|
radius-server retransmit
|
Specifies the number of times that IOS will look for RADIUS server hosts.
|
service dhcp
|
Enables the Cisco IOS DHCP server and relay agent features.
|
show ip dhcp binding
|
Displays address bindings on the Cisco IOS DHCP server.
|
show ip dhcp server statistics
|
Displays Cisco IOS DHCP server statistics.
|
update arp
|
Secures the MAC address of the authorized client interface to the DHCP binding.
|
advertise
To control the installation of a static route to the Null0 interface for a virtual server address, use the advertise SLB virtual server configuration command. To prevent the installation of a static route for the virtual server IP address, use the no form of this command.
advertise
no advertise
Syntax Description