This roadmap lists the access list features documented in the Cisco IOS Security Configuration Guide and maps them to the modules in which they appear.
Feature and Release Support
Table 1 lists access list feature support for the Cisco IOS software releases 12.2S, 12.3T, and 12.4T.
Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table. Not all features may be supported in your Cisco IOS software release.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Supported Access List Features

| Release | Feature Name | Feature Description | Where Documented |
|---|---|---|---|
| Cisco IOS Releases 12.2S, 12.3T, and 12.4T | | | |
| 12.3(4)T, 12.2(25)S | ACL Support for Filtering IP Options | This feature allows you to filter packets having IP Options, in order to prevent routers from becoming saturated with spurious packets. | Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values |
| 12.3(4)T, 12.2(25)S | ACL TCP Flags Filtering | This feature provides a flexible mechanism for filtering on TCP flags. Before Cisco IOS Release 12.3(4)T, an incoming packet was matched as long as any TCP flag in the packet matched a flag specified in the access control entry (ACE). This behavior allows for a security loophole, because packets with all flags set could get past the access control list (ACL). The ACL TCP Flags Filtering feature allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security. | Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values |
| 12.3(7)T, 12.2(25)S | ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry | This feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports. | Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values |
| 12.4(2)T | ACL Support for Filtering on TTL Value | You may use extended IP access lists (named or numbered) to filter packets based on their time-to-live (TTL) value, from 0 to 255. This filtering enhances your control over which packets reach a router. | Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values |
| 12.4(6)T | ACL Manageability | The ACL Manageability feature enables users to display and clear Access Control Entry (ACE) statistics per interface and per incoming or outgoing traffic direction for access control lists (ACLs). | Displaying and Clearing IP Access List Data Using ACL Manageability |