Keyword Alternatives


Most networking professionals know some of the more commonly used TCP port numbers, and maybe a few UDP port numbers. Fewer can say what the ICMP type is for a ping or a destination unreachable, much less what the ICMP codes are for destination unreachable types. Beginning with IOS 10.3, access lists can be configured with keywords in place of many port, type, or code numbers. Using keywords, the access lists 110 and 111 from Figure B-10 are displayed in Example B-19.

Example B-19. Keywords can replace port numbers in access lists.
access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq smtp
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq telnet
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq tftp
access-list 110 permit udp any host 172.22.15.85 eq domain
access-list 110 permit udp any any eq snmp
!
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any echo-reply
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any net-unreachable administratively-prohibited
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any host-unreachable administratively-prohibited
access-list 111 permit ip any any

A word of caution: If you upgrade a router from a pre-10.3 image, the new IOS, upon bootup, will rewrite the access lists in the configuration file to the new syntax, including keywords. If you subsequently need to reload the original pre-10.3 image, the revised access lists will not be understood. Always upload a copy of the original configuration file to a TFTP server before upgrading.
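The rewrite described above can be scripted in both directions, so that keyword entries can be turned back into numeric syntax before an old image is reloaded. The following Python is an added example, not code from the book or from Cisco; its keyword tables are a small subset of the IOS keyword set with the standard IANA values, and the rule that an ICMP entry carrying two keywords is refused rather than guessed at is this script's own assumption.

```python
# Subset of the port and ICMP keywords IOS 10.3+ accepts, with the numeric
# values they stand for (standard IANA assignments); extend as needed.
TCP_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
             "pop3": 110, "bgp": 179}
UDP_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69, "ntp": 123,
             "snmp": 161, "syslog": 514, "rip": 520}
# ICMP keywords expand to "type" or "type code".
ICMP_TYPES = {"echo-reply": "0", "echo": "8", "unreachable": "3",
              "net-unreachable": "3 0", "host-unreachable": "3 1",
              "administratively-prohibited": "3 13", "time-exceeded": "11"}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}  # operators that take port arguments

def _swap_ports(tokens, table):
    """Replace port tokens that follow a port operator using the given table."""
    out = []
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else ""
        prev2 = tokens[i - 2] if i > 1 else ""   # "range a b": b is two back
        if tok in table and (prev in PORT_OPS or prev2 == "range"):
            tok = table[tok]
        out.append(tok)
    return " ".join(out)

def to_numeric(line):
    """Rewrite one entry from keyword to pre-10.3 numeric syntax."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return line
    proto = tokens[3]
    if proto in ("tcp", "udp"):
        table = TCP_PORTS if proto == "tcp" else UDP_PORTS
        return _swap_ports(tokens, {k: str(v) for k, v in table.items()})
    if proto == "icmp":
        # Two keywords on one entry (as in the book's net-unreachable line)
        # have no single numeric equivalent, so refuse rather than guess.
        if sum(t in ICMP_TYPES for t in tokens) > 1:
            raise ValueError("ambiguous ICMP entry, rewrite by hand: " + line)
        return " ".join(ICMP_TYPES.get(t, t) for t in tokens)
    return line

def to_keyword(line):
    """Reverse direction for tcp/udp ports, as the 10.3+ image does on boot."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] not in ("tcp", "udp"):
        return line
    table = TCP_PORTS if tokens[3] == "tcp" else UDP_PORTS
    return _swap_ports(tokens, {str(v): k for k, v in table.items()})
```

Run the saved configuration through to_numeric line by line before reloading a pre-10.3 image; any ValueError marks an entry that needs a hand rewrite.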




CCIE Professional Development: Routing TCP/IP, Volume 1 (2nd Edition)
ISBN: 1587052024
Year: 2005
Pages: 233
