Keyword Alternatives

 

Most networking professionals know some of the more commonly used TCP port numbers, and maybe a few UDP port numbers. Fewer could say what the ICMP type is for a ping or a destination unreachable, much less what the ICMP codes are for destination unreachable types. Beginning with IOS 10.3, access lists can be configured with keywords in place of many port, type, or code numbers. Using keywords, the access lists 110 and 111 from Figure B.10 are:

 
access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq smtp
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq telnet
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq tftp
access-list 110 permit udp any host 172.22.15.85 eq domain
access-list 110 permit udp any any eq snmp
!
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any echo-reply
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any net-unreachable administratively-prohibited
access-list 111 deny icmp 172.22.0.0 0.0.255.255 any host-unreachable administratively-prohibited
access-list 111 permit ip any any
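
When reviewing a keyword-form access list, it helps to resolve each keyword back to the number it stands for. The following Python is an added example, not code from the book or from Cisco; the function names are hypothetical, and the tables cover only the keywords used in this section, with their well-known port and ICMP type/code values.

```python
# Added example: resolve IOS ACL keywords to the numbers they stand for.
# The tables cover only the keywords used in this section; values are the
# well-known port numbers and ICMP (type, code) pairs.
PORTS = {"smtp": 25, "telnet": 23, "tftp": 69, "domain": 53, "snmp": 161}
ICMP = {"echo-reply": (0, None), "net-unreachable": (3, 0),
        "host-unreachable": (3, 1), "administratively-prohibited": (3, 13)}

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A wildcard'."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0 255.255.255.255"
    if first == "host":
        return tokens.pop(0) + " 0.0.0.0"
    return first + " " + tokens.pop(0)

def resolve_ace(line):
    """Parse one extended access-list entry; return its fields as a dict."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not an extended access-list entry: " + line)
    ace = {"acl": int(t[1]), "action": t[2], "proto": t[3]}
    rest = t[4:]
    ace["src"] = take_addr(rest)
    ace["dst"] = take_addr(rest)
    if ace["proto"] in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
        word = rest[1]
        if not word.isdigit() and word not in PORTS:
            raise ValueError("unknown port keyword: " + word)
        ace["port"] = int(word) if word.isdigit() else PORTS[word]
        rest = rest[2:]
    elif ace["proto"] == "icmp" and rest and rest[0] in ICMP:
        ace["icmp"] = ICMP[rest.pop(0)]
    # Tokens left over (for example 'established') are returned as-is,
    # never guessed at.
    ace["remaining"] = rest
    return ace

# Sample input: entries taken from the keyword lists in this section.
SAMPLE = [
    "access-list 110 permit tcp any host 172.22.15.83 eq smtp",
    "access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq tftp",
    "access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established",
    "access-list 111 deny icmp 172.22.0.0 0.0.255.255 any echo-reply",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(resolve_ace(entry))
```

An unknown port keyword raises `ValueError` rather than being passed through, so a mistyped keyword is caught during review instead of on the router.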

A word of caution: If you are upgrading a router from a pre-10.3 image, the new IOS, upon bootup, will rewrite the access lists in the configuration file to the new syntax, including keywords. If you subsequently need to reload the original pre-10.3 image, the revised access lists will not be understood. Always upload a copy of the original configuration file to a TFTP server before upgrading.



Routing TCP/IP (Vol. 11998)
Year: 2004
Pages: 224
