
Access Lists: New Features in IOS 11.2

Peter J. Welcher


We're getting to the point where some sites are beginning to think about using Cisco IOS 11.2 for production use. So it seems like a good time to cover some new features you might find useful. In this article we'll look at new goodies for access list users.

IP Named Access Lists

Named access lists use text names instead of numbers (1 to 99 for standard IP lists, 100 to 199 for extended). So we can immediately see one win: names remove the ceiling on how many access lists you can define, if you need more.

The name, if chosen carefully, will shed light on the purpose of the access list. It could be the name of a user (per-user access lists!), or it could describe the function of the list (a route filter, an Internet packet filter, and so on).

The way the named access lists are entered is a bit different. Start by referring to the access list you wish to configure by name and type:

ip access-list standard stdpacketfilter001
or perhaps
ip access-list extended extpacketfilter002
Be careful: unlike prior access-list commands, this starts with the protocol, ip.

Entering this command puts you into access-list configuration mode. The prompt changes to

rome(config-std-nacl)#
or
tokyo(config-ext-nacl)#
Within this mode, enter permit or deny statements until you're done. When done, type exit to get out of access-list configuration mode.

As far as the permit and deny statements, they're the same as what you're already doing, without the words "access-list" and number at the front end.

Here's what that might look like for a standard access list:

ip access-list standard stdpacketfilter001
permit 131.108.10.0 0.0.0.255
permit host 192.1.2.3
deny any
And here's the extended version, showing several of the different forms the commands can take:
ip access-list extended extpacketfilter002
permit tcp any any established
permit ip 131.108.10.0 0.0.0.255 156.7.8.0 0.0.0.255
permit ip host 192.1.2.3 156.7.8.0 0.0.0.255
permit tcp any any eq http
deny ip any any log
Two details worth checking in this list: the established keyword is only accepted on tcp entries (it matches segments with ACK or RST set, that is, traffic belonging to connections opened from the other side), and an extended entry always needs a protocol, so the last line is deny ip any any log, not deny any any log. Note the log keyword on that last line, which causes logging of packets that match that entry. If you want, this can go to a syslog server (or the Cisco Micro WebServer as syslog server) for security reporting. Just use the logging command with the IP address of the syslog server:
logging 1.2.3.4
Keep in mind that matches are not logged packet by packet: the first matching packet produces a message, and later matches are reported as periodic counts. Treat it as a reporting tool, not a complete audit trail.
One real advantage of named access lists: you can delete a specific entry by entering it again prefixed with no, instead of removing and re-entering the whole list. You still cannot insert at a specific position; as with older access lists, any new entry goes at the end. Watch out for the combination: if your list ends with an explicit deny, an entry added later lands after that deny and will never match, so you have to remove the deny and re-add it so it is last again.

The access lists are applied just like the numbered ones, substituting the name for a number. This might look like:

interface serial 0
ip access-group extpacketfilter002 out
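To make the matching and editing rules concrete, here is a small simulator of named access list behaviour. It is an added example written for this article, not IOS code or anything from Cisco: it parses entries as typed in access-list configuration mode, applies Cisco wildcard-mask matching (a 1 bit in the mask means "don't care"), evaluates first match with the implicit deny at the end, and models the editing rules (no removes a single entry, additions are always appended). The PORT_NAMES table is an assumed small subset of the IOS port names, and established is modelled simply as "the ACK bit is set"; both are simplifications of the real parser.

```python
# Named access list simulator: an added example, not IOS code. It models Cisco
# wildcard-mask matching, first-match evaluation ending in the implicit deny,
# and how a named list is edited ("no <entry>" removes one line; any new entry
# is appended). PORT_NAMES and the ack-bit model of "established" are simplified.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"http": 80, "www": 80, "telnet": 23, "smtp": 25, "ftp": 21, "domain": 53}

@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", ...; a standard list is always "ip"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: Optional[str]    # same forms; None for a standard list
    dport: Optional[int]  # destination "eq <port>", if given
    established: bool     # tcp "established": reply segments (ACK/RST set) only
    log: bool

def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard: a 1 bit in the mask means 'don't care' for that bit."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec.split()[1]))
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    return (net & ~wild) == (a & ~wild)

def _take_addr(toks):  # consume one "any" | "host A" | "A W" spec from the tokens
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return f"host {toks[1]}", toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]

def parse_entry(line: str, kind: str) -> Entry:
    """Parse one line as typed in (config-std-nacl)# or (config-ext-nacl)# mode."""
    toks = line.split()
    action = toks.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit/deny: {line!r}")
    log = bool(toks) and toks[-1] == "log"
    if log:
        toks.pop()
    proto = toks.pop(0) if kind == "extended" else "ip"
    src, toks = _take_addr(toks)
    dst, dport, established = None, None, False
    if kind == "extended":
        dst, toks = _take_addr(toks)
        while toks:
            t = toks.pop(0)
            if t == "eq":
                p = toks.pop(0)
                dport = PORT_NAMES.get(p) or int(p)
            elif t == "established" and proto == "tcp":  # IOS rejects it for non-tcp
                established = True
            else:
                raise ValueError(f"unsupported keyword {t!r} in {line!r}")
    elif toks:
        raise ValueError(f"trailing tokens in standard entry: {line!r}")
    return Entry(action, proto, src, dst, dport, established, log)

class NamedAcl:
    def __init__(self, kind: str, name: str):
        self.kind, self.name, self.entries = kind, name, []

    def add(self, line: str) -> None:  # always appended: no mid-list insert in 11.2
        self.entries.append(parse_entry(line, self.kind))

    def remove(self, line: str) -> None:  # "no <entry>": delete just that one line
        target = parse_entry(line, self.kind)
        self.entries = [e for e in self.entries if e != target]

    def evaluate(self, src: str, dst: str = "0.0.0.0", proto: str = "ip",
                 dport: Optional[int] = None, ack: bool = False) -> Tuple[str, bool]:
        """First match wins; returns (action, logged). No match = implicit deny."""
        for e in self.entries:
            if not match_addr(e.src, src):
                continue
            if self.kind == "extended":
                if e.proto not in ("ip", proto) or not match_addr(e.dst, dst):
                    continue
                if (e.dport is not None and e.dport != dport) or (e.established and not ack):
                    continue
            return e.action, e.log
        return "deny", False

def build_article_lists() -> Tuple[NamedAcl, NamedAcl]:
    """The article's two lists (with tcp, not ip, on the 'established' line)."""
    std = NamedAcl("standard", "stdpacketfilter001")
    for ln in ("permit 131.108.10.0 0.0.0.255", "permit host 192.1.2.3", "deny any"):
        std.add(ln)
    ext = NamedAcl("extended", "extpacketfilter002")
    for ln in ("permit tcp any any established",
               "permit ip 131.108.10.0 0.0.0.255 156.7.8.0 0.0.0.255",
               "permit ip host 192.1.2.3 156.7.8.0 0.0.0.255",
               "permit tcp any any eq http", "deny ip any any log"):
        ext.add(ln)
    return std, ext
```

A useful exercise with it: build the lists, confirm a telnet SYN from an outside host to 156.7.8.1 comes back as ("deny", True), then ext.add("permit tcp any any eq smtp") and evaluate SMTP again. It is still denied, because the new entry was appended after deny ip any any log; only after ext.remove("deny ip any any log") followed by re-adding that line does the SMTP entry take effect. Feeding parse_entry the line permit ip any any established raises an error, which is the same objection the IOS parser would make.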

Cautions

Named access lists are unknown in earlier releases. If you use them, you cannot easily revert to an earlier IOS release.

Only IP packet and route filters can currently use named access lists.

The name must be unique. A standard and an extended access list cannot have the same name, nor can an IP and an IPX named access list.

The name must start with an alphabetic character to avoid ambiguity. No spaces or quotation marks are allowed in the name.

Plain English IPX Access Lists

The "Plain English" feature of IPX access lists is parser trickery: you can use English names for protocols and sockets, instead of numbers (much like the named ports for IP access lists). Internally, they're just numbers, but the syntax is much more readable when we look at the router configuration. This is with IPX extended access lists, by the way. It does not appear to be appropriate for IPX standard access lists, and does not seem to be implemented (yet) for SAP filter lists.

Here are the keywords available for the IPX protocol, and their numeric equivalents:

keyword       protocol number
any              -1 (any protocol)
rip               1
sap               4
spx               5
ncp              17
netbios          20
And here are the keywords for important sockets (socket numbers are hexadecimal):
keyword       socket
all               0 (any socket)
cping             2
ncp             451
sap             452
rip             453
netbios         455
diagnostic      456
(none)          457 (Novell serialization; no Cisco keyword equivalent)
eigrp          85BE
nlsp           9001
nping          9086
By the way, IOS 11.2 also allows the log option in IPX access lists.

So the IPX extended access list might now look like this (source and destination networks are given as -1, meaning any, with the socket keyword following each network):

access-list 901 permit rip -1 -1
access-list 901 permit sap -1 -1
access-list 901 permit any -1 diagnostic -1 diagnostic
access-list 901 deny netbios -1 -1 log

This looks like it's potentially a really useful feature.

Cautions

The new keywords are of course not understood by earlier IOS releases.

There don't seem to be keywords for SAP filters, yet. Unfortunately.

IPX Named Access Lists

These were introduced with 11.2(4)F. They are available for the following types of access lists:

Cautions

IPX named access lists require 11.2(4)F or later.

IPX named access lists can only currently be used for packet and route filters.


Dr. Peter J. Welcher (CCIE #1773, CCSI #94014) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has nine CCIE's, with expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, network management, security, IP multicast, and other areas. See http://www.netcraftsmen.net for more information about NetCraftsmen. Pete's links start at http://www.netcraftsmen.net/welcher . New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to pjw@netcraftsmen.net . 



7/97
Copyright 1997, Peter J. Welcher