IP Access List Features Roadmap
First Published: August 18, 2006
Last Updated: August 18, 2006
This roadmap lists the access list features documented in the Cisco IOS Security Configuration Guide and maps them to the modules in which they appear.
Feature and Release Support
Table 1 lists access list feature support for the Cisco IOS software releases 12.2S, 12.3T, and 12.4T.
Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table. Not all features may be supported in your Cisco IOS software release.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Supported Access List Features

| Release | Feature Name | Feature Description | Where Documented |
|---|---|---|---|
| Cisco IOS Releases 12.2S, 12.3T, and 12.4T | | | |
| 12.3(4)T, 12.2(25)S | ACL Support for Filtering IP Options | This feature allows you to filter packets having IP Options, in order to prevent routers from becoming saturated with spurious packets. | Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values |
| 12.3(4)T, 12.2(25)S | ACL TCP Flags Filtering | This feature provides a flexible mechanism for filtering on TCP flags. Before Cisco IOS Release 12.3(4)T, an incoming packet was matched as long as any TCP flag in the packet matched a flag specified in the access control entry (ACE). This behavior allows for a security loophole, because packets with all flags set could get past the access control list (ACL). The ACL TCP Flags Filtering feature allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security. | Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values |
| 12.3(7)T, 12.2(25)S | ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry | This feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports. | Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values |
| 12.4(2)T | ACL Support for Filtering on TTL Value | You may use extended IP access lists (named or numbered) to filter packets based on their time-to-live (TTL) value, from 0 to 255. This filtering enhances your control over which packets reach a router. | Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values |
| 12.4(6)T | ACL Manageability | The ACL Manageability feature enables users to display and clear Access Control Entry (ACE) statistics per interface and per incoming or outgoing traffic direction for access control lists (ACLs). | Displaying and Clearing IP Access List Data Using ACL Manageability |
© 2007 Cisco Systems, Inc. All rights reserved.