Полезная информация

cc/td/doc/product/software/ios112/112cg_cr
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Traffic Filter Commands

Traffic Filter Commands

This chapter describes the commands used to configure Lock-and-key security (IP only).

Other traffic filter commands are protocol-specific, and are therefore described in the appropriate protocol-specific chapters in the Cisco IOS command references. You should refer to these protocol-specific chapters to find detailed information about traffic filter commands for each protocol. (Many of these protocols refer to the filters as "access lists.")

Specific information about configuring traffic filters (access lists) for these protocols can be found in protocol-specific chapters in the Cisco IOS configuration guides. General guidelines for using access lists can be found in the "Configuring Traffic Filters" chapter of the Security Configuration Guide.

Lock-and-key security is implemented with extended IP dynamic access lists. Lock-and-key security is available only for IP traffic, but provides more security functions than traditional static traffic filters.

access-enable

To enable the router to create a temporary access list entry in a dynamic access list, use the access-enable EXEC command.

access-enable [host] [timeout minutes]
Syntax Description
host (Optional) Tells the software to enable access only for the host from which the Telnet session originated. If not specified, the software allows all hosts on the defined network to gain access. The dynamic access list contains the network mask to use for enabling the new network.
timeout minutes (Optional) Specifies an idle timeout for the temporary access list entry. If the access list entry is not accessed within this period, it is automatically deleted and requires the user to authenticate again. The default is for the entries to remain permanently. We recommend that this value equal the idle timeout set for the WAN connection.
Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command enables the lock-and-key access feature.

You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the temporary access list entry will remain, even after the user terminates the session.

Example

The following example causes the software to create a temporary access list entry and tells the software to enable access only for the host from which the Telnet session originated. If the access list entry is not accessed within 2 minutes, it is deleted.

autocommand access-enable host timeout 2
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

access-list (extended) +
autocommand +

access-template

To manually place a temporary access list entry on a router to which you are connected, use the access-template EXEC command.

access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]
Syntax Description
access-list-number Number of the dynamic access list.
name Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
dynamic-name (Optional) Name of a dynamic access list.
source (Optional) Source address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.
destination (Optional) Destination address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.
timeout minutes (Optional) Specifies a maximum time limit for each entry within this dynamic list. This is an absolute time, from creation, that an entry can reside in the list. The default is an infinite time limit and allows an entry to remain permanently.
Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command provides a way to enable the lock-and-key access feature.

You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list will remain, even after the user has terminated the session.

Example

In the following example, the software enables IP access on incoming packets in which the source address is 172.29.1.129 and the destination address is 192.168.52.12. All other source and destination pairs are discarded.

access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

access-list (extended) +
autocommand
+
clear access-template

clear access-template

To manually clear a temporary access list entry from a dynamic access list, use the clear access-template EXEC command.

clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
Syntax Description
access-list-number (Optional) Number of the dynamic access list from which the entry is to be deleted.
name Name of an IP access list from which the entry is to be deleted. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
dynamic-name (Optional) Name of the dynamic access list from which the entry is to be deleted.
source (Optional) Source address in a temporary access list entry to be deleted.
destination (Optional) Destination address in a temporary access list entry to be deleted.
Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command is related to the lock-and-key access feature. It clears any temporary access list entries that match the parameters you define.

Example

The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:

clear access-template vendor 172.20.1.12
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

access-list (extended) +
access-template

show ip accounting

To display the active accounting or checkpointed database or to display access-list violations, use the show ip accounting privileged EXEC command.

show ip accounting [checkpoint] [output-packets | access-violations]
Syntax Description
checkpoint (Optional) Indicates that the checkpointed database should be displayed.
output-packets (Optional) Indicates that information pertaining to packets that passed access control and were successfully routed should be displayed. This is the default value if neither output-packets nor access-violations is specified.
access-violations (Optional) Indicates that information pertaining to packets that failed access lists and were not routed should be displayed.
Defaults

If neither the output-packets nor access-violations keyword is specified, show ip accounting displays information pertaining to packets that passed access control and were successfully routed.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

To use this command, you must first enable IP accounting on a per-interface basis.

Sample Displays

Following is sample output from the show ip accounting command:

Router# show ip accounting
   Source           Destination              Packets               Bytes     
 172.30.19.40     172.30.67.20                     7                 306
 172.30.13.55     172.30.67.20                    67                2749
 172.30.2.50      172.30.33.51                    17                1111
 172.30.2.50      172.30.2.1                       5                 319
 172.30.2.50      172.30.1.2                     463               30991
 172.30.19.40     172.30.2.1                       4                 262
 172.30.19.40     172.30.1.2                      28                2552
 172.30.20.2     172.30.6.100                    39                2184
 172.30.13.55    172.30.1.2                      35                3020
 172.30.19.40    172.30.33.51                  1986               95091
 172.30.2.50     172.30.67.20                   233               14908
 172.30.13.28    172.30.67.53                   390               24817
 172.30.13.55    172.30.33.51                214669             9806659
 172.30.13.111   172.30.6.23                  27739             1126607
 172.30.13.44    172.30.33.51                 35412             1523980
 172.30.7.21     172.30.1.2                      11                 824
 172.30.13.28    172.30.33.2                     21                1762
 172.30.2.166    172.30.7.130                   797              141054
 172.30.3.11     172.30.67.53                     4                 246
 172.30.7.21     172.30.33.51                 15696              695635
 172.30.7.24     172.30.67.20                    21                 916
 172.30.13.111   172.30.10.1                     16                1137

Table 8 describes fields shown in the display.


Table 8: Show IP Accounting Field Descriptions
Field Description
Source Source address of the packet
Destination Destination address of the packet
Packets Number of packets transmitted from the source address to the destination address
Bytes Number of bytes transmitted from the source address to the destination address

Following is sample output from the show ip accounting access-violations command. (The following displays information pertaining to packets that failed access lists and were not routed.)

Router# show ip accounting access-violations
  Source          Destination        Packets        Bytes      ACL   172.30.19.40   172.30.67.20       7              306        77
  172.30.13.55   172.30.67.20       67             2749       185
  172.30.2.50    172.30.33.51       17             1111       140
  172.30.2.50    172.30.2.1         5              319        140
  172.30.19.40   172.30.2.1         4              262        77
Accounting data age is 41

Table 9 describes fields shown in the display.


Table 9: Show IP Accounting Access-Violation Field Descriptions
Field Description
Source Source address of the packet
Destination Destination address of the packet
Packets For accounting keyword, number of packets transmitted from the source address to the destination address

For access-violations keyword, number of packets transmitted from the source address to the destination address that violated the access control list

Bytes For accounting keyword, number of bytes transmitted from the source address to the destination address

For access-violations keyword, number of bytes transmitted from the source address to the destination address that violated the access-control list

ACL Number of the access list of the last packet transmitted from the source to the destination that failed an access list
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

clear ip accounting +
ip accounting +
ip accounting-list
+
ip accounting
-threshold +
ip accountin
g-transits +

hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1998 © Cisco Systems Inc.