Cisco MWR 1941-DC - 1941 Mobile Wireless Router Software Configuration Manual page 155

Mobile wireless edge router

Chapter 6
Configuring the MWR 1941-DC in a Cell Site DCN
Filtering IP Packets Using Access Lists

• Reflexive access lists that allow IP packets to be filtered based on session information. Reflexive
access lists contain temporary entries, and are nested within an extended, named IP access list. For
information on reflexive access lists, refer to the "Configuring IP Session Filtering (Reflexive
Access Lists)" chapter in the Cisco IOS Security Configuration Guide and the "Reflexive Access
List Commands" chapter in the Cisco IOS Security Command Reference.

Note
Release 11.1 introduced substantial changes to IP access lists. These extensions are backward
compatible; migrating from a release earlier than Release 11.1 to the current release will convert your
access lists automatically. However, the current implementation of access lists is incompatible with
Cisco IOS Release 11.1 or earlier. If you create an access list using the current Cisco IOS release and
then load older Cisco IOS software, the resulting access list will not be interpreted correctly. This
condition could cause you severe security problems. Save your old configuration file before booting
Release 11.1 or earlier images.

To create a standard access list, use the following commands in global configuration mode:

Step 1
Command: Router(config)# access-list access-list-number remark remark
Purpose: Indicates the purpose of the deny or permit statement. (1)

Step 2
Command: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Purpose: Defines a standard IP access list using a source address and wildcard.
or
Command: Router(config)# access-list access-list-number {deny | permit} any [log]
Purpose: Defines a standard IP access list using an abbreviation for the source and source mask of
0.0.0.0 255.255.255.255.

(1) This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.

The Cisco IOS software can provide logging messages about packets permitted or denied by a standard
IP access list. That is, any packet that matches the access list will cause an informational logging
message about the packet to be sent to the console. The level of messages logged to the console is
controlled by the logging console global configuration command.

The first packet that triggers the access list causes an immediate logging message, and subsequent
packets are collected over 5-minute intervals before they are displayed or logged. The logging message
includes the access list number, whether the packet was permitted or denied, the source IP address of the
packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.

However, you can use the ip access-list log-update command to set the number of packets that, when
they match an access list (and are permitted or denied), cause the system to generate a log message. You might
want to do this to receive log messages more frequently than at 5-minute intervals.

Caution
If you set the number-of-matches argument to 1, a log message is sent right away, rather than caching
it; every packet that matches an access list causes a log message. A setting of 1 is not recommended
because the volume of log messages could overwhelm the system.

Cisco MWR 1941-DC Mobile Wireless Edge Router Software Configuration Guide
OL-11503-01
6-47
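
The standard access list syntax above (source, optional source-wildcard, the any abbreviation, and the log keyword) can be checked offline before it is applied; the following Python sketch is an added example, not part of the Cisco guide. The sample entries, addresses, and the function names parse_acl and evaluate are constructed for illustration, and it assumes two standard IOS behaviors not stated on this page: an omitted wildcard means 0.0.0.0, and a packet that matches no entry is denied.

```python
import ipaddress
import re

# Constructed sample configuration (documentation and private address ranges).
SAMPLE_ACL = """\
access-list 10 remark management hosts allowed to reach the router
access-list 10 permit 192.0.2.10
access-list 10 deny 192.0.2.0 0.0.0.255 log
access-list 10 permit 10.20.0.0 0.0.255.255
access-list 10 deny any log
"""

# access-list N {deny | permit} {source [source-wildcard] | any} [log]
LINE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<src>any|\d+\.\d+\.\d+\.\d+)(?:\s+(?P<wild>\d+\.\d+\.\d+\.\d+))?"
    r"(?P<log>\s+log)?\s*$"
)

def parse_acl(text):
    """Return ordered entries (action, source, wildcard, log); remarks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # remark line or anything that is not a permit/deny entry
        if m["src"] == "any":
            # "any" abbreviates source 0.0.0.0 with wildcard 255.255.255.255
            src, wild = 0, 0xFFFFFFFF
        else:
            src = int(ipaddress.IPv4Address(m["src"]))
            # Assumption: an omitted wildcard is 0.0.0.0 (exact host match)
            wild = int(ipaddress.IPv4Address(m["wild"] or "0.0.0.0"))
        entries.append((m["action"], src, wild, bool(m["log"])))
    return entries

def evaluate(entries, source_ip):
    """Return (action, entry_index, logged) for a source address; first match wins."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for index, (action, src, wild, log) in enumerate(entries, start=1):
        # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
        if ((ip ^ src) & ~wild & 0xFFFFFFFF) == 0:
            return action, index, log
    # Assumption: no entry matched, so the implicit deny applies (never logged).
    return "deny", None, False
```

Entry order matters here: the host permit for 192.0.2.10 only takes effect because it precedes the deny for the rest of 192.0.2.0/24, and only entries carrying log would produce the logging messages described above.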
