CLI Guide

Table Of Contents
Security Commands 1163
Default Configuration
This command has no default configuration.
Command Mode
Global Configuration mode
User Guidelines
The active management access-list processes IPv4 TCP/UDP packets only.
Packets for certain management protocols are allowed to pass to the CPU
without processing by the management ACL list. Specifically, TCP or UDP
packets addressed to the following destination port numbers are not
processed by the management ACL list: DNS(53), DHCP Server(67), DHCP
Client (68), TFTP(69), telnet(23), HTTP(80), HTTPS(443), SNMP(161),
SSH(22), and JAVA(4242). A rate-limiting egress CPU ACL would be ideal to
mitigate smurf style attacks on these ports.
Only a single management access list can be active at a time. However, it can
have multiple permit/deny conditions.
Example
The following example configures an access-list called mlist as the
management access-list.
console(config)# management access-class mlist
management access-list
Use the management access-list command in Global Configuration mode to
define an access list for management, and enter the access-list configuration
mode for editing the access list conditions. Once in access-list configuration
mode, access conditions are configured with the deny and permit commands.
To remove an access list, use the no form of this command.
Syntax
management access-list name
no management access-list name
name — The access list name. (Range: 1–32 printable characters)