General Security Commands
16-88 Configuring Security
Examples
The following example allows access only to those hosts on the three specified networks. The
wildcard bits apply to the host portions of the network addresses. Any host with a source address
that does not match the access list statements will be rejected.
XSR(config)#access-list 1 permit 192.5.34.0 0.0.0.255
XSR(config)#access-list 1 permit 128.88.0.0 0.0.255.255
XSR(config)#access-list 1 permit 36.0.0.0 0.255.255.255
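The matching rule in the example above, worked through as an added Python example that is not part of the original manual. It assumes the conventional inverse-mask reading of the wildcard (a 1 bit means "ignore this bit"), first-match evaluation, and an implicit deny at the end of the list; the function names are hypothetical.

```python
import ipaddress

# The three ACL 1 statements from the example above.
ACL_1 = [
    "access-list 1 permit 192.5.34.0 0.0.0.255",
    "access-list 1 permit 128.88.0.0 0.0.255.255",
    "access-list 1 permit 36.0.0.0 0.255.255.255",
]

def parse_entry(line):
    """Parse '<acl> permit|deny <addr> <wildcard>' or '... host <addr>'.

    Returns (action, address_as_int, wildcard_as_int). Hypothetical helper.
    """
    tok = line.split()
    if len(tok) != 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line!r}")
    if tok[3] == "host":
        addr, wild = tok[4], "0.0.0.0"   # 'host' means every bit must match
    else:
        addr, wild = tok[3], tok[4]
    return tok[2], int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def evaluate(entries, source):
    """Return 'permit' or 'deny' for a source address (assumed first match wins)."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF        # bits that must be equal
        if (src & care) == (addr & care):
            return action
    return "deny"                        # no statement matched: rejected

ENTRIES = [parse_entry(line) for line in ACL_1]

if __name__ == "__main__":
    # Constructed sample source addresses, one inside and one outside each network.
    for src in ("192.5.34.17", "192.5.35.1", "128.88.200.9",
                "128.89.0.1", "36.255.255.255", "37.0.0.1"):
        print(f"{src:16} {evaluate(ENTRIES, src)}")
```
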
The following example replaces entry 88 with the following entry:
XSR(config)#access-list 57 replace 88 deny host 1.2.1.2
The example below removes entries 16, 17 and 18 from ACL 87:
XSR(config)#no access-list 87 16 18
The following example removes the entire ACL 57:
XSR(config)#no access-list 57
The next example moves entries 16-18 from ACL 57 to its start:
XSR(config)#access-list 57 move 1 16 18
The example below moves entry 2 to the end of ACL 57:
XSR(config)#access-list 57 move 999 2

access-list log-update-threshold

This command publishes an ACL violations log when the XSR has processed a specified number of
packets. ACL violations logging is updated every five minutes, so regardless of how you
specify this command, the five-minute timer remains in effect. The command functions as follows:
• ACL alarms display the ACL group number, permit or deny clause, source IP address and number
of packets logged in the last five minutes.
• Alarms are set to medium severity level by default.
• Setting the alarm severity level to high with the logging command disables all ACL alarms.
• After an update is reported, the log is cleared for the entry with that source IP and ACL group.
Standard and extended ACLs are supported.
• If reporting is enabled for every packet, too many packets may log messages, resulting in some
message loss due to packet flooding.
For associated information on this functionality, refer to the access-list commands on page 1684
and page 1686, the show access-list log-update-threshold command on page 1692, and the
logging command on page 388.
Syntax
access-list log-update-threshold <number-of-packets>
Caution: If the threshold is 1 packet, you may flood the XSR and generate alarms.
<number-of-packets> Packets, ranging from 1 to 2,147,483,647.