Page 83

OnSite 2800 Series User Manual

7 • Access control list configuration

Before you begin to enter the commands that create and configure the IP access control list, be sure that you are clear about what you want to achieve with the list. Consider whether it is better to deny specific accesses and permit all others or to permit specific accesses and deny all others.

Note: A single access control list can have multiple filtering criteria statements, but editing those entries online can be tedious. Therefore, we recommend editing complex access control lists offline within a configuration file and downloading the configuration file later via TFTP to your OnSite device.

Creating an access control list profile and entering configuration mode

This procedure describes how to create an IP access control list and enter access control list configuration mode.

Mode: Administrator execution

Step 1
Command: node(cfg)#profile acl name
Purpose: Creates the access control list profile name and enters the configuration mode for this list

name is the name by which the access list will be known. Entering this command puts you into access control list configuration mode where you can enter the individual statements that will make up the access control list.

Use the no form of this command to delete an access control list profile. You cannot delete an access control list profile if it is currently linked to an interface. When you leave the access control list configuration mode, the new settings immediately become active.

Example: Create an access control list profile

In the following example the access control list profile named WanRx is created and the shell of the access control list configuration mode is activated.

2800>enable
2800#configure
2800(cfg)#profile acl WanRx
2800(pf-acl)[WanRx]#

Adding a filter rule to the current access control list profile

The commands permit or deny are used to define an IP filter rule. This procedure describes how to create an IP access control list entry that permits access.

Mode: Profile access control list

Step 1
Command: node(pf-acl)[name]#permit ip {src src-wildcard | any | host src} {dest dest-wildcard | any | host dest} [cos group]
Purpose: Creates an IP access control list entry that permits access defined according to the command options
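The note above recommends drafting complex lists offline before downloading them via TFTP. The following added example (not from the Patton manual or its firmware) is a small offline checker for the permit ip rule syntax in the table, so a drafted profile can be tested against sample source and destination addresses before it is loaded. It assumes, since this page does not state it, that rules are evaluated top-down with first match winning, that deny ip takes the same operands as permit ip, and that src-wildcard and dest-wildcard are inverse masks in which a 1 bit means "don't care".

```python
import ipaddress

# Added example, not from the manual: offline evaluator for
# "permit ip" / "deny ip" rules written in this page's syntax.
# Assumed semantics (not stated on this page): first match wins;
# a wildcard is an inverse mask, e.g. "192.168.1.0 0.0.0.255".

ALL_ONES = 0xFFFFFFFF

def _parse_endpoint(tokens):
    """Consume one {addr wildcard | any | host addr} group -> (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_rule(line):
    """Parse 'permit|deny ip <src> <dest> [cos group]' into a dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    src = _parse_endpoint(rest)
    dst = _parse_endpoint(rest)
    cos = rest[1] if rest[:1] == ["cos"] else None
    return {"action": action, "src": src, "dst": dst, "cos": cos}

def _matches(endpoint, addr):
    """Compare only the bits that are 0 in the wildcard."""
    net, wildcard = endpoint
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~wildcard & ALL_ONES) == (net & ~wildcard & ALL_ONES)

def evaluate(rules, src, dst):
    """Return the action of the first matching rule, or None if none match."""
    for rule in rules:
        if _matches(rule["src"], src) and _matches(rule["dst"], dst):
            return rule["action"]
    return None

# Constructed profile: permit one subnet and one management pair, deny the rest.
WANRX_RULES = [parse_rule(line) for line in (
    "permit ip 192.168.1.0 0.0.0.255 any",
    "permit ip host 10.0.0.5 host 10.0.0.1",
    "deny ip any any",
)]
```

A rule list with no final catch-all returns None for unmatched traffic, which is the case to look for when deciding whether the list permits specific accesses and denies all others.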

 

 

 

This procedure describes how to create an IP access control list entry that denies access

Access control list configuration task list