Patton electronic 2800 user manual Group-data

Page 88

OnSite 2800 Series User Manual    7 • Access control list configuration

Where the syntax is:

Keyword          Meaning
---------------  -------------------------------------------------------------------
src              The source address to be included in the rule. An IP address in
                 dotted-decimal format, e.g. 64.231.1.10.
src-wildcard     A wildcard for the source address. Expressed in dotted-decimal
                 format, this value specifies which bits are significant for
                 matching. One-bits in the wildcard indicate that the corresponding
                 bits are ignored. An example of a valid wildcard is 0.0.0.255,
                 which specifies a class C network.
any              Indicates that IP traffic to or from all IP addresses is to be
                 included in the rule.
host src         The address of a single source host.
eq port          Optional. Indicates that a packet's port must be equal to the
                 specified port in order to match the rule.
lt port          Optional. Indicates that a packet's port must be less than the
                 specified port in order to match the rule.
gt port          Optional. Indicates that a packet's port must be greater than the
                 specified port in order to match the rule.
range from to    Optional. Indicates that a packet's port must be equal to or
                 greater than the specified from port and less than the specified
                 to port in order to match the rule.
dest             The destination address to be included in the rule. An IP address
                 in dotted-decimal format, e.g. 64.231.1.10.
dest-wildcard    A wildcard for the destination address. See src-wildcard.
host dest        The address of a single destination host.
cos              Optional. Specifies that packets matched by this rule belong to a
                 certain Class of Service (CoS). For a detailed description of CoS
                 configuration refer to chapter 8, “Link scheduler configuration”
                 on page 93.
cos-rtp          Optional. Specifies that the rule is intended to filter RTP/RTCP
                 packets. In this mode you can specify different CoS groups for
                 data packets (even port numbers) and control packets (odd port
                 numbers). Note: this option is only valid when protocol UDP is
                 selected.
group            CoS group name.
group-data       CoS group name for RTP data packets. Only valid when the rtp
                 option has been specified.
group-ctrl       CoS group name for RTCP control packets. Only valid when the rtp
                 option has been specified.

Example: Create TCP or UDP access control list entries

Select the access-list profile named WanRx and create the rules for:

Permitting any TCP traffic to host 193.14.2.10 via port 80, and permitting UDP traffic from host 62.1.2.3 to host 193.14.2.11 via any port in the range from 1024 to 2048.

2800(cfg)#profile acl WanRx
2800(pf-acl)[WanRx]#permit tcp any host 193.14.2.10 eq 80
2800(pf-acl)[WanRx]#permit udp host 62.1.2.3 host 193.14.2.11 range 1024 2048
2800(pf-acl)[WanRx]#exit
2800(cfg)#
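As an added example that is not part of the manual or Patton's own software, the following Python model implements the matching rules the keyword table above defines (wildcard masks where one-bits are ignored, and the eq/lt/gt/range port operators) and applies them to the two WanRx entries of the example. It assumes the entry form `permit|deny <proto> <src> [port-op] <dest> [port-op]` with a port operator allowed after the source as well as after the destination (the page's examples show it only after the destination), ignores any cos options, and returns None when no entry matches, since this page does not state how unmatched traffic is treated.

```python
import ipaddress
from collections import namedtuple
# One ACL entry; sport and dport each hold (operator, arguments), operator None = any port.
Rule = namedtuple("Rule", "action proto src src_wc dst dst_wc sport dport")

def wildcard_match(addr, base, wildcard):
    """One-bits in the wildcard mark address bits that are ignored (page semantics)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # zero-bits in the wildcard must match exactly
    return (a & care) == (b & care)

def port_match(port, op, args):
    """eq/lt/gt as on the page; range is 'from <= port < to' as the table states."""
    if op is None:    return True
    if op == "eq":    return port == args[0]
    if op == "lt":    return port < args[0]
    if op == "gt":    return port > args[0]
    if op == "range": return args[0] <= port < args[1]
    raise ValueError(op)

def _addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, next index)."""
    if t[i] == "any":  return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host": return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def _port_op(t, i):   # consume an optional eq/lt/gt/range operator and its argument(s)
    if i < len(t) and t[i] in ("eq", "lt", "gt", "range"):
        n = 2 if t[i] == "range" else 1
        return (t[i], tuple(int(x) for x in t[i + 1:i + 1 + n])), i + 1 + n
    return (None, ()), i

def parse_rule(line):
    """Parse 'permit|deny <proto> <src> [port-op] <dest> [port-op]'; cos options are ignored."""
    t = line.split()
    src, src_wc, i = _addr(t, 2)
    sport, i = _port_op(t, i)       # port operator after the source: an assumption, see lead-in
    dst, dst_wc, i = _addr(t, i)
    dport, i = _port_op(t, i)
    return Rule(t[0], t[1], src, src_wc, dst, dst_wc, sport, dport)

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins: returns its action, or None when no rule matches."""
    for r in rules:
        if (r.proto == proto and wildcard_match(src, r.src, r.src_wc) and wildcard_match(dst, r.dst, r.dst_wc)
                and port_match(sport, *r.sport) and port_match(dport, *r.dport)):
            return r.action
    return None

WANRX = [parse_rule(l) for l in ("permit tcp any host 193.14.2.10 eq 80",   # the page's two WanRx rules
                                 "permit udp host 62.1.2.3 host 193.14.2.11 range 1024 2048")]
```

Note that, following the table's wording, port 2048 itself is outside `range 1024 2048`; check the device's actual behaviour before relying on the boundary.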

Access control list configuration task list
