Manuals / Cabletron Systems / Computer Equipment / Network Router

Cabletron Systems SmartSwitch manual Creating and Modifying ACLs, Editing ACLs Offline

Models: SmartSwitch

1 338

Download 338 pages 45.77 Kb

Page 260

Chapter 17: Access Control List Configuration Guide

Otherwise, it will be rejected. To do this, enter the following command in Configure Mode:

Allow TCP responses from external hosts, provided the connection was established internally.

acl <name> permit tcp established

The following ACL illustrates this feature:

acl 101 permit tcp established

acl 101 apply interface int1 input

Any incoming TCP packet on interface int1 is examined, and if the packet is in response to an internal request, it is permitted; otherwise, it is rejected. Note that the ACL contains no restriction for outgoing packets on interface int1, since internal hosts are allowed to access the outside world.

Creating and Modifying ACLs

The SSR provides two mechanisms for creating and modifying ACLs:

•Editing ACLs on a remote host and uploading them to to the SSR using TFTP or RCP

•Using the SSR’s ACL Editor

The following sections describe these methods.

Editing ACLs Offline

You can create and edit ACLs on a remote host and then upload them to the SSR with TFTP or RCP. With this method, you use a text editor on a remote host to edit, delete, replace, or reorder ACL rules in a file. Once the changes are made, you can then upload the ACLs to the SSR using TFTP or RCP and make them take effect on the running system. The following example describes how you can use TFTP to help maintain ACLs on the SSR.

Suppose the following ACL commands are stored in a file on some hosts:

no acl *
acl 101		deny tcp 10.11.0.0/16	10.12.0.0/16
acl	101	permit tcp 10.11.0.0 any
acl	101	apply interface int12	input

The first command, no acl *, negates all commands that start with the keyword, “acl”. This tells the SSR to remove the application and the definition of any ACL. You can be more selective if you want to remove only ACL commands related to, for instance, ACL

260	SmartSwitch Router User Reference Manual

Image 260

Cabletron Systems SmartSwitch Creating and Modifying ACLs, Editing ACLs Offline, Following ACL illustrates this feature

Contents

SmartSwitch Router User Reference Manual 9032578-04SmartSwitch Router User Reference Manual Industry Canada Notice Vcci NoticeCabletron SYSTEMS, INC Program License Agreement SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual Cabletron Systems Limited Program License Agreement SmartSwitch Router User Reference Manual Safety Information Laser Radiation and ConnectorsEC Directive 89/336/EEC EC Directive 73/23/EECSmartSwitch Router User Reference Manual Contents Hot Swapping Line Cards and Control Modules SmartTRUNK Configuration Guide Creating a non-IP/non-IPX VlanVrrp Configuration Guide 127 Multicast Routing Configuration Guide 199 IP Multicast Overview 199209 Web Hosting Configuration Guide 233 255 QoS Configuration Guide 283 WAN Configuration Guide 315 Contents How to Use This Manual PrefaceAbout This Manual Who Should Read This Manual?Preface Installing and setting up the SSR Managing the SSR using Cabletron’sRelated Documentation For Information About SeePreface SmartSwitch Router User Reference Manual Chapter SSR Product Overview SSR Hardware and software specificationsFeature Specification IPX RIP, SAP Multicast IGMP, DvmrpSupported Media Encapsulation Type Supported Routing ProtocolsRouting Information Protocol RIP Version 1 Configuring the SmartSwitch RouterUnderstanding the Command Line Interface Basic Line Editing Commands Access ModesCommon CLI key commands Key Sequence CommandUser Mode Enable Mode Exit Configure Mode Boot Prom Mode PvstLoading System Images and Configuration Files Disabling a Function or FeatureBoot and System Image Configuration FilesLoading System Image Software Ssr# system show versionEnter the system image list command to verify the change Loading Boot Prom SoftwareActivating the Configuration Commands in the Scratchpad Enter yes or y to activate the changes Copying the Configuration to the Startup Configuration FileCLI displays the following message Displaying Configuration Changes Managing the SSRConfiguring NTP Setting the SSR NameSetting SSR Date and Time Configuring DNS Configuring the SSR CLIConfiguring Snmp Services Connecting Between the SSR and Other Systems Configuring LoggingMonitoring Configuration Task CommandShow the SSR login banner Show the type of Power-On Self Test PostShow the configuration changes Reboot Show the status of the switching fabricHot Swapping Line Cards Chapter Hot Swapping Line Cards Control ModulesHot Swapping Overview Deactivating the Line Card Removing the Line CardHot Swapping One Type of Line Card With Another Installing a New Line CardHot Swapping a Secondary Control Module Deactivating the Control Module Removing the Control ModuleHot Swapping a Switching Fabric Module SSR 8600 only Installing the Control ModuleSSR-SF-16 Offline Switching Fabric Spanning Tree Ieee 802.1d Chapter Bridging Configuration GuideBridging Overview Vlan Overview Bridging Modes Flow-Based and Address-BasedPort-based VLANs MAC-address-based VLANsProtocol-based VLANs Subnet-based VLANsSSR Vlan Support Multicast-based VLANsPolicy-based VLANs VLANs and the SSRAccess Ports and Trunk Ports 802.1Q support Ports, VLANs, and L3 InterfacesExplicit and Implicit VLANs Configuring SSR Bridging FunctionsConfiguring Address-based or Flow-based Bridging Configuring Spanning Tree Address-Based Bridge Table Flow-Based Bridge TableMore ports for a particular Vlan Adjusting Spanning-Tree ParametersSetting the Bridge Priority Assigning Port Costs Setting a Port PriorityAdjusting Bridge Protocol Data Unit Bpdu Intervals Defining the Maximum Age Adjusting the Interval between Hello TimesDefining the Forward Delay Interval Configuring a Port or Protocol based Vlan Configuring Vlan Trunk PortsConfiguring VLANs for Bridging Creating a Port or Protocol Based VlanConfiguring Layer-2 Filters Monitoring BridgingConfiguration Examples Creating an IP or IPX VlanCreating a non-IP/non-IPX Vlan Show information on MACsPage Chapter SmartTRUNK Configuration Guide OverviewAdd Physical Ports to the SmartTRUNK Configuring SmartTRUNKsCreating a SmartTRUNK Monitoring SmartTRUNKs Specify Traffic Distribution Policy OptionalExample Configurations St.2 St.4 Router Switch ServerSmartTRUNK Configuration Guide Page Dhcp Overview Configuration GuideChapter Configuring Dhcp Configuring an IP Address PoolConfiguring Client Parameters Client ParametersConfiguring a Static IP Address Grouping Scopes with a Common InterfaceMonitoring the Dhcp Server Configuring Dhcp Server ParametersUpdating the Lease Database Dhcp Configuration Examples Define Dhcp network parameters for the scope ‘scope1’Define an IP address pool for addresses 10.1.1.10 through Define a static IP address forConfiguring Secondary Subnets Secondary Subnets and Directly-Connected Clients Include ‘scope2’ in the superscope ‘super1’Interacting with Relay Agents Define the address pool for ‘scope1’ Page Chapter IP Routing Configuration Guide IP Routing OverviewIP Routing Protocols SSR supports standards-based TCP, UDP, and IPUnicast Routing Protocols Multicast Routing ProtocolsConfiguring IP Interfaces and Parameters Configuring IP Addresses to PortsConfiguring IP Interfaces for a Vlan Specifying Ethernet Encapsulation MethodConfiguring Proxy ARP Configuring Address Resolution Protocol ARPConfiguring ARP Cache Entries Defining MAC-to-IP Address Mappings Configuring Reverse Address Resolution Protocol RarpSpecifying IP Interfaces for Rarp Configuring DNS Parameters Configuring IP Services IcmpMonitoring Rarp Specify pingConfiguring Denial of Service DOS Configuring IP HelperConfiguring Direct Broadcast Configuring Router Discovery Monitoring IP ParametersAssigning IP/IPX Interfaces IP Routing Configuration Guide Configuring Vrrp Vrrp OverviewBasic Vrrp Configuration BackupConfiguration of Router R1 Following is the configuration file for Router R1 in FigureFollowing is the configuration file for Router R2 in Figure Symmetrical ConfigurationConfiguration for Router R2 Master for VRID=1 Master for VRID=2 Backup for VRID=2 Symmetrical Vrrp ConfigurationMulti-Backup Configuration Configuration of Router R2Multi-Backup Vrrp Configuration SmartSwitch Router User Reference Manual 101 Virtual Router Default Priority Configured Priority Following is the configuration file for Router R3 in Figure Additional ConfigurationConfiguration of Router R3 Setting Pre-empt Mode Setting the Backup PrioritySetting the Advertisement Interval Ip-redundancy trace Setting an Authentication KeyMonitoring Vrrp Vrrp Configuration Notes Ip-redundancy showVirtual routers Display information about all Specific virtual routerSmartSwitch Router User Reference Manual 107 108 RIP Overview Chapter RIP Configuration GuideConfiguring RIP Enabling and Disabling RIP Configuring RIP InterfacesConfiguring RIP Parameters Set the authentication method Characters Set the authentication methodTo RIP Specify that RIP V2 packetsMonitoring RIP Configuring RIP Route PreferenceConfiguring RIP Route Default-Metric Configuration Example 114 Ospf Ospf OverviewConfiguring Ospf Enable OspfDisable Ospf Ospf MultipathOspf Interface Parameters Configuring Ospf Interface ParametersOspf Parameter Default Value Add an interface to an Ospf area Configuring an Ospf AreaCreate an Ospf area Configuring Ospf Area Parameters Creating Virtual LinksAdd a stub host to an Ospf area Add a network to an Ospf area forConfiguring Ospf over Non-Broadcast Multiple Access Create a virtualLink Set virtual linkMonitoring Ospf Ospf Configuration Examples Exporting All Interface & Static Routes to Ospf Exporting All RIP, Interface & Static Routes to OspfCreate a Ospf export destination for type-1 routes Create a Ospf export destination for type-2 routesCreate a RIP export source Create a Static export sourceCreate OSPF-ASE export source Create a RIP export destinationCreate Ospf export source R10 Chapter BGP Configuration Guide BGP OverviewBasic BGP Tasks SSR BGP ImplementationSetting the Autonomous System Number Setting the Router IDConfiguring a BGP Peer Group Ip-router global set autonomous-system num1 loops num2Where Autonomous-system numberStarting BGP Using AS-Path Regular ExpressionsAdding and Removing a BGP Peer 132 To import MCI routes with a preference Using the AS Path Prepend FeatureAS-Path Regular Expression Examples BGP Configuration Examples Following is an exampleBGP Peering Session Example Physical Link Peering Relationship CLI configuration for router SSR1 is as followsAS-1 AS-2 Ibgp Configuration Example CLI configuration for router SSR2 is as followsGated.conf file for router SSR1 is as follows Gated.conf file for router SSR2 is as followsIbgp Routing Group Example Sample Ibgp Configuration Routing Group Type AS-64801Following lines in the Cisco router configure Ospf Ibgp Internal Group Example Illustrates a sample Ibgp Internal group configuration Sample Ibgp Configuration Internal Group TypeSmartSwitch Router User Reference Manual 143 Configuration for router C2 a Cisco router is as follows Ebgp Multihop Configuration ExampleConfiguration for router C1 a Cisco router is as follows AS-64800 Physical LinkCLI configuration for router SSR3 is as follows CLI configuration for router SSR4 is as follows Community Attribute ExampleGated.conf file for router SSR3 is as follows Gated.conf file for router SSR4 is as followsSample BGP Configuration Specific Community Sample BGP Configuration Well-Known Community , router SSR11 has the following configuration , router SSR13 has the following configuration , router SSR10 has the following configuration , router SSR14 has the following configurationSmartSwitch Router User Reference Manual 153 LocalPref Attribute Example Sample BGP Configuration LocalPref Attribute Multi-Exit Discriminator Attribute Example Sample BGP Configuration MED Attribute Router SSR6 has the following CLI configurationRouter SSR8 has the following CLI configuration Ebgp Aggregation ExampleAS-64900 AS-64901Router SSR9 has the following CLI configuration Route Reflection ExampleShows a sample configuration that uses route reflection AS-64902SmartSwitch Router User Reference Manual 161 162 Chapter Routing Policy Configuration Guide Route Import and Export Policy OverviewPreference Default Preference ValuesPreference Defined by CLI Command Default Import Policies Import-SourceExport Policies Route-FilterExport-Destination Export-SourceSpecifying a Route Filter Aggregates and Generates Aggregate-Destination Aggregate-SourceAuthentication Authentication MethodsConfiguring Simple Routing Policies Authentication Keys and Key ManagementRedistributing Static Routes Redistributing Directly Attached NetworksRedistributing Aggregate Routes Redistributing RIP into RIPRedistributing RIP into Ospf Redistributing Ospf to RIP Simple Route Redistribution Examples To redistribute aggregateRoutes into Ospf Example 1 Redistribution into RIPExample 2 Redistribution into Ospf Exporting a Given Static Route to All RIP InterfacesExporting All Static Routes to All RIP Interfaces 176 Configuring Advanced Routing Policies 178 Creating an Export Destination Creating an Export SourceCreating an Import Source Creating a Route FilterCreating an Aggregate Route Create a RIP importSmartSwitch Router User Reference Manual 181 Creating an Aggregate Destination Creating an Aggregate SourceExamples of Import Policies Example 1 Importing from RIPR41 184 Example 2 Importing from Ospf 186 R41 Importing a Selected Subset of OSPF-ASE Routes Examples of Export Policies Example 1 Exporting to RIPIp-router policy create rip-export-source ripExpSrc Exporting a Given Static Route to a Specific RIP Interface Exporting Aggregate-Routes into RIP Ip-router policy create aggr-export-source aggrExpSrc Example 2 Exporting to Ospf SmartSwitch Router User Reference Manual 195 196 SmartSwitch Router User Reference Manual 197 198 Igmp Overview Chapter Multicast Routing Configuration GuideIP Multicast Overview Dvmrp Overview Configuring Igmp Configuring Igmp on an IP InterfaceConfiguring Igmp Query Interval Configuring Igmp Response Wait TimeStarting and Stopping Dvmrp Configuring DvmrpConfiguring Per-Interface Control of Igmp Membership Configuring the Dvmrp Routing Metric Configuring Dvmrp on an InterfaceConfiguring Dvmrp Parameters Configuring Dvmrp TTL & Scope Configuring a Dvmrp TunnelMonitoring Igmp & Dvmrp Show all multicast routes Show all interfaces runningMulticast protocols Igmp Page 208 Chapter IP Policy-Based Forwarding Configuration Guide Associating the Profile with an IP Policy Configuring IP PoliciesDefining an ACL Profile Creating Multi-statement IP Policies Setting Load Distribution for Next-hop Gateways Setting the IP Policy ActionApplying an IP Policy to an Interface Checking the Availability of Next-hop GatewaysIP Policy Configuration Examples Routing Traffic to Different ISPsAn IP interface Apply a defined IP policy to All IP interfaces on the SSRUsing an IP policy to route traffic to two different ISPs Prioritizing Service to Customers Using an IP policy to prioritize service to customersAuthenticating Users through a Firewall Using an IP policy to authenticate users through a firewallFirewall Load Balancing Selecting Next Hop Gateway from IP Packet InformationMonitoring IP Policies Display information about allIP policies Display statistics about aIp-policy show interface interface SmartSwitch Router User Reference Manual 221 222 Chapter Network Address Translation Configuration Guide Configuring NAT Setting Inside and Outside InterfacesSetting NAT Rules Managing Dynamic BindingsStatic DynamicStatic Configuration Specify the FTP session timeoutNAT and FTP Monitoring NATUsing Static NAT First step is to create the interfacesNext, define the interfaces to be NAT inside or outside Then, define the NAT static rulesDynamic Configuration Using Dynamic NATDynamic NAT with IP Overload PAT Configuration Using Dynamic NAT with IP Overload Dynamic NAT with Outside Interface RedundancyUsing Dynamic NAT with Matching Interface Redundancy 232 Chapter Web Hosting Configuration Guide Configuring Load Balancing Load BalancingCreating the Server Group Specifying Load Balancing Policy OptionalSetting Server Status Adding Servers to the Load Balancing GroupLoad Balancing and FTP Allowing Access to Load Balancing ServersSetting Timeouts for Load Balancing Mappings Configuration Examples Displaying Load Balancing InformationFtp.quick.com Internet Router User Queries 207.135.89.16 10.1.1.1 Ftp.quick..com 10.1.1.2Virtual IP Address Ranges 207.135.89.16 207.135.89.17 207.135.89.18Configuring Web Caching Web CachingCreating the Cache Group Specifying the Clients for the Cache Group OptionalRedirected to cache servers Not redirected to cache serversBypassing Cache Servers Configuration ExampleOther Configurations Proxy Server Redundancy Distributing Frequently-Accessed Sites Across Cache ServersMonitoring Web-Caching Show caching policy information Show cache server informationRIP Routing Information Protocol Chapter IPX Routing Configuration GuideIPX Routing Overview SAP Service Advertising Protocol IPX Addresses Configuring IPX RIP & SAPCreating IPX Interfaces Configuring IPX Interfaces and Parameters Configuring IPX Addresses to PortsConfiguring IPX Interfaces for a Vlan Specifying IPX Encapsulation MethodConfiguring IPX Routing Configuring Static RoutesEnabling IPX RIP Enabling SAPCreating an IPX Access Control List Configuring Static SAP Table EntriesControlling Access to IPX Networks Creating an IPX GNS Access Control List Creating an IPX Type 20 Access Control ListCreating an IPX SAP Access Control List Creating an IPX RIP Access Control List Monitoring an IPX NetworkAdds a SAP access list Adds a GNS access list 254 Chapter Access Control List Configuration Guide ACL Basics Defining Selection Criteria in ACL RulesHow ACL Rules are Evaluated Implicit Deny Rule Allowing External Responses to Established TCP Connections Editing ACLs Offline Following ACL illustrates this featureCreating and Modifying ACLs Maintaining ACLs Using the ACL Editor These uses of ACLs are described in the following sections Using ACLsApplying ACLs to Interfaces Applying ACLs to Services Using ACLs as ProfilesUsing Profile ACLs with the IP Policy Facility Following SSR features use ACL profilesSSR Feature ACL Profile Usage Using Profile ACLs with the Traffic Rate Limiting Facility Using Profile ACLs with Dynamic NAT Using Profile ACLs with the Port Mirroring FacilityUsing Profile ACLs with the Web Caching Facility Redirecting Http Traffic to Cache ServersEnabling ACL Logging Preventing Web Objects From Being CachedMonitoring ACLs 270 Chapter Security Configuration Guide Security OverviewConfiguring SSR Access Security Configuring RadiusMonitoring Tacacs Configuring TacacsMonitoring Radius Configuring Tacacs Plus Monitoring Tacacs PlusConfiguring Passwords Layer-2 Security FiltersConfiguring Layer-2 Address Filters Configuring Layer-2 Port-to-Address Lock FiltersConfiguring Layer-2 Static Entry Filters Configuring Layer-2 Secure Port FiltersConfigure a source static Configure a destination staticMonitoring Layer-2 Security Filters Static Entries Example Layer-2 Filter ExamplesEt.1.1 Et.1.2 Et.1.3 Hub Port-to-Address Lock Examples Example 2 Secure PortsLayer-3 Access Control Lists ACLs 282 Chapter QoS Configuration Guide QoS & Layer-2/Layer-3/Layer-4 Flow OverviewLayer-2 and Layer-3 & Layer-4 Flow Specification Precedence for Layer-3 FlowsSSR Queuing Policies Configuring Layer-2 QoSTraffic Prioritization for Layer-2 Flows Configuring IP QoS Policies Traffic Prioritization for Layer-3 & Layer-4 FlowsConfiguring IPX QoS Policies Setting an IP QoS PolicySetting an IPX QoS Policy Specifying Precedence for an IP QoS PolicyConfiguring SSR Queueing Policy Allocating Bandwidth for a Weighted-Fair Queuing PolicyToS Rewrite Specifying Precedence for an IPX QoS PolicyConfiguring ToS Rewrite for IP Packets MBZTos-rewrite Monitoring QoS Limiting Traffic RateShow all IP QoS flows Show all IPX QoS flowsExample Configuration Define a rate limit profileApply a rate limit profile to an InterfaceDisplaying Rate Limit Information Interface interface294 Chapter Performance Monitoring Guide Performance Monitoring OverviewShow port error statistics Show information about the masterMAC table Show information about a Particular MAC address Show info about multicastsOnly IP ACLs can be specified for port mirroring Configuring the SSR for Port MirroringMonitoring Broadcast Traffic 298 Configuring and Enabling Rmon Rmon OverviewExample of Rmon Configuration Commands Rmon Groups Lite Rmon GroupsStandard Rmon Groups Professional Rmon GroupsControl Tables Using Rmon Configuring Rmon Groups Enabledisable Num status enabledisableString status enabledisable Size owner string status enabledisablePort port owner string status enabledisable Oid type absolutedelta status enabledisableRmon protocol-distribution index index-number Rmon user-history-control index index-numberDisplaying Rmon Information Rmon CLI Filters Following shows Host table output without a CLI filter 01000CCCCCCCCreating Rmon CLI Filters Troubleshooting RmonUsing Rmon CLI Filters 312 Allocating Memory to Rmon Ssr# rmon show status Rmon StatusRmon set memory number WAN WAN OverviewConfiguring WAN Interfaces Primary and Secondary AddressesStatic, Mapped, and Dynamic Peer IP/IPX Addresses Static AddressesFollowing command line displays an example for a Vlan Following command line displays two examples for PPPMapped Addresses Dynamic AddressesPacket Compression Following command line displays an example for PPPForcing Bridged Encapsulation Example Configurations Average Packet SizeNature of the Data Link IntegrityWAN Quality of Service Packet EncryptionWeighted-Fair Queueing Source Filtering and ACLsCongestion Management Random Early Discard REDAdaptive Shaping Frame Relay OverviewVirtual Circuits Configuring Frame Relay Interfaces for the SSR Permanent Virtual Circuits PVCsSetting up a Frame Relay Service Profile Applying a Service Profile to an Active Frame Relay WAN PortFrame Relay Port Configuration Monitoring Frame Relay WAN Ports326 Use of LCP Magic Numbers Configuring PPP InterfacesPoint-to-Point Protocol PPP Overview Setting up a PPP Service Profile Defining the Type and Location of a PPP InterfaceCompression on MLP Bundles or Links Applying a Service Profile to an Active PPP PortConfiguring Multilink PPP Bundles PPP Port Configuration Monitoring PPP WAN PortsSsrconfig# ppp apply service profile2 ports hs.5.1 WAN Configuration Examples Simple Configuration FileMulti-Router WAN Configuration Multi-router WAN configurationRouter R1 Configuration File Following configuration file applies to Router R1Router R2 Configuration File Following configuration file applies to Router R2Router R3 Configuration File Following configuration file applies to Router R3Router R4 Configuration File Following configuration file applies to Router R4Router R5 Configuration File Following configuration file applies to Router R5Router R6 Configuration File Following configuration file applies to Router R6SmartSwitch Router User Reference Manual 337 338