Applying ACLs to Services | Cabletron Systems SmartSwitch specs

Chapter 17: Access Control List Configuration Guide

interface. Nonetheless, for performance reasons, whenever possible, you should create and apply an ACL to the inbound interface.

To apply an ACL to an interface, enter the following command in Configure mode:

Apply ACL to an interface.

acl <name> apply interface <interface name>

inputoutput [logging onoffdeny- onlypermit-only][policy localexternal]

Applying ACLs to Services

ACLs can also be created to permit or deny access to system services provided by the SSR; for example, HTTP or Telnet servers. This type of ACL is known as a Service ACL. By definition, a Service ACL is for controlling inbound packets to a service on the router. For example, you can grant Telnet server access from a few specific hosts or deny Web server access from a particular subnet. It is true that you can do the same thing with ordinary ACLs and apply them to all interfaces. However, the Service ACL is created specifically to control access to some of the services on the SSR. As a result, only inbound traffic to the SSR is checked. Destination address and port information is ignored; therefore if you are defining a Service ACL, you do not need to specify destination information.

Note: If a service does not have an ACL applied, that service is accessible to everyone. To control access to a service, an ACL must be used.

To apply an ACL to a service, enter the following command in Configure mode:

Apply ACL to a service.

acl <name> apply service <service name>

[logging [onoff]]

Using ACLs as Profiles

You can use the acl command to define a profile. A profile specifies the criteria that addresses, flows, hosts, or packets must meet to be relevant to certain SSR features. Once you have defined an ACL profile, you can use the profile with the configuration command for that feature. For example, the Network Address Translation (NAT) feature on the SSR allows you to create address pools for dynamic bindings. You use ACL profiles to represent the appropriate pools of IP addresses.

SmartSwitch Router User Reference Manual

263

Image 263

Cabletron Systems SmartSwitch manual Applying ACLs to Services, Using ACLs as Profiles

Contents

9032578-04 SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual Vcci Notice Industry Canada Notice Cabletron SYSTEMS, INC Program License Agreement SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual Cabletron Systems Limited Program License Agreement SmartSwitch Router User Reference Manual Laser Radiation and Connectors Safety Information EC Directive 73/23/EEC EC Directive 89/336/EEC SmartSwitch Router User Reference Manual Contents Hot Swapping Line Cards and Control Modules Creating a non-IP/non-IPX Vlan SmartTRUNK Configuration Guide Vrrp Configuration Guide 127 IP Multicast Overview 199 Multicast Routing Configuration Guide 199 209 Web Hosting Configuration Guide 233 255 QoS Configuration Guide 283 WAN Configuration Guide 315 Contents Who Should Read This Manual? How to Use This ManualPreface About This Manual Preface For Information About See Installing and setting up the SSRManaging the SSR using Cabletron’s Related Documentation Preface SmartSwitch Router User Reference Manual Chapter SSR Product Overview SSR Hardware and software specificationsFeature Specification Multicast IGMP, Dvmrp IPX RIP, SAP Supported Routing Protocols Supported Media Encapsulation Type Routing Information Protocol RIP Version 1 Configuring the SmartSwitch RouterUnderstanding the Command Line Interface Key Sequence Command Basic Line Editing CommandsAccess Modes Common CLI key commands User Mode Enable Mode Exit Configure Mode Pvst Boot Prom Mode Configuration Files Loading System Images and Configuration FilesDisabling a Function or Feature Boot and System Image Ssr# system show version Loading System Image Software Enter the system image list command to verify the change Loading Boot Prom SoftwareActivating the Configuration Commands in the Scratchpad Enter yes or y to activate the changes Copying the Configuration to the Startup Configuration FileCLI displays the following message Managing the SSR Displaying Configuration Changes Configuring NTP Setting the SSR NameSetting SSR Date and Time Configuring DNS Configuring the SSR CLIConfiguring Snmp Services Configuring Logging Connecting Between the SSR and Other Systems Task Command Monitoring Configuration Reboot Show the status of the switching fabric Show the SSR login bannerShow the type of Power-On Self Test Post Show the configuration changes Hot Swapping Line Cards Chapter Hot Swapping Line Cards Control ModulesHot Swapping Overview Removing the Line Card Deactivating the Line Card Hot Swapping One Type of Line Card With Another Installing a New Line CardHot Swapping a Secondary Control Module Removing the Control Module Deactivating the Control Module Installing the Control Module Hot Swapping a Switching Fabric Module SSR 8600 only SSR-SF-16 Offline Switching Fabric Spanning Tree Ieee 802.1d Chapter Bridging Configuration GuideBridging Overview Bridging Modes Flow-Based and Address-Based Vlan Overview Subnet-based VLANs Port-based VLANsMAC-address-based VLANs Protocol-based VLANs VLANs and the SSR SSR Vlan SupportMulticast-based VLANs Policy-based VLANs Ports, VLANs, and L3 Interfaces Access Ports and Trunk Ports 802.1Q support Explicit and Implicit VLANs Configuring SSR Bridging FunctionsConfiguring Address-based or Flow-based Bridging Address-Based Bridge Table Flow-Based Bridge Table Configuring Spanning Tree More ports for a particular Vlan Adjusting Spanning-Tree ParametersSetting the Bridge Priority Assigning Port Costs Setting a Port PriorityAdjusting Bridge Protocol Data Unit Bpdu Intervals Defining the Maximum Age Adjusting the Interval between Hello TimesDefining the Forward Delay Interval Creating a Port or Protocol Based Vlan Configuring a Port or Protocol based VlanConfiguring Vlan Trunk Ports Configuring VLANs for Bridging Monitoring Bridging Configuring Layer-2 Filters Show information on MACs Configuration ExamplesCreating an IP or IPX Vlan Creating a non-IP/non-IPX VlanPage Overview Chapter SmartTRUNK Configuration Guide Add Physical Ports to the SmartTRUNK Configuring SmartTRUNKsCreating a SmartTRUNK Specify Traffic Distribution Policy Optional Monitoring SmartTRUNKs St.2 St.4 Router Switch Server Example Configurations SmartTRUNK Configuration Guide Page Dhcp Overview Configuration GuideChapter Client Parameters Configuring DhcpConfiguring an IP Address Pool Configuring Client Parameters Grouping Scopes with a Common Interface Configuring a Static IP Address Monitoring the Dhcp Server Configuring Dhcp Server ParametersUpdating the Lease Database Define a static IP address for Dhcp Configuration ExamplesDefine Dhcp network parameters for the scope ‘scope1’ Define an IP address pool for addresses 10.1.1.10 through Configuring Secondary Subnets Include ‘scope2’ in the superscope ‘super1’ Secondary Subnets and Directly-Connected Clients Interacting with Relay Agents Define the address pool for ‘scope1’ Page IP Routing Overview Chapter IP Routing Configuration Guide Multicast Routing Protocols IP Routing ProtocolsSSR supports standards-based TCP, UDP, and IP Unicast Routing Protocols Specifying Ethernet Encapsulation Method Configuring IP Interfaces and ParametersConfiguring IP Addresses to Ports Configuring IP Interfaces for a Vlan Configuring Proxy ARP Configuring Address Resolution Protocol ARPConfiguring ARP Cache Entries Defining MAC-to-IP Address Mappings Configuring Reverse Address Resolution Protocol RarpSpecifying IP Interfaces for Rarp Specify ping Configuring DNS ParametersConfiguring IP Services Icmp Monitoring Rarp Configuring Denial of Service DOS Configuring IP HelperConfiguring Direct Broadcast Monitoring IP Parameters Configuring Router Discovery Assigning IP/IPX Interfaces IP Routing Configuration Guide Vrrp Overview Configuring Vrrp Following is the configuration file for Router R1 in Figure Basic Vrrp ConfigurationBackup Configuration of Router R1 Following is the configuration file for Router R2 in Figure Symmetrical ConfigurationConfiguration for Router R2 Symmetrical Vrrp Configuration Master for VRID=1 Master for VRID=2 Backup for VRID=2 Configuration of Router R2 Multi-Backup Configuration Multi-Backup Vrrp Configuration SmartSwitch Router User Reference Manual 101 Virtual Router Default Priority Configured Priority Following is the configuration file for Router R3 in Figure Additional ConfigurationConfiguration of Router R3 Setting Pre-empt Mode Setting the Backup PrioritySetting the Advertisement Interval Ip-redundancy trace Setting an Authentication KeyMonitoring Vrrp Specific virtual router Vrrp Configuration NotesIp-redundancy show Virtual routers Display information about all SmartSwitch Router User Reference Manual 107 108 RIP Overview Chapter RIP Configuration GuideConfiguring RIP Enabling and Disabling RIP Configuring RIP InterfacesConfiguring RIP Parameters Specify that RIP V2 packets Set the authentication methodCharacters Set the authentication method To RIP Monitoring RIP Configuring RIP Route PreferenceConfiguring RIP Route Default-Metric Configuration Example 114 Ospf Overview Ospf Ospf Multipath Configuring OspfEnable Ospf Disable Ospf Ospf Interface Parameters Configuring Ospf Interface ParametersOspf Parameter Default Value Add an interface to an Ospf area Configuring an Ospf AreaCreate an Ospf area Add a network to an Ospf area for Configuring Ospf Area ParametersCreating Virtual Links Add a stub host to an Ospf area Set virtual link Configuring Ospf over Non-Broadcast Multiple AccessCreate a virtual Link Monitoring Ospf Ospf Configuration Examples Exporting All RIP, Interface & Static Routes to Ospf Exporting All Interface & Static Routes to Ospf Create a Static export source Create a Ospf export destination for type-1 routesCreate a Ospf export destination for type-2 routes Create a RIP export source Create OSPF-ASE export source Create a RIP export destinationCreate Ospf export source R10 BGP Overview Chapter BGP Configuration Guide SSR BGP Implementation Basic BGP Tasks Ip-router global set autonomous-system num1 loops num2 Setting the Autonomous System NumberSetting the Router ID Configuring a BGP Peer Group Autonomous-system number Where Starting BGP Using AS-Path Regular ExpressionsAdding and Removing a BGP Peer 132 To import MCI routes with a preference Using the AS Path Prepend FeatureAS-Path Regular Expression Examples Following is an example BGP Configuration Examples BGP Peering Session Example Physical Link Peering Relationship CLI configuration for router SSR1 is as followsAS-1 AS-2 Gated.conf file for router SSR2 is as follows Ibgp Configuration ExampleCLI configuration for router SSR2 is as follows Gated.conf file for router SSR1 is as follows Ibgp Routing Group Example AS-64801 Sample Ibgp Configuration Routing Group Type Following lines in the Cisco router configure Ospf Ibgp Internal Group Example Sample Ibgp Configuration Internal Group Type Illustrates a sample Ibgp Internal group configuration SmartSwitch Router User Reference Manual 143 Configuration for router C2 a Cisco router is as follows Ebgp Multihop Configuration ExampleConfiguration for router C1 a Cisco router is as follows Physical Link AS-64800 CLI configuration for router SSR3 is as follows Gated.conf file for router SSR4 is as follows CLI configuration for router SSR4 is as followsCommunity Attribute Example Gated.conf file for router SSR3 is as follows Sample BGP Configuration Specific Community Sample BGP Configuration Well-Known Community , router SSR11 has the following configuration , router SSR13 has the following configuration , router SSR14 has the following configuration , router SSR10 has the following configuration SmartSwitch Router User Reference Manual 153 LocalPref Attribute Example Sample BGP Configuration LocalPref Attribute Multi-Exit Discriminator Attribute Example Router SSR6 has the following CLI configuration Sample BGP Configuration MED Attribute AS-64901 Router SSR8 has the following CLI configurationEbgp Aggregation Example AS-64900 Route Reflection Example Router SSR9 has the following CLI configuration AS-64902 Shows a sample configuration that uses route reflection SmartSwitch Router User Reference Manual 161 162 Route Import and Export Policy Overview Chapter Routing Policy Configuration Guide Preference Default Preference ValuesPreference Defined by CLI Command Default Import-Source Import Policies Export-Source Export PoliciesRoute-Filter Export-Destination Specifying a Route Filter Aggregates and Generates Aggregate-Source Aggregate-Destination Authentication Methods Authentication Authentication Keys and Key Management Configuring Simple Routing Policies Redistributing Directly Attached Networks Redistributing Static Routes Redistributing Aggregate Routes Redistributing RIP into RIPRedistributing RIP into Ospf Redistributing Ospf to RIP Example 1 Redistribution into RIP Simple Route Redistribution ExamplesTo redistribute aggregate Routes into Ospf Example 2 Redistribution into Ospf Exporting a Given Static Route to All RIP InterfacesExporting All Static Routes to All RIP Interfaces 176 Configuring Advanced Routing Policies 178 Creating an Export Source Creating an Export Destination Create a RIP import Creating an Import SourceCreating a Route Filter Creating an Aggregate Route SmartSwitch Router User Reference Manual 181 Example 1 Importing from RIP Creating an Aggregate DestinationCreating an Aggregate Source Examples of Import Policies R41 184 Example 2 Importing from Ospf 186 R41 Importing a Selected Subset of OSPF-ASE Routes Example 1 Exporting to RIP Examples of Export Policies Ip-router policy create rip-export-source ripExpSrc Exporting a Given Static Route to a Specific RIP Interface Exporting Aggregate-Routes into RIP Ip-router policy create aggr-export-source aggrExpSrc Example 2 Exporting to Ospf SmartSwitch Router User Reference Manual 195 196 SmartSwitch Router User Reference Manual 197 198 Igmp Overview Chapter Multicast Routing Configuration GuideIP Multicast Overview Dvmrp Overview Configuring Igmp Response Wait Time Configuring IgmpConfiguring Igmp on an IP Interface Configuring Igmp Query Interval Starting and Stopping Dvmrp Configuring DvmrpConfiguring Per-Interface Control of Igmp Membership Configuring the Dvmrp Routing Metric Configuring Dvmrp on an InterfaceConfiguring Dvmrp Parameters Configuring a Dvmrp Tunnel Configuring Dvmrp TTL & Scope Monitoring Igmp & Dvmrp Show all multicast routes Show all interfaces runningMulticast protocols Igmp Page 208 Chapter IP Policy-Based Forwarding Configuration Guide Associating the Profile with an IP Policy Configuring IP PoliciesDefining an ACL Profile Creating Multi-statement IP Policies Setting the IP Policy Action Setting Load Distribution for Next-hop Gateways Checking the Availability of Next-hop Gateways Applying an IP Policy to an Interface All IP interfaces on the SSR IP Policy Configuration ExamplesRouting Traffic to Different ISPs An IP interface Apply a defined IP policy to Using an IP policy to route traffic to two different ISPs Using an IP policy to prioritize service to customers Prioritizing Service to Customers Using an IP policy to authenticate users through a firewall Authenticating Users through a Firewall Selecting Next Hop Gateway from IP Packet Information Firewall Load Balancing Display statistics about a Monitoring IP PoliciesDisplay information about all IP policies Ip-policy show interface interface SmartSwitch Router User Reference Manual 221 222 Chapter Network Address Translation Configuration Guide Setting Inside and Outside Interfaces Configuring NAT Dynamic Setting NAT RulesManaging Dynamic Bindings Static Monitoring NAT Static ConfigurationSpecify the FTP session timeout NAT and FTP Then, define the NAT static rules Using Static NATFirst step is to create the interfaces Next, define the interfaces to be NAT inside or outside Using Dynamic NAT Dynamic Configuration Dynamic NAT with IP Overload PAT Configuration Dynamic NAT with Outside Interface Redundancy Using Dynamic NAT with IP Overload Using Dynamic NAT with Matching Interface Redundancy 232 Chapter Web Hosting Configuration Guide Specifying Load Balancing Policy Optional Configuring Load BalancingLoad Balancing Creating the Server Group Adding Servers to the Load Balancing Group Setting Server Status Load Balancing and FTP Allowing Access to Load Balancing ServersSetting Timeouts for Load Balancing Mappings Displaying Load Balancing Information Configuration Examples 207.135.89.16 10.1.1.1 Ftp.quick..com 10.1.1.2 Ftp.quick.com Internet Router User Queries 207.135.89.16 207.135.89.17 207.135.89.18 Virtual IP Address Ranges Web Caching Configuring Web Caching Not redirected to cache servers Creating the Cache GroupSpecifying the Clients for the Cache Group Optional Redirected to cache servers Bypassing Cache Servers Configuration ExampleOther Configurations Proxy Server Redundancy Distributing Frequently-Accessed Sites Across Cache ServersMonitoring Web-Caching Show cache server information Show caching policy information RIP Routing Information Protocol Chapter IPX Routing Configuration GuideIPX Routing Overview SAP Service Advertising Protocol IPX Addresses Configuring IPX RIP & SAPCreating IPX Interfaces Specifying IPX Encapsulation Method Configuring IPX Interfaces and ParametersConfiguring IPX Addresses to Ports Configuring IPX Interfaces for a Vlan Enabling SAP Configuring IPX RoutingConfiguring Static Routes Enabling IPX RIP Creating an IPX Access Control List Configuring Static SAP Table EntriesControlling Access to IPX Networks Creating an IPX GNS Access Control List Creating an IPX Type 20 Access Control ListCreating an IPX SAP Access Control List Monitoring an IPX Network Creating an IPX RIP Access Control List Adds a SAP access list Adds a GNS access list 254 Chapter Access Control List Configuration Guide Defining Selection Criteria in ACL Rules ACL Basics How ACL Rules are Evaluated Implicit Deny Rule Allowing External Responses to Established TCP Connections Editing ACLs Offline Following ACL illustrates this featureCreating and Modifying ACLs Maintaining ACLs Using the ACL Editor These uses of ACLs are described in the following sections Using ACLsApplying ACLs to Interfaces Using ACLs as Profiles Applying ACLs to Services Using Profile ACLs with the IP Policy Facility Following SSR features use ACL profilesSSR Feature ACL Profile Usage Using Profile ACLs with the Traffic Rate Limiting Facility Using Profile ACLs with the Port Mirroring Facility Using Profile ACLs with Dynamic NAT Redirecting Http Traffic to Cache Servers Using Profile ACLs with the Web Caching Facility Preventing Web Objects From Being Cached Enabling ACL Logging Monitoring ACLs 270 Security Overview Chapter Security Configuration Guide Configuring Radius Configuring SSR Access Security Monitoring Tacacs Configuring TacacsMonitoring Radius Monitoring Tacacs Plus Configuring Tacacs Plus Layer-2 Security Filters Configuring Passwords Configuring Layer-2 Port-to-Address Lock Filters Configuring Layer-2 Address Filters Configure a destination static Configuring Layer-2 Static Entry FiltersConfiguring Layer-2 Secure Port Filters Configure a source static Monitoring Layer-2 Security Filters Static Entries Example Layer-2 Filter ExamplesEt.1.1 Et.1.2 Et.1.3 Hub Example 2 Secure Ports Port-to-Address Lock Examples Layer-3 Access Control Lists ACLs 282 QoS & Layer-2/Layer-3/Layer-4 Flow Overview Chapter QoS Configuration Guide Precedence for Layer-3 Flows Layer-2 and Layer-3 & Layer-4 Flow Specification SSR Queuing Policies Configuring Layer-2 QoSTraffic Prioritization for Layer-2 Flows Traffic Prioritization for Layer-3 & Layer-4 Flows Configuring IP QoS Policies Specifying Precedence for an IP QoS Policy Configuring IPX QoS PoliciesSetting an IP QoS Policy Setting an IPX QoS Policy Specifying Precedence for an IPX QoS Policy Configuring SSR Queueing PolicyAllocating Bandwidth for a Weighted-Fair Queuing Policy ToS Rewrite MBZ Configuring ToS Rewrite for IP Packets Tos-rewrite Show all IPX QoS flows Monitoring QoSLimiting Traffic Rate Show all IP QoS flows Interface Example ConfigurationDefine a rate limit profile Apply a rate limit profile to an Interface interface Displaying Rate Limit Information 294 Performance Monitoring Overview Chapter Performance Monitoring Guide Particular MAC address Show info about multicasts Show port error statisticsShow information about the master MAC table Show information about a Only IP ACLs can be specified for port mirroring Configuring the SSR for Port MirroringMonitoring Broadcast Traffic 298 Rmon Overview Configuring and Enabling Rmon Example of Rmon Configuration Commands Lite Rmon Groups Rmon Groups Professional Rmon Groups Standard Rmon Groups Control Tables Using Rmon Configuring Rmon Groups Size owner string status enabledisable EnabledisableNum status enabledisable String status enabledisable Rmon user-history-control index index-number Port port owner string status enabledisableOid type absolutedelta status enabledisable Rmon protocol-distribution index index-number Displaying Rmon Information Rmon CLI Filters 01000CCCCCCC Following shows Host table output without a CLI filter Creating Rmon CLI Filters Troubleshooting RmonUsing Rmon CLI Filters 312 Ssr# rmon show status Rmon Status Allocating Memory to Rmon Rmon set memory number WAN Overview WAN Static Addresses Configuring WAN InterfacesPrimary and Secondary Addresses Static, Mapped, and Dynamic Peer IP/IPX Addresses Dynamic Addresses Following command line displays an example for a VlanFollowing command line displays two examples for PPP Mapped Addresses Packet Compression Following command line displays an example for PPPForcing Bridged Encapsulation Link Integrity Example ConfigurationsAverage Packet Size Nature of the Data Packet Encryption WAN Quality of Service Random Early Discard RED Weighted-Fair QueueingSource Filtering and ACLs Congestion Management Adaptive Shaping Frame Relay OverviewVirtual Circuits Permanent Virtual Circuits PVCs Configuring Frame Relay Interfaces for the SSR Applying a Service Profile to an Active Frame Relay WAN Port Setting up a Frame Relay Service Profile Monitoring Frame Relay WAN Ports Frame Relay Port Configuration 326 Use of LCP Magic Numbers Configuring PPP InterfacesPoint-to-Point Protocol PPP Overview Defining the Type and Location of a PPP Interface Setting up a PPP Service Profile Compression on MLP Bundles or Links Applying a Service Profile to an Active PPP PortConfiguring Multilink PPP Bundles Monitoring PPP WAN Ports PPP Port Configuration Ssrconfig# ppp apply service profile2 ports hs.5.1 Simple Configuration File WAN Configuration Examples Multi-router WAN configuration Multi-Router WAN Configuration Following configuration file applies to Router R2 Router R1 Configuration FileFollowing configuration file applies to Router R1 Router R2 Configuration File Following configuration file applies to Router R4 Router R3 Configuration FileFollowing configuration file applies to Router R3 Router R4 Configuration File Following configuration file applies to Router R6 Router R5 Configuration FileFollowing configuration file applies to Router R5 Router R6 Configuration File SmartSwitch Router User Reference Manual 337 338