Cabletron Systems SmartSwitch - page 264

Chapter 17: Access Control List Configuration Guide

264 SmartSwitch Router User Reference Manual

The following SSR features use ACL profiles:

Note the following about using Profile ACLs:

• Only IP ACLs can be used as Profile ACLs. ACLs for non-IP protocols cannot be used

as Profile ACLs.

•The permit/deny keywords, while required in the ACL rule definit ion, are disregarded

in the configuration commands for the above-mentioned features. In other words, the

configuration commands will act upon a specified Profile ACL whether or not the

Profile ACL rule contains the permit or deny keyword.

• Unlike with other kinds of ACLs, there is no implicit deny rule for Profile ACLs.

• Only certain ACL rule parameters are relevant for each configuration c ommand. For

example, the configuration command to create NAT address pools for dynamic

bindings (the nat create dynamic command) only looks at the source IP address in the

specified ACL rule. The destination IP address, ports, and TOS parameters, if specifie d,

are ignored.

Specific usage of Profile ACLs is described in more detail in the following sections.

Using Profile ACLs with the IP Policy Facility

The IP policy facility uses a Profile ACL to de fine criteria that determines which packe ts

should be forwarded according to an IP policy. Packets that meet the criteria defined in

the Profile ACL are forwarded according to the ip-policy command that references the

Profile ACL.

For example, you can define an IP policy that causes all telnet packets travelling from

source network 9.1.1.0/24 to destination network 15.1.1.0/24 to be forwarded to

destination address 10.10.10.10. You use a Profile ACL to define the selection criteria (in

this case, telnet packets travelling from source network 9 .1.1.0/24 to destination network

SSR Feature ACL Profile Usage

IP policy Specifies the packets that are subject to the IP routing policy.

Dynamic NAT Defines local address pools for dynamic bindings.

Port mirroring Defines traffic to be mirrored.

Rate limiting Specifies the incoming traffic flow to which rate limiting is

applied.

Web caching Specifies which HTTP traffic should always (or never) be

redirected to the cache servers .

Specifies characteristics of Web objects that should not be cached.

Contents

Main Notice Industry Canada Notice VCCI Notice CABLETRON SYSTEMS, INC. Page CABLETRON SYSTEMS SALES AND SERVICE, INC. Page CABLETRON SYSTEMS LIMITED Page SAFETY INFORMATION CLASS 1 LASER TRANSCEIVE RS DECLARATION OF CONFORMITY ADDENDUM Page Contents Chapter 1: SSR Product Overview......................................................... 29 Chapter 2: Hot Swapping Line Cards and Control Modules................49 Chapter 3: Bridging Configuration Guide.............................................55 Chapter 4: SmartTRUNK Configuration Guide......................................69 Chapter 5: DHCP Configuration Guide..................................................75 Chapter 6: IP Routing Configuration Guide..........................................85 Chapter 7: VRRP Configuration Guide...................................................95 Chapter 8: RIP Configuration Guide.....................................................109 Chapter 9: OSPF Configuration Guide.................................................115 Chapter 10: BGP Configuration Guide.................................................127 Chapter 11: Routing Policy Configuration Guide............................... 163 Chapter 12: Multicast Routing Configuration Guide..........................199 Chapter 13: IP Policy-Based Forwarding Configuration Guide..........209 Chapter 14: Network Address Translation Configuration Guide...... 223 Chapter 15: Web Hosting Configuration Guide..................................233 Chapter 16: IPX Routing Configuration Guide....................................245 Chapter 17: Access Control List Configuration Guide........................ 255 Chapter 18: Security Configuration Guide..........................................271 Chapter 19: QoS Configuration Guide.................................................283 Chapter 20: Performance Monitoring Guide.......................................295 Chapter 21: RMON Configuration Guide.............................................299 Chapter 22: WAN Configuration Guide...............................................315 Page Preface About This Manual Who Should Read This Manual? How to Use This Manual Page Related Documentation Page Chapter 1 SSR Product Overview Page Supported Media (Encapsulation Type) Supported Routing Protocols Configuring the SmartSwitch Router Understanding the Command Line Interface Basic Line Editing Commands Access Modes User Mode Enable Mode To exit Enable mode and return to User mode, use one of the following commands: Exit Enable mode. Ctrl+Z Configure Mode Boot PROM Mode Disabling a Function or Feature Loading System Images and Configuration Files Boot and System Image Configuration Files Loading System Image Software Loading Boot PROM Software Activating the Configuration Commands in the Scratchpad Copying the Configuration to the Startup Configuration File Displaying Configuration Changes Managing the SSR Setting the SSR Name Setting SSR Date and Time Configuring NTP Configuring the SSR CLI Configuring SNMP Services Configuring DNS Connecting Between the SSR and Other Systems Configuring Logging Monitoring Configuration Page Page Deactivating the Line Card Removing the Line Card Hot Swapping One Type of Line Card With Another Hot Swapping a Secondary Control Module Deactivating the Cont rol Module Removing the Control Module Installing the Control Module Hot Swapping a Switching Fabric Module (SSR 8600 only) Page Page Bridging Modes (Flow- Based and Address-Based) VLAN Overview Page SSR VLAN Support Page Configuring SSR Bridging Functions Configuring Address- based or Flow-based Bridging Configuring Spanning Tree Adjusting Spanning-Tree Parameters Page Page Configuring a Port or Protocol based VLAN Configuring VLAN Trunk Ports Configuring VLANs for Bridging Configuring Layer-2 Filters Monitoring Bridging Creating an IP or IPX VLAN Creating a non-IP/non-IPX VLAN Page Chapter 4 SmartTRUNK Overview Configuring SmartTRUNKs Creating a SmartTRUNK Add Physical Ports to the SmartTRUNK Specify Traffic Distribution Policy (Optional) Monitoring SmartTRUNKs Example Configurations The following is the SmartTRUNK co nfiguration for the SSR labeled R1 in the diagram: The following is the SmartTRUNK configuration for the SSR labeled S1 in the diag ram: The following is the SmartTRUNK configuration for the SSR labeled S2 in the diag ram: Page Page Configuring DHCP Configuring an IP Address Pool Configuring Client Parameters Configuring a Static IP Address Grouping Scopes with a Common Interface Configuring DHCP Server Parameters Updating the Lease Database Monitoring the DHCP Server DHCP Configuration Examples Configuring Secondary Subnets Secondary Subnets and Directly-Connected Clients Interacting with Relay Agents Page Page Chapter 6 IP Routing IP Routing Overview IP Routing Protocol s Configuring IP Interfaces and Parameters Configuring IP Addresses to Ports Configuring IP Interfaces for a VLAN Specifying Ethernet Encap sulation Method Configuring Address Resolution Protocol (ARP) Configuring Reverse Address Resolution Protocol (RARP) Configuring DNS Parameters Configuring IP Services (ICMP) Configuring IP Helper Configuring Direct Broadcast Configuring Denial of Service (DOS) Monitoring IP Parameters Configuring Router Discovery Assigning IP/IPX Interfaces Page Page Basic VRRP Configura tion Symmetrical Configuration Page Multi-Backup Configuration Page Page Page Additional Configuration Page Monitoring VRRP ip-redundancy trace ip-redundancy show VRRP Configuration Notes Page Page Chapter 8 RIP Configuration RIP Overview Configuring RIP Enabling and Disabling RIP Configuring RIP Interfaces Configuring RIP Parameters Page Configuring RIP Route Preference Configuring RIP Route Default-Metric Monitoring RIP Configuration Example Page Page OSPF Multipath Configuring OSPF Enabling OSPF Configuring OSPF Interface Parameters Configuring an OSPF Area Configuring OSPF Area Parameters Creating Virtual Links Configuring Autonomous System External (ASE) Link Advertisements Configuring OSPF over Non-Broadcast Multiple Access Monitoring OSPF OSPF Configuration Examples Page Page Page Page Chapter 10 BGP Configuration BGP Overview The SSR BGP Implementation Basic BGP Tasks Setting the Autonomous Sy stem Number Setting the Router ID Configuring a BGP Peer Group Page Adding and Removing a BGP Peer Starting BGP Using AS-Path Regula r Expressions Page Using the AS Path Prepend Feat ure BGP Configuration Examples BGP Peering Session Examp le Page IBGP Configuration Example Page Figure 9 shows a sample BGP configuration that uses the Routing group type. Figure 9. S ample IBGP Configuration (Routing Group Type) AS-64801 The following lines in the Cisco router configure OSPF: The following lines in the SSR6 set up peering with the Cisco router using the Routing group type. Page Page The gated.conf file for router SSR1 is as follows: The CLI configuration for router SSR2 is as follows: The gated.conf file for router SSR2 is as follows: EBGP Multihop Configuration Example Page The gated.conf file for router SSR1 is as follows: The CLI configuration for router SSR2 is as follows: The CLI configuration for router SSR3 is as follows: The gated.conf file for router SSR2 is as follows: Community Attribute Example Figure 11. Sample BGP Configuration (Specific Community) Page In Figure 12, router SSR11 has the following con figuration: Page In Figure 12, router SSR10 has the following con figuration: In Figure 12, router SSR14 has the following confi guration: Page Local_Pref Attribute Example Figure 13. Samp le BGP Configuration (Local_Pref Attribute) Multi-Exit Discriminator Attribute Examp le Page EBGP Aggregation Example Route Reflection Example Page Page Page Page Preference Import Policies Export Policies Specifying a Route Filter Aggregates and Generates Page Authentication Configuring Simple Routing Policies Redistributing Static Routes Redistributing Directly Attached Networks Redistributing RIP in to RIP Redistributing RIP in to OSPF Redistributing OSPF to RIP Redistributing Aggregate Routes Simple Route Redistribution Examples Page Page Configuring Advanced Routing Policies Export Policies Page Creating an Export Destination Creating an Export Source Import Policies Creating an Import Source Creating a Route Filter Creating an Aggregate Route Page Creating an Aggregate Destination Creating an Aggregate Source Examples of Import Policies Page Page Page Page Page Page Examples of Export Policies Page Page Page Page Page Page Page Page Page Page DVMRP Overview Configuring IGMP Configuring IGMP on an IP Interface Configuring IGMP Query Interval Configuring IGMP Response Wait Time Configuring Per-Interface Control of IGMP Membership Configuring DVMRP Starting and Stopping DVMRP Configuring DVMRP on an Interface Configuring DVMRP Parameters Configuring the DVMRP Routing Metric Configuring DVMRP TTL & Scope Configuring a DVMRP Tunnel Monitoring IGMP & DVMRP Chapter 12: Multicast Routing Configuration Guide 206 SmartSwitch Router User Reference Manual Show all interfaces running multicast protocols (IGMP, DVMRP). multicast show interfaces Show all multicast routes. Page Page Page Configuring IP Policies Defining an ACL Profile Associating the Profile with an IP Poli cy Page Page Applying an IP Policy to an Interface IP Policy Configuration Examples Routing Traffic to Different ISPs Page Prioritizing Service to Customers Authenticating Users through a Firewall The following is the IP policy configuration for the Policy Router in Figure 21: Firewall Load Balancing Intranet Internet Monitoring IP Policies Page Page Page Page Configuring NAT Setting Inside and Outside Interface s Setting NAT Rules Managing Dynamic Bindings NAT and FTP Monitoring NAT Static Configuration Page Dynamic Configuration Dynamic NAT with IP Overload (PAT) Configuration Dynamic NAT with Outside Interface Redundancy Page Page Page Load Balancing Configuring Load Balancing Setting Server Status Load Balancing and FTP Allowing Access to Load Balancing Servers Setting Timeouts for Load Balancing Mappings Displaying Load Balancing Information Configuration Examples Domain Name Virtual IP TCP Port Real Server IP TCP Port Domain Name Virtual IP TCP Port Real Server IP TCP Port Group Name Virtual IP TCP Port Destination Server IP TCP Port Web Caching Configuring Web Caching Group Name Virtual IP TCP Port Dest ination Server IP TCP Port Page Configuration Example Other Configurations Monitoring Web-Caching Page Chapter 16 IPX Routing IPX Routing Overview RIP (Routing Information Protocol) SAP (Service Advertising Protoco l) Configuring IPX RIP & SAP IPX RIP IPX SAP Creating IPX Interfaces IPX Addresses Configuring IPX Interfaces and Parameters Configuring IPX Addresses to Ports Configuring IPX Interfaces for a VLAN Specifying IPX Encapsulation Method Configuring IPX Routing Enabling IPX RIP Enabling SAP Configuring Static Routes Configuring Static SAP Table Entries Controlling Access to IPX Networks Page Monitoring an IPX Network Adds a SAP access list Adds a GNS access list Page Page ACL Basics Defining Selection Criteria in ACL Rules How ACL Rules are Evaluated Implicit Deny Rule Allowing External Responses to Established TCP Connections Creating and Modifying ACLs Editing ACLs Offline Maintaining ACLs Using the ACL Editor Using ACLs Applying ACLs to Interfaces Applying ACLs to Services Using ACLs as Profiles Page Page Page Page Enabling ACL Logging Monitoring ACLs Page Page Configuring SSR Access Security Configuring RADIUS Configuring TACACS Configuring TACACS Plus Configuring Passwords Layer-2 Security Filters Configuring Layer-2 Address Filters Configuring Layer-2 Port-to-Address Lock Filters Configuring Layer-2 Static Entry Filters Configuring Layer-2 Secure Port Filters Monitoring Layer-2 Security Filters Layer-2 Filter Examples Page Layer-3 Access Control Lists (ACLs) Page Chapter 19 QoS Configuration QoS & Layer-2/Layer-3/Layer-4 Flow Overview Layer-2 and Layer-3 & Layer-4 Flow Specification Precedence for Layer-3 Flows SSR Queuing Policies Traffic Prioritization for Layer-2 Flows Configuring Layer-2 QoS Traffic Prioritization for Layer-3 & Layer-4 Flows Configuring IP QoS Policies Configuring IPX QoS Policies Configuring SSR Queueing Policy Allocating Bandwidth for a Weighted-Fair Queuing Policy ToS Rewrite Configuring ToS Rewrite for IP Packets Page Monitoring QoS Limiting Traffic Rate Example Configuration Displaying Rate Limit Information Page Chapter 20 Performance Monitoring Guide Performance Monitoring Overview Page Configuring the SSR for Port Mirroring Monitoring Broadcast Traffic Page Page Example of RMON Config uration Commands RMON Groups Page Control Tables Using RMON Configuring RMON Groups Page Configuration Examples Displaying RMON Information RMON CLI Filters Page Troubleshooting RMON Page Allocating Memory to RMON Page Page Configuring WAN Interfaces Primary and Secondary Ad dresses Static, Mapped, and Dynamic P eer IP/IPX Addresses Page Forcing Bridged Encapsulation Packet Compression Page Packet Encryption WAN Quality of Service Page Frame Relay Overview Virtual Circuits Configuring Frame Relay Interfaces for the SSR Defining the Type and Location of a Frame Relay and VC Interface Setting up a Frame Relay Serv ice Profile Applying a Service Profile to an Acti ve Frame Relay WAN Port Monitoring Frame Relay WAN Ports Frame Relay Port Configuration Page Point-to-Point Protocol (PPP) Overview Use of LCP Magic Numbers Configuring PPP Interfaces Defining the Type and Location of a PPP Interface Setting up a PPP Service Profil e Applying a Service Profile to an Active PPP Port Configuring Multilink PPP Bundles Monitoring PPP WAN Ports PPP Port Configuration Page WAN Configuration Examples Simple Configuration File SmartSwitch Router User Reference Manual 333 Multi-Router WAN Configuration R3 Figure 24. Multi-router WAN configuration R5 R4 Router R1 Configuration File The following configuration file applies to Router R1. Router R2 Configuration File The following configuration file applies to Router R2. Router R3 Configuration File The following configuration file applies to Router R3. Router R4 Configuration File The following configuration file applies to Router R4. Router R5 Configuration File The following configuration file applies to Router R5. Router R6 Configuration File The following configuration file applies to Router R6.