Manuals / Cabletron Systems / Computer Equipment / Network Router

Cabletron Systems SmartSwitch manual Layer-3 Access Control Lists ACLs

Models: SmartSwitch

1 338

Download 338 pages 45.77 Kb

Page 281

Chapter 18: Security Configuration Guide

Destination secure port: To block access to all file servers on all ports from port et.1.1 use the following command:

filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1

To allow all engineers access to the engineering servers, you must "punch" a hole through the secure-port wall. A "dest static-entry" overrides a "dest secure port".

filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

Layer-3 Access Control Lists (ACLs)

Access Control Lists (ACLs) allow you to restrict Layer-3 traffic going through the SSR. Each ACL consists of one or more rules describing a particular type of IP or IPX traffic. An ACL can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the router to either permit or deny the packet that matches the rule's packet description.

For information about defining and using ACLs on the SSR, see “Access Control List Configuration Guide” on page 255.

SmartSwitch Router User Reference Manual

281

Image 281

Cabletron Systems SmartSwitch manual Layer-3 Access Control Lists ACLs

Contents

9032578-04 SmartSwitch Router User Reference ManualSmartSwitch Router User Reference Manual Vcci Notice Industry Canada NoticeCabletron SYSTEMS, INC Program License Agreement SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual Cabletron Systems Limited Program License Agreement SmartSwitch Router User Reference Manual Laser Radiation and Connectors Safety InformationEC Directive 73/23/EEC EC Directive 89/336/EECSmartSwitch Router User Reference Manual Contents Hot Swapping Line Cards and Control Modules Creating a non-IP/non-IPX Vlan SmartTRUNK Configuration GuideVrrp Configuration Guide 127 IP Multicast Overview 199 Multicast Routing Configuration Guide 199209 Web Hosting Configuration Guide 233 255 QoS Configuration Guide 283 WAN Configuration Guide 315 Contents Preface How to Use This ManualAbout This Manual Who Should Read This Manual?Preface Managing the SSR using Cabletron’s Installing and setting up the SSRRelated Documentation For Information About SeePreface SmartSwitch Router User Reference Manual Chapter SSR Product Overview SSR Hardware and software specificationsFeature Specification Multicast IGMP, Dvmrp IPX RIP, SAPSupported Routing Protocols Supported Media Encapsulation TypeRouting Information Protocol RIP Version 1 Configuring the SmartSwitch RouterUnderstanding the Command Line Interface Access Modes Basic Line Editing CommandsCommon CLI key commands Key Sequence CommandUser Mode Enable Mode Exit Configure Mode Pvst Boot Prom ModeDisabling a Function or Feature Loading System Images and Configuration FilesBoot and System Image Configuration FilesSsr# system show version Loading System Image SoftwareEnter the system image list command to verify the change Loading Boot Prom SoftwareActivating the Configuration Commands in the Scratchpad Enter yes or y to activate the changes Copying the Configuration to the Startup Configuration FileCLI displays the following message Managing the SSR Displaying Configuration ChangesConfiguring NTP Setting the SSR NameSetting SSR Date and Time Configuring DNS Configuring the SSR CLIConfiguring Snmp Services Configuring Logging Connecting Between the SSR and Other SystemsTask Command Monitoring ConfigurationShow the type of Power-On Self Test Post Show the SSR login bannerShow the configuration changes Reboot Show the status of the switching fabricHot Swapping Line Cards Chapter Hot Swapping Line Cards Control ModulesHot Swapping Overview Removing the Line Card Deactivating the Line CardHot Swapping One Type of Line Card With Another Installing a New Line CardHot Swapping a Secondary Control Module Removing the Control Module Deactivating the Control ModuleInstalling the Control Module Hot Swapping a Switching Fabric Module SSR 8600 onlySSR-SF-16 Offline Switching Fabric Spanning Tree Ieee 802.1d Chapter Bridging Configuration GuideBridging Overview Bridging Modes Flow-Based and Address-Based Vlan OverviewMAC-address-based VLANs Port-based VLANsProtocol-based VLANs Subnet-based VLANsMulticast-based VLANs SSR Vlan SupportPolicy-based VLANs VLANs and the SSRPorts, VLANs, and L3 Interfaces Access Ports and Trunk Ports 802.1Q supportExplicit and Implicit VLANs Configuring SSR Bridging FunctionsConfiguring Address-based or Flow-based Bridging Address-Based Bridge Table Flow-Based Bridge Table Configuring Spanning TreeMore ports for a particular Vlan Adjusting Spanning-Tree ParametersSetting the Bridge Priority Assigning Port Costs Setting a Port PriorityAdjusting Bridge Protocol Data Unit Bpdu Intervals Defining the Maximum Age Adjusting the Interval between Hello TimesDefining the Forward Delay Interval Configuring Vlan Trunk Ports Configuring a Port or Protocol based VlanConfiguring VLANs for Bridging Creating a Port or Protocol Based VlanMonitoring Bridging Configuring Layer-2 FiltersCreating an IP or IPX Vlan Configuration ExamplesCreating a non-IP/non-IPX Vlan Show information on MACsPage Overview Chapter SmartTRUNK Configuration GuideAdd Physical Ports to the SmartTRUNK Configuring SmartTRUNKsCreating a SmartTRUNK Specify Traffic Distribution Policy Optional Monitoring SmartTRUNKsSt.2 St.4 Router Switch Server Example ConfigurationsSmartTRUNK Configuration Guide Page Dhcp Overview Configuration GuideChapter Configuring an IP Address Pool Configuring DhcpConfiguring Client Parameters Client ParametersGrouping Scopes with a Common Interface Configuring a Static IP AddressMonitoring the Dhcp Server Configuring Dhcp Server ParametersUpdating the Lease Database Define Dhcp network parameters for the scope ‘scope1’ Dhcp Configuration ExamplesDefine an IP address pool for addresses 10.1.1.10 through Define a static IP address forConfiguring Secondary Subnets Include ‘scope2’ in the superscope ‘super1’ Secondary Subnets and Directly-Connected ClientsInteracting with Relay Agents Define the address pool for ‘scope1’ Page IP Routing Overview Chapter IP Routing Configuration GuideSSR supports standards-based TCP, UDP, and IP IP Routing ProtocolsUnicast Routing Protocols Multicast Routing ProtocolsConfiguring IP Addresses to Ports Configuring IP Interfaces and ParametersConfiguring IP Interfaces for a Vlan Specifying Ethernet Encapsulation MethodConfiguring Proxy ARP Configuring Address Resolution Protocol ARPConfiguring ARP Cache Entries Defining MAC-to-IP Address Mappings Configuring Reverse Address Resolution Protocol RarpSpecifying IP Interfaces for Rarp Configuring IP Services Icmp Configuring DNS ParametersMonitoring Rarp Specify pingConfiguring Denial of Service DOS Configuring IP HelperConfiguring Direct Broadcast Monitoring IP Parameters Configuring Router DiscoveryAssigning IP/IPX Interfaces IP Routing Configuration Guide Vrrp Overview Configuring VrrpBackup Basic Vrrp ConfigurationConfiguration of Router R1 Following is the configuration file for Router R1 in FigureFollowing is the configuration file for Router R2 in Figure Symmetrical ConfigurationConfiguration for Router R2 Symmetrical Vrrp Configuration Master for VRID=1 Master for VRID=2 Backup for VRID=2Configuration of Router R2 Multi-Backup ConfigurationMulti-Backup Vrrp Configuration SmartSwitch Router User Reference Manual 101 Virtual Router Default Priority Configured Priority Following is the configuration file for Router R3 in Figure Additional ConfigurationConfiguration of Router R3 Setting Pre-empt Mode Setting the Backup PrioritySetting the Advertisement Interval Ip-redundancy trace Setting an Authentication KeyMonitoring Vrrp Ip-redundancy show Vrrp Configuration NotesVirtual routers Display information about all Specific virtual routerSmartSwitch Router User Reference Manual 107 108 RIP Overview Chapter RIP Configuration GuideConfiguring RIP Enabling and Disabling RIP Configuring RIP InterfacesConfiguring RIP Parameters Characters Set the authentication method Set the authentication methodTo RIP Specify that RIP V2 packetsMonitoring RIP Configuring RIP Route PreferenceConfiguring RIP Route Default-Metric Configuration Example 114 Ospf Overview OspfEnable Ospf Configuring OspfDisable Ospf Ospf MultipathOspf Interface Parameters Configuring Ospf Interface ParametersOspf Parameter Default Value Add an interface to an Ospf area Configuring an Ospf AreaCreate an Ospf area Creating Virtual Links Configuring Ospf Area ParametersAdd a stub host to an Ospf area Add a network to an Ospf area forCreate a virtual Configuring Ospf over Non-Broadcast Multiple AccessLink Set virtual linkMonitoring Ospf Ospf Configuration Examples Exporting All RIP, Interface & Static Routes to Ospf Exporting All Interface & Static Routes to OspfCreate a Ospf export destination for type-2 routes Create a Ospf export destination for type-1 routesCreate a RIP export source Create a Static export sourceCreate OSPF-ASE export source Create a RIP export destinationCreate Ospf export source R10 BGP Overview Chapter BGP Configuration GuideSSR BGP Implementation Basic BGP TasksSetting the Router ID Setting the Autonomous System NumberConfiguring a BGP Peer Group Ip-router global set autonomous-system num1 loops num2Autonomous-system number WhereStarting BGP Using AS-Path Regular ExpressionsAdding and Removing a BGP Peer 132 To import MCI routes with a preference Using the AS Path Prepend FeatureAS-Path Regular Expression Examples Following is an example BGP Configuration ExamplesBGP Peering Session Example Physical Link Peering Relationship CLI configuration for router SSR1 is as followsAS-1 AS-2 CLI configuration for router SSR2 is as follows Ibgp Configuration ExampleGated.conf file for router SSR1 is as follows Gated.conf file for router SSR2 is as followsIbgp Routing Group Example AS-64801 Sample Ibgp Configuration Routing Group TypeFollowing lines in the Cisco router configure Ospf Ibgp Internal Group Example Sample Ibgp Configuration Internal Group Type Illustrates a sample Ibgp Internal group configurationSmartSwitch Router User Reference Manual 143 Configuration for router C2 a Cisco router is as follows Ebgp Multihop Configuration ExampleConfiguration for router C1 a Cisco router is as follows Physical Link AS-64800CLI configuration for router SSR3 is as follows Community Attribute Example CLI configuration for router SSR4 is as followsGated.conf file for router SSR3 is as follows Gated.conf file for router SSR4 is as followsSample BGP Configuration Specific Community Sample BGP Configuration Well-Known Community , router SSR11 has the following configuration , router SSR13 has the following configuration , router SSR14 has the following configuration , router SSR10 has the following configurationSmartSwitch Router User Reference Manual 153 LocalPref Attribute Example Sample BGP Configuration LocalPref Attribute Multi-Exit Discriminator Attribute Example Router SSR6 has the following CLI configuration Sample BGP Configuration MED AttributeEbgp Aggregation Example Router SSR8 has the following CLI configurationAS-64900 AS-64901Route Reflection Example Router SSR9 has the following CLI configurationAS-64902 Shows a sample configuration that uses route reflectionSmartSwitch Router User Reference Manual 161 162 Route Import and Export Policy Overview Chapter Routing Policy Configuration GuidePreference Default Preference ValuesPreference Defined by CLI Command Default Import-Source Import PoliciesRoute-Filter Export PoliciesExport-Destination Export-SourceSpecifying a Route Filter Aggregates and Generates Aggregate-Source Aggregate-DestinationAuthentication Methods AuthenticationAuthentication Keys and Key Management Configuring Simple Routing PoliciesRedistributing Directly Attached Networks Redistributing Static RoutesRedistributing Aggregate Routes Redistributing RIP into RIPRedistributing RIP into Ospf Redistributing Ospf to RIP To redistribute aggregate Simple Route Redistribution ExamplesRoutes into Ospf Example 1 Redistribution into RIPExample 2 Redistribution into Ospf Exporting a Given Static Route to All RIP InterfacesExporting All Static Routes to All RIP Interfaces 176 Configuring Advanced Routing Policies 178 Creating an Export Source Creating an Export DestinationCreating a Route Filter Creating an Import SourceCreating an Aggregate Route Create a RIP importSmartSwitch Router User Reference Manual 181 Creating an Aggregate Source Creating an Aggregate DestinationExamples of Import Policies Example 1 Importing from RIPR41 184 Example 2 Importing from Ospf 186 R41 Importing a Selected Subset of OSPF-ASE Routes Example 1 Exporting to RIP Examples of Export PoliciesIp-router policy create rip-export-source ripExpSrc Exporting a Given Static Route to a Specific RIP Interface Exporting Aggregate-Routes into RIP Ip-router policy create aggr-export-source aggrExpSrc Example 2 Exporting to Ospf SmartSwitch Router User Reference Manual 195 196 SmartSwitch Router User Reference Manual 197 198 Igmp Overview Chapter Multicast Routing Configuration GuideIP Multicast Overview Dvmrp Overview Configuring Igmp on an IP Interface Configuring IgmpConfiguring Igmp Query Interval Configuring Igmp Response Wait TimeStarting and Stopping Dvmrp Configuring DvmrpConfiguring Per-Interface Control of Igmp Membership Configuring the Dvmrp Routing Metric Configuring Dvmrp on an InterfaceConfiguring Dvmrp Parameters Configuring a Dvmrp Tunnel Configuring Dvmrp TTL & ScopeMonitoring Igmp & Dvmrp Show all multicast routes Show all interfaces runningMulticast protocols Igmp Page 208 Chapter IP Policy-Based Forwarding Configuration Guide Associating the Profile with an IP Policy Configuring IP PoliciesDefining an ACL Profile Creating Multi-statement IP Policies Setting the IP Policy Action Setting Load Distribution for Next-hop GatewaysChecking the Availability of Next-hop Gateways Applying an IP Policy to an InterfaceRouting Traffic to Different ISPs IP Policy Configuration ExamplesAn IP interface Apply a defined IP policy to All IP interfaces on the SSRUsing an IP policy to route traffic to two different ISPs Using an IP policy to prioritize service to customers Prioritizing Service to CustomersUsing an IP policy to authenticate users through a firewall Authenticating Users through a FirewallSelecting Next Hop Gateway from IP Packet Information Firewall Load BalancingDisplay information about all Monitoring IP PoliciesIP policies Display statistics about aIp-policy show interface interface SmartSwitch Router User Reference Manual 221 222 Chapter Network Address Translation Configuration Guide Setting Inside and Outside Interfaces Configuring NATManaging Dynamic Bindings Setting NAT RulesStatic DynamicSpecify the FTP session timeout Static ConfigurationNAT and FTP Monitoring NATFirst step is to create the interfaces Using Static NATNext, define the interfaces to be NAT inside or outside Then, define the NAT static rulesUsing Dynamic NAT Dynamic ConfigurationDynamic NAT with IP Overload PAT Configuration Dynamic NAT with Outside Interface Redundancy Using Dynamic NAT with IP OverloadUsing Dynamic NAT with Matching Interface Redundancy 232 Chapter Web Hosting Configuration Guide Load Balancing Configuring Load BalancingCreating the Server Group Specifying Load Balancing Policy OptionalAdding Servers to the Load Balancing Group Setting Server StatusLoad Balancing and FTP Allowing Access to Load Balancing ServersSetting Timeouts for Load Balancing Mappings Displaying Load Balancing Information Configuration Examples207.135.89.16 10.1.1.1 Ftp.quick..com 10.1.1.2 Ftp.quick.com Internet Router User Queries207.135.89.16 207.135.89.17 207.135.89.18 Virtual IP Address RangesWeb Caching Configuring Web CachingSpecifying the Clients for the Cache Group Optional Creating the Cache GroupRedirected to cache servers Not redirected to cache serversBypassing Cache Servers Configuration ExampleOther Configurations Proxy Server Redundancy Distributing Frequently-Accessed Sites Across Cache ServersMonitoring Web-Caching Show cache server information Show caching policy informationRIP Routing Information Protocol Chapter IPX Routing Configuration GuideIPX Routing Overview SAP Service Advertising Protocol IPX Addresses Configuring IPX RIP & SAPCreating IPX Interfaces Configuring IPX Addresses to Ports Configuring IPX Interfaces and ParametersConfiguring IPX Interfaces for a Vlan Specifying IPX Encapsulation MethodConfiguring Static Routes Configuring IPX RoutingEnabling IPX RIP Enabling SAPCreating an IPX Access Control List Configuring Static SAP Table EntriesControlling Access to IPX Networks Creating an IPX GNS Access Control List Creating an IPX Type 20 Access Control ListCreating an IPX SAP Access Control List Monitoring an IPX Network Creating an IPX RIP Access Control ListAdds a SAP access list Adds a GNS access list 254 Chapter Access Control List Configuration Guide Defining Selection Criteria in ACL Rules ACL BasicsHow ACL Rules are Evaluated Implicit Deny Rule Allowing External Responses to Established TCP Connections Editing ACLs Offline Following ACL illustrates this featureCreating and Modifying ACLs Maintaining ACLs Using the ACL Editor These uses of ACLs are described in the following sections Using ACLsApplying ACLs to Interfaces Using ACLs as Profiles Applying ACLs to ServicesUsing Profile ACLs with the IP Policy Facility Following SSR features use ACL profilesSSR Feature ACL Profile Usage Using Profile ACLs with the Traffic Rate Limiting Facility Using Profile ACLs with the Port Mirroring Facility Using Profile ACLs with Dynamic NATRedirecting Http Traffic to Cache Servers Using Profile ACLs with the Web Caching FacilityPreventing Web Objects From Being Cached Enabling ACL LoggingMonitoring ACLs 270 Security Overview Chapter Security Configuration GuideConfiguring Radius Configuring SSR Access SecurityMonitoring Tacacs Configuring TacacsMonitoring Radius Monitoring Tacacs Plus Configuring Tacacs PlusLayer-2 Security Filters Configuring PasswordsConfiguring Layer-2 Port-to-Address Lock Filters Configuring Layer-2 Address FiltersConfiguring Layer-2 Secure Port Filters Configuring Layer-2 Static Entry FiltersConfigure a source static Configure a destination staticMonitoring Layer-2 Security Filters Static Entries Example Layer-2 Filter ExamplesEt.1.1 Et.1.2 Et.1.3 Hub Example 2 Secure Ports Port-to-Address Lock ExamplesLayer-3 Access Control Lists ACLs 282 QoS & Layer-2/Layer-3/Layer-4 Flow Overview Chapter QoS Configuration GuidePrecedence for Layer-3 Flows Layer-2 and Layer-3 & Layer-4 Flow SpecificationSSR Queuing Policies Configuring Layer-2 QoSTraffic Prioritization for Layer-2 Flows Traffic Prioritization for Layer-3 & Layer-4 Flows Configuring IP QoS PoliciesSetting an IP QoS Policy Configuring IPX QoS PoliciesSetting an IPX QoS Policy Specifying Precedence for an IP QoS PolicyAllocating Bandwidth for a Weighted-Fair Queuing Policy Configuring SSR Queueing PolicyToS Rewrite Specifying Precedence for an IPX QoS PolicyMBZ Configuring ToS Rewrite for IP PacketsTos-rewrite Limiting Traffic Rate Monitoring QoSShow all IP QoS flows Show all IPX QoS flowsDefine a rate limit profile Example ConfigurationApply a rate limit profile to an InterfaceInterface interface Displaying Rate Limit Information294 Performance Monitoring Overview Chapter Performance Monitoring GuideShow information about the master Show port error statisticsMAC table Show information about a Particular MAC address Show info about multicastsOnly IP ACLs can be specified for port mirroring Configuring the SSR for Port MirroringMonitoring Broadcast Traffic 298 Rmon Overview Configuring and Enabling RmonExample of Rmon Configuration Commands Lite Rmon Groups Rmon GroupsProfessional Rmon Groups Standard Rmon GroupsControl Tables Using Rmon Configuring Rmon Groups Num status enabledisable EnabledisableString status enabledisable Size owner string status enabledisableOid type absolutedelta status enabledisable Port port owner string status enabledisableRmon protocol-distribution index index-number Rmon user-history-control index index-numberDisplaying Rmon Information Rmon CLI Filters 01000CCCCCCC Following shows Host table output without a CLI filterCreating Rmon CLI Filters Troubleshooting RmonUsing Rmon CLI Filters 312 Ssr# rmon show status Rmon Status Allocating Memory to RmonRmon set memory number WAN Overview WANPrimary and Secondary Addresses Configuring WAN InterfacesStatic, Mapped, and Dynamic Peer IP/IPX Addresses Static AddressesFollowing command line displays two examples for PPP Following command line displays an example for a VlanMapped Addresses Dynamic AddressesPacket Compression Following command line displays an example for PPPForcing Bridged Encapsulation Average Packet Size Example ConfigurationsNature of the Data Link IntegrityPacket Encryption WAN Quality of ServiceSource Filtering and ACLs Weighted-Fair QueueingCongestion Management Random Early Discard REDAdaptive Shaping Frame Relay OverviewVirtual Circuits Permanent Virtual Circuits PVCs Configuring Frame Relay Interfaces for the SSRApplying a Service Profile to an Active Frame Relay WAN Port Setting up a Frame Relay Service ProfileMonitoring Frame Relay WAN Ports Frame Relay Port Configuration326 Use of LCP Magic Numbers Configuring PPP InterfacesPoint-to-Point Protocol PPP Overview Defining the Type and Location of a PPP Interface Setting up a PPP Service ProfileCompression on MLP Bundles or Links Applying a Service Profile to an Active PPP PortConfiguring Multilink PPP Bundles Monitoring PPP WAN Ports PPP Port ConfigurationSsrconfig# ppp apply service profile2 ports hs.5.1 Simple Configuration File WAN Configuration ExamplesMulti-router WAN configuration Multi-Router WAN ConfigurationFollowing configuration file applies to Router R1 Router R1 Configuration FileRouter R2 Configuration File Following configuration file applies to Router R2Following configuration file applies to Router R3 Router R3 Configuration FileRouter R4 Configuration File Following configuration file applies to Router R4Following configuration file applies to Router R5 Router R5 Configuration FileRouter R6 Configuration File Following configuration file applies to Router R6SmartSwitch Router User Reference Manual 337 338