Creating an access control list | Patton electronic 2800 instruction

OnSite 2800 Series User Manual	8 • Link scheduler configuration

Some types of packets you do not have to tag with ACL. Voice and data packets from of for the OnSite itself are automatically tagged with predefined traffic-class names: Predefined internal classes for data are:

•local-default—All other packets that originate from the OnSite itself.

•default—All traffic that has not otherwise been labeled.

Creating an access control list

The procedure to create an access control list is described in detail in chapter 7, “Access control list configura- tion” on page 79.

At this point a simple example is given, that shows the necessary steps to tag any outbound traffic from a Web server. The scenario is depicted in figure 21. The IP address of the Web server is used as source address in the permit statement of the IP filter rule for the access control list.

172.16.1.0

Web-Server

172.16.1.20/24

	lan				wan
	lan				wan
			Node				IP Access
			Node				Network
							Network

	172.16.1.1/24			17.254.0.91/16

Figure 21. Scenario with Web server regarded as a single source host

A new access control list has to be created. In the example above, the traffic-class that represents outbound Web related traffic is named Web.

Access control list have an implicit “deny all” entry at the very end, so packets that do not match the first crite- ria of outbound Web related traffic will be dropped. That is why a second access control list entry—one that allows all other traffic—is necessary.

This procedure describes creating an access control list for tagging web traffic from the single source host at a certain IP address.

Link scheduler configuration task list

101

Image 101

Patton electronic 2800 Creating an access control list, Scenario with Web server regarded as a single source host

Contents

Managed VPN Router Mailsupport@patton.com Summary Table of Contents Table of Contents Getting started with the OnSite Managed VPN Router VPN configuration LEDs status and monitoring 112 Cabling 124 OnSite 2800 Series factory configuration 132 List of Figures List of Tables Structure About this guideAudience Impaired functioning Precautions Safety when working with electricity General observations General conventions Typographical conventions used in this document General information Chapter contents OnSite Managed VPN Router 2805 shown OnSite Model 2800 Series overview OnSite 2800 Series model codes OnSite 2800 Series detailed description DMZ Model code extensions OnSite 2800 Series power input connectors OnSite 2800 Series rear-panel ports are described in table Ports descriptions Applications overview Corporate multi-function virtual private network Corporate multi-function virtual private network General information Hardware installation Create a network diagram see section Network information on Planning the installation Installation checklist Site log Power sourceNetwork information IP related information Connecting cables Installing the VPN routerInstalling the Ethernet cable Location and mounting requirements Connecting an OnSite 2800 Series device to a hub Installing the serial WAN cable DCD Hardware installation Rear panel of 2803K/EUI Rear panel of 2803K/UI Pins not listed are not used Power connector location on rear panel Connecting to external power source UI and EUI power supplies automatically adjust to accept an Getting started with the OnSite Managed VPN Router Introduction Configure IP address Power connection and default configuration Configure IP addressAll Ethernet interfaces are activated upon power-up Terminal emulation program settings 9600 bps No parity Bit Select the context IP mode to configure an IP interface LoginStop bit No flow control Changing the IP address Respectively from the host ping Load configurationConnect the OnSite VPN Router to the network Load configuration Serial port configuration Disabling an interface Serial port configuration task list Enabling an interface Port Configuring the encapsulation for Frame RelayExample Configuring the serial encapsulation type Configuring the LMI type Enter Frame Relay mode Entering Frame Relay PVC configuration mode Configuring the keep-alive interval Binding the Frame Relay PVC to IP interface Configuring the PVC encapsulation type Mode PVC Disabling a Frame Relay PVC Enabling a Frame Relay PVC CRC Displaying serial port information Dlci Displaying Frame Relay information Integrated service access Port Configure the serial interface settings Check that the Frame Relay settings are correct Configure the introduced PVCs T1/E1 port configuration Enable/Disable T1/E1 port T1/E1 port configuration task list Configuring T1/E1 port-type Mode port e1t1 slot portConfiguring T1/E1 clock-mode Configuring T1/E1 line-code Configuring T1/E1 line-build-out T1 only Configuring T1/E1 framingConfiguring T1/E1 used-connector E1 only Name prt-e1t1 slot/port# framing Configuring T1/E1 LOS threshold Configuring T1/E1 application modeConfiguring T1/E1 encapsulation Default short-haul Configuring Channel-Group Timeslots Be used Mode port e1t1 slot portMode channel-group group-name Configuring Channel-Group Encapsulation Configuring Hdlc Encapsulation Configuring Hdlc CRC-TypeT1/E1 Configuration Examples Default no encapsulation Example 1 Frame Relay without a channel-group Example 4 PPP with a channel-group Example 2 Framerelay with a channel-groupExample 3 PPP without a channel-group VPN configuration Encryption Authentication Creating an IPsec transformation profile VPN configuration task listTransport and tunnel modes Creating an IPsec policy profile Procedure To create an IPsec policy profile Nodecfg#profile ipsec-policy-man Creating/modifying an outgoing ACL profile for IPsec Displaying IPsec configuration information Configuration of an IP interface and the IP router for IPsec Example Display IPsec policy profiles Example Display IPsec transformation profilesDebugging IPsec Example IPsec Debug Output IPsec tunnel, DES encryption Sample configurationsOnSite configuration Cisco router configuration Cisco router configuration VPN configuration Access control list configuration Why you should configure access lists About access control listsWhat access lists do Features of access control lists When to configure access lists Mapping out the goals of the access control list Access control list configuration task list Nodepf-acl name#permit ip src src-wildcard any Src-wildcard Where the syntax is Type type type type code code cos group Nodepf-acl name#permit icmp src src-wildcard anyNodepf-acl name#deny icmp src src-wildcard Any host src dest dest-wildcard any host dest Msg name Where the syntax is as following Card any host src eq port gt port lt port range Nodepf-acl name#permit tcp udp sctp src src-wildPort lt port range from to cos group cos-rtp group Nodepf-acl name#deny tcp udp sctp src src Group-data Where the syntax is Debugging an access control list profile Unbind an access control list profile from an interfaceDisplaying an access control list profile Control list profile shall be debugged Denying a specific subnet Examples Link scheduler configuration Configuring access control lists Applying scheduling at the bottleneck Configuring quality of service QoSUsing traffic classes Priority Weighted fair queuing WFQIntroduction to Scheduling Hierarchy ShapingBurst tolerant shaping or wfq Some explanations Setting the modem rateQuick references Command cross reference Link scheduler configuration task list Packet classification Defining the access control list profile Scenario with Web server regarded as a single source host Creating an access control list Nodecfg#profile acl name Creating a service policy profileNodepf-acl name#permit ip host ip-address any traffic-class Nodepf-acl name#permit ip any any Structure of a Service-Policy Profile Specifying the handling of traffic-classes Defining fair queuing weight Defining the bit-rate Specifying the type-of-service TOS fieldDefining absolute priority Defining the maximum queue length Specifying the precedence field Specifying differentiated services codepoint Dscp markingNodesrc name#set ip tos value Nodesrc name#set ip precedence value Nodesrc name#set layer2 cos value Specifying layer 2 markingNodesrc name#set ip dscp value Nodesrc name#random-detect burst-tolerance Defining random early detectionDiscarding Excess Load Policy name in out Devoting the service policy profile to an interfaceNodeif-ip if-name#use profile service Displaying link scheduling profile information Enable statistics gatheringDisplaying link arbitration status Values defining detail of the queuing statistics LEDs status and monitoring Status LEDs Contacting Patton for assistance Patton Support Headquarters in the USA Warranty coverageContact information Returns for credit Out-of-warranty serviceReturn for credit policy RMA numbers Appendix a Compliance information Compliance SafetyRadio and TV Interference FCC Part CE Declaration of Conformity Industry Canada Notice Model 2803 only Authorized European RepresentativeFCC Part 68 Acta Statement Model 2803 only Appendix B Specifications Sync serial interface Ethernet interfacesT1/E1 interface Model 2803 only PPP support Dimensions IP servicesManagement Operating environment Internal AC version Power supplyInternal power supply 100-240 VAC, 50/60 Hz, 200 mA Appendix C Cabling Serial console Connecting a serial terminal Ethernet cross-over Ethernet 10Base-T and 100Base-T Ethernet straight-through Appendix D Port pin-outs EIA-561 RJ-45 8-pin port RS-232 Console Port Console port, RJ-45, EIA-561 RS-232 Sync serial port Ethernet 10Base-T and 100Base-T portEthernet ports are auto-detect MDI-X Serial port 21 Female DB-15 connector Appendix E OnSite 2800 Series factory configuration OnSite 2800 Series factory configuration Appendix F Installation checklist Installation checklist