Cabletron Systems SmartSwitch 8-slot Page 132 User'S Reference Manual Download | Manualshive

Page: 132 / 150

background image

Chapter 9: Security Configuration Guide

9 - 8

SSR User Reference Manual

Destination static entry: Restrict "login multicasts" originating from the engineering
segment (port et.1.1) from reaching the finance servers.

filters add static-entry name login-mcasts dest-mac

010000:334455 vlan 1 in-port-list et.1.1 out-port-list et.1.3

restriction disallow

or

filters add static-entry name login-mcasts dest-mac

010000:334455 vlan 1 in-port-list et.1.1 out-port-list et.1.2

restriction allow

Flow static entry: Restrict "login multicasts" originating from the consultant from
reaching the finance servers.

filters add static-entry name consult-to-mcasts source-mac

001122:334455 dest-mac 010000:334455 vlan 1 in-port-list et.1.1

out-port-list et.1.3 restriction disallow

Port-to-address Lock Examples:

You have configured some filters for the consultant on port et.1.1 If the consultant
plugs his laptop into a different port, he will bypass the filters. To lock him to port
et.1.1, use the following command:

filters add port-address-lock name consultant source-mac

001122:334455 vlan 1 in-port-list et.1.1

Note: If the consultant’s MAC is detected on a different port, all of its traffic will be
blocked.

Example 2 : Secure Ports

Source secure port: To block all engineers on port 1 from accessing all other ports,
enter the following command:

filters add secure-port name engineers direction source vlan 1

in-port-list et.1.1

To allow ONLY the engineering manager access to the engineering servers, you must
"punch" a hole through the secure-port wall. A "source static-entry" overrides a
"source secure port".

filters add static-entry name eng-mgr source-mac 080060:123456

vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

Destination secure port: To block access to all file servers on all ports from port et.1.1
use the following command:

«
...
130
131
132
133
134
...
»

Summary of Contents for SmartSwitch 8-slot

Page 1: ...SmartSwitch Router User Reference Manual 9032578...

Page 2: ......

Page 3: ...SEQUENTIAL DAMAGES WHATSOEVER INCLUDING BUT NOT LIMITED TO LOST PROFITS ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT EVEN IF CABLETRON SYSTEMS HAS BEEN ADVISED OF KNOWN...

Page 4: ...in which case the user will be required to correct the interference at his own expense WARNING Changes or modifications made to this device which are not expressly approved by the party responsible fo...

Page 5: ...uipment Type Environment Networking Equipment for use in a Commercial or Light Industrial Environment We the undersigned hereby declare under our sole responsibility that the equipment packaged with t...

Page 6: ...Notice vi...

Page 7: ...et installed the SSR use the instructions in the SmartSwitch Router Getting Started Guide to install the chassis and perform basic setup tasks then return to this manual for more detailed configuratio...

Page 8: ...hapter 4 Configure OSPF routing Chapter 5 Configure Routing Policies Chapter 6 Configure IP Multicast routing Chapter 7 Configure IPX routing Chapter 8 Configure filters Chapter 9 Configure QoS Qualit...

Page 9: ...About This Manual SSR User Reference Manual ix System messages and SNMP traps SmartSwitch Router Error Message Ref erence Manual For Information About See the...

Page 10: ...About This Manual x SSR User Reference Manual...

Page 11: ...Feature 1 9 Loading System Images and Configuration Files 1 9 Boot and System Image 1 9 Configuration Files 1 9 Loading System Image Software 1 10 Loading Boot PROM Software 1 11 Activate the Configur...

Page 12: ...Spanning Tree Parameters 2 7 Set the Bridge Priority 2 8 Set a Port Priority 2 8 Assign Port Costs 2 8 Adjust Bridge Protocol Data Unit BPDU Intervals 2 8 Configuring a Port or Protocol based VLAN 2...

Page 13: ...IP Services ICMP 3 5 Monitor IP Parameters 3 5 Configuration Examples 3 6 Assigning IP IPX Interfaces 3 6 Chapter 4 RIP Configuration Guide RIP Overview 4 1 Configure RIP 4 1 Enabling and Disabling RI...

Page 14: ...ew 6 1 Preference 6 1 Import Policies 6 2 Import Source 6 3 Route Filter 6 4 Export Policies 6 4 Export Destination 6 4 Export Source 6 4 Route Filter 6 5 Specifying a Route Filter 6 5 Aggregates and...

Page 15: ...Route Filter 6 18 Creating an Aggregate Route 6 18 Creating an Aggregate Destination 6 20 Creating an Aggregate Source 6 20 Examples of Import Policies 6 20 Example 1 Importing from RIP 6 20 Example 2...

Page 16: ...1 RIP Routing Information Protocol 8 1 SAP Service Advertising Protocol 8 2 Configuring IPX RIP and SAP 8 2 IPX RIP 8 2 IPX SAP 8 3 Creating IPX Interfaces 8 3 IPX Addresses 8 3 Configuring IPX Interf...

Page 17: ...s 9 4 Configuring Layer 2 Static Entry Filters 9 4 Configuring Layer 2 Secure Port Filters 9 5 Monitor Layer 2 Security Filters 9 5 Layer 2 Filter Examples 9 7 Example 1 Address Filters 9 7 Example 2...

Page 18: ...Precedence for Layer 3 Flows 10 2 SSR Queuing Policies 10 2 Configure Layer 2 QoS 10 2 Configure Layer 3 and 4 QoS 10 3 Configure IP QoS Policies 10 3 Set an IP QoS Policy 10 4 Specify Precedence for...

Page 19: ...ftware specifications for the SSR 8 Feature Specification Throughput 16 Gbps non blocking switching fabric 15 million packets per second routing throughput Capacity Up to 250 000 routes Up to 2 000 00...

Page 20: ...nation of the following Interior Gateway Protocols Open Shortest Path First OSPF Version 2 Routing Information Protocol RIP Version 1 2 Quality of Service QoS Layer 2 prioritization 802 1p Layer 3 sou...

Page 21: ...X interfaces routing switching security filters and Quality of Service QoS policies Understanding the Command Line Interface The SSR Command Line Interface CLI provides access to several different com...

Page 22: ...acter Configure Allows you to make configuration changes To enter Configure mode first enter Enable mode enable command then enter the configure command from the Enable command prompt When you are in...

Page 23: ...R you are automatically in User mode The User commands available are a subset of those available in Enable mode In general the User commands allow you to display basic information and use basic utilit...

Page 24: ...the Enable commands enter The Enable mode command prompt consists of the SSR name followed by the pound sign ssr To list the commands available in Enable mode enter a question mark as shown in the fol...

Page 25: ...ted parameters traceroute Traceroute utility vlan Show VLAN related parameters To exit Enable mode and return to User mode use one of the following commands Configure Mode Configure mode provides the...

Page 26: ...ters system Configure system wide parameters tacacs Configure TACACS related parameters vlan Configure VLAN related parameters Special configuration mode commands erase Erase configuration information...

Page 27: ...configuration file Boot and System Image Only one boot image exists on the internal flash of the SSR Control Module Multiple system images can be stored on the external PC flash Configuration Files Th...

Page 28: ...file pc flash boot ssr8 Note In this example the location pc flash indicates that the SSR is set to use the factory installed software on the flash card 2 Copy the software upgrade you want to install...

Page 29: ...odule s internal memory To upgrade the boot PROM software and boot using the upgraded image use the following procedure 1 Display the current boot settings by entering the following command system sho...

Page 30: ...how version Activate the Configuration Commands in the Scratchpad The configuration commands you have entered using procedures in this chapter are in the Scratchpad but have not yet been activated Use...

Page 31: ...the CLI 2 Enter the following command to copy the configuration changes in the Active configuration to the Startup configuration copy active to startup 3 When the CLI displays the following message en...

Page 32: ...g command in Enable mode Configure SNMP Services The SSR accepts SNMP sets and gets from an SNMP manager You can configure SSR SNMP parameters including community strings and trap server target addres...

Page 33: ...provides many commands for displaying configuration information After you add configuration items and commit them to the active configuration you can display them using the following commands Configur...

Page 34: ...w syslog buffer Show the contact information adminis trator name phone number and so on system show contact Show the SSR date and time system show date Show the IP addresses and domain names for DNS s...

Page 35: ...ists the last five Telnet connections to the SSR system show telnet access Show the default terminal settings number of rows number of columns and baud rate system show terminal Show SSR uptime system...

Page 36: ...Chapter 1 SmartSwitch Router Product Overview 1 18 SSR User Reference Manual...

Page 37: ...y LAN segment Bridging Modes Flow Based and Address Based The SSR provides the following types of wire speed bridging Address based bridging The SSR performs this type of bridging by looking up the de...

Page 38: ...frame is transmitted only to the VLAN to which it belongs This reduces the broadcast traffic on a network by an appreciable factor The type of VLAN depends upon one criterion how a received frame is...

Page 39: ...ich the frame belongs To do this the switch must look into the network layer header of the incoming frame This type of VLAN behaves similar to a router by segregating different subnets into different...

Page 40: ...nfigured manually The implicit VLANs created by the SSR are subnet based VLANs Most commonly an SSR is used as a combined switch and router For example it may be connected to two subnets S1 and S2 Por...

Page 41: ...rotocol of the frame and the VLAN configured on the receiving port for that protocol For example if port 1 belongs to VLAN IPX_VLAN for IPX VLAN IP_VLAN for IP and VLAN OTHER_VLAN for any other protoc...

Page 42: ...bridging provides tighter management and control over bridged traffic For example the following illustration shows an SSR with traffic being sent from port A to port B port B to port A port B to port...

Page 43: ...arameters affecting the entire spanning tree are configured with variations of the bridge global configuration command Interface specific parameters are configured with variations of the bridge group...

Page 44: ...ority enter the following command in Configure mode Assign Port Costs Each interface has a port cost associated with it By convention the port cost is 1000 data rate of the attached LAN in Mbps You ca...

Page 45: ...default interval setting enter the following command in Configure mode Configuring a Port or Protocol based VLAN To create a port or protocol based VLAN perform the following steps in the Configure m...

Page 46: ...ify to which ports you want the filter to apply Refer to the Security Configuration Chapter for details on configuring Layer 2 filters You can specify the following security filters Address filters Th...

Page 47: ...assign ports to the VLAN For example servers connected to port gi 1 1 2 on the SSR need to communicate with clients connected to et 4 1 8 You can associate all the ports containing the clients and ser...

Page 48: ...Chapter 2 Bridging Configuration Guide 2 12 SSR User Reference Manual ssr config vlan add ports et 1 1 8 gi 1 1 2 to BLUE...

Page 49: ...s use to send datagrams to other application programs UDP is a connectionless protocol that does not guarantee delivery of datagrams between applications Applications which use UDP are responsible for...

Page 50: ...t have membership to a multicast session Once host memberships are determined routers use multicast routing protocols such as DVMRP to forward multicast traffic between routers The SSR supports the fo...

Page 51: ...l byte To configure IP encapsulation enter one of the following commands in Configure mode Configure Address Resolution Protocol The SSR allows you to configure Address Resolution Protocol ARP table e...

Page 52: ...acket containing the SSR MAC address Proxy ARP is enabled by default on the SSR To disable proxy ARP enter the following command in Configure mode Configure DNS Parameters The SSR can be configured to...

Page 53: ...s routing and performance information To display IP information enter the following command in Enable mode Specify ping ping hostname or IPaddr packets num size num wait num flood dontroute Specify tr...

Page 54: ...ssign an IP or IPX interface named RED to the BLUE VLAN perform the following ssr config interface create ip RED address netmask 10 50 0 1 255 255 0 0 vlan BLUE You can also assign an IP or IPX interf...

Page 55: ...n 1 and 2 The SSR implements plain text and MD5 authentication methods for RIP Version 2 The protocol independent features that apply to RIP are described in the section IP Routing Configuration Guide...

Page 56: ...s to the RIP process rip add interface interfacename or IPaddr Add gateways from which the SSR will accept RIP updates rip add trusted gateway interfacename or IPaddr Define the list of routers to whi...

Page 57: ...t RIP V2 packets should be multicast on this interface rip set interface interfacename or IPaddr all type multicast Specify that RIP V2 packets that are RIP V1 compatible should be broadcast on this i...

Page 58: ...ine the metric used when advertis ing routes via RIP that were learned from other protocols rip set default metric num Show all RIP information rip show all Show RIP export policies rip show export po...

Page 59: ...cation method to md5 rip set interface ssr1 if1 authentication method md5 Change default metric in rip set interface ssr1 if1 metric in 2 Change default metric out rip set interface ssr1 if1 metric ou...

Page 60: ...Chapter 4 RIP Configuration Guide 4 6 SSR User Reference Manual...

Page 61: ...ce Parameters Parameters that can be configured include interface output cost retransmission interval interface transmit delay router priority router dead and hello intervals and authentication key Co...

Page 62: ...nable or disable OSPF enter one of the following commands in Configure mode Configure OSPF Interface Parameters You can configure the OSPF interface parameters shown in the table below Enable OSPF osp...

Page 63: ...to an OSPF interface ospf set interface name or IPaddr all retransmit interval num Specify the number of seconds required to transmit a link state update on an OSPF interface ospf set interface name...

Page 64: ...work LSAs To create areas and assign interfaces enter the following commands in the Configure mode Configure OSPF Area Parameters The SSR allows configuration of various OSPF area parameters including...

Page 65: ...irtual links enter the following commands in the Configure mode Specify an OSPF stub area ospf set area area num stub Specify the cost to be used to inject a default route into an area ospf set area a...

Page 66: ...es Periodic LSAs over NBMA circuits are suppressed To configure OSPF over WAN circuits enter the following command in Configure mode Monitoring OSPF The SSR provides display of OSPF statistics and con...

Page 67: ...ostname or IPaddr Shows information about all OSPF routing neighbors ospf monitor neighborsdestination hostname or IPaddr Show information on valid next hops ospf monitor next hop list destination hos...

Page 68: ...24 port et 1 4 interface create ip to r42 address netmask 140 1 2 1 24 port et 1 5 interface create ip to r6 address netmask 140 1 3 1 24 port et 1 6 Configure default routes to the other subnets rea...

Page 69: ...1 OSPF ASE routes ip router policy create ospf export destination ospfExpDstType1 type 1 metric 1 2 Create a OSPF export destination for type 2 routes since we would like to redis tribute certain rou...

Page 70: ...ion ospfExpDstType1 type 1 metric 1 3 Create a OSPF export destination for type 2 routes ip router policy create ospf export destination ospfExpDstType2 type 2 metric 4 4 Create a OSPF export destinat...

Page 71: ...type OSPF ASE 12 Create the Export Policy for redistributing all interface RIP static OSPF and OSPF ASE routes into RIP ip router policy export destination ripExpDst source statExpSrc network all ip...

Page 72: ...r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 24 130 1 1 1 16 R8 A r e a 150 20 0 0 150...

Page 73: ...e redistribution Preference Preference is the value the SSR routing process uses to order preference of routes from one protocol or peer over another Preference can be set using several different conf...

Page 74: ...e is given but the smaller the set of routes it affects Import Policies Import policies control the importation of routes from routing protocols and their installation in the routing databases Routing...

Page 75: ...ssociated attributes can be specified to identify the routes to be imported Note It is quite possible for several BGP import policies to match a given update If more than one policy matches the first...

Page 76: ...determine which routes are advertised by the Unicast Routing Process to other systems Every export policy can have up to three components Export Destination Export Source Route Filter Export Destinat...

Page 77: ...e parameter that specifies default metric associated with routes exported to that protocol If a metric is not explicitly specified with the route filter export source as well as export destination the...

Page 78: ...network Refines Specifies that the mask of the destination must be more specified i e longer than the filter mask This is used to match subnets and or hosts of a network but not the network Between nu...

Page 79: ...e RIP OSPF BGP Static Direct Aggregate Autonomous system from which the route was learned AS path associated with a route When BGP is configured all routes are assigned an AS path when they are added...

Page 80: ...tication key by watching the protocol packets MD5 This method uses the MD5 algorithm to create a crypto checksum of the protocol packet and an authentication key of up to 16 characters The transmitted...

Page 81: ...from proto parameter specifies the protocol of the source routes The values for the from proto parameter are rip ospf bgp direct static aggregate and ospf ase The to proto parameter specifies the des...

Page 82: ...rocess requires RIP redistribution into RIP if a protocol is redistributed into RIP To redistribute RIP into RIP enter the following command in Configure mode Redistributing RIP into OSPF RIP routes m...

Page 83: ...ed Note The aggregate route must first be created using the aggr gen command This command creates a specified aggregate route for routes that match the aggregate To redistribute aggregate routes enter...

Page 84: ...efault route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configure static routes to the 135 3 0 0 subnets reachable through R3 ip add route 135 3 1 0 24 gateway 130 1 1 3 ip add route 135...

Page 85: ...proto rip network all ip router policy redistribute from proto static to proto rip network default restrict Example 2 Redistribution into OSPF For all examples given in this section refer to the conf...

Page 86: ...above example we would like to export all static and direct routes into OSPF we have not specified this parameter Export all RIP interface and static routes to OSPF Note Also export interface static...

Page 87: ...es the attributes associated with the exported routes The interface gateway or the autonomous system to which the routes are to be redistributed are a few examples of export destinations The metric ty...

Page 88: ...than one export source then the ip router policy export destination exp dest id command should be repeated for each exp src id The filter id if specified is the identifer of the route filter associate...

Page 89: ...oute filter has sev eral network specifications associated with it Every route is checked against the set of network specifications associated with all route filters to determine its eli gibility for...

Page 90: ...e by destination or by destination and mask To create route filters enter the following command in Configure mode Creating an Aggregate Route Route aggregation is a method of generating a more general...

Page 91: ...nd to use that route filter in several aggregates then the first method is recommended It you do not have complex filter requirements then use the second method After you create one or more building b...

Page 92: ...s may be controlled by any of protocol source interface or source gateway If more than one is specified they are processed from most general protocol to most specific gateway RIP does not support the...

Page 93: ...rnet R41 R1 R2 R3 R7 135 3 1 1 24 135 3 2 1 24 135 3 3 1 24 140 1 1 4 24 140 1 1 1 24 130 1 1 1 16 130 1 1 3 16 120 190 1 1 16 120 190 1 2 16 202 1 0 0 10 160 1 5 0 24 160 1 1 1 16 140 1 2 1 24 170 1...

Page 94: ...16 port et 1 6 interface create ip to r7 address netmask 170 1 1 1 16 port et 1 7 Configure a default route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configure default routes to the 13...

Page 95: ...outer policy import source ripImpSrc144 network 10 51 0 0 16 restrict Importing a selected subset of routes from all RIP peers accessible over a certain inter face Router R1 has several RIP peers Rout...

Page 96: ...when functioning as an AS border router Like the other interior protocols preference cannot be used to choose between OSPF ASE routes That is done by the OSPF costs Routes that are rejected by policy...

Page 97: ...r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 24 130 1 1 1 16 R8 A r e a 150 20 0 0 150...

Page 98: ...rough R2 ip add route 202 1 0 0 16 gateway 120 1 1 2 ip add route 160 1 5 0 24 gateway 120 1 1 2 OSPF Box Level Configuration ospf start ospf create area 140 1 0 0 ospf create area backbone ospf set a...

Page 99: ...routes which specify a next hop of the loopback interface i e static and internally generated default routes via RIP it is necessary to specify the metric at some level in the export policy Just setti...

Page 100: ...ast rip set interface to r42 version 2 type multicast rip set interface to r6 version 2 type multicast Exporting a given static route to all RIP interfaces Router R1 has several static routes of which...

Page 101: ...end to change the rip export policy only for interface 140 1 1 1 ip router policy create rip export destination ripExpDst141 interface 140 1 1 1 2 Create a static export source since we would like to...

Page 102: ...policy export destination ripExpDst141 source directExpSrc network all Exporting aggregate routes into RIP In the configuration shown in Figure 2 on page 6 21 suppose you decide to run RIP Version 1 o...

Page 103: ...aggrExpSrc network 140 1 0 0 16 ip router policy export destination ripExpDst130 source ripExpSrc network all ip router policy export destination ripExpDst130 source directExpSrc network all Example...

Page 104: ...dress netmask 140 1 3 1 24 port et 1 6 Configure default routes to the other subnets reachable through R2 ip add route 202 1 0 0 16 gateway 120 1 1 2 ip add route 160 1 5 0 24 gateway 120 1 1 2 OSPF B...

Page 105: ...on ospfExpDstType2 source statExpSrc network all Export all RIP interface and static routes to OSPF Note Also export interface static RIP OSPF and OSPF ASE routes into RIP In the configuration shown i...

Page 106: ...destination ospfExpDstType2 source statExpSrc network all ip router policy export destination ospfExpDstType2t100 source ripExpSrc network all 9 Create a RIP export destination ip router policy create...

Page 107: ...IGMP and not DVMRP Since multiple physical ports VLANs can be configured with the same IP interface on the SSR IGMP keeps track of multicast host members on a per port basis Ports belonging to an IP...

Page 108: ...RP interface Threshold values determine whether traffic is either restricted or not re stricted to a subnet site or region Scopes define a set of multicast addresses of devices to which the SSR can s...

Page 109: ...e default response time is 10 seconds To configure the host response wait time enter the following command in Configure mode Configure Per Interface Control of IGMP Membership You can configure the SS...

Page 110: ...pping DVMRP DVMRP is disabled by default on the SSR To start or stop DVMRP enter one of the following commands in Configure mode Configure DVMRP on an Interface DVMRP can be controlled configured on p...

Page 111: ...ed from an interface Conventional guidelines for assigning TTL values to a multicast application and their corresponding SSR setting for DVMRP threshold TTL 1 Threshold 1 Application restricted to sub...

Page 112: ...enter the following command in the Configure mode Configure a DVMRP Tunnel The SSR supports DVMRP tunnels to the MBONE the multicast backbone of the Internet You can configure a DVMRP tunnel on a rout...

Page 113: ...e upstream ip vlan add ports et 5 3 et 5 4 to upstream Show all interfaces running DVMRP Also shows the neighbors on each inter face dvmrp show interface Display DVMRP routing table dvmrp show routes...

Page 114: ...k 207 135 122 11 29 port et 1 1 interface create ip downstream address netmask 10 40 1 10 24 vlan upstream Enable IGMP interfaces igmp enable interface 10 135 89 10 igmp enable interface 172 1 1 10 ig...

Page 115: ...Chapter 7 Multicast Routing Configuration Guide SSR User Reference Manual 7 9...

Page 116: ...Chapter 7 Multicast Routing Configuration Guide 7 10 SSR User Reference Manual...

Page 117: ...self The IPX packet consists of two parts a 30 byte header and a data portion The network node and socket addresses for both the destination and source are held within the IPX header RIP Routing Infor...

Page 118: ...nformation known to the router are also sent periodically The SSR uses IPX SAP to create and maintain a database of internetwork service information The SSR s implementation of SAP allows the followin...

Page 119: ...that VLAN remains active The procedure for creating an IPX interface depends on whether you are binding that interface to a single port or a VLAN Separate discussions on the different procedures follo...

Page 120: ...within Novell IPX environments 802 2 802 2 encapsulation method used within Novell IPX environments Configure IPX Routing By default IPX routing is enabled on the SSR Enable IPX RIP IPX RIP is enable...

Page 121: ...tised with different hops then you will need to configure a static entry To add an entry into the Server Information Table enter the following command in Configure mode Control Access to IPX Networks...

Page 122: ...ist enter the following command in Configure mode Create an IPX SAP Access Control List IPX SAP access control lists control which SAP services are available on a server To create an IPX SAP access co...

Page 123: ...n To display IPX information enter the following command in Enable mode Configuration Examples This example performs the following configuration Creates IPX interfaces Adds static RIP routes Adds stat...

Page 124: ...s BBBBBBBB interface create ipx ipx2 address BBBBBBBB port et 1 2 output mac encapsulation ethernet_802 3 Add static route to network 9 ipx add route 9 BBBBBBBB 01 02 03 04 05 06 1 1 Add static sap ip...

Page 125: ...vices provided on the SSR for example Telnet server and HTTP server Configuring SSR Access Security Configure TACACS Enable mode access to the SSR can be made secure by enabling a Terminal Access Cont...

Page 126: ...re ports to filter specific MAC addresses When defining a Layer 2 security filter you specify to which ports you want the filter to apply You can specify the following security filters Address filters...

Page 127: ...or destination on a per MAC address basis you can configure an address filter Address filters are always configured and applied to the input port You can set address filters on the following A source...

Page 128: ...which specifies that any frame coming from source MAC address will be allowed or disallowed to go to a set of ports Destination static entry which specifies that any frame destined to a specific dest...

Page 129: ...ceived traffic but allow any frame coming from a specific source MAC address that is destined to specific destination MAC address to go through Combine a destination secure port with a destination sta...

Page 130: ...all destination all flow source mac MACaddr dest mac MACaddr ports port list vlan VLAN num Show port address lock filters filters show port address lock ports ports port list vlan VLAN num source mac...

Page 131: ...o the finance server s MAC will be dropped filters add address filter name finance dest mac AABBCC DDEEFF vlan 1 in port list et 1 1 Flow filter Only the consultant is restricted access to one of the...

Page 132: ...lters for the consultant on port et 1 1 If the consultant plugs his laptop into a different port he will bypass the filters To lock him to port et 1 1 use the following command filters add port addres...

Page 133: ...packet that matches the rule s packet description The Anatomy of an ACL rule Each ACL is identified by a name The name can be a meaningful string such as denyftp or noweb or it can be a number such a...

Page 134: ...t care The keyword any is needed only to skip a don t care field in order to explicitly specify another field that is further down in the rule If there are no other fields to specify the keyword any i...

Page 135: ...packets match correctly with this rule The default behavior for a packet that doesn t match any rules in an ACL can be either to permit or to deny The SSR chooses to deny a packet as the default behav...

Page 136: ...new rule to permit packets to go through acl 101 deny ip 10 1 20 0 24 any any any acl 101 permit ip acl 101 deny any any any any any The second rule will forward all packets that are not denied by th...

Page 137: ...sible for the administrator to know ahead of time that a packet should be dropped at the inbound interface Nonetheless for performance reason whenever possible one should create and apply an ACL to th...

Page 138: ...e the changes are made the administrator can then download the ACLs to the router using TFTP or RCP and make them take effect on the running system The following example describes how one can use TFTP...

Page 139: ...it by specifying its name together with the acl edit command For example to edit ACL 101 you issue the command acl edit 101 The only restriction is that when you edit a particular ACL you cannot add r...

Page 140: ...the ACL Editor To edit an ACL perform the following in the Configure mode Monitor Access Control Lists The SSR provides display of ACL configurations contained in the system Define an IP ACL acl name...

Page 141: ...command in Enable mode Show all ACLs acl show all Show a specific ACL acl show aclname Name all Show an ACL on a specific interface acl show interface Name Show ACLs on all IP interfaces acl show int...

Page 142: ...Chapter 9 Security Configuration Guide 9 18 SSR User Reference Manual...

Page 143: ...reach its destination even if the exit ports for the traffic are experiencing greater than maximum utilization Layer 2 3 4 Flow Specification For Layer 2 traffic you can define a flow based on the MA...

Page 144: ...riority traffic can be dropped to preserve throughput of control priority traffic and so on weighted fair queuing distributes priority throughput among the four priorities control high medium and low...

Page 145: ...et a QoS policy on a layer 2 flow enter the following command in Configure mode Configure Layer 3 and 4 QoS QoS policies applied at layer 3 and 4 allow you to assign priorities based on specific field...

Page 146: ...g tasks 1 Identify the Layer 3 or 4 flow and set the IPX QoS policy 2 Specify the precedence for the fields within an IPX flow Set an IPX QoS Policy To set a QoS policy on an IPX traffic flow enter th...

Page 147: ...n Configure mode Allocating Bandwidth for a Weighted Fair Queuing Policy If you enable the weighted fair queuing policy on the SSR you can allocate bandwidth for the queues on the SSR To allocate band...

Page 148: ...atistics and configurations contained in the SSR To display QoS information enter the following command in Enable mode Show all IP QoS flows qos show ip Show all IPX QoS flows qos show ipx Show all L2...

Page 149: ...atistics show command In addition to the monitoring commands listed you can find more monitoring commands listed in each chapter of the SSR User Reference Manual To access statistics on the SSR enter...

Page 150: ...ip Show unicast routing statistics statistics show ip routing Show IPX statistics statistics show ipx Show IPX interface s statistics statistics show ipx interface Show IPX routing statistics statist...

Reviews:

No comments

Related manuals for SmartSwitch 8-slot

Brand: N-Tron Pages: 101

Brand: D-Link Pages: 29

DGS-3700 Series

Brand: D-Link Pages: 292

Brand: D-Link Pages: 140

DGS-1224T - Web Smart Switch

Brand: D-Link Pages: 61

DI-LB604 - Load Balancing Router

Brand: D-Link Pages: 14

Brand: D-Link Pages: 2

Brand: D-Link Pages: 45

Brand: D-Link Pages: 218

DES-3528 - xStack Switch - Stackable

Brand: D-Link Pages: 322

DIR-130 - Broadband VPN Router

Brand: D-Link Pages: 10

DIR-130 - Broadband VPN Router

Brand: D-Link Pages: 4

DIR-130 - Broadband VPN Router

Brand: D-Link Pages: 13

Brand: D-Link Pages: 13

DI-804HV - Express ENwork Router

Brand: D-Link Pages: 19

Brand: D-Link Pages: 12

Brand: D-Link Pages: 8

Brand: D-Link Pages: 16

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands