Cabletron Systems SmartSwitch 8-slot Скачать руководство пользователя | Manualshive

Страница: 137 / 150

background image

Chapter 9: Security Configuration Guide

SSR User Reference Manual

9 - 13

many rules in an ACL. You just have to put all of these rules into one ACL and apply
it to an interface.

When a packet comes into a router at an interface where an inbound ACL is applied,
the router compares the packet with the rules specified by that ACL. If it is permitted,
the packet is allowed into the router. If not, the packet is dropped. If that packet is to
be forwarded to go out of another interface (that is, the packet is to be routed) then a
second ACL check is possible. At the output interface, if an outbound ACL is applied,
the packet will be compared with the rules specified in this outbound ACL.
Consequently, it is possible for a packet to go through two separate checks, once at the
inbound interface and once more at the outbound interface.

In general, you should try to apply ACLs at the inbound interfaces instead of the
outbound interfaces. If a packet is to be denied, you want to drop the packet as early as
possible, at the inbound interface. Otherwise, the router will have to process the packet,
determine where the packet should go only to find out that the packet should be
dropped at the outbound interface. In some cases, however, it may not be simple or
possible for the administrator to know ahead of time that a packet should be dropped
at the inbound interface. Nonetheless, for performance reason, whenever possible, one
should create and apply an ACL to the inbound interface.

Applying ACLs to Services

ACLs can also be created to permit or deny access to system services provided by the
router; for example, HTTP server or Telnet server. This type of ACL is known as a
Service ACL. By definition, a Service ACL is for controlling inbound packets to a
service on the router. For example, you can grant Telnet server access from a few
specific hosts or deny Web server access from a particular subnet. It is true that one can
do the same thing with ordinary ACLs and apply them to all interfaces. However, the
Service ACL is created specifically to control access to some of the services on the
router. As a result, the syntax of a Service ACL is much simpler than that of the
ordinary ACL.

Note:

If a service does not have an ACL applied then that service is accessible to
everyone. To control access to a service, an ACL must be used.

ACL Logging

To see whether incoming packets are permitted or denied because of an ACL, one can
enable ACL Logging when applying the ACL. When ACL Logging is turned on, the
router prints out a message on the console about whether a packet is forwarded or
dropped. If you have a Syslog server configured for the SSR then the same information
will also be sent to the Syslog server.

«
...
135
136
137
138
139
...
»

Содержание SmartSwitch 8-slot

Страница 1: ...SmartSwitch Router User Reference Manual 9032578...

Страница 2: ......

Страница 3: ...SEQUENTIAL DAMAGES WHATSOEVER INCLUDING BUT NOT LIMITED TO LOST PROFITS ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT EVEN IF CABLETRON SYSTEMS HAS BEEN ADVISED OF KNOWN...

Страница 4: ...in which case the user will be required to correct the interference at his own expense WARNING Changes or modifications made to this device which are not expressly approved by the party responsible fo...

Страница 5: ...uipment Type Environment Networking Equipment for use in a Commercial or Light Industrial Environment We the undersigned hereby declare under our sole responsibility that the equipment packaged with t...

Страница 6: ...Notice vi...

Страница 7: ...et installed the SSR use the instructions in the SmartSwitch Router Getting Started Guide to install the chassis and perform basic setup tasks then return to this manual for more detailed configuratio...

Страница 8: ...hapter 4 Configure OSPF routing Chapter 5 Configure Routing Policies Chapter 6 Configure IP Multicast routing Chapter 7 Configure IPX routing Chapter 8 Configure filters Chapter 9 Configure QoS Qualit...

Страница 9: ...About This Manual SSR User Reference Manual ix System messages and SNMP traps SmartSwitch Router Error Message Ref erence Manual For Information About See the...

Страница 10: ...About This Manual x SSR User Reference Manual...

Страница 11: ...Feature 1 9 Loading System Images and Configuration Files 1 9 Boot and System Image 1 9 Configuration Files 1 9 Loading System Image Software 1 10 Loading Boot PROM Software 1 11 Activate the Configur...

Страница 12: ...Spanning Tree Parameters 2 7 Set the Bridge Priority 2 8 Set a Port Priority 2 8 Assign Port Costs 2 8 Adjust Bridge Protocol Data Unit BPDU Intervals 2 8 Configuring a Port or Protocol based VLAN 2...

Страница 13: ...IP Services ICMP 3 5 Monitor IP Parameters 3 5 Configuration Examples 3 6 Assigning IP IPX Interfaces 3 6 Chapter 4 RIP Configuration Guide RIP Overview 4 1 Configure RIP 4 1 Enabling and Disabling RI...

Страница 14: ...ew 6 1 Preference 6 1 Import Policies 6 2 Import Source 6 3 Route Filter 6 4 Export Policies 6 4 Export Destination 6 4 Export Source 6 4 Route Filter 6 5 Specifying a Route Filter 6 5 Aggregates and...

Страница 15: ...Route Filter 6 18 Creating an Aggregate Route 6 18 Creating an Aggregate Destination 6 20 Creating an Aggregate Source 6 20 Examples of Import Policies 6 20 Example 1 Importing from RIP 6 20 Example 2...

Страница 16: ...1 RIP Routing Information Protocol 8 1 SAP Service Advertising Protocol 8 2 Configuring IPX RIP and SAP 8 2 IPX RIP 8 2 IPX SAP 8 3 Creating IPX Interfaces 8 3 IPX Addresses 8 3 Configuring IPX Interf...

Страница 17: ...s 9 4 Configuring Layer 2 Static Entry Filters 9 4 Configuring Layer 2 Secure Port Filters 9 5 Monitor Layer 2 Security Filters 9 5 Layer 2 Filter Examples 9 7 Example 1 Address Filters 9 7 Example 2...

Страница 18: ...Precedence for Layer 3 Flows 10 2 SSR Queuing Policies 10 2 Configure Layer 2 QoS 10 2 Configure Layer 3 and 4 QoS 10 3 Configure IP QoS Policies 10 3 Set an IP QoS Policy 10 4 Specify Precedence for...

Страница 19: ...ftware specifications for the SSR 8 Feature Specification Throughput 16 Gbps non blocking switching fabric 15 million packets per second routing throughput Capacity Up to 250 000 routes Up to 2 000 00...

Страница 20: ...nation of the following Interior Gateway Protocols Open Shortest Path First OSPF Version 2 Routing Information Protocol RIP Version 1 2 Quality of Service QoS Layer 2 prioritization 802 1p Layer 3 sou...

Страница 21: ...X interfaces routing switching security filters and Quality of Service QoS policies Understanding the Command Line Interface The SSR Command Line Interface CLI provides access to several different com...

Страница 22: ...acter Configure Allows you to make configuration changes To enter Configure mode first enter Enable mode enable command then enter the configure command from the Enable command prompt When you are in...

Страница 23: ...R you are automatically in User mode The User commands available are a subset of those available in Enable mode In general the User commands allow you to display basic information and use basic utilit...

Страница 24: ...the Enable commands enter The Enable mode command prompt consists of the SSR name followed by the pound sign ssr To list the commands available in Enable mode enter a question mark as shown in the fol...

Страница 25: ...ted parameters traceroute Traceroute utility vlan Show VLAN related parameters To exit Enable mode and return to User mode use one of the following commands Configure Mode Configure mode provides the...

Страница 26: ...ters system Configure system wide parameters tacacs Configure TACACS related parameters vlan Configure VLAN related parameters Special configuration mode commands erase Erase configuration information...

Страница 27: ...configuration file Boot and System Image Only one boot image exists on the internal flash of the SSR Control Module Multiple system images can be stored on the external PC flash Configuration Files Th...

Страница 28: ...file pc flash boot ssr8 Note In this example the location pc flash indicates that the SSR is set to use the factory installed software on the flash card 2 Copy the software upgrade you want to install...

Страница 29: ...odule s internal memory To upgrade the boot PROM software and boot using the upgraded image use the following procedure 1 Display the current boot settings by entering the following command system sho...

Страница 30: ...how version Activate the Configuration Commands in the Scratchpad The configuration commands you have entered using procedures in this chapter are in the Scratchpad but have not yet been activated Use...

Страница 31: ...the CLI 2 Enter the following command to copy the configuration changes in the Active configuration to the Startup configuration copy active to startup 3 When the CLI displays the following message en...

Страница 32: ...g command in Enable mode Configure SNMP Services The SSR accepts SNMP sets and gets from an SNMP manager You can configure SSR SNMP parameters including community strings and trap server target addres...

Страница 33: ...provides many commands for displaying configuration information After you add configuration items and commit them to the active configuration you can display them using the following commands Configur...

Страница 34: ...w syslog buffer Show the contact information adminis trator name phone number and so on system show contact Show the SSR date and time system show date Show the IP addresses and domain names for DNS s...

Страница 35: ...ists the last five Telnet connections to the SSR system show telnet access Show the default terminal settings number of rows number of columns and baud rate system show terminal Show SSR uptime system...

Страница 36: ...Chapter 1 SmartSwitch Router Product Overview 1 18 SSR User Reference Manual...

Страница 37: ...y LAN segment Bridging Modes Flow Based and Address Based The SSR provides the following types of wire speed bridging Address based bridging The SSR performs this type of bridging by looking up the de...

Страница 38: ...frame is transmitted only to the VLAN to which it belongs This reduces the broadcast traffic on a network by an appreciable factor The type of VLAN depends upon one criterion how a received frame is...

Страница 39: ...ich the frame belongs To do this the switch must look into the network layer header of the incoming frame This type of VLAN behaves similar to a router by segregating different subnets into different...

Страница 40: ...nfigured manually The implicit VLANs created by the SSR are subnet based VLANs Most commonly an SSR is used as a combined switch and router For example it may be connected to two subnets S1 and S2 Por...

Страница 41: ...rotocol of the frame and the VLAN configured on the receiving port for that protocol For example if port 1 belongs to VLAN IPX_VLAN for IPX VLAN IP_VLAN for IP and VLAN OTHER_VLAN for any other protoc...

Страница 42: ...bridging provides tighter management and control over bridged traffic For example the following illustration shows an SSR with traffic being sent from port A to port B port B to port A port B to port...

Страница 43: ...arameters affecting the entire spanning tree are configured with variations of the bridge global configuration command Interface specific parameters are configured with variations of the bridge group...

Страница 44: ...ority enter the following command in Configure mode Assign Port Costs Each interface has a port cost associated with it By convention the port cost is 1000 data rate of the attached LAN in Mbps You ca...

Страница 45: ...default interval setting enter the following command in Configure mode Configuring a Port or Protocol based VLAN To create a port or protocol based VLAN perform the following steps in the Configure m...

Страница 46: ...ify to which ports you want the filter to apply Refer to the Security Configuration Chapter for details on configuring Layer 2 filters You can specify the following security filters Address filters Th...

Страница 47: ...assign ports to the VLAN For example servers connected to port gi 1 1 2 on the SSR need to communicate with clients connected to et 4 1 8 You can associate all the ports containing the clients and ser...

Страница 48: ...Chapter 2 Bridging Configuration Guide 2 12 SSR User Reference Manual ssr config vlan add ports et 1 1 8 gi 1 1 2 to BLUE...

Страница 49: ...s use to send datagrams to other application programs UDP is a connectionless protocol that does not guarantee delivery of datagrams between applications Applications which use UDP are responsible for...

Страница 50: ...t have membership to a multicast session Once host memberships are determined routers use multicast routing protocols such as DVMRP to forward multicast traffic between routers The SSR supports the fo...

Страница 51: ...l byte To configure IP encapsulation enter one of the following commands in Configure mode Configure Address Resolution Protocol The SSR allows you to configure Address Resolution Protocol ARP table e...

Страница 52: ...acket containing the SSR MAC address Proxy ARP is enabled by default on the SSR To disable proxy ARP enter the following command in Configure mode Configure DNS Parameters The SSR can be configured to...

Страница 53: ...s routing and performance information To display IP information enter the following command in Enable mode Specify ping ping hostname or IPaddr packets num size num wait num flood dontroute Specify tr...

Страница 54: ...ssign an IP or IPX interface named RED to the BLUE VLAN perform the following ssr config interface create ip RED address netmask 10 50 0 1 255 255 0 0 vlan BLUE You can also assign an IP or IPX interf...

Страница 55: ...n 1 and 2 The SSR implements plain text and MD5 authentication methods for RIP Version 2 The protocol independent features that apply to RIP are described in the section IP Routing Configuration Guide...

Страница 56: ...s to the RIP process rip add interface interfacename or IPaddr Add gateways from which the SSR will accept RIP updates rip add trusted gateway interfacename or IPaddr Define the list of routers to whi...

Страница 57: ...t RIP V2 packets should be multicast on this interface rip set interface interfacename or IPaddr all type multicast Specify that RIP V2 packets that are RIP V1 compatible should be broadcast on this i...

Страница 58: ...ine the metric used when advertis ing routes via RIP that were learned from other protocols rip set default metric num Show all RIP information rip show all Show RIP export policies rip show export po...

Страница 59: ...cation method to md5 rip set interface ssr1 if1 authentication method md5 Change default metric in rip set interface ssr1 if1 metric in 2 Change default metric out rip set interface ssr1 if1 metric ou...

Страница 60: ...Chapter 4 RIP Configuration Guide 4 6 SSR User Reference Manual...

Страница 61: ...ce Parameters Parameters that can be configured include interface output cost retransmission interval interface transmit delay router priority router dead and hello intervals and authentication key Co...

Страница 62: ...nable or disable OSPF enter one of the following commands in Configure mode Configure OSPF Interface Parameters You can configure the OSPF interface parameters shown in the table below Enable OSPF osp...

Страница 63: ...to an OSPF interface ospf set interface name or IPaddr all retransmit interval num Specify the number of seconds required to transmit a link state update on an OSPF interface ospf set interface name...

Страница 64: ...work LSAs To create areas and assign interfaces enter the following commands in the Configure mode Configure OSPF Area Parameters The SSR allows configuration of various OSPF area parameters including...

Страница 65: ...irtual links enter the following commands in the Configure mode Specify an OSPF stub area ospf set area area num stub Specify the cost to be used to inject a default route into an area ospf set area a...

Страница 66: ...es Periodic LSAs over NBMA circuits are suppressed To configure OSPF over WAN circuits enter the following command in Configure mode Monitoring OSPF The SSR provides display of OSPF statistics and con...

Страница 67: ...ostname or IPaddr Shows information about all OSPF routing neighbors ospf monitor neighborsdestination hostname or IPaddr Show information on valid next hops ospf monitor next hop list destination hos...

Страница 68: ...24 port et 1 4 interface create ip to r42 address netmask 140 1 2 1 24 port et 1 5 interface create ip to r6 address netmask 140 1 3 1 24 port et 1 6 Configure default routes to the other subnets rea...

Страница 69: ...1 OSPF ASE routes ip router policy create ospf export destination ospfExpDstType1 type 1 metric 1 2 Create a OSPF export destination for type 2 routes since we would like to redis tribute certain rou...

Страница 70: ...ion ospfExpDstType1 type 1 metric 1 3 Create a OSPF export destination for type 2 routes ip router policy create ospf export destination ospfExpDstType2 type 2 metric 4 4 Create a OSPF export destinat...

Страница 71: ...type OSPF ASE 12 Create the Export Policy for redistributing all interface RIP static OSPF and OSPF ASE routes into RIP ip router policy export destination ripExpDst source statExpSrc network all ip...

Страница 72: ...r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 24 130 1 1 1 16 R8 A r e a 150 20 0 0 150...

Страница 73: ...e redistribution Preference Preference is the value the SSR routing process uses to order preference of routes from one protocol or peer over another Preference can be set using several different conf...

Страница 74: ...e is given but the smaller the set of routes it affects Import Policies Import policies control the importation of routes from routing protocols and their installation in the routing databases Routing...

Страница 75: ...ssociated attributes can be specified to identify the routes to be imported Note It is quite possible for several BGP import policies to match a given update If more than one policy matches the first...

Страница 76: ...determine which routes are advertised by the Unicast Routing Process to other systems Every export policy can have up to three components Export Destination Export Source Route Filter Export Destinat...

Страница 77: ...e parameter that specifies default metric associated with routes exported to that protocol If a metric is not explicitly specified with the route filter export source as well as export destination the...

Страница 78: ...network Refines Specifies that the mask of the destination must be more specified i e longer than the filter mask This is used to match subnets and or hosts of a network but not the network Between nu...

Страница 79: ...e RIP OSPF BGP Static Direct Aggregate Autonomous system from which the route was learned AS path associated with a route When BGP is configured all routes are assigned an AS path when they are added...

Страница 80: ...tication key by watching the protocol packets MD5 This method uses the MD5 algorithm to create a crypto checksum of the protocol packet and an authentication key of up to 16 characters The transmitted...

Страница 81: ...from proto parameter specifies the protocol of the source routes The values for the from proto parameter are rip ospf bgp direct static aggregate and ospf ase The to proto parameter specifies the des...

Страница 82: ...rocess requires RIP redistribution into RIP if a protocol is redistributed into RIP To redistribute RIP into RIP enter the following command in Configure mode Redistributing RIP into OSPF RIP routes m...

Страница 83: ...ed Note The aggregate route must first be created using the aggr gen command This command creates a specified aggregate route for routes that match the aggregate To redistribute aggregate routes enter...

Страница 84: ...efault route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configure static routes to the 135 3 0 0 subnets reachable through R3 ip add route 135 3 1 0 24 gateway 130 1 1 3 ip add route 135...

Страница 85: ...proto rip network all ip router policy redistribute from proto static to proto rip network default restrict Example 2 Redistribution into OSPF For all examples given in this section refer to the conf...

Страница 86: ...above example we would like to export all static and direct routes into OSPF we have not specified this parameter Export all RIP interface and static routes to OSPF Note Also export interface static...

Страница 87: ...es the attributes associated with the exported routes The interface gateway or the autonomous system to which the routes are to be redistributed are a few examples of export destinations The metric ty...

Страница 88: ...than one export source then the ip router policy export destination exp dest id command should be repeated for each exp src id The filter id if specified is the identifer of the route filter associate...

Страница 89: ...oute filter has sev eral network specifications associated with it Every route is checked against the set of network specifications associated with all route filters to determine its eli gibility for...

Страница 90: ...e by destination or by destination and mask To create route filters enter the following command in Configure mode Creating an Aggregate Route Route aggregation is a method of generating a more general...

Страница 91: ...nd to use that route filter in several aggregates then the first method is recommended It you do not have complex filter requirements then use the second method After you create one or more building b...

Страница 92: ...s may be controlled by any of protocol source interface or source gateway If more than one is specified they are processed from most general protocol to most specific gateway RIP does not support the...

Страница 93: ...rnet R41 R1 R2 R3 R7 135 3 1 1 24 135 3 2 1 24 135 3 3 1 24 140 1 1 4 24 140 1 1 1 24 130 1 1 1 16 130 1 1 3 16 120 190 1 1 16 120 190 1 2 16 202 1 0 0 10 160 1 5 0 24 160 1 1 1 16 140 1 2 1 24 170 1...

Страница 94: ...16 port et 1 6 interface create ip to r7 address netmask 170 1 1 1 16 port et 1 7 Configure a default route through 170 1 1 7 ip add route default gateway 170 1 1 7 Configure default routes to the 13...

Страница 95: ...outer policy import source ripImpSrc144 network 10 51 0 0 16 restrict Importing a selected subset of routes from all RIP peers accessible over a certain inter face Router R1 has several RIP peers Rout...

Страница 96: ...when functioning as an AS border router Like the other interior protocols preference cannot be used to choose between OSPF ASE routes That is done by the OSPF costs Routes that are rejected by policy...

Страница 97: ...r e a B a c k b o n e A r e a 140 1 0 0 RIP V2 140 1 1 1 24 140 1 2 1 24 140 1 5 24 190 1 1 1 16 120 190 1 1 16 160 1 5 2 24 R10 R5 R7 202 1 2 2 16 140 1 3 1 24 130 1 1 1 16 R8 A r e a 150 20 0 0 150...

Страница 98: ...rough R2 ip add route 202 1 0 0 16 gateway 120 1 1 2 ip add route 160 1 5 0 24 gateway 120 1 1 2 OSPF Box Level Configuration ospf start ospf create area 140 1 0 0 ospf create area backbone ospf set a...

Страница 99: ...routes which specify a next hop of the loopback interface i e static and internally generated default routes via RIP it is necessary to specify the metric at some level in the export policy Just setti...

Страница 100: ...ast rip set interface to r42 version 2 type multicast rip set interface to r6 version 2 type multicast Exporting a given static route to all RIP interfaces Router R1 has several static routes of which...

Страница 101: ...end to change the rip export policy only for interface 140 1 1 1 ip router policy create rip export destination ripExpDst141 interface 140 1 1 1 2 Create a static export source since we would like to...

Страница 102: ...policy export destination ripExpDst141 source directExpSrc network all Exporting aggregate routes into RIP In the configuration shown in Figure 2 on page 6 21 suppose you decide to run RIP Version 1 o...

Страница 103: ...aggrExpSrc network 140 1 0 0 16 ip router policy export destination ripExpDst130 source ripExpSrc network all ip router policy export destination ripExpDst130 source directExpSrc network all Example...

Страница 104: ...dress netmask 140 1 3 1 24 port et 1 6 Configure default routes to the other subnets reachable through R2 ip add route 202 1 0 0 16 gateway 120 1 1 2 ip add route 160 1 5 0 24 gateway 120 1 1 2 OSPF B...

Страница 105: ...on ospfExpDstType2 source statExpSrc network all Export all RIP interface and static routes to OSPF Note Also export interface static RIP OSPF and OSPF ASE routes into RIP In the configuration shown i...

Страница 106: ...destination ospfExpDstType2 source statExpSrc network all ip router policy export destination ospfExpDstType2t100 source ripExpSrc network all 9 Create a RIP export destination ip router policy create...

Страница 107: ...IGMP and not DVMRP Since multiple physical ports VLANs can be configured with the same IP interface on the SSR IGMP keeps track of multicast host members on a per port basis Ports belonging to an IP...

Страница 108: ...RP interface Threshold values determine whether traffic is either restricted or not re stricted to a subnet site or region Scopes define a set of multicast addresses of devices to which the SSR can s...

Страница 109: ...e default response time is 10 seconds To configure the host response wait time enter the following command in Configure mode Configure Per Interface Control of IGMP Membership You can configure the SS...

Страница 110: ...pping DVMRP DVMRP is disabled by default on the SSR To start or stop DVMRP enter one of the following commands in Configure mode Configure DVMRP on an Interface DVMRP can be controlled configured on p...

Страница 111: ...ed from an interface Conventional guidelines for assigning TTL values to a multicast application and their corresponding SSR setting for DVMRP threshold TTL 1 Threshold 1 Application restricted to sub...

Страница 112: ...enter the following command in the Configure mode Configure a DVMRP Tunnel The SSR supports DVMRP tunnels to the MBONE the multicast backbone of the Internet You can configure a DVMRP tunnel on a rout...

Страница 113: ...e upstream ip vlan add ports et 5 3 et 5 4 to upstream Show all interfaces running DVMRP Also shows the neighbors on each inter face dvmrp show interface Display DVMRP routing table dvmrp show routes...

Страница 114: ...k 207 135 122 11 29 port et 1 1 interface create ip downstream address netmask 10 40 1 10 24 vlan upstream Enable IGMP interfaces igmp enable interface 10 135 89 10 igmp enable interface 172 1 1 10 ig...

Страница 115: ...Chapter 7 Multicast Routing Configuration Guide SSR User Reference Manual 7 9...

Страница 116: ...Chapter 7 Multicast Routing Configuration Guide 7 10 SSR User Reference Manual...

Страница 117: ...self The IPX packet consists of two parts a 30 byte header and a data portion The network node and socket addresses for both the destination and source are held within the IPX header RIP Routing Infor...

Страница 118: ...nformation known to the router are also sent periodically The SSR uses IPX SAP to create and maintain a database of internetwork service information The SSR s implementation of SAP allows the followin...

Страница 119: ...that VLAN remains active The procedure for creating an IPX interface depends on whether you are binding that interface to a single port or a VLAN Separate discussions on the different procedures follo...

Страница 120: ...within Novell IPX environments 802 2 802 2 encapsulation method used within Novell IPX environments Configure IPX Routing By default IPX routing is enabled on the SSR Enable IPX RIP IPX RIP is enable...

Страница 121: ...tised with different hops then you will need to configure a static entry To add an entry into the Server Information Table enter the following command in Configure mode Control Access to IPX Networks...

Страница 122: ...ist enter the following command in Configure mode Create an IPX SAP Access Control List IPX SAP access control lists control which SAP services are available on a server To create an IPX SAP access co...

Страница 123: ...n To display IPX information enter the following command in Enable mode Configuration Examples This example performs the following configuration Creates IPX interfaces Adds static RIP routes Adds stat...

Страница 124: ...s BBBBBBBB interface create ipx ipx2 address BBBBBBBB port et 1 2 output mac encapsulation ethernet_802 3 Add static route to network 9 ipx add route 9 BBBBBBBB 01 02 03 04 05 06 1 1 Add static sap ip...

Страница 125: ...vices provided on the SSR for example Telnet server and HTTP server Configuring SSR Access Security Configure TACACS Enable mode access to the SSR can be made secure by enabling a Terminal Access Cont...

Страница 126: ...re ports to filter specific MAC addresses When defining a Layer 2 security filter you specify to which ports you want the filter to apply You can specify the following security filters Address filters...

Страница 127: ...or destination on a per MAC address basis you can configure an address filter Address filters are always configured and applied to the input port You can set address filters on the following A source...

Страница 128: ...which specifies that any frame coming from source MAC address will be allowed or disallowed to go to a set of ports Destination static entry which specifies that any frame destined to a specific dest...

Страница 129: ...ceived traffic but allow any frame coming from a specific source MAC address that is destined to specific destination MAC address to go through Combine a destination secure port with a destination sta...

Страница 130: ...all destination all flow source mac MACaddr dest mac MACaddr ports port list vlan VLAN num Show port address lock filters filters show port address lock ports ports port list vlan VLAN num source mac...

Страница 131: ...o the finance server s MAC will be dropped filters add address filter name finance dest mac AABBCC DDEEFF vlan 1 in port list et 1 1 Flow filter Only the consultant is restricted access to one of the...

Страница 132: ...lters for the consultant on port et 1 1 If the consultant plugs his laptop into a different port he will bypass the filters To lock him to port et 1 1 use the following command filters add port addres...

Страница 133: ...packet that matches the rule s packet description The Anatomy of an ACL rule Each ACL is identified by a name The name can be a meaningful string such as denyftp or noweb or it can be a number such a...

Страница 134: ...t care The keyword any is needed only to skip a don t care field in order to explicitly specify another field that is further down in the rule If there are no other fields to specify the keyword any i...

Страница 135: ...packets match correctly with this rule The default behavior for a packet that doesn t match any rules in an ACL can be either to permit or to deny The SSR chooses to deny a packet as the default behav...

Страница 136: ...new rule to permit packets to go through acl 101 deny ip 10 1 20 0 24 any any any acl 101 permit ip acl 101 deny any any any any any The second rule will forward all packets that are not denied by th...

Страница 137: ...sible for the administrator to know ahead of time that a packet should be dropped at the inbound interface Nonetheless for performance reason whenever possible one should create and apply an ACL to th...

Страница 138: ...e the changes are made the administrator can then download the ACLs to the router using TFTP or RCP and make them take effect on the running system The following example describes how one can use TFTP...

Страница 139: ...it by specifying its name together with the acl edit command For example to edit ACL 101 you issue the command acl edit 101 The only restriction is that when you edit a particular ACL you cannot add r...

Страница 140: ...the ACL Editor To edit an ACL perform the following in the Configure mode Monitor Access Control Lists The SSR provides display of ACL configurations contained in the system Define an IP ACL acl name...

Страница 141: ...command in Enable mode Show all ACLs acl show all Show a specific ACL acl show aclname Name all Show an ACL on a specific interface acl show interface Name Show ACLs on all IP interfaces acl show int...

Страница 142: ...Chapter 9 Security Configuration Guide 9 18 SSR User Reference Manual...

Страница 143: ...reach its destination even if the exit ports for the traffic are experiencing greater than maximum utilization Layer 2 3 4 Flow Specification For Layer 2 traffic you can define a flow based on the MA...

Страница 144: ...riority traffic can be dropped to preserve throughput of control priority traffic and so on weighted fair queuing distributes priority throughput among the four priorities control high medium and low...

Страница 145: ...et a QoS policy on a layer 2 flow enter the following command in Configure mode Configure Layer 3 and 4 QoS QoS policies applied at layer 3 and 4 allow you to assign priorities based on specific field...

Страница 146: ...g tasks 1 Identify the Layer 3 or 4 flow and set the IPX QoS policy 2 Specify the precedence for the fields within an IPX flow Set an IPX QoS Policy To set a QoS policy on an IPX traffic flow enter th...

Страница 147: ...n Configure mode Allocating Bandwidth for a Weighted Fair Queuing Policy If you enable the weighted fair queuing policy on the SSR you can allocate bandwidth for the queues on the SSR To allocate band...

Страница 148: ...atistics and configurations contained in the SSR To display QoS information enter the following command in Enable mode Show all IP QoS flows qos show ip Show all IPX QoS flows qos show ipx Show all L2...

Страница 149: ...atistics show command In addition to the monitoring commands listed you can find more monitoring commands listed in each chapter of the SSR User Reference Manual To access statistics on the SSR enter...

Страница 150: ...ip Show unicast routing statistics statistics show ip routing Show IPX statistics statistics show ipx Show IPX interface s statistics statistics show ipx interface Show IPX routing statistics statist...

Отзывы:

Нет отзывов

Похожие инструкции для SmartSwitch 8-slot

Бренд: Makita Страницы: 2

Бренд: National Instruments Страницы: 24

Бренд: National Instruments Страницы: 32

FIELDPOINT FP-1600

Бренд: National Instruments Страницы: 8

PBE-5AC-300-ISO

Бренд: Ubiquiti Страницы: 28

Бренд: IBASE Technology Страницы: 39

Бренд: 2N Telekomunikace Страницы: 67

WebShare 141 WN

Бренд: Atlantis Страницы: 78

Бренд: ALIBI Страницы: 232

Бренд: Flexwatch Страницы: 13

Бренд: Socket Страницы: 18

OmniSwitch 6624

Бренд: Alcatel Страницы: 546

Бренд: Lantech Страницы: 23

Bipac 74 Series

Бренд: Billion Страницы: 8

Бренд: OWC Страницы: 8

8 Channel Dimmer Module CLX-1DIM8

Бренд: Crestron Страницы: 1

Internet Router Cisco 12404

Бренд: Cisco Страницы: 292

Бренд: Craftsman Страницы: 24

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды