Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02

Chapter 34
Configuring the IP Permit List
This chapter describes how to configure the IP permit list on the Catalyst 6000 family switches.
Note
The functionality of the IP permit list can also be achieved with VLAN access control lists (VACLs). Because VACLs are handled by hardware (Policy Feature Card [PFC]), VACL processing is considerably faster than IP permit list processing.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
This chapter consists of these sections:
• Understanding How the IP Permit List Works, page 34-1
• IP Permit List Default Configuration, page 34-2
• Configuring the IP Permit List, page 34-2
Understanding How the IP Permit List Works
The IP permit list prevents inbound Telnet and SNMP access to the switch from unauthorized source IP
addresses. All other TCP/IP services (such as IP traceroute and IP ping) continue to work normally when
you enable the IP permit list. Outbound Telnet, TFTP, and other IP-based services are unaffected by the
IP permit list.
Telnet attempts from unauthorized source IP addresses are denied a connection. SNMP requests from unauthorized IP addresses receive no response; the request times out. If you want to log unauthorized access attempts to the console or a syslog server, you must change the logging severity level for IP, as described in the “Enabling the IP Permit List” section on page 34-3. If you want to generate SNMP traps when unauthorized access attempts are made, you must enable IP permit list (ippermit) SNMP traps, as described in the “Enabling the IP Permit List” section on page 34-3. Multiple access attempts from the same unauthorized host only trigger notifications every ten minutes.
You can configure up to 100 entries in the permit list. Each entry consists of an IP address and subnet
mask pair in dotted decimal format and information on whether the IP address is part of the SNMP
permit list, Telnet permit list, or both lists. The bits set to one in the mask are checked for a match with
the source IP address of incoming packets, while the bits set to zero are not checked. This process allows
wildcard address specification.
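The matching rule above (mask bits set to one are compared, bits set to zero are ignored), the separate Telnet and SNMP list membership, the 100-entry limit and the ten-minute per-host notification throttle can be modelled in a few lines. This is an added illustration, not Cisco software or any code from this guide; the entries and addresses in it are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the IP permit list semantics described in this chapter.
MAX_ENTRIES = 100
NOTIFY_INTERVAL = 600  # seconds: one notification per unauthorized host per 10 min


@dataclass
class PermitEntry:
    address: str          # dotted decimal, e.g. "172.20.52.0"
    mask: str             # dotted decimal, e.g. "255.255.255.0"
    telnet: bool = True   # member of the Telnet permit list
    snmp: bool = True     # member of the SNMP permit list

    def matches(self, source: str) -> bool:
        # Only bits set to 1 in the mask are compared; 0 bits act as wildcards.
        a = int(ipaddress.IPv4Address(self.address))
        m = int(ipaddress.IPv4Address(self.mask))
        s = int(ipaddress.IPv4Address(source))
        return (s & m) == (a & m)


@dataclass
class IPPermitList:
    entries: list = field(default_factory=list)
    last_notified: dict = field(default_factory=dict)  # source -> last notify time

    def add(self, entry: PermitEntry) -> None:
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError("permit list is limited to 100 entries")
        self.entries.append(entry)

    def permitted(self, source: str, service: str) -> bool:
        # service is "telnet" or "snmp"; the source is allowed if any entry
        # that belongs to that service's list matches it.
        if service not in ("telnet", "snmp"):
            raise ValueError("service must be 'telnet' or 'snmp'")
        return any(getattr(e, service) and e.matches(source) for e in self.entries)

    def should_notify(self, source: str, now: float) -> bool:
        # Repeated denied attempts from the same host are reported at most
        # once every NOTIFY_INTERVAL seconds.
        last = self.last_notified.get(source)
        if last is not None and now - last < NOTIFY_INTERVAL:
            return False
        self.last_notified[source] = now
        return True
```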