ATM Switch Router Software Configuration Guide, 12.1(6)EY
Using Access Control
This chapter describes how to configure and maintain access control lists, which are used to permit or deny incoming calls or outgoing calls on an interface of the ATM switch router.

This chapter includes the following sections:

  Access Control Overview
  Configuring a Template Alias
  Configuring ATM Filter Sets
  Configuring an ATM Filter Expression
  Configuring ATM Interface Access Control
  ATM Filter Configuration Scenario
  Filtering IP Packets at the IP Interfaces
  Creating Standard and Extended IP Access Lists
  Applying an IP Access List to an Interface or Terminal Line
  IP Access List Examples
  Configuring Per-Interface Address Registration with Optional Access Filters
Access Control Overview

The ATM signalling software uses the access control list to filter setup messages on an interface based on destination, source, or a combination of both. Access lists can be used to deny connections known to be security risks and permit all other connections, or to permit only those connections considered acceptable and deny all the rest. For firewall implementation, denying access to security risks offers more control.

During initial configuration, perform the following steps to use access control to filter setup messages:

Step 1 Create a template alias, allowing you to use real names instead of ATM addresses in your ATM filter expressions.

Step 2 Create the ATM filter set or filter expression based on your requirements.

Step 3 Associate the filter set or filter expression with an interface using the atm access-group command.

Step 4 Confirm the configuration.

Configuring a Template Alias

To configure an ATM template alias, use the following command in global configuration mode:

Examples

The following example creates a template alias named training using the ATM address template 47.1328 and the ellipses (...) to fill in the trailing 4-bit hexadecimal digits in the address:

The following example creates a template alias named bit_set with the ATM address template 47.9f9.(1*0*).88ab... that matches the four addresses that begin with the following:

The following example creates a template alias named byte_wise with the ATM address template 47.9*F8.33... that matches all ATM addresses beginning with the following sixteen prefixes:

Displaying the Template Alias Configuration

To display the template alias configuration, use the following privileged EXEC command:

Example

The following example shows the template aliases configured in the previous examples, using the more system:running-config privileged EXEC command:

Configuring ATM Filter Sets

To create an ATM address filter or time-of-day filter, use the following command in global configuration mode:
Examples

The following example creates a filter named filter_1 that permits access to the specific ATM address 47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00:

The following example creates a filter named filter_2 that denies access to the specific ATM address 47.000.8100.5678.0003.c386.b301.0003.c386.b301.00, but allows access to all other ATM addresses:

The following example creates a filter named filter_3 that denies access to all ATM addresses that begin with the prefix 47.840F, but permits all other calls:

In the following example, the first filter set, filter_4, has its first filter configured to permit all addresses and its second filter configured to deny access to all addresses that begin with the prefix 47.840F. Because the default filter matches all addresses, the second filter is never used, so addresses that begin with the prefix 47.840F are also permitted.

The following example creates a filter named filter_5 that denies access to all ATM addresses described by the ATM template alias bad_users:

The following example shows how to configure a filter set named tod1, with an index of 2, to deny calls between 11:15 a.m. and 10:45 p.m.:

The following example shows how to configure a filter set named tod1, with an index of 4, to permit calls at any time:

The following example shows how to configure a filter set named tod2 to deny calls between 8:00 p.m. and 6:00 a.m.:

The following example shows how to configure a filter set named tod2 to permit calls at any time:

Once you create a filter set using the previous configuration commands, it must be associated with an interface as an access group to actually filter any calls. See the "Configuring ATM Interface Access Control" section to configure an individual interface with an access group.
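The template alias syntax from the "Configuring a Template Alias" section and the prefix filters above (filter_3, filter_5) both rely on matching an ATM address against a template. The following Python is an added example, not code from the guide or the switch software; it assumes the semantics the page's examples imply: a `*` stands for any one hex digit, a parenthesised group such as `(1*0*)` is a four-bit pattern for one hex digit, and a trailing `...` matches any remaining digits.

```python
import itertools
from typing import List, Tuple

HEX = "0123456789abcdef"


def parse_template(template: str) -> Tuple[List[str], bool]:
    """Turn an ATM address template into one allowed-digit set per hex digit
    position, plus a flag saying whether a trailing '...' lets the template
    match any remaining digits. Dots are separators only (assumed syntax)."""
    text = template.lower()
    open_ended = text.endswith("...")
    if open_ended:
        text = text[:-3]
    digit_sets: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == ".":
            pass                          # separator, not a digit position
        elif ch == "*":
            digit_sets.append(HEX)        # any single hex digit
        elif ch in HEX:
            digit_sets.append(ch)         # literal digit
        elif ch == "(":
            # Four-bit pattern for one digit, e.g. (1*0*): each char is 1, 0 or *
            end = text.index(")", i)
            bits = text[i + 1:end]
            if len(bits) != 4 or set(bits) - set("01*"):
                raise ValueError(f"bad bit pattern ({bits}) in {template!r}")
            digit_sets.append("".join(
                d for d in HEX
                if all(b == "*" or b == format(int(d, 16), "04b")[k]
                       for k, b in enumerate(bits))))
            i = end
        else:
            raise ValueError(f"unexpected {ch!r} in {template!r}")
        i += 1
    return digit_sets, open_ended


def matching_prefixes(template: str) -> List[str]:
    """Every concrete hex prefix the template stands for (the '...' part aside)."""
    digit_sets, _ = parse_template(template)
    return ["".join(p) for p in itertools.product(*digit_sets)]


def address_matches(template: str, address: str) -> bool:
    """Does a dotted ATM address match the template? Exact length unless '...'."""
    digit_sets, open_ended = parse_template(template)
    digits = address.lower().replace(".", "")
    if any(c not in HEX for c in digits):
        raise ValueError(f"not a hex ATM address: {address!r}")
    if len(digits) < len(digit_sets) or (not open_ended and len(digits) != len(digit_sets)):
        return False
    return all(d in s for d, s in zip(digits, digit_sets))
```

`matching_prefixes("47.9f9.(1*0*).88ab...")` yields the four prefixes the bit_set alias describes, and `matching_prefixes("47.9*F8.33...")` yields the sixteen prefixes of byte_wise.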
Deleting Filter Sets

To delete an ATM filter set, use the following command in global configuration mode:

Example

The following example shows how to display and delete filter sets:

Configuring an ATM Filter Expression

To create global ATM filter expressions, perform the following steps in global configuration mode:

Examples

The following example defines a simple filter expression that has only one term and no operators:

The following example defines a filter expression using the operator not:

The following example defines a filter expression using the operator or:

The following example defines a filter expression using the operator and:

The following example defines a filter expression using the operator xor:

Configuring ATM Interface Access Control

To subscribe an ATM interface or subinterface to an existing ATM filter set or filter expression, perform the following steps, beginning in global configuration mode:
Examples

The following example shows how to configure access control for outgoing calls on ATM interface 3/0/0:

The following example shows how to configure access control for both outgoing and incoming calls on ATM interface 3/0/0:

Displaying ATM Filter Configuration

To display the access control configuration, use the following EXEC commands:

Examples

The following command displays the configured ATM filters:

The following command displays the configured ATM filter expressions:

ATM Filter Configuration Scenario

This section provides a complete access filter configuration example using the information described in the preceding sections. The example network configuration used in the following filter set configuration scenario is shown in Figure 11-1.

Figure 11-1 ATM Access Filter Configuration Example

Example

The following example shows how to configure the Filter Switch, shown in Figure 11-1, to deny access to all calls received on ATM interface 1/0/0 from the workstations directly attached to the Lab Switch, but to allow all other calls. The Filter Switch denies all calls if the calling party address begins with the prefix 47.0091.8100.0000.2222.2222.FFFF:

Filtering IP Packets at the IP Interfaces

IP packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified IP interfaces, Cisco provides access lists. You can use access lists for the following reasons:

This section summarizes how to create IP access lists and how to apply them.
An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The ATM switch router software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.

The two steps involved in using access lists follow:

Step 1 Create an access list by specifying an access list number and access conditions.

Step 2 Apply the access list to interfaces or terminal lines.

These steps are described in the following sections:

Creating Standard and Extended IP Access Lists

The ATM switch router software supports three styles of access lists for IP interfaces:
To create a standard access list, use one of the following commands in global configuration mode:
To create an extended access list, use one of the following commands in global configuration mode:
After you create an access list, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.
Applying an IP Access List to an Interface or Terminal Line

After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. The following two tables show how this task is accomplished for both terminal lines and network interfaces.

To apply an access list to a terminal line, perform the following tasks, beginning in global configuration mode:
To apply an access list to a network interface, perform the following tasks, beginning in global configuration mode:
For inbound access lists, after receiving a packet, the ATM switch router software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.

For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

If you apply an access list (standard or extended) that has not yet been defined to an interface, the software acts as if the access list has not been applied to the interface and accepts all packets. You must define the access list to the interface if you use it as a means of security in your network.
IP Access List Examples

In the following example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the ATM switch router software accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the software accepts addresses on all other network 36.0.0.0 subnets.

Examples of Implicit Masks in IP Access Lists

IP access lists contain implicit masks. For example, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. Consider the following example configuration:

For this example, the following masks are implied in the first two lines:

The last line in the configuration (using the deny keyword) can be omitted, because IP access lists implicitly deny all other access, which is equivalent to finishing the access list with the following command statement:

The following access list only allows access for those hosts on the three specified networks. It assumes that subnetting is not used; the masks apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements is rejected.

To specify a large number of individual addresses more easily, you can omit the address mask that is all zeros from the access-list global configuration command. Thus, the following two configuration commands are identical in effect:

Examples of Configuring Extended IP Access Lists

In the following example, the first line permits any incoming Transmission Control Protocol (TCP) connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The last line permits incoming ICMP messages for error feedback.
As another example, suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the Ethernet except to the mail (SMTP) port of a dedicated mail host.

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Outbound packets will have the port numbers reversed. The fact that the secure system behind the switch always accepts mail connections on port 25 is what makes it possible to separately control incoming and outgoing services. The access list can be configured on either the outbound or inbound interface.

In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the acknowledgment (ACK) or RST bits set, indicating that the packet belongs to an existing connection.

    Switch(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
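The standard access list semantics described above (wildcard masks, an omitted mask implying 0.0.0.0, first match wins, implicit deny at the end) can be checked offline with the following Python. This is an added example, not the switch software or any Cisco code; the access list 2 configuration it embeds is constructed to match the description of that list in the "IP Access List Examples" section.

```python
import ipaddress
from typing import List, NamedTuple


class AclEntry(NamedTuple):
    action: str     # "permit" or "deny"
    address: int    # IPv4 address as an integer
    wildcard: int   # wildcard mask: 1-bits are "don't care" positions


def parse_standard_acl(config: str, number: int) -> List[AclEntry]:
    """Collect the entries of standard access list <number> from config text,
    keeping them in the order given, because the first match wins."""
    entries = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action = tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in: {line}")
        address = int(ipaddress.IPv4Address(tok[3]))
        # Implicit mask: a bare host address is treated as wildcard 0.0.0.0,
        # i.e. every bit must match.
        wildcard = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append(AclEntry(action, address, wildcard))
    return entries


def check_source(entries: List[AclEntry], source: str) -> str:
    """Return the action the list takes for a packet with this source address."""
    ip = int(ipaddress.IPv4Address(source))
    for entry in entries:
        care = 0xFFFFFFFF ^ entry.wildcard            # bits that must match
        if (ip & care) == (entry.address & care):
            return entry.action                       # first match decides
    return "deny"  # every IP access list ends with an implicit deny


# Constructed configuration for access list 2: one host on subnet 48 of
# network 36.0.0.0 is accepted, the rest of that subnet is rejected, and
# all other 36.0.0.0 subnets are accepted.
ACL_2_CONFIG = """
access-list 2 permit 36.48.0.3
access-list 2 deny 36.48.0.0 0.0.255.255
access-list 2 permit 36.0.0.0 0.255.255.255
"""
ACL_2 = parse_standard_acl(ACL_2_CONFIG, 2)


def acl_2_decisions(sources):
    return [(src, check_source(ACL_2, src)) for src in sources]
```

Swapping the first two lines of ACL_2_CONFIG makes 36.48.0.3 hit the deny line first, which is the ordering hazard the text warns about.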
Configuring Per-Interface Address Registration with Optional Access Filters

The ATM switch router allows configuration of per-interface access filters for Integrated Local Management Interface (ILMI) address registration to override the global default of access filters. To configure ILMI address registration and the optional access filters for a specified interface, perform the following tasks, beginning in global configuration mode:
Example

The following example shows how to configure ILMI address registration on an individual interface to permit all groups with a matching ATM address prefix:

Displaying the ILMI Access Filter Configuration

To display the interface ILMI address registration access filter configuration, use the following EXEC command:

Example

The following example displays the address registration access filter configuration for ATM interface 3/0/0: