BinTec Dm752-I User manual

Access Control
bintec Dm752-I
Copyright© Version 11.06 bintec elmeg
bintec elmeg Manual
Access Control 1

Legal Notice
Warranty
This publication is subject to change.
bintec offers no warranty whatsoever for information contained in this manual.
bintec is not liable for any direct, indirect, collateral, consequential or any other damage connected to the delivery,
supply or use of this manual.

Table of Contents
I Related Documents 1
Chapter 1 Introduction 2
1.1 Access Control Lists 2
Chapter 2 Configuration 3
2.1 Introduction 3
2.2 Accessing the Configuration 3
2.3 Main Configuration Menu 4
2.3.1 ? (HELP) 5
2.3.2 ACCESS-LIST 5
2.3.3 LIST 6
2.3.4 NO 7
2.3.5 EXIT 7
2.4 Standard Access Lists 7
2.4.1 ? (HELP) 7
2.4.2 ENTRY 8
2.4.3 LIST 10
2.4.4 MOVE-ENTRY 11
2.4.5 DESCRIPTION 11
2.4.6 NO 12
2.4.7 EXIT 12
2.5 Extended Access Lists 12
2.5.1 ? (HELP) 13
2.5.2 ENTRY 13
2.5.3 LIST 20
2.5.4 MOVE-ENTRY 21
2.5.5 DESCRIPTION 21
2.5.6 NO 21
2.5.7 EXIT 22
2.6 Stateful Access Lists 22
2.6.1 ? (HELP) 23
2.6.2 DESCRIPTION 23
2.6.3 ENTRY 23
2.6.4 NO 35
2.7 Show Config 35
2.8 Practical Example 36
2.8.1 Creating the access control lists 36
2.8.2 Associating the access list to the IPSec protocol 37
Chapter 3 Monitoring 38
3.1 Monitoring Commands 38
3.1.1 ? (HELP) 38
3.1.2 LIST 38
3.1.3 CLEAR-CACHE 43
3.1.4 SET-CACHE-SIZE 43
3.1.5 SHOW-HANDLES 43
3.1.6 HIDE-HANDLES 43
Chapter 4 Appendix 44
4.1 Reserved Ports 44
4.2 Reserved Protocols 44
4.3 Protocol Values in "Stateful" Lists 47


I Related Documents
bintec Dm745-I Policy Routing
bintec Dm764-I Route Mapping
bintec Dm780-I Prefix Lists
bintec Dm786-I AFS
bintec Dm788-I New NAT Protocol
bintec Dm795-I Policy-Map Class-Map

Chapter 1 Introduction
1.1 Access Control Lists
Routers use Access Control Lists (ACL) to identify traffic passing through them.
Access lists can filter the packets or the routes flowing through the router interfaces.
An IP access list is a sequential list of permit or deny conditions applied to source or destination IP addresses, source or destination ports, or the upper-layer protocol carried in the IP packet (TCP, UDP, etc.).
They can also be used to separate traffic into different queues according to priority.
Types of access lists:
Standard (1-99): checks the source address of the packets to be routed.
Extended (100-1999): checks both the source and destination addresses of each packet. This kind of list can also check specific protocols, port numbers and other parameters.
Stateful (5000-9999): checks the source and destination addresses of the packet together with the state and type of the session. To configure stateful lists, the AFS feature must be enabled (see manual bintec Dm786-I AFS).
Access lists can be applied at input (which discards unwanted packets early and avoids router overload) and at output.
Access Control Lists by themselves cannot limit the packet flow through the router. To do so, they must be associated with protocols that can establish traffic filters. Several protocols support Access Control List management and include commands that associate the protocol with a list. The most common protocols that use Access Control Lists are BRS, IPSec, Policy Routing and RIP.
Routing protocols such as RIP, OSPF and BGP are a particularly interesting case. They use Access Control Lists, either directly or through Route Maps (see manual bintec Dm764-I Route Mapping), to control the routes installed in the routing table or distributed to other devices. Other tools, such as Prefix Lists, are very similar to Access Lists and have been designed specifically for route filtering (see manual bintec Dm780-I Prefix Lists).
An Access Control List returns the result of its entry search to the associated protocol. For a given packet, this result can be one of:
Not Found: no entry matched the packet.
Permit: the first matching entry is a permit entry.
Deny: the first matching entry is a deny entry.
The associated protocol then decides what should happen to the IP packet according to the result returned by the Access List.

Chapter 2 Configuration
2.1 Introduction
Each entry in the list is a block of sentences and an action, and is identified by a unique number (the entry identifier
or ID field). The sentence block is made up of a source IP address (or range of addresses), a destination IP address
(or range of destination IP addresses), a protocol (or range of protocols), source and destination ports (or range of
ports), IP service byte values and the connection identifier for the interfaces the packet goes through. You only have
to specify those required. The action represents the process assigned to the packets that match the associated block
of sentences: PERMIT or DENY.
A Standard, Extended or Stateful Access Control List is made up of a series of entries (which define the properties
that a packet must have in order to belong to this entry and, consequently, to this list). This Access Control List is
then assigned to a protocol.
Note
Access Control Lists themselves cannot limit the packet flow in the router. To do this, they must be as-
sociated to a protocol.
Note
Access Control Lists provide the associated protocol with the entry search results. The latter can have
the following values: Not Found, Permit or Deny. The associated protocol determines what to do with a
packet according to the result given by the Access Control List.
2.2 Accessing the Configuration
Access lists are created, modified and deleted from a specific menu, where you can also view the lists that have been created.
In the router configuration structure, Access Controls are organized as a feature (FEATURE). To view the features that can be configured on the router, enter the feature command followed by a question mark (?).
Example:
Config>feature ?
access-lists Access generic access lists configuration environment
bandwidth-reservation Bandwidth-Reservation configuration environment
control-access Control-access configuration environment
dns DNS configuration environment
frame-relay-switch Frame Relay Switch configuration environment
ip-discovery TIDP configuration environment
ldap LDAP configuration environment
mac-filtering Mac-filtering configuration environment
nsla Network Service Level Advisor configuration
nsm Network Service Monitor configuration environment
ntp NTP configuration environment
prefix-lists Access generic prefix lists configuration environment
radius RADIUS protocol configuration environment
route-map Route-map configuration environment
scada-forwarder SCADA Forwarder configuration environment
sniffer Sniffer configuration environment
stun Stun facility configuration environment
syslog Syslog configuration environment
tms TMS configuration environment
vlan IEEE 802.1Q switch configuration environment
vrf VRF configuration environment
wrr-backup-wan WRR configuration environment
wrs-backup-wan WRS configuration environment
Config>
To access the Access Controls configuration menu, enter, from the configuration root menu (PROCESS 4), the word
feature, followed by access-lists.
Example:
Config>feature access-lists
-- Access Lists user configuration --
Access Lists config>
You will then be in the main Access Controls configuration menu, from which access lists are created, deleted and viewed.
Each Access Control List is made up of entries, each of which holds the selection criteria and the parameters that grant or deny access.
There are three types of Access Control Lists: Standard, Extended and Stateful.
Standard lists use very few parameters to define each Access Control entry. Extended lists allow a larger number of selection parameters to be defined.
Stateful lists additionally let you specify the connection status (established, new, etc.) and the type of connection (rtp, peer to peer, etc.).
The main Access Lists menu has three submenus, one per list type. The submenu entered when you edit a given list depends on whether that list is Standard, Extended or Stateful.
2.3 Main Configuration Menu
Lists are created and deleted from the main Access Control configuration menu, which also displays the configuration of the lists that have been created.
An access list is made up of a series of entries. Each entry is a block of sentences plus an action, identified by a unique number (the entry identifier or ID field). The sentence block consists of a source IP address (or range of addresses), a destination IP address (or range of addresses), a protocol (or range of protocols), source and destination ports (or ranges of ports) and the connection identifier of the interfaces the packet goes through. The action states what is to be done with the IP packets that meet the requirements defined by the sentences; it can be one of two types: permit or deny.

You can configure 9999 access lists in the router. Access lists whose identifiers take a value between 1 and 99 are
Standard Access Lists. Extended Access Lists take a value between 100 and 1999 and those between 5000 and
9999 are Stateful Access Lists.
The 9999 access lists are empty by default. An access list is considered empty when it does not contain any entries.
Depending on the type of list created (Standard/Extended/Stateful), entry configurations are carried out in a submenu
containing the same parameters for all entries of the same type. The following sections describe the configuration
mode for all parameters contained in these submenus.
Entry parameters or options that are not configured are not taken into account when checking access: an unconfigured parameter matches any value.
Note
The order of the entries in an Access Control List matters whenever the address ranges or other criteria of different entries overlap.
The order in which the entries of a list are evaluated is not given by the entry identifier number but by the order in which they were entered. This order can be seen with the list command and changed with the move-entry command. The list is walked from the first listed entry; as soon as an entry matching the search criteria is found, the search stops and that entry's action is the result.
Please note that this search order DIFFERS from the one used in a Prefix List (see manual bintec Dm780-I Prefix Lists), where the order is given by the value of the identifier.
The following commands are available in the main Access Control menu:
Command Function
? (HELP) Lists the available commands or their options.
ACCESS-LIST Configures an access list.
LIST Displays the configuration of the access lists.
NO Negates a command or sets the default value.
EXIT Returns to the general configuration prompt.
2.3.1 ? (HELP)
Lists the valid commands at the level where the router is programmed. You can also use this command after a spe-
cific command to list the available options.
Syntax:
Access Lists config>?
Example:
Access Lists config>?
access-list Configure an access-list
list Display access-lists configuration
no Negates a command or sets its defaults
exit
Access Lists config>
2.3.2 ACCESS-LIST
Accesses the submenu used to configure the entries of an access list. Access lists are identified by a numerical value between 1 and 9999 (i.e. the router allows up to 9999 access lists). Lists with identifiers between 1 and 99 are Standard Access Lists, those between 100 and 1999 are Extended Access Lists, and those between 5000 and 9999 are Stateful Access Lists.
Once you have entered this command, followed by an identifier, you access a submenu where you can configure an
access list for said identifier. The type of access list and its identifier will appear in the new prompt.
Syntax:
Access Lists config>access-list ?
<1..99> Standard Access List number (1-99)
<100..1999> Extended Access List number (100-1999)

<5000..10000> Stateful access-list
Example:
Access Lists config>access-list 101
Extended Access List 101>
2.3.3 LIST
Displays configuration information on the Access Control Lists feature. Stateful Access Lists are not shown by this command; to see their contents, run show config.
Syntax:
Access Lists config>list ?
all-access-lists Display all access-lists configuration
standard-access-lists Display standard access-lists configuration
extended-access-lists Display extended access-lists configuration
2.3.3.1 LIST ALL-ACCESS-LISTS
Displays ALL the configuration information on the Access Control Lists, except for the Stateful Access Control Lists.
Syntax:
Access Lists config>list all-access-lists
Example:
Access Lists config>list all-access-lists
Standard Access List 1, assigned to no protocol
1 PERMIT SRC=192.60.1.24/32
2 PERMIT SRC=0.0.0.0/0
Extended Access List 100, assigned to no protocol
1 PERMIT SRC=172.34.53.23/32 DES=0.0.0.0/0 Conn:0
PROT=10-255
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0
Access Lists config>
2.3.3.2 LIST STANDARD-ACCESS-LISTS
Displays the configured Standard Access Control Lists.
Syntax:
Access Lists config>list standard-access-lists
Example:
Access Lists config>list standard-access-lists
Standard Access List 1, assigned to no protocol
1 PERMIT SRC=192.60.1.24/32
2 PERMIT SRC=0.0.0.0/0
Access Lists config>
2.3.3.3 LIST EXTENDED-ACCESS-LISTS
Displays the configured Extended Access Control Lists.
Syntax:
Access Lists config>list extended-access-lists
Example:
Access Lists config>list extended-access-lists
Extended Access List 100, assigned to no protocol
1 PERMIT SRC=172.34.53.23/32 DES=0.0.0.0/0 Conn:0
PROT=10-255
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0
Access Lists config>
2.3.4 NO
Disables functions or sets the default values in some parameters.
Syntax:
Access Lists config>no ?
access-list Configure an access-list
2.3.4.1 NO ACCESS-LIST
Deletes the contents of an Access Control List (all its entries), leaving it empty.
Syntax:
Access Lists config>no access-list <ID>
Example:
Access Lists config>no access-list 100
Access Lists config>
2.3.5 EXIT
Exits the Access Controls feature configuration environment and returns to the general configuration prompt.
Syntax:
Access Lists config>exit
Example:
Access Lists config>exit
Config>
2.4 Standard Access Lists
Edits an Access Control List whose identifier is within the 1-99 value range (i.e. a Standard List).
The new submenu prompt, together with its identifier, shows it is a Standard List.
Example:
Access Lists config>access-list 1
Standard Access List 1>
The Standard Access Control Lists submenu allows the use of the following subcommands:
Command Function
? (HELP) Lists the available commands or their options.
ENTRY Configures an entry for this access list.
LIST Displays the access lists configuration.
DESCRIPTION Inserts a textual description of an Access Control List.
MOVE-ENTRY Changes the order of the entries.
NO Negates a command or sets its default value.
EXIT Returns to the main Access Lists menu.
2.4.1 ? (HELP)
Lists the valid commands at the current level. You can also use this command after a specific command to list the available options.
Syntax:
Standard Access List #>?
Example:
Standard Access List 1>?
entry Configure an entry for this access-list
list Display this access-list configuration
move-entry move an entry within an access-list
description Configure a description for this access-list
no Negates a command or sets its defaults
exit
Standard Access List 1>
2.4.2 ENTRY
Creates or modifies an entry (element) in an Access Control List.
This command must always be followed by the entry identifier and a sentence.
Using an identifier that is not yet in the list creates a new entry. Using an identifier that already exists modifies the parameter given in that entry; the entry's other parameters keep their values.
Syntax:
Standard Access List #>entry <id> <sentence> [value]
The configuration options for a global entry are as follows:
Standard Access List #>entry <id> ?
default Sets default values to an existing or a new entry
permit Configures type of entry or access control as permit
deny Configures type of entry or access control as deny
source Source menu: subnet or port
description Sets a description for the current entry
2.4.2.1 ENTRY <id> DEFAULT
Sets all parameters for a Standard entry to their default values.
These are:
• PERMIT
• ADDRESS: 0.0.0.0/0
Syntax:
Standard Access List #>entry <id> default
Example:
Standard Access List 1>entry 3 default
Standard Access List 1>
2.4.2.2 ENTRY <id> PERMIT
Identifies the entry as permit: all traffic that meets the entry's selection parameters passes the access list. As this command only sets the action, the entry's sentences decide which packets it applies to (inclusive/exclusive).
Syntax:
Standard Access List #>entry <id> permit
Example:
Standard Access List 1>entry 3 permit
Standard Access List 1>
2.4.2.3 ENTRY <id> DENY
Identifies the entry as deny: all traffic that meets the entry's selection parameters will NOT pass the access list. As this command only sets the action, the entry's sentences decide which packets it applies to (inclusive/exclusive).
Syntax:
Standard Access List #>entry <id> deny
Example:
Standard Access List 1>entry 3 deny
Standard Access List 1>
2.4.2.4 ENTRY <id> SOURCE
Sets the sentence that selects packets by their source IP addressing.
Syntax:
Standard Access List #>entry <id> source <parameter> [options]
The following options can be introduced in the IP source sentence.
Standard Access List #>entry <id> source ?
address IP address and mask of the source subnet
2.4.2.4.1 ENTRY <id> SOURCE ADDRESS
Sets the source IP address sentence. A mask selects the range of addresses covered. The address may also be unnumbered, meaning you can refer to an interface whose address is unknown at configuration time (because it is assigned by another mechanism, such as PPP).
When you want to specify a range of addresses, two kinds of mask are of practical interest:
Standard subnet mask: the masks normally used to define subnets, e.g. 255.255.255.0 (equivalent to a /24 subnet).
Wildcard mask: a generalization of the subnet mask that lets you delimit the matched address group more precisely. A bit set to 1 in the wildcard mask marks a bit position of the address that the entry checks; a 0 bit marks a position that is ignored. Note that this is the opposite of the convention used by some other vendors' ACLs, where a 1 bit in the wildcard means "don't care". The examples in the following table illustrate the concept.
Address Wildcard mask Matching entry
172.24.0.127 255.255.0.255 Matches source addresses 172.24.x.127, regardless of the value of x (e.g. 172.24.12.127).
0.0.0.67 0.0.0.255 Matches source addresses x.x.x.67, regardless of the x values (e.g. 10.150.130.67).
0.0.130.0 0.0.254.0 Matches source addresses x.x.130.x and x.x.131.x, regardless of the x values (e.g. 18.102.130.2, 192.168.131.125).
192.0.125.0 255.0.253.0 Matches source addresses 192.x.125.x and 192.x.127.x, regardless of the x values (e.g. 192.142.125.8, 192.3.127.135).
192.0.125.0 254.0.253.0 Matches source addresses 192.x.125.x, 193.x.125.x, 192.x.127.x and 193.x.127.x, regardless of the x values (e.g. 192.222.125.44, 193.111.127.201).
Because the 0 bits of the mask are ignored, the device requires the address bits at those positions to also be 0, so that the configuration is unambiguous. Otherwise, the device issues an error message and suggests an address that fits the mask provided (the address with the ignored bits cleared). Check that the suggested address matches the configuration you intended.
For example, entering address 172.24.155.130 with mask 255.255.254.255 produces an error: the last bit of the mask's third octet (254) is 0, while the corresponding bit of the address's third octet (155) is 1. In this case the device suggests address 172.24.154.130.
When configuring an IP address, you must enter the IP address and the mask. When configuring an interface, you
must enter its number.
Syntax:
a) IP Address
Standard Access List #>entry <id> source address <address> <mask>
b) Interface
Standard Access List #>entry <id> source address <interface>
Example:
a) IP Address
Standard Access List 1>entry 3 source address 192.168.4.5 255.255.255.255
Standard Access List 1>
Standard Access List 1>entry 4 source address 192.0.0.17 255.0.0.255
Standard Access List 1>
b) Interface
Standard Access List 1>entry 3 source address serial0/0
Standard Access List 1>
Caution
An interface should only be configured as source in those access lists that are going to be associated
to IPSec. Since this option is currently not applied to the rest of protocols and features, it should not be
configured.
2.4.2.5 ENTRY <id> DESCRIPTION
Adds a text description to an entry to better understand its purpose (or for later use).
Syntax:
Standard Access List 1>entry <id> description ?
<1..64 chars> Description text
Example:
Standard Access List 1>entry 1 description “first entry”
Standard Access List 1>
2.4.3 LIST
Displays the information on the Access Control List configuration that is being edited (i.e. information relative to the
identifier that appears at the menu prompt).
Syntax:
Standard Access List #>list ?
all-entries Display any entry of this access-list
address-filter-entries Display the entries that match an ip address
entry Display one entry of this access-list
2.4.3.1 LIST ALL-ENTRIES
Displays all the Access Control List configuration entries (i.e. the whole configuration).
Syntax:
Standard Access List #>list all-entries
Example:
Standard Access List 1>list all-entries
Standard Access List 1, assigned to no protocol
1 DESCRIPTION: first entry
1 PERMIT SRC=192.60.1.24/32
2 PERMIT SRC=0.0.0.0/0
Standard Access List 1>
2.4.3.2 LIST ADDRESS-FILTER-ENTRIES
Displays the Access Control List configuration entries containing a specific IP address.
Syntax:
Standard Access List #>list address-filter-entries <address> <subnet>
Example:
Standard Access List 1>list address-filter-entries 192.60.1.24 255.255.255.255
Standard Access List 1, assigned to no protocol
1 DESCRIPTION: first entry
1 PERMIT SRC=192.60.1.24/32
Standard Access List 1>
2.4.3.3 LIST ENTRY
Displays a configuration entry for the Access Control List identified after the command.
Syntax:
Standard Access List #>list entry <id>
Example:
Standard Access List 1>list entry 1
Standard Access List 1, assigned to no protocol
1 DESCRIPTION: first entry
1 PERMIT SRC=192.60.1.24/32
Standard Access List 1>
2.4.4 MOVE-ENTRY
Modifies the priority of an entry. This option allows you to place a specific entry in front of another within the Access
Control List.
This command must be entered followed by the identifier of the entry you wish to modify. You must then enter the
identifier for the position in front of which you wish to place the entry. When you wish to place an entry at the end of
the list (lowest priority), you need to specify the end option.
Syntax:
Standard Access List #>move-entry <entry_to_move> {<entry_destination> | end}
Example:
Standard Access List 1>list all-entries
Standard Access List 1, assigned to no protocol
1 DENY SRC=0.0.0.0/0
2 PERMIT SRC=234.233.44.33/32
3 PERMIT SRC=192.23.0.22/255.255.0.255
Standard Access List 1>move-entry 1 end
Standard Access List 1>list all-entries
Standard Access List 1, assigned to no protocol
2 PERMIT SRC=234.233.44.33/32
3 PERMIT SRC=192.23.0.22/255.255.0.255
1 DENY SRC=0.0.0.0/0
Standard Access List 1>
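As an added example that is not part of the bintec manual, the following Python script models the three rules this chapter states: entries are evaluated in the order they were entered, with the first match winning and the result handed to the associated protocol as Permit, Deny or Not Found (section 2.3); a source address matches an entry under the wildcard-mask rule of section 2.4.2.4.1, including the rejection of addresses with bits set where the mask is 0 (the same address rule applies to Extended lists); and move-entry reorders entries without renumbering them (section 2.4.4). The class and function names are hypothetical and the router's real implementation is not shown in this manual; the sample list is the one from the move-entry example above.

```python
# Added example (not bintec's code): a model of how a Standard Access Control
# List is searched, following the rules stated in this manual. It assumes:
#  - entries are evaluated in insertion order, not by ID, first match wins
#    (section 2.3), and the protocol receives PERMIT, DENY or NOT FOUND;
#  - an address matches an entry when it agrees with the entry address on
#    every bit position where the mask bit is 1 (section 2.4.2.4.1);
#  - an address with a 1 bit where the mask bit is 0 is rejected, and the
#    suggested address is the address with those bits cleared.
# Class and function names are hypothetical; they do not exist on the router.
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def normalize_address(address, mask):
    """Check an address/mask pair the way the router does.

    Raises ValueError carrying the address the router would suggest when
    the address has bits set at positions the mask does not check.
    """
    a, m = _to_int(address), _to_int(mask)
    stray = a & (~m & 0xFFFFFFFF)
    if stray:
        raise ValueError(
            "address %s has bits set outside mask %s; suggested address: %s"
            % (address, mask, _to_dotted(a & m)))
    return address, mask


def wildcard_match(address, mask, candidate):
    """True when candidate agrees with address on every bit the mask checks."""
    m = _to_int(mask)
    return (_to_int(candidate) & m) == (_to_int(address) & m)


class StandardAccessList:
    """Entries are kept in the order they were entered; first match wins."""

    def __init__(self, list_id):
        if not 1 <= list_id <= 99:
            raise ValueError("standard lists use identifiers 1-99")
        self.list_id = list_id
        self.entries = []   # ordered list of dicts: id, action, address, mask

    def entry(self, entry_id, action, address="0.0.0.0", mask="0.0.0.0"):
        """Create an entry, or modify an existing one in place (same position).

        The defaults reproduce 'entry <id> default': any source (0.0.0.0/0).
        """
        action = action.upper()
        if action not in ("PERMIT", "DENY"):
            raise ValueError("action must be permit or deny")
        normalize_address(address, mask)
        for e in self.entries:
            if e["id"] == entry_id:
                e.update(action=action, address=address, mask=mask)
                return
        self.entries.append(
            {"id": entry_id, "action": action, "address": address, "mask": mask})

    def no_entry(self, entry_id):
        """Remove an entry (the 'no entry <id>' command)."""
        self.entries = [e for e in self.entries if e["id"] != entry_id]

    def move_entry(self, entry_id, destination):
        """Place entry_id in front of entry 'destination', or last if 'end'."""
        moving = next(e for e in self.entries if e["id"] == entry_id)
        self.entries.remove(moving)
        if destination == "end":
            self.entries.append(moving)
        else:
            idx = next(i for i, e in enumerate(self.entries)
                       if e["id"] == destination)
            self.entries.insert(idx, moving)

    def search(self, source):
        """Result handed to the associated protocol: PERMIT, DENY or NOT FOUND."""
        for e in self.entries:
            if wildcard_match(e["address"], e["mask"], source):
                return e["action"]
        return "NOT FOUND"

    def order(self):
        """Entry IDs in evaluation order, as 'list all-entries' would show them."""
        return [e["id"] for e in self.entries]


if __name__ == "__main__":
    # The list from the move-entry example: the deny-all entry was entered first.
    acl = StandardAccessList(1)
    acl.entry(1, "deny")
    acl.entry(2, "permit", "234.233.44.33", "255.255.255.255")
    acl.entry(3, "permit", "192.23.0.22", "255.255.0.255")
    print(acl.order(), acl.search("234.233.44.33"))   # [1, 2, 3] DENY
    acl.move_entry(1, "end")
    print(acl.order(), acl.search("234.233.44.33"))   # [2, 3, 1] PERMIT
```

The run shows why entry order matters more than entry ID: with entry 1 (deny 0.0.0.0/0) entered first, every packet is denied and entries 2 and 3 are never reached; after move-entry 1 end, the same permit entries match first and the deny-all only catches what they do not cover. Removing the deny-all entry instead makes the list return Not Found for unmatched sources, and the associated protocol decides what that means.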
2.4.5 DESCRIPTION
Adds a text description to an access list to better understand its purpose (or for later use).
Syntax:
Standard Access List #>description ?
<1..64 chars> Description text
Example:
Standard Access List 1>description “lista para ipsec”
Standard Access List 1>list all
Standard Access List 1, assigned to no protocol
Description: lista para ipsec
1 DESCRIPTION: first entry
1 PERMIT SRC=1.1.1.1/32
2.4.6 NO
Disables functionalities or sets default values in some parameters.
Syntax:
Standard Access List #>no ?
entry Configure an entry for this access-list
description Configure a description for this access-list
2.4.6.1 NO ENTRY
Deletes an entry from the Access Control List. Enter the identifier of the entry you wish to delete.
Syntax:
Standard Access List #>no entry <id>
Example:
Standard Access List 1>no entry 3
Standard Access List 1>
2.4.6.2 NO DESCRIPTION
Deletes the textual description associated to the Access Control List.
Syntax:
Standard Access List #>no description
Example:
Standard Access List 1>no description
Standard Access List 1>
2.4.7 EXIT
Exits the Standard Access Control list configuration environment and returns to the main Access Control menu
prompt.
Syntax:
Standard Access List #>exit
Example:
Standard Access List 1>exit
Access Lists config>
2.5 Extended Access Lists
Edits an Access Control List whose identifier is within the 100-1999 value range (i.e. an Extended List).
The new submenu prompt, together with its identifier, shows it is an Extended List.
Example:
Access Lists config>access-list 100
Extended Access List 100>
The Extended Access Control Lists submenu allows the use of the following subcommands:
Command Function
? (HELP) Lists the available commands or their options.
ENTRY Configures an entry for this access list.
LIST Displays the access lists configuration.
MOVE-ENTRY Changes the order of the entries.
DESCRIPTION Inserts a textual description of an Access Control List.
NO Negates a command or sets its default value.
EXIT Returns to the main Access Lists menu.
2.5.1 ? (HELP)
Lists the valid commands at the current level. You can also use this command after a specific command to list the available options.
Syntax:
Extended Access List #>?
Example:
Extended Access List 100>?
entry Configures an entry for this access-list
list Displays this access-list configuration
move-entry Moves an entry within an access-list
description Configures a description for this access-list
no Negates a command or sets its defaults
exit
Extended Access List 100>
2.5.2 ENTRY
Creates or modifies an entry (element) in an Access Control List.
This command must always be followed by the entry identifier and a sentence.
Using an identifier that is not yet in the list creates a new entry. Using an identifier that already exists modifies the parameter given in that entry; the entry's other parameters keep their values.
Syntax:
Extended Access List #>entry <id> <parameter> [value]
The configuration options for an Extended entry are as follows:
Extended Access List 100>entry 1 ?
default Sets default values to an existing or a new entry
permit Configures type of entry or access control as permit
deny Configures type of entry or access control as deny
source Source menu: subnet or port
destination Destination menu: subnet or port
protocol Protocol
protocol-range Protocol range
connection IP connection identifier (rule)
description Sets a description for the current entry
ds-field DSCP in IP packets
precedence Precedence in IP packets
tcp-specific Tcp specific filtering
tos-octet TOS octet value in IP packets
no Negates a command or sets its defaults
2.5.2.1 ENTRY <id> DEFAULT
Sets all parameters for an Extended entry to its default values.
These are:
• PERMIT
• SOURCE: 0.0.0.0/0
• DESTINATION 0.0.0.0/0
• NO PROTOCOL-RANGE
• NO TOS-OCTET
• NO CONNECTION
• NO TCP-SPECIFIC
Syntax:
Extended Access List #>entry <id> default
Example:
Extended Access List 100>entry 3 default
Extended Access List 100>
2.5.2.2 ENTRY <id> PERMIT
Identifies the entry as permit. Therefore, all traffic that meets the register selection parameters can pass through the
access list. Since this command is an action indicator, it determines the function of the entry sentences.
Syntax:
Extended Access List #>entry <id> permit
Example:
Extended Access List 100>entry 3 permit
Extended Access List 100>
2.5.2.3 ENTRY <id> DENY
Identifies the entry as deny. Therefore, all traffic that meets the register selection parameters will NOT pass through
the access list. Since this command is an action indicator, it determines the function of the entry sentences.
Syntax:
Extended Access List #>entry <id> deny
Example:
Extended Access List 100>entry 3 deny
Extended Access List 100>
2.5.2.4 ENTRY <id> SOURCE
Sets the sentence that selects packets by their source IP addressing.
Syntax:
Extended Access List #>entry <id> source <parameter> [options]
The following options can be introduced in the IP source sentence.
Extended Access List #>entry <id> source ?
address IP address and mask of the source subnet
port-range source port range
2.5.2.4.1 ENTRY <id> SOURCE ADDRESS
Establishes the source IP address sentence. A mask is used to select the range of addresses. The address can also be
left unnumbered: instead of an address you can name an interface whose address is unknown when the device is
configured (because it is assigned by another mechanism, such as PPP).
When you want to specify a range of addresses, two kinds of mask are useful in practice:
Standard subnet mask: the masks normally used to define subnets, e.g. 255.255.255.0 (equivalent to a /24 subnet).
Wildcard mask: a generalization of the previous type. A wildcard mask lets you delimit more precisely the group of
addresses the entry checks: each bit set to 1 in the mask marks an address bit that must match, and each bit set to 0
marks an address bit that is ignored. The pairs of examples in the following table illustrate this:
Address        Wildcard mask    Matching entry
172.24.0.127   255.255.0.255    Matches source addresses 172.24.x.127 regardless of the value of x
                                (e.g. 172.24.12.127).
0.0.0.67       0.0.0.255        Matches source addresses x.x.x.67, regardless of the x values
                                (e.g. 10.150.130.67).
0.0.130.0      0.0.254.0        Matches source addresses x.x.130.x and x.x.131.x, regardless of the
                                x values (e.g. 18.102.130.2, 192.168.131.125).
192.0.125.0    255.0.253.0      Matches source addresses 192.x.125.x and 192.x.127.x, regardless of
                                the x values (e.g. 192.142.125.8, 192.3.127.135).
192.0.125.0    254.0.253.0      Matches source addresses 192.x.125.x, 193.x.125.x, 192.x.127.x and
                                193.x.127.x, regardless of the x values (e.g. 192.222.125.44,
                                193.111.127.201).
A consequence of the wildcard rule is that every address bit in a position where the mask bit is 0 must itself be 0.
Otherwise the device rejects the command with an error message and suggests an address that fits the mask (the
address with those bits cleared). Check that the suggested address is really the one you intended.
For example, if you enter address 172.24.155.130 with mask 255.255.254.255, the device issues an error: the lowest
bit of the mask's third octet (254 = 11111110) is 0, but the same bit of the address's third octet (155 = 10011011) is 1.
In this case the device suggests address 172.24.154.130.
When configuring an IP address, you must enter the IP address and the mask. When configuring an interface, you
must enter its identifier (e.g. serial0/0).
Syntax:
a) IP Address
Extended Access List #>entry <id> source address <address> <mask>
b) Interface
Extended Access List #>entry <id> source address interface <interface>
Example:
a) IP Address
Extended Access List 100>entry 3 source address 192.168.4.5 255.255.255.255
Extended Access List 100>
Extended Access List 100>entry 4 source address 192.0.0.17 255.0.0.255
Extended Access List 100>
b) Interface
Extended Access List 100>entry 3 source address interface serial0/0
Extended Access List 100>
Caution
An interface should only be configured as source in access lists that are going to be associated with IPSec.
This option is currently not applied by the other protocols and features, so it should not be configured for
them.
2.5.2.4.2 ENTRY <id> SOURCE PORT-RANGE
The meaning of this command depends on the protocol of the packet being filtered.
• If the packet is TCP or UDP, this command sets the sentence for the packet's source port and must be followed by
two numbers: the first is the lower limit of the port range and the second the upper limit. If you do not want a
range, enter the same value twice. Both values can range from 0 to 65535.
In this case the command grants or denies access to one or more TCP or UDP source ports.
• If the packet is ICMP and the entry is configured to filter this protocol (with the entry <id> protocol icmp
command), this command sets the sentence for the ICMP message type. It must be followed by two numbers that
specify a range: the first is the lowest ICMP type matched and the second the highest. If you do not want a range,
enter the same value twice.
In this case the command grants or denies certain ICMP message types.
Note that ICMP filtering in an entry can only be enabled with the entry <id> protocol icmp command.
• When this command is configured, the entry only matches a packet that satisfies the port-range sentence together
with all the other sentences configured in the entry.
bintec elmeg 2 Configuration
Access Control 15

Syntax:
Extended Access List #>entry <id> source port-range <lower_port> <higher_port>
Example 1:
Extended Access List 100>entry 3 source port-range 2 4
Extended Access List 100>
This entry matches all TCP or UDP packets whose source port is between 2 and 4 inclusive.
Example 2:
Extended Access List 100>entry 3 protocol icmp
Extended Access List 100>entry 3 source port-range 3 3
Extended Access List 100>
This entry matches all ICMP packets of type 3 (destination unreachable), regardless of the ICMP code.
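The two examples above, as an added Python example that is not part of the manual or of the device software: it models how the source port-range sentence is read for TCP/UDP packets (source port) and for ICMP packets (message type, only with protocol icmp), and that every sentence configured in an entry must match. The Entry and Packet classes, the small parser for entry lines, the no-match result for an entry whose port-range cannot be applied to the packet, and the first-match walk in ascending entry order are assumptions of this example, not documented device behaviour.

```python
"""Reading of the `source port-range` sentence in an extended access-list entry.

Added example; not code from the bintec manual or from the device. The Entry
and Packet classes, the CLI-line parser and the evaluation order are this
example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    action: Optional[str] = None                      # "permit" / "deny"
    protocol: Optional[str] = None                    # "icmp", "tcp", ... or None = any
    src_port_range: Optional[Tuple[int, int]] = None  # (lower, higher)


@dataclass
class Packet:
    protocol: str                    # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None   # TCP/UDP only
    icmp_type: Optional[int] = None  # ICMP only
    icmp_code: Optional[int] = None  # ICMP only; not examined by source port-range


def apply_line(entries: Dict[int, Entry], line: str) -> Entry:
    """Apply one `entry <id> ...` line, as typed at the `Extended Access List #>`
    prompt, to the entries dict (id -> Entry) and return the entry.
    Only the sentences described in this section are handled."""
    words = line.split()
    if len(words) < 3 or words[0] != "entry":
        raise ValueError(f"unsupported line: {line!r}")
    entry = entries.setdefault(int(words[1]), Entry())
    if len(words) == 3 and words[2] in ("permit", "deny"):
        entry.action = words[2]
    elif len(words) == 4 and words[2] == "protocol":
        entry.protocol = words[3]
    elif len(words) == 6 and words[2:4] == ["source", "port-range"]:
        lower, higher = int(words[4]), int(words[5])
        # The manual allows 0..65535; requiring lower <= higher is this example's check.
        if not 0 <= lower <= higher <= 65535:
            raise ValueError(f"bad port-range in {line!r}")
        entry.src_port_range = (lower, higher)
    else:
        raise ValueError(f"unsupported line: {line!r}")
    return entry


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    """True when every sentence configured in the entry matches the packet."""
    if entry.protocol is not None and entry.protocol != pkt.protocol:
        return False
    if entry.src_port_range is not None:
        lower, higher = entry.src_port_range
        if pkt.protocol in ("tcp", "udp"):
            value = pkt.src_port              # compared with the source port
        elif pkt.protocol == "icmp" and entry.protocol == "icmp":
            value = pkt.icmp_type             # compared with the ICMP type; code ignored
        else:
            return False                      # assumption: nothing to compare against
        if value is None or not lower <= value <= higher:
            return False
    return True


def evaluate(entries: Dict[int, Entry], pkt: Packet) -> Optional[str]:
    """Walk the entries in ascending id order and return the action of the
    first one that matches, or None if none matches (assumed order)."""
    for eid in sorted(entries):
        if entry_matches(entries[eid], pkt):
            return entries[eid].action
    return None


# Constructed sample configuration, following the two examples above.
ACL_100: Dict[int, Entry] = {}
for cli_line in (
    "entry 3 deny",
    "entry 3 protocol icmp",
    "entry 3 source port-range 3 3",   # ICMP type 3, any code
    "entry 4 permit",
    "entry 4 source port-range 2 4",   # TCP/UDP source ports 2..4
):
    apply_line(ACL_100, cli_line)

if __name__ == "__main__":
    print(evaluate(ACL_100, Packet("icmp", icmp_type=3, icmp_code=1)))  # deny
    print(evaluate(ACL_100, Packet("tcp", src_port=3)))                  # permit
    print(evaluate(ACL_100, Packet("icmp", icmp_type=8, icmp_code=0)))  # None
```

Note that entry 4 carries no protocol sentence, so for an ICMP packet its port-range has nothing to compare against and the entry does not match; in this model only an entry with protocol icmp can select ICMP by type.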
2.5.2.5 ENTRY <id> DESTINATION
Sets the selection sentence for the IP parameters of the packet's destination (address or port).
Syntax:
Extended Access List #>entry <id> destination <parameter> [options]
The following options can be entered in the IP destination sentence:
Extended Access List #>entry <id> destination ?
address IP address and mask of the destination subnet
port-range destination port range
2.5.2.5.1 ENTRY <id> DESTINATION ADDRESS
Establishes the destination IP address sentence. A mask is used to select the range of addresses. The address can
also be left unnumbered: you can refer to an interface whose address is unknown when the device is configured.
When you want to specify a range of addresses, two kinds of mask are useful in practice:
Standard subnet mask: the masks normally used to define subnets, e.g. 255.255.255.0 (equivalent to a /24 subnet).
Wildcard mask: a generalization of the previous type. A wildcard mask lets you delimit more precisely the group of
addresses the entry checks: each bit set to 1 in the mask marks an address bit that must match, and each bit set to 0
marks an address bit that is ignored. The pairs of examples in the following table illustrate this:
Address        Wildcard mask    Matching entry
172.24.0.127   255.255.0.255    Matches destination addresses 172.24.x.127 regardless of the value
                                of x (e.g. 172.24.12.127).
0.0.0.67       0.0.0.255        Matches destination addresses x.x.x.67, regardless of the x values
                                (e.g. 10.150.130.67).
0.0.130.0      0.0.254.0        Matches destination addresses x.x.130.x and x.x.131.x, regardless
                                of the x values (e.g. 18.102.130.2, 192.168.131.125).
192.0.125.0    255.0.253.0      Matches destination addresses 192.x.125.x and 192.x.127.x,
                                regardless of the x values (e.g. 192.142.125.8, 192.3.127.135).
192.0.125.0    254.0.253.0      Matches destination addresses 192.x.125.x, 193.x.125.x, 192.x.127.x
                                and 193.x.127.x, regardless of the x values (e.g. 192.222.125.44,
                                193.111.127.201).
A consequence of the wildcard rule is that every address bit in a position where the mask bit is 0 must itself be 0.
Otherwise the device rejects the command with an error message and suggests an address that fits the mask (the
address with those bits cleared). Check that the suggested address is really the one you intended.
For example, if you enter address 172.24.155.130 with mask 255.255.254.255, the device issues an error: the lowest
bit of the mask's third octet (254 = 11111110) is 0, but the same bit of the address's third octet (155 = 10011011) is 1.
In this case the device suggests address 172.24.154.130.
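The wildcard rule is the same for the source address sentence (2.5.2.4.1) and for the destination address sentence above. The following Python is an added example, not code from the manual or from the device: it implements the match (only the mask's 1 bits are compared), the validation that rejects an address with a 1 bit under a mask 0 bit and proposes the corrected address, and an expand helper that reproduces the rows of the table. All function names are this example's own.

```python
"""Bintec-style wildcard-mask matching for access-list address sentences.

Added example; not code from the bintec manual or from the device. It follows
the rule stated for the address sentences: a mask bit of 1 means the address
bit must match, a mask bit of 0 means the address bit is ignored, and address
bits under mask 0 bits must themselves be 0. Function names are this
example's own.
"""
import ipaddress
from typing import List, Tuple


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def validate_address_mask(address: str, mask: str) -> Tuple[bool, str]:
    """Return (ok, suggested_address).

    ok is False when some address bit sits under a 0 bit of the mask; the
    suggestion is the address with those bits cleared (address AND mask),
    which is the correction shown above
    (172.24.155.130 / 255.255.254.255 -> 172.24.154.130)."""
    addr, msk = _to_int(address), _to_int(mask)
    fixed = addr & msk
    return fixed == addr, _to_dotted(fixed)


def matches(packet_addr: str, address: str, mask: str) -> bool:
    """True if packet_addr satisfies the entry's address/mask sentence.

    Only bit positions set in the mask are compared, so an ordinary subnet
    mask (contiguous 1 bits) is just a special case of the wildcard rule."""
    msk = _to_int(mask)
    return (_to_int(packet_addr) & msk) == (_to_int(address) & msk)


def expand(address: str, mask: str, limit: int = 16) -> List[str]:
    """List the address patterns an address/mask pair covers, in the notation
    of the table above: an octet whose mask byte is 0 is written 'x'; other
    ignored bits are enumerated. At most `limit` patterns are produced."""
    addr, msk = _to_int(address), _to_int(mask)
    octet_free = [((msk >> (24 - 8 * i)) & 0xFF) == 0 for i in range(4)]
    # Ignored bits that are not inside a fully ignored octet get enumerated.
    enum_bits = [b for b in range(32)
                 if not (msk >> b) & 1 and not octet_free[3 - b // 8]]
    patterns = set()
    for n in range(min(1 << len(enum_bits), limit)):
        value = addr & msk
        for i, b in enumerate(enum_bits):
            if (n >> i) & 1:
                value |= 1 << b
        octets = ["x" if octet_free[i] else str((value >> (24 - 8 * i)) & 0xFF)
                  for i in range(4)]
        patterns.add(".".join(octets))
    return sorted(patterns)


if __name__ == "__main__":
    # Constructed inputs taken from the rows of the table above.
    for addr, msk in (("172.24.0.127", "255.255.0.255"),
                      ("0.0.130.0", "0.0.254.0"),
                      ("192.0.125.0", "254.0.253.0")):
        print(addr, msk, expand(addr, msk))
    print(validate_address_mask("172.24.155.130", "255.255.254.255"))
```

A practical use of validate_address_mask is to check an access-list entry before typing it at the prompt: the suggested address tells you which bits the device would silently ignore, which is how an overly wide wildcard ends up matching more hosts than intended.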
When configuring an IP address, you must enter the IP address and the mask. When configuring an interface, you