BinTec Dm752-I User manual

Access Control

bintec Dm752-I

bintec elmeg Manual

Access Control 1

Legal Notice

Warranty

This publication is subject to change.

bintec offers no warranty whatsoever for information contained in this manual.

bintec is not liable for any direct, indirect, collateral, consequential or any other damage connected to the delivery,

supply or use of this manual.

Manual bintec elmeg

2 Access Control

Table of Contents

I RelatedDocuments................................. 1

Chapter1 Introduction..................................... 2

1.1 AccessControlLists .................................. 2

Chapter2 Configuration.................................... 3

2.1 Introduction...................................... 3

2.2 Accessing the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.3 MainConfigurationMenu................................ 4

2.3.1 ?(HELP) ....................................... 5

2.3.2 ACCESS-LIST..................................... 5

2.3.3 LIST ......................................... 6

2.3.4 NO.......................................... 7

2.3.5 EXIT......................................... 7

2.4 StandardAccessLists.................................. 7

2.4.1 ?(HELP) ....................................... 7

2.4.2 ENTRY........................................ 8

2.4.3 LIST ........................................ 10

2.4.4 MOVE-ENTRY.................................... 11

2.4.5 DESCRIPTION.................................... 11

2.4.6 NO......................................... 12

2.4.7 EXIT........................................ 12

2.5 ExtendedAccessLists ................................ 12

2.5.1 ?(HELP) ...................................... 13

2.5.2 ENTRY....................................... 13

2.5.3 LIST ........................................ 20

2.5.4 MOVE-ENTRY.................................... 21

2.5.5 DESCRIPTION.................................... 21

2.5.6 NO......................................... 21

2.5.7 EXIT........................................ 22

2.6 StatefulAccessLists................................. 22

2.6.1 ¿?(HELP)...................................... 23

2.6.2 DESCRIPTION.................................... 23

2.6.3 ENTRY....................................... 23

2.6.4 NO......................................... 35

2.7 ShowConfig..................................... 35

2.8 PracticalExample .................................. 36

2.8.1 Creating the access control lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

2.8.2 Associating the access List to the IPSec Protocol . . . . . . . . . . . . . . . . . . . . . 37

Chapter3 Monitoring..................................... 38

3.1 MonitoringCommands ................................ 38

bintec elmeg Table of Contents

Access Control i

3.1.1 ?(HELP) ...................................... 38

3.1.2 LIST ........................................ 38

3.1.3 CLEAR-CACHE................................... 43

3.1.4 SET-CACHE-SIZE.................................. 43

3.1.5 SHOW-HANDLES.................................. 43

3.1.6 HIDE-HANDLES................................... 43

Chapter4 Appendix..................................... 44

4.1 ReservedPorts.................................... 44

4.2 ReservedProtocols.................................. 44

4.3 Protocol Values in “Stateful” Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Table of Contents bintec elmeg

ii Access Control

I Related Documents

bintec Dm745-I Policy Routing

bintec Dm764-I Route Mapping

bintec Dm780-I Prefix Lists

bintec Dm786-I AFS

bintec Dm788-I New NAT Protocol

bintec Dm795-I Policy-Map Class-Map

bintec elmeg Related Documents

Access Control 1

Chapter 1 Introduction

1.1 Access Control Lists

Routers use Access Control Lists (ACL) to identify traffic passing through them.

Access lists can filter the packet or route flow passing through the router interfaces.

An IP access list is a sequential list of permission or negation conditions applied to source or destination IP ad-

dresses, source or destination ports or to higher layer IP protocols (such as IP, TCP etc.).

These can separate the traffic into different queues, according to priority.

Types of access lists:

Standard (1 – 99): checks the source addresses of those packets requesting

routing.

Extended (100 – 1999): checks both the source and destination addresses of

each packet. This kind of list can also verify specific protocols, number of ports

and other parameters.

Stateful (5000-9999): checks both the source and destination address for the

packet, as well as the state and the type of session. To configure stateful lists,

the AFS feature must be enabled (please see manual bintec Dm786-I AFS).

Access lists can be applied at both input (to avoid router overload) and output.

Access Control Lists themselves cannot limit the packet flow in the router. To do this, they must be associated to pro-

tocols that allow traffic filters to be established. Certain protocols allow for Access Control List management and in-

corporate a series of commands that associate the protocol to said lists. The following are some of the most common

protocols managing Access Control Lists: BRS, IPSec, Policy Routing, RIP.

Routing protocols, such as RIP, OSPF and BGP, are particularly interesting. They use Access Control Lists, either

directly or through Route Maps (please see manual bintec Dm764-I Route Mapping), to control the routes installed

in the routing table or the ones distributed to other devices. Other tools, such as Prefix Lists, are very similar to Ac-

cess Lists and have been specifically designed for route filtering (see manual bintec Dm780-I Prefix Lists).

Access Control Lists indicate the entry search results to the associated protocol. The reception search result for a

packet can be:

The associated protocol determines what should happen to the IP packet in accordance with the Access List applica-

tion result.

1 Introduction bintec elmeg

2 Access Control

Chapter 2 Configuration

2.1 Introduction

Each entry in the list is a block of sentences and an action, and is identified by a unique number (the entry identifier

or ID field). The sentence block is made up of a source IP address (or range of addresses), a destination IP address

(or range of destination IP addresses), a protocol (or range of protocols), source and destination ports (or range of

ports), IP service byte values and the connection identifier for the interfaces the packet goes through. You only have

to specify those required. The action represents the process assigned to the packets that match the associated block

of sentences: PERMIT or DENY.

A Standard, Extended or Stateful Access Control List is made up of a series of entries (which define the properties

that a packet must have in order to belong to this entry and, consequently, to this list). This Access Control List is

then assigned to a protocol.

Note

Access Control Lists themselves cannot limit the packet flow in the router. To do this, they must be as-

sociated to a protocol.

Note

Access Control Lists provide the associated protocol with the entry search results. The latter can have

the following values: Not Found, Permit or Deny. The associated protocol determines what to do with a

packet according to the result given by the Access Control List.

2.2 Accessing the Configuration

Operations to create, modify or eliminate access lists are executed from a specific menu. There, you can also view

the lists that have been created.

In the router configuration structure, Access Controls are organized as a feature (FEATURE). To view the features

bintec elmeg 2 Configuration

Access Control 3

that allow you to configure the router, enter the feature command followed by a question mark (?).

Example:

Config>feature ?

access-lists Access generic access lists configuration

environment

bandwidth-reservation Bandwidth-Reservation configuration environment

control-access Control-access configuration environment

dns DNS configuration environment

frame-relay-switch Frame Relay Switch configuration environment

ip-discovery TIDP configuration environment

ldap LDAP configuration environment

mac-filtering Mac-filtering configuration environment

nsla Network Service Level Advisor configuration

nsm Network Service Monitor configuration environment

ntp NTP configuration environment

prefix-lists Access generic prefix lists configuration

environment

radius RADIUS protocol configuration environment

route-map Route-map configuration environment

scada-forwarder SCADA Forwarder configuration environment

sniffer Sniffer configuration environment

stun Stun facility configuration environment

syslog Syslog configuration environment

tms TMS configuration environment

vlan IEEE 802.1Q switch configuration environment

vrf VRF configuration environment

wrr-backup-wan WRR configuration environment

wrs-backup-wan WRS configuration environment

Config>

To access the Access Controls configuration menu, enter, from the configuration root menu (PROCESS 4), the word

feature, followed by access-lists.

Example:

Config>feature access-lists

-- Access Lists user configuration --

Access Lists config>

You will then access the main Access Controls functionality configuration menu. Here you can create, eliminate and

view the access lists.

Each Access Control List is made up of entries, where you can indicate criteria and the parameters that grant or

deny access.

There are three types of Access Control Lists: Standard, Extended and Stateful.

Very few parameters are used in the Standard lists to define the characteristics of each Access Control entry. Exten-

ded lists, however, allow you to define a larger number of selection parameters.

With Stateful lists, users can also specify the connection status (established, new, etc.) and type of connection (rtp,

peer to peer, etc.).

There are three submenus within the main Access Lists menu, one for each type of list. Each submenu is accessed

when editing a specific list, depending on whether the type selected is Extended, Standard, or Stateful.

2.3 Main Configuration Menu

Creates and deletes lists from the main Access Control configuration menu. You can also view the configuration of

the lists that have been created.

An access list is made up of a series of entries. Each entry in the list is a block of sentences and an action, and is

identified by a unique number (the entry identifier or ID field). The sentence block is made up of a source IP address

(or range of addresses), a destination IP address (or range of destination IP addresses), a protocol (or range of pro-

tocols), source and destination ports (or range of ports) and the connection identifier for all interfaces the packet

goes through. The action sets forth the criteria that must be applied to the IP packets meeting the requirements

defined by the sentences. The action can be one of two types: permit or deny.

2 Configuration bintec elmeg

4 Access Control

You can configure 9999 access lists in the router. Access lists whose identifiers take a value between 1 and 99 are

Standard Access Lists. Extended Access Lists take a value between 100 and 1999 and those between 5000 and

9999 are Stateful Access Lists.

The 9999 access lists are empty by default. An access list is considered empty when it does not contain any entries.

Depending on the type of list created (Standard/Extended/Stateful), entry configurations are carried out in a submenu

containing the same parameters for all entries of the same type. The following sections describe the configuration

mode for all parameters contained in these submenus.

Non-configured entry parameters or options in the Access Control Lists will not be taken into account when checking

the access.

Note

The order of the entries in the Access Control List is very important if the information the sentences

refer to stretches over different entries.

You must bear in mind that the order in which the entries in a list are dealt with is not defined by the

entry identifier number, but by the order in which they have been introduced. This order can be seen

through the list command and modified with the move-entry command. When moving through the list,

beginning with the first listed element or entry, if an element is found that matches the search criteria,

no further search is carried out and the action indicated by said entry is executed.

Please note that the search order among the entries on an Access Control List DIFFERS from that

used in a Prefix List (please see manual bintec Dm780-I Prefix Lists). In the latter case, this order is

given by the value of the identifier.

The following commands are available in the main Access Control menu:

Command Function

? (HELP) Lists the available commands or their options.

ACCESS-LIST Configures an access list.

LIST Displays the configuration of the access lists.

NO Negates a command or sets the default value.

2.3.1 ? (HELP)

Lists the valid commands at the level where the router is programmed. You can also use this command after a spe-

cific command to list the available options.

Syntax:

Access Lists config>?

Example:

Access Lists config>?

access-list Configure an access-list

list Display access-lists configuration

no Negates a command or sets its defaults

exit

Access Lists config>

2.3.2 ACCESS-LIST

Accesses the submenu that allows you to configure entries in an access list. Access lists are identified by a numeric-

al value that can take values between 1 and 9999 (i.e. the router allows you to configure 9999 access lists). Access

lists whose identifiers take a value between 1 and 99 are Standard Access Lists. Extended Access Lists take a value

between 100 and 1999, while those taking a value between 5000 and 9999 are Stateful Access Lists.

Once you have entered this command, followed by an identifier, you access a submenu where you can configure an

access list for said identifier. The type of access list and its identifier will appear in the new prompt.

Syntax:

Access Lists config>access-list ?

<1..99> Standard Access List number (1-99)

<100..1999> Extended Access List number (100-1999)

bintec elmeg 2 Configuration

Access Control 5

<5000..10000> Stateful access-list

Example:

Access Lists config>access-list 101

Extended Access List 101>

2.3.3 LIST

Displays configuration information on the Access Control Lists feature. Stateful Access Lists cannot be listed. To see

the content, execute show config.

Syntax:

Access Lists config>list ?

all-access-lists Display all access-lists configuration

standard-access-lists Display standard access-lists configuration

extended-access-lists Display extended access-lists configuration

2.3.3.1 LIST ALL-ACCESS-LISTS

Displays ALL the configuration information on the Access Control Lists, except for the Stateful Access Control Lists.

Syntax:

Access Lists config>list all-access-lists

Example:

Access Lists config>list all-access-lists

Standard Access List 1, assigned to no protocol

1 PERMIT SRC=192.60.1.24/32

2 PERMIT SRC=0.0.0.0/0

Extended Access List 100, assigned to no protocol

1 PERMIT SRC=172.34.53.23/32 DES=0.0.0.0/0 Conn:0

PROT=10-255

2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

Access Lists config>

2.3.3.2 LIST STANDARD-ACCESS-LISTS

Displays the configured Standard Access Control Lists.

Syntax:

Access Lists config>list standard-access-lists

Example:

Access Lists config>list standard-access-lists

Standard Access List 1, assigned to no protocol

1 PERMIT SRC=192.60.1.24/32

2 PERMIT SRC=0.0.0.0/0

Access Lists config>

2.3.3.3 LIST EXTENDED-ACCESS-LISTS

Displays the configured Extended Access Control Lists.

Syntax:

Access Lists config>list extended-access-lists

Example:

Access Lists config>list extended-access-lists

Extended Access List 100, assigned to no protocol

1 PERMIT SRC=172.34.53.23/32 DES=0.0.0.0/0 Conn:0

2 Configuration bintec elmeg

6 Access Control

Table of contents

Popular IP Access Controllers manuals by other brands

ZKTeco

ZKTeco SpeedFace-V5L user manual

Jantar

Jantar REX A-1-9 quick start guide

2N Access Unit Configuration manual

Kedacom

Kedacom KSCA120 Series quick start guide

H3C

H3C WX2880X installation guide

G4S

G4S S870-EX Installation and user instructions

PRASTEL

PRASTEL M2000PE manual

Allegion

Allegion interflex IF-281 Cylinder manual

TECOM

TECOM TS1067E manual

Fermax

Fermax Memokey 100C Installer manual

Fermax

Fermax CITYLINE MEMOKEY User& installer's manual

Software House

Software House iSTAR Pro 2U RM Quick start installation guide

AKCP

AKCP SP+ manual

Bpt

Bpt HNA/102 installation instructions

Civintec

Civintec CV9601T-T-1F installation manual

BioMax

BioMax N-X90W user manual

ZKTeco

ZKTeco OP-200 quick start guide

FingerTec

FingerTec s-Kadex user guide