Configuring IP Access Controls
The IP access control system allows the IP forwarder to control packet forwarding based
on source and destination IP addresses, IP protocol number, and destination port number
for the TCP and UDP protocols. This controls access to particular classes of IP addresses
and services.
The IP access control system is based on one global ordered list of inclusive and
exclusive access control entries. If access control is enabled, each IP packet being
forwarded or received is subject to the access control list. Each entry in the list may be
inclusive or exclusive, permitting or denying forwarding.
Enabling/Disabling Access Controls
If access controls are enabled and the access control entry list is empty, all packets
are included. If access controls are enabled and the entry list is not empty, all packets
not included by an entry in the list are dropped (excluded).
If IP access control is enabled, you must be careful with packets that the router
itself originates and receives. Be sure not to filter out the RIP or OSPF packets being sent or
received by the router. You can do this by adding a wildcard inclusive entry as the
last entry in the access control list. Alternatively, you can add specific entries for RIP or OSPF, or
both, perhaps with restrictive addresses and masks. Note that some OSPF packets are sent
to the class D multicast addresses 224.0.0.5 and 224.0.0.6, which matters if destination address
checking is being done for routing protocol packets.
Procedure:

| Step | Action |
|------|--------|
| 1 | Click the Access Control Enable/Disable drop-down box. |
| 2 | Click Enabled or Disabled. |
| 3 | Click Apply. |
Moving Access Control Records
You can change the order of the access control list by moving any one
access control record before another. For example, you can move an access control record to
the top of the access control list so that it is evaluated before a record that would otherwise block a
specific access.
Procedure:

| Step | Action |
|------|--------|
| 1 | Enter the access control record number that you want to move from the record list (#) into the Access Control Operations box. |
| 2 | Enter the access control record number that you want to move from the record list (#) into the Access Control Operations box. |
Field Descriptions

| Field | Description |
|-------|-------------|
| # | Number of the access control record. |
| Type | Exclusive (E) or inclusive (I). |
| Source | IP source address. |
| Src Mask | IP source mask address. |
| Destination | IP destination address. |
| Dest Mask | IP destination mask address. |
| Start Prtcl | An optional field that specifies the start of a protocol number range. Used with the End Prtcl field, this range specifies an inclusive range of IP protocols that match the entry. |
| End Prtcl | An optional field that specifies the end of a protocol number range. Used with the Start Prtcl field, this range specifies an inclusive range of IP protocols that match the entry. |
| Start Port | If the protocol range specified includes the TCP and UDP protocol numbers, you may specify a TCP and UDP destination port number range with the Start Port and End Port fields; this is an inclusive range of TCP and UDP destination ports that matches the entry. |
| End Port | If the protocol range specified includes the TCP and UDP protocol numbers, you may specify a TCP and UDP destination port number range with the Start Port and End Port fields; this is an inclusive range of TCP and UDP destination ports that matches the entry. |
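The following is an added reference model, not the router's own software, of the behaviour described in the sections above: the ordered list of inclusive and exclusive entries with the "empty list includes everything, non-empty list drops anything not included" rule, the record-moving operation, and the field matching from the table. It is written to show why the wildcard inclusive entry at the end of the list matters for the router's own RIP and OSPF traffic, and why record order decides the outcome. Assumptions are labelled in the comments: masks are treated as netmasks (bits set in the mask are compared), an entry whose End Prtcl or End Port is left blank is treated as a single-value range, an entry carrying a port range matches only TCP and UDP packets, and all addresses, entries and packets are constructed sample data.

```python
"""Reference model of an ordered, first-match IP access control list.

Added example; not the router's code. Semantics taken from the text above:
  - access control disabled, or enabled with an empty list: everything forwarded
  - enabled with a non-empty list: the first matching entry decides
    (inclusive = forward, exclusive = drop); no match = dropped
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, OSPF = 6, 17, 89          # IP protocol numbers (IANA)
RIP_PORT = 520                       # RIP runs over UDP port 520
OSPF_ALL_ROUTERS = "224.0.0.5"       # class D addresses named in the text
OSPF_DESIGNATED = "224.0.0.6"


@dataclass
class Entry:
    """One access control record (the columns of the Field Descriptions table)."""
    inclusive: bool                  # Type: I (True) or E (False)
    source: str                      # Source
    src_mask: str                    # Src Mask (assumption: netmask semantics)
    destination: str                 # Destination
    dest_mask: str                   # Dest Mask
    start_prtcl: Optional[int] = None  # Start Prtcl (optional)
    end_prtcl: Optional[int] = None    # End Prtcl (assumption: blank = same as start)
    start_port: Optional[int] = None   # Start Port (TCP/UDP destination port)
    end_port: Optional[int] = None     # End Port (assumption: blank = same as start)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None      # destination port, TCP/UDP only


def _addr_match(addr: str, value: str, mask: str) -> bool:
    """Assumption: compare only the address bits that are set in the mask."""
    a, v, m = (int(ipaddress.IPv4Address(x)) for x in (addr, value, mask))
    return (a & m) == (v & m)


def matches(entry: Entry, pkt: Packet) -> bool:
    """Does this record match the packet?  All present fields must agree."""
    if not _addr_match(pkt.src, entry.source, entry.src_mask):
        return False
    if not _addr_match(pkt.dst, entry.destination, entry.dest_mask):
        return False
    if entry.start_prtcl is not None:
        end = entry.end_prtcl if entry.end_prtcl is not None else entry.start_prtcl
        if not entry.start_prtcl <= pkt.proto <= end:
            return False
    if entry.start_port is not None:
        # Assumption: a port range only ever matches TCP or UDP packets.
        if pkt.proto not in (TCP, UDP) or pkt.dport is None:
            return False
        end = entry.end_port if entry.end_port is not None else entry.start_port
        if not entry.start_port <= pkt.dport <= end:
            return False
    return True


def forward(acl: List[Entry], enabled: bool, pkt: Packet) -> bool:
    """True if the packet is forwarded, False if it is dropped."""
    if not enabled or not acl:       # disabled, or enabled with an empty list
        return True
    for entry in acl:                # ordered, first match wins
        if matches(entry, pkt):
            return entry.inclusive
    return False                     # not included by any entry: dropped


def move_before(acl: List[Entry], record_no: int, target_no: int) -> List[Entry]:
    """Move record number record_no (1-based, the '#' column) before target_no."""
    acl = list(acl)
    entry = acl.pop(record_no - 1)
    if target_no > record_no:        # removal shifted the later records up by one
        target_no -= 1
    acl.insert(target_no - 1, entry)
    return acl


# Constructed sample records (addresses from the 192.0.2.0/24 documentation range).
ANY = Entry(True, "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0")   # wildcard include
BLOCK_TELNET = Entry(False, "0.0.0.0", "0.0.0.0", "192.0.2.10", "255.255.255.255",
                     TCP, TCP, 23, 23)                            # exclude telnet to one host
ALLOW_ADMIN_TELNET = Entry(True, "192.0.2.50", "255.255.255.255",
                           "192.0.2.10", "255.255.255.255", TCP, TCP, 23, 23)
ALLOW_OSPF = Entry(True, "0.0.0.0", "0.0.0.0", OSPF_ALL_ROUTERS, "255.255.255.255",
                   OSPF, OSPF)                                    # restrictive entry for OSPF

# Constructed sample packets.
RIP_UPDATE = Packet("192.0.2.1", "255.255.255.255", UDP, RIP_PORT)
OSPF_HELLO = Packet("192.0.2.1", OSPF_ALL_ROUTERS, OSPF)
USER_TELNET = Packet("192.0.2.7", "192.0.2.10", TCP, 23)
ADMIN_TELNET = Packet("192.0.2.50", "192.0.2.10", TCP, 23)


def routing_protocol_scenario() -> dict:
    """A single exclusive entry silently drops the router's own RIP/OSPF traffic
    until a wildcard inclusive entry (or a specific one) is added."""
    acl = [BLOCK_TELNET]
    dropped = {"rip": forward(acl, True, RIP_UPDATE), "ospf": forward(acl, True, OSPF_HELLO)}
    acl = [BLOCK_TELNET, ANY]        # wildcard inclusive entry as the last record
    fixed = {"rip": forward(acl, True, RIP_UPDATE), "ospf": forward(acl, True, OSPF_HELLO),
             "telnet_still_blocked": not forward(acl, True, USER_TELNET)}
    specific = forward([BLOCK_TELNET, ALLOW_OSPF], True, OSPF_HELLO)
    return {"before": dropped, "after_wildcard": fixed, "after_specific_ospf": specific}


def move_scenario() -> dict:
    """The admin exception only takes effect once it is moved above the block."""
    acl = [BLOCK_TELNET, ALLOW_ADMIN_TELNET, ANY]
    before = forward(acl, True, ADMIN_TELNET)
    acl = move_before(acl, 2, 1)     # move record #2 before record #1
    after = forward(acl, True, ADMIN_TELNET)
    return {"before_move": before, "after_move": after,
            "other_user_still_blocked": not forward(acl, True, USER_TELNET)}


if __name__ == "__main__":
    print(routing_protocol_scenario())
    print(move_scenario())
```

Running the block prints the two scenarios: with only the telnet block configured, both the RIP update and the OSPF hello are dropped, because nothing includes them; appending the wildcard entry (or a specific OSPF entry) restores them while the telnet block still holds; and the admin exception is ignored while it sits below the exclusive entry and takes effect only after it is moved above it.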