Configuring IP Access Controls

The IP access control system allows the IP forwarder to control packet forwarding based on source and destination IP addresses, IP protocol number, and destination port number for the TCP and UDP protocols. This controls access to particular classes of IP addresses and services.

The IP access control system is based on one global ordered list of inclusive and exclusive access control entries. If access control is enabled, each IP packet being forwarded or received is subject to the access control list. Each entry in the list may be inclusive or exclusive, permitting or denying forwarding. Entries are checked in list order, so the position of an entry determines whether it takes effect before or after other entries that could match the same packet.

Enabling/Disabling Access Controls

If access controls are enabled and the access control entry list is empty, all packets are included (forwarded). If access controls are enabled and the entry list is not empty, all packets not included by an entry in the list are dropped (excluded). In other words, a non-empty list denies by default: anything you do not explicitly include is lost.

If IP access control is enabled, you must be careful with packets that the router itself originates and receives. Be sure not to filter out the RIP or OSPF packets being sent or received by the router. One way to do this is to add a wildcard inclusive entry as the last entry in the access control list; note that this changes the list from deny-by-default to permit-by-default, so every address or service you want blocked must then be covered by an exclusive entry placed above it. Alternatively, you can add specific inclusive entries for RIP or OSPF, or both, perhaps with restrictive addresses and masks, and keep the default-deny behaviour. RIP is carried in UDP datagrams to destination port 520 (RIP-2 may send them to the multicast address 224.0.0.9), and OSPF is IP protocol 89; some OSPF packets are sent to the class D multicast addresses 224.0.0.5 and 224.0.0.6, so an OSPF entry that checks destination addresses must include those addresses, not only the addresses of the router's own interfaces.

Procedure:

Step Action
1 Click the Access Control Enable/Disable drop-down box.
2 Click Enabled or Disabled.
3 Click Apply. 

Moving Access Control Records

You can change the order of the list by moving any one access control record before another. For example, you can move a record to the top of the access control list so that it is checked before a record that would otherwise block a specific access.

Procedure:

Step Action
1 Enter the record number (#) of the access control record that you want to move into the Access Control Operations box.
2 Enter the record number (#) of the access control record before which the moved record should be placed.


Field Descriptions

# Number of the access control record (its position in the ordered list)
Type Exclusive (E), which drops matching packets, or inclusive (I), which forwards them.
Source IP source address to compare against the packet's source address.
Src Mask Mask applied to the IP source address; only the masked address bits are compared.
Destination IP destination address to compare against the packet's destination address.
Dest Mask Mask applied to the IP destination address; only the masked address bits are compared.
Start Prtcl Optional. Lower bound of an inclusive range of IP protocol numbers. Used with the End Prtcl field, the range specifies which IP protocols match the entry; if no range is given, the entry matches any protocol.
End Prtcl Optional. Upper bound of the inclusive IP protocol number range described under Start Prtcl.
Start Port Optional, and valid only when the protocol range includes TCP (protocol 6) or UDP (protocol 17). Lower bound of an inclusive range of TCP and UDP destination port numbers; a packet matches the entry only if its destination port falls in the range given by Start Port and End Port.
End Port Optional. Upper bound of the inclusive TCP and UDP destination port range described under Start Port.
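The following reference model, added here and not the router's own software, ties the rules above together: the enable/empty-list/default-drop behaviour from "Enabling/Disabling Access Controls", the routing-protocol caveat, the record-move operation, and the address, protocol and port fields. Three details are assumptions because the page does not state them: entries are evaluated top to bottom and the first matching entry decides; a mask bit of 1 means the corresponding address bit is compared; and record numbers start at 1. The addresses in the sample list are constructed from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
"""Reference model of the ordered IP access control list (added example).
Assumptions not stated on the page: first matching entry wins; a mask bit of 1
means 'compare this address bit'; record numbers (#) are 1-based."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTO_TCP, PROTO_UDP, PROTO_OSPF = 6, 17, 89
RIP_PORT = 520                          # RIP is carried in UDP to port 520
ANY, ANY_MASK = "0.0.0.0", "0.0.0.0"    # wildcard: no address bits are compared


@dataclass
class Entry:
    inclusive: bool                     # Type I (forward) or E (drop)
    source: str
    src_mask: str
    destination: str
    dest_mask: str
    start_prtcl: Optional[int] = None   # inclusive IP protocol number range
    end_prtcl: Optional[int] = None
    start_port: Optional[int] = None    # inclusive TCP/UDP destination port range
    end_port: Optional[int] = None


def _addr_matches(addr: str, ref: str, mask: str) -> bool:
    """Compare only the address bits selected by the mask (assumed semantics)."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, mask))
    return (a & m) == (r & m)


def entry_matches(e: Entry, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
    if not _addr_matches(src, e.source, e.src_mask):
        return False
    if not _addr_matches(dst, e.destination, e.dest_mask):
        return False
    if e.start_prtcl is not None and not (e.start_prtcl <= proto <= e.end_prtcl):
        return False
    if e.start_port is not None:
        # A port range applies only to TCP and UDP; other protocols carry no port.
        if proto not in (PROTO_TCP, PROTO_UDP) or dport is None:
            return False
        if not (e.start_port <= dport <= e.end_port):
            return False
    return True


def forward(acl: List[Entry], enabled: bool, src: str, dst: str,
            proto: int, dport: Optional[int] = None) -> bool:
    """True if the packet is forwarded, False if it is dropped."""
    if not enabled or not acl:          # disabled, or enabled with an empty list: all included
        return True
    for e in acl:                       # first match decides (assumed)
        if entry_matches(e, src, dst, proto, dport):
            return e.inclusive
    return False                        # enabled, non-empty list, no match: dropped


def move_before(acl: List[Entry], record: int, before: int) -> List[Entry]:
    """Copy of acl with record number `record` placed before record `before` (both 1-based)."""
    new = list(acl)
    moved = new.pop(record - 1)
    new.insert(before - 1 if before < record else before - 2, moved)
    return new


# Constructed sample list. MGMT is a management host that should only be reachable
# over SSH from its own subnet; routing protocols and everything else stay open.
MGMT = "192.0.2.10"
ACL = [
    # 1: include SSH to the management host from the local subnet only
    Entry(True, "192.0.2.0", "255.255.255.0", MGMT, "255.255.255.255", PROTO_TCP, PROTO_TCP, 22, 22),
    # 2: exclude everything else addressed to the management host
    Entry(False, ANY, ANY_MASK, MGMT, "255.255.255.255"),
    # 3-4: OSPF (protocol 89) to the 224.0.0.5 / 224.0.0.6 multicast groups
    Entry(True, ANY, ANY_MASK, "224.0.0.5", "255.255.255.255", PROTO_OSPF, PROTO_OSPF),
    Entry(True, ANY, ANY_MASK, "224.0.0.6", "255.255.255.255", PROTO_OSPF, PROTO_OSPF),
    # 5: RIP (UDP destination port 520) to any destination
    Entry(True, ANY, ANY_MASK, ANY, ANY_MASK, PROTO_UDP, PROTO_UDP, RIP_PORT, RIP_PORT),
    # 6: wildcard inclusive entry last, so unmatched traffic is not silently dropped
    Entry(True, ANY, ANY_MASK, ANY, ANY_MASK),
]
# The same list with only records 1 and 2: this is the mistake the page warns about.
ACL_NO_TAIL = ACL[:2]

if __name__ == "__main__":
    print("SSH from subnet:", forward(ACL, True, "192.0.2.55", MGMT, PROTO_TCP, 22))
    print("OSPF hello, full list:", forward(ACL, True, "192.0.2.1", "224.0.0.5", PROTO_OSPF))
    print("OSPF hello, no tail:", forward(ACL_NO_TAIL, True, "192.0.2.1", "224.0.0.5", PROTO_OSPF))
```

With only records 1 and 2 in place the router's own OSPF hellos and every unrelated flow are dropped; appending records 3 to 6 restores them. Moving record 6 before record 2 (the operation described under "Moving Access Control Records") shows why order matters: the wildcard inclusive entry then matches first and record 2 never blocks anything.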