Network Router User Manual

Chapter 19: Access Control List Configuration Guide
264 SmartSwitch Router User Reference Manual
you would have to create an ACL to allow responses from each specific outside host. If the
number of outside hosts that internal users need to access is large or changes frequently,
this can be difficult to maintain.
To address this problem, the SSR can be configured to accept outside TCP responses into
the internal network, provided that the TCP connection was initiated internally.
Otherwise, the response is rejected. To do this, enter the following command in Configure
Mode:
Allow TCP responses from external hosts, provided the connection was established
internally:
    acl <name> permit tcp established
Note:
The ports that are associated with the interface to which the ACL is applied must
reside on updated SSR hardware. Please refer to Appendix A for details.
The following ACL illustrates this feature:
    acl 101 permit tcp established
    acl 101 apply interface int1 input
Any incoming TCP packet on interface int1 is examined, and if the packet is in response to
an internal request, it is permitted; otherwise, it is rejected. Note that the ACL contains no
restriction for outgoing packets on interface int1, since internal hosts are allowed to access
the outside world.
Creating and Modifying ACLs
The SSR provides two mechanisms for creating and modifying ACLs:
• Editing ACLs on a remote host and uploading them to the SSR using TFTP or RCP
• Using the SSR’s ACL Editor
The following sections describe these methods.
Editing ACLs Offline
You can create and edit ACLs on a remote host and then upload them to the SSR with
TFTP or RCP. With this method, you use a text editor on a remote host to edit, delete,
replace, or reorder ACL rules in a file. Once the changes are made, you can then upload
the ACLs to the SSR using TFTP or RCP and make them take effect on the running system.
The following example describes how you can use TFTP to help maintain ACLs on the
SSR.
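The behaviour described earlier on this page for `acl 101 permit tcp established` applied to input on int1, as an added Python model that is not part of the manual and does not represent how the SSR implements the feature. The class and function names, the connection-tracking approach, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

class EstablishedModel:
    """Hypothetical model of the described behaviour, not the SSR's own logic."""

    def __init__(self):
        self.initiated = set()  # connections opened from the internal network

    def outgoing(self, p):
        # The ACL places no restriction on outgoing packets. A bare SYN from
        # the inside records the connection it is trying to open.
        if p.flags == {"SYN"}:
            self.initiated.add((p.src, p.sport, p.dst, p.dport))
        return "permit"

    def incoming(self, p):
        # A response reverses the addresses and ports of a recorded connection.
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.initiated:
            return "reject"  # not in response to an internal request
        if "RST" in p.flags:
            self.initiated.discard(key)  # connection is over; forget it
        return "permit"

def demo():
    inside, web, other = "10.1.1.5", "192.0.2.80", "198.51.100.9"  # constructed
    syn, synack, ack, rst = (frozenset(f) for f in
                             ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST"}))
    m = EstablishedModel()
    return [
        m.outgoing(Packet(inside, 40000, web, 80, syn)),       # internal request
        m.incoming(Packet(web, 80, inside, 40000, synack)),    # its response
        m.incoming(Packet(other, 80, inside, 40000, synack)),  # different host
        m.incoming(Packet(web, 80, inside, 40001, ack)),       # different port
        m.incoming(Packet(other, 5555, inside, 22, syn)),      # unsolicited SYN
        m.incoming(Packet(web, 80, inside, 40000, rst)),       # reset of known flow
        m.incoming(Packet(web, 80, inside, 40000, ack)),       # after the reset
    ]

if __name__ == "__main__":
    print(demo())
```

The model keeps entries until a reset arrives and does not age them out, so it illustrates only the permit/reject decision, not connection lifetime handling.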