Network Router User Manual

ManualsBrandsCabletron Systems ManualsNetwork RouterSMARTSWITCH ROUTER 9032578-05

291

292

293

294

295

296

297

298

299

300

Table Of Contents

Notices
Contents
About This Manual
- Related Documentation
- Document Conventions
Introduction
- Configuration Files
- Using the Command Line Interface
- Displaying and Changing Configuration Information
- Port Names
Hot Swapping Line Cards and Control Modules
- Hot Swapping Overview
- Hot Swapping Line Cards
- Hot Swapping a Secondary Control Module
- Hot Swapping a Switching Fabric Module (SSR 8600 only)
  - Removing the Switching Fabric Module
  - Installing a Switching Fabric Module
Bridging Configuration Guide
- Bridging Overview
  - Spanning Tree (IEEE 802.1d)
  - Bridging Modes (Flow-Based and Address-Based)
- VLAN Overview
- Configuring SSR Bridging Functions
- Monitoring Bridging
- Configuration Examples
  - Creating an IP or IPX VLAN
  - Creating a non-IP/non-IPX VLAN
SmartTRUNK Configuration Guide
- Overview
- Configuring SmartTRUNKs
- Monitoring SmartTRUNKs
- Example Configurations
ATM Configuration Guide
- ATM Overview
- Virtual Channels
  - Creating a Virtual Channel
- Service Class Definition
  - Creating a Service Class Definition
  - Applying a Service Class Definition
- Cell Scrambling
  - Enabling Cell Scrambling
- Cell Mapping
  - Selecting the Cell Mapping Format
- Creating a Non-Zero VPI
  - Setting the Bit Allocation for VPI
- Displaying ATM Port Information
- ATM Sample Configuration 1
Packet-over-SONET Configuration Guide
- Overview
  - Configuring IP Interfaces for PoS Links
- Configuring Packet-over-SONET Links
- Configuring Automatic Protection Switching
  - Configuring Working and Protecting Ports
- Specifying Bit Error Rate Thresholds
- Monitoring PoS Ports
- Example Configurations
DHCP Configuration Guide
- DHCP Overview
- Configuring DHCP
- Updating the Lease Database
- Monitoring the DHCP Server
- DHCP Configuration Examples
IP Routing Configuration Guide
- IP Routing Protocols
  - Unicast Routing Protocols
  - Multicast Routing Protocols
- Configuring IP Interfaces and Parameters
- Configuring Router Discovery
- Configuration Examples
  - Assigning IP/IPX Interfaces
VRRP Configuration Guide
- VRRP Overview
- Configuring VRRP
- Monitoring VRRP
  - ip-redundancy trace
  - ip-redundancy show
- VRRP Configuration Notes
RIP Configuration Guide
- RIP Overview
- Configuring RIP
- Monitoring RIP
- Configuration Example
OSPF Configuration Guide
- OSPF Overview
  - OSPF Multipath
- Configuring OSPF
- Monitoring OSPF
- OSPF Configuration Examples
BGP Configuration Guide
- BGP Overview
  - The SSR BGP Implementation
- Basic BGP Tasks
- BGP Configuration Examples
Routing Policy Configuration Guide
- Route Import and Export Policy Overview
- Configuring Simple Routing Policies
- Configuring Advanced Routing Policies
Multicast Routing Configuration Guide
- IP Multicast Overview
  - IGMP Overview
  - DVMRP Overview
- Configuring IGMP
- Configuring DVMRP
- Monitoring IGMP & DVMRP
- Configuration Examples
IP Policy-Based Forwarding Configuration Guide
- Overview
- Configuring IP Policies
- IP Policy Configuration Examples
- Monitoring IP Policies
Network Address Translation Configuration Guide
- Overview
- Configuring NAT
  - Setting Inside and Outside Interfaces
  - Setting NAT Rules
    - Static
    - Dynamic
- Forcing Flows through NAT
- Managing Dynamic Bindings
- NAT and DNS
- NAT and ICMP Packets
- NAT and FTP
- Monitoring NAT
- Configuration Examples
Web Hosting Configuration Guide
- Overview
- Load Balancing
- Web Caching
IPX Routing Configuration Guide
- IPX Routing Overview
  - RIP (Routing Information Protocol)
  - SAP (Service Advertising Protocol)
- Configuring IPX RIP & SAP
- Configuring IPX Interfaces and Parameters
- Configuring IPX Routing
- Monitoring an IPX Network
- Configuration Examples
Access Control List Configuration Guide
- ACL Basics
- Creating and Modifying ACLs
  - Editing ACLs Offline
  - Maintaining ACLs Using the ACL Editor
- Using ACLs
- Enabling ACL Logging
- Monitoring ACLs
Security Configuration Guide
- Security Overview
- Configuring SSR Access Security
- Layer-2 Security Filters
- Layer-3 Access Control Lists (ACLs)
- Layer-4 Bridging and Filtering
QoS Configuration Guide
- QoS & Layer-2/Layer-3/Layer-4 Flow Overview
- Traffic Prioritization for Layer-2 Flows
  - Configuring Layer-2 QoS
  - 802.1p Priority Mapping
- Traffic Prioritization for Layer-3 & Layer-4 Flows
  - Configuring IP QoS Policies
    - Setting an IP QoS Policy
    - Specifying Precedence for an IP QoS Policy
  - Configuring IPX QoS Policies
    - Setting an IPX QoS Policy
    - Specifying Precedence for an IPX QoS Policy
- Configuring SSR Queueing Policy
  - Allocating Bandwidth for a Weighted-Fair Queuing Policy
- Weighted Random Early Detection (WRED)
- ToS Rewrite
  - Configuring ToS Rewrite for IP Packets
- Monitoring QoS
- Limiting Traffic Rate
Performance Monitoring Guide
- Performance Monitoring Overview
- Configuring the SSR for Port Mirroring
- Monitoring Broadcast Traffic
RMON Configuration Guide
- RMON Overview
- Configuring and Enabling RMON
- Using RMON
- Configuring RMON Groups
  - Configuration Examples
- Displaying RMON Information
  - RMON CLI Filters
    - Creating RMON CLI Filters
    - Using RMON CLI Filters
- Troubleshooting RMON
- Allocating Memory to RMON
LFAP Configuration Guide
- Overview
- Cabletron’s Traffic Accounting Services
- Configuring the LFAP Agent on the SSR
- Monitoring the LFAP Agent on the SSR
WAN Configuration Guide
- WAN Overview
- Frame Relay Overview
  - Virtual Circuits
    - Permanent Virtual Circuits (PVCs)
- Configuring Frame Relay Interfaces for the SSR
- Monitoring Frame Relay WAN Ports
- Frame Relay Port Configuration
- Point-to-Point Protocol (PPP) Overview
  - Use of LCP Magic Numbers
- Configuring PPP Interfaces
- Monitoring PPP WAN Ports
- PPP Port Configuration
- WAN Configuration Examples
  - Simple Configuration File
  - Multi-Router WAN Configuration
New Features Supported on Line Cards
- Introduction
- SSR 8000/8600 Line Cards
- SSR 2000 Line Cards
- New Features that Require Specific Line Cards
- Summary
- Identifying a Line Card

Chapter 19: Access Control List Configuration Guide

266 SmartSwitch Router User Reference Manual

If you edit and save changes to an ACL that is currently being used or applied to an

interface, the changes will take effect immediately. There is no need to remove the ACL

from the interface before making changes and reapply it after changes are made. The

process is automatic.

Using ACLs

It is important to understand that an ACL is simply a definition of packet characteristics

specified in a set of rules. An ACL must be enabled in one of the following ways:

• Applying an ACL to an interface, which permits or denies traffic to or from the SSR.

ACLs used in this way are known as Interface ACLs.

• Applying an ACL to a service, which permits or denies access to system services

provided by the SSR. ACLs used in this way are known as Service ACLs.

• Applying an ACL to ports operating in Layer-4 bridging mode, which permits or

denies bridged traffic. ACLs used in this way are known as Layer-4 Bridging ACLs.

• Associating an ACL with ip-policy, nat, port mirroring, rate-limit, or web-cache

commands, which specifies the criteria that packets, addresses, or flows must meet in

order to be relevant to these SSR features. ACLs used in this way are known as Profile

ACLs.

These uses of ACLs are described in the following sections.

Applying ACLs to Interfaces

An ACL can be applied to an interface to examine either inbound or outbound traffic.

Inbound traffic is traffic coming into the SSR. Outbound traffic is traffic going out of the

SSR. For each interface, only one ACL can be applied for the same protocol in the same

direction. For example, you cannot apply two or more IP ACLs to the same interface in the

inbound direction. You can apply two ACLs to the same interface if one is for inbound

traffic and one is for outbound traffic, but not in the same direction. However, this

restriction does not prevent you from specifying many rules in an ACL. You just have to

put all of these rules into one ACL and apply it to an interface.

When a packet comes into the SSR at an interface where an inbound ACL is applied, the

SSR compares the packet to the rules specified by that ACL. If it is permitted, the packet is

allowed into the SSR. If not, the packet is dropped. If that packet is to be forwarded to go

out of another interface (that is, the packet is to be routed) then a second ACL check is

possible. At the output interface, if an outbound ACL is applied, the packet will be

compared to the rules specified in this outbound ACL. Consequently, it is possible for a

packet to go through two separate checks, once at the inbound interface and once more at

the outbound interface.

When you apply an ACL to an interface, you can also specify whether the ACL can be

modified or removed from the interface by an external agent (such as the Policy Manager