User guide

Chapter 6 Control Configuration
Configuring the Available Interfaces
SCE 1000 2xGBE Release 2.0.10 User Guide
OL-7117-02 6-3
Creating an access list is done entry by entry, from the first to the last. When the system checks an IP address against an access list, it compares the address with each entry in turn, starting at the first entry and moving towards the last. The first match that is detected (that is, the first entry whose IP address range contains the address being checked) determines the result, according to the permit/deny flag in the matched entry. If no entry in the access list matches, access is denied.
You can create up to 99 access lists. Access lists can be associated with system access on the
following levels:
Global (IP) level. If a global list is defined using the ip access-class command, then when a request comes in, the SCE 1000 first checks whether access is permitted from that IP address. If not, the SCE does not respond to the request. Configuring the SCE 1000 to deny a certain IP address precludes communicating with that address using any IP-based protocol, including Telnet, FTP, ICMP and SNMP. The basic IP interface is low-level: it blocks the IP packets before they reach the interfaces.
Interface level. Access to each management interface (Telnet, SNMP, etc.) can be restricted to an access list. Interface-level lists are, by definition, a subset of the Global list defined: if access is denied at the global level, the IP address is not allowed to access the SCE through any of the interfaces. Once an access list is associated with a specific management interface, that interface checks the access list to find out whether a specific external IP address trying to access the management interface has permission.
It is possible to associate several management interfaces with the same access list, if this is the desired behavior of the SCE 1000.
If no ACL is associated with a management interface or with the global IP level, access is permitted from all IP addresses.
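To make the first-match rule and the two-level (global, then interface) check concrete, here is an added Python model of the evaluation described above; it is example code, not part of the SCE guide or the SCE software, and the access lists, host addresses and CIDR notation in it are constructed for the example.

```python
import ipaddress

# Constructed example access lists (not from the SCE guide). Entries are
# (action, network) pairs in the order they were entered; CIDR notation
# is an assumption made here for readability.
ACCESS_LISTS = {
    1: [("deny", "10.1.1.5/32"),      # an early deny entry shadows the later permit
        ("permit", "10.1.1.0/24")],
    2: [("permit", "10.1.1.7/32")],   # interface list: only one host may use Telnet
}


def acl_permits(entries, addr):
    """First-match evaluation: walk the entries from first to last and return
    the permit/deny flag of the first entry whose range contains addr.
    No matching entry means an implicit deny."""
    ip = ipaddress.ip_address(addr)
    for action, network in entries:
        if ip in ipaddress.ip_network(network, strict=False):
            return action == "permit"
    return False


def management_access_allowed(addr, global_acl=None, interface_acl=None):
    """Global (ip access-class) list is checked first, then the interface's
    own list (access-class). None means no list is bound at that level, so
    that level permits all addresses."""
    if global_acl is not None and not acl_permits(ACCESS_LISTS[global_acl], addr):
        return False          # blocked before the packet reaches any interface
    if interface_acl is not None and not acl_permits(ACCESS_LISTS[interface_acl], addr):
        return False          # passed the global list but not this interface's list
    return True


if __name__ == "__main__":
    for host in ("10.1.1.5", "10.1.1.7", "10.1.1.9", "192.168.1.1"):
        telnet = management_access_allowed(host, global_acl=1, interface_acl=2)
        snmp = management_access_allowed(host, global_acl=1)  # no interface list bound
        print(f"{host:12} telnet={telnet!s:5} snmp={snmp}")
```

Swapping the two entries of list 1 would permit 10.1.1.5, which is why entry order matters when building a list.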
Note
The SCE Platform responds to ping commands only from IP addresses that are allowed access. A ping from a non-authorized address will not receive a response from the SCE unit, because ping uses the ICMP protocol.
The following commands are relevant to access lists:
access-list
access-class number in
ip access-class
no access-list
no ip access-class
show ip access-class
Adding Entries to an Access List
To add an address to an access list allowing access to a particular address:
Step 1 To enter the Global Configuration Mode, type configure and press Enter.