XSR User's Guide 257
Chapter 11 VPN Configuration Overview
Configuring the Virtual Private Network
ACL Configuration Rules
Consider a few general rules when configuring ACLs on the XSR:
Typically, two ACL sets are written, one set to filter IPSec/IKE traffic (defined in crypto maps), and a simple set to filter non-IPSec traffic.

When crypto maps and ACLs are configured on the same interface, the XSR gives precedence to the crypto map, which is always consulted before the ACL for both inbound and outbound traffic. If IPSec encrypts or decrypts packets by virtue of a crypto map configuration, then the ACL is ignored.

ACLs entered independently are uni-directional but are rendered bi-directional when later associated with a crypto map through the match address <acl #> command.

A total of 500 ACL entries are permitted by the XSR with 64 MBytes of RAM installed (99 ACL limit for IKE/IPSec).
Configuring ACLs
Three simple ACL examples illustrating various CLI options are detailed
below. Other crypto map ACLs, defined in greater detail, are configured later
in this chapter.
The first ACL example is fairly restrictive. It configures ACL 101 to permit IKE (UDP port 500), GRE, and TCP traffic on any internal host to pass to host 141.15.6.17 (denying all other traffic) and ACL 102 to permit the same type of traffic on host 141.15.6.17 to connect to any address (denying all other traffic). The commands on FastEthernet port 2 set ACL 101 to filter inbound traffic, and ACL 102 to filter outbound traffic. Some commands are abbreviated.
XSR(config)#acc 101 permit udp any host 192.168.2.17 eq 500
XSR(config)#access-list 101 permit gre any host 192.168.2.17
XSR(config)#acc 101 permit tcp any host 192.168.2.17 estab
XSR(config)#access-list 101 deny ip any any
XSR(config)#acc 102 permit udp host 192.168.2.17 any eq 500
XSR(config)#access-list 102 permit gre host 192.168.2.17 any
XSR(config)#acc 102 permit tcp host 192.168.2.17 any eq 80
XSR(config)#access-list 102 permit ip host 192.168.2.17 any
XSR(config)#access-list 102 deny ip any any
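To see how the entries above are applied in order (first match wins, with an implicit deny after the last entry, and the estab keyword matching only TCP packets with ACK or RST set), here is an added Python model of the two ACLs; it is not part of this guide or of the XSR software. The expanded keywords and the constructed test addresses (10.0.0.5, 198.51.100.7) are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample input: the two ACLs shown in this section, with the
# abbreviated keywords (acc, estab) expanded to their full forms.
ACL_TEXT = """
access-list 101 permit udp any host 192.168.2.17 eq 500
access-list 101 permit gre any host 192.168.2.17
access-list 101 permit tcp any host 192.168.2.17 established
access-list 101 deny ip any any
access-list 102 permit udp host 192.168.2.17 any eq 500
access-list 102 permit gre host 192.168.2.17 any
access-list 102 permit tcp host 192.168.2.17 any eq 80
access-list 102 permit ip host 192.168.2.17 any
access-list 102 deny ip any any
"""
# proto "ip" matches any protocol; dport is the "eq <port>" qualifier (None if absent)
Entry = namedtuple("Entry", "action proto src dst dport established")

def _addr(t):
    """Consume 'any' or 'host <ip>' from the front of the token list."""
    if t[0] == "any":
        return t.pop(0)
    kw, ip = t.pop(0), t.pop(0)
    if kw != "host":
        raise ValueError(f"expected 'host' or 'any', got {kw!r}")
    return str(ipaddress.ip_address(ip))

def parse_acls(text):
    """Group access-list entries by ACL number, keeping their order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"unrecognised line: {line}")
        num, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)   # in these ACLs "eq" only follows the destination
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(num, []).append(
            Entry(action, proto, src, dst, dport, "established" in rest))
    return acls

def evaluate(acl, proto, src, dst, dport=None, ack_or_rst=False):
    """First matching entry wins; no match falls to the implicit deny (index -1)."""
    for i, e in enumerate(acl):
        if e.proto not in ("ip", proto) or e.src not in ("any", src):
            continue
        if e.dst not in ("any", dst) or e.dport not in (None, dport):
            continue
        if e.established and not ack_or_rst:   # a fresh inbound SYN is not "established"
            continue
        return e.action, i
    return "deny", -1
```

Running evaluate over ACL 102 shows that its permit ip entry catches every packet from 192.168.2.17 before the final deny, so that deny only acts on traffic from other source hosts.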