XSR User's Guide
Chapter 13: Features
Configuring Security on the XSR
Access Control Lists
Access Control Lists (ACLs) impose selection criteria on specific types of
packets which, when used in conjunction with other functions, can restrict
Layer 3 traffic through the XSR. They are configured as follows:
- Standard access lists (1-99) restrict traffic based on source IP address.
- Extended access lists (100-199) filter traffic by source and destination
IP address, protocol type (ICMP, TCP, UDP, GRE, ESP, AH), port number
(TCP, UDP), and type/code (ICMP).
To configure ACLs, you define them by number and then apply them to an
interface. Any number of entries can be defined in a single ACL, and they
may actually conflict; entries are evaluated in the order in which they
appear in the show access-lists command, so the first matching entry decides.
Input and output filters are applied separately, and an interface can have
only one ACL applied to its input side and one to its output side. Also, the
ACL netmask is complemented (a wildcard mask in which a set bit means "ignore
this bit"). For example, 0.0.0.255 indicates that the least significant byte
of the address is ignored.
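The two rules above (complemented masks and first-match ordering) are easy to get wrong when reading a list. The following is an added illustration, not code from the XSR or this guide: a small evaluator that applies an ACL to a packet the way the text describes. The sample lists, the "implicit deny" when nothing matches, and the field names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """XSR-style complemented mask: a 1 bit in the wildcard is 'don't care'.
    0.0.0.255 therefore ignores the least significant byte, as the guide says."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF              # bits that must be equal
    return (a & care) == (b & care)

@dataclass
class AclEntry:
    action: str                         # "permit" or "deny"
    src: str
    src_wild: str
    proto: str = "ip"                   # extended lists only; "ip" matches any protocol
    dst: str = "0.0.0.0"                # standard lists never look at the destination
    dst_wild: str = "255.255.255.255"
    dport: Optional[int] = None         # extended lists only; None = any port

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Entries are tested in list order; the first match wins, so conflicting
    entries are legal and only their order matters. A packet matching no entry
    is denied here (assumed default; the guide does not state the XSR's)."""
    for e in acl:
        if not wildcard_match(pkt.src, e.src, e.src_wild):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wild):
            continue
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"

# Constructed sample lists (not taken from the guide). In STANDARD_10 the host
# deny overlaps the network permit; swapping the two lines changes the result.
STANDARD_10 = [AclEntry("deny", "10.1.1.99", "0.0.0.0"),
               AclEntry("permit", "10.1.1.0", "0.0.0.255")]
EXTENDED_101 = [AclEntry("permit", "10.1.1.0", "0.0.0.255", "tcp", "192.0.2.10", "0.0.0.0", 443),
                AclEntry("deny", "0.0.0.0", "255.255.255.255")]
```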
The XSR implementation of ACLs is limited by the following conditions:
- The total number of ACL entries allowed is 500.
- For crypto maps and ACLs applied to the same interface, the XSR gives
precedence to the crypto map, which is always consulted before the ACL on
a port for both inbound and outbound traffic. If IPSec encrypts or decrypts
packets due to the crypto map configuration, then the ACL is ignored.
Packet Filtering
Packet filtering is configured via standard and extended access-list
commands. For more information, refer to the XSR CLI Reference Guide.
LANd Attack
Protection against LANd attacks is triggered when a packet arrives with the
IP source address equal to the IP destination address. This is an illegal IP
packet and it is discarded by the XSR when the protection is enabled with the
HostDos command. See the Firewall section for more details.