XSR User’s Guide 331
Chapter 13 Firewall CLI Commands
Configuring Security on the XSR
CAUTION
Use care not to overlap internal and external address ranges. Internal ranges take precedence over external ranges, so if an address exists in both, the internal definition is the one considered for policy matching. In certain situations this causes unexpected results, specifically when the other address in a policy is also internal and you expect a policy rule to match using that internal address against a wildcard such as ANY_EXTERNAL as the second address. Such a rule will not be matched if the address you expect to be part of ANY_EXTERNAL is also defined in an internal address range.
You can configure a network object from an internal address to any address on the Internet as follows:
XSR(config)#ip firewall network Any_address 1.0.0.1 255.255.255.254 external
or
XSR(config)#ip firewall network Internet 0.0.0.0 mask 0.0.0.0 external
Network group - Defines a group of network objects with ip firewall network-group. You can group up to ten network objects for simpler configuration, referenced by a single name. The intrinsic, pre-defined ANY_EXTERNAL and ANY_INTERNAL groups are maintained automatically by the firewall as long as you have defined at least one other internal or external group.
Service - Specifies an application in terms of the protocol and the source and destination ports it uses with ip firewall service. Packets with the source port in the specified range will match this service, as will packets with the destination port in that range. TCP and UDP protocols are supported. Intrinsic services covering all ports are ANY_TCP for TCP port ranges and ANY_UDP for UDP port ranges.
Service group - Aggregates a number of service objects with ip firewall service-group. Typically, the service-group name is the specified application. Up to 10 service objects can be grouped.
Policy - Defines which applications can traverse the firewall and in which direction with ip firewall policy. Packets which match addresses and service are processed by these actions: allow, allow-auth, reject, log, reject, cls, etc. Configuration must observe these rules:
– Any address combination - You can define network addresses as follows: external to internal, internal to external, and internal to internal. External to external is not supported.
– Rule order - Earlier entered rules take precedence.
– Deny All for Unicast packets - The XSR firewall observes a DENY ALL default policy. So, unless explicitly allowed, all packets are dropped both ways.
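The matching rules listed above, together with the CAUTION at the top of this section, can be checked against a small model before committing a configuration to the router. The Python below is an added illustration written for this edit, not Enterasys XSR code: the class names, the CIDR inputs, the sample addresses (RFC 5737 documentation ranges plus a private 10.1.0.0/16) and the assumption that a named network object only matches on the side the address has been classified to are all constructed. It reproduces the overlap the CAUTION warns about: a host defined in both an internal and an external object is treated as internal, so a rule whose second address is ANY_EXTERNAL never matches it and the packet falls through to DENY ALL.

```python
"""Model of the XSR firewall policy-matching rules described in this section.

Added illustration, not Enterasys code. The data model and the tie-break
(internal wins over external) are assumptions drawn from the text above.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkObject:
    name: str
    network: ipaddress.IPv4Network
    external: bool


@dataclass(frozen=True)
class Service:
    name: str
    proto: str  # "tcp" or "udp", the only protocols the guide supports
    lo: int
    hi: int

    def matches(self, proto, sport, dport):
        # A packet matches when either its source or its destination port is in range.
        return proto == self.proto and (self.lo <= sport <= self.hi or self.lo <= dport <= self.hi)


@dataclass(frozen=True)
class Policy:
    src: str      # network object/group name, or ANY_INTERNAL / ANY_EXTERNAL
    dst: str
    service: str  # service object/group name, or ANY_TCP / ANY_UDP
    action: str   # "allow" or "reject"


class Firewall:
    def __init__(self):
        self.networks = {}        # name -> NetworkObject
        self.groups = {}          # network-group name -> member object names
        self.services = {}        # name -> Service
        self.service_groups = {}  # service-group name -> member service names
        self.policies = []        # ordered: earlier rules take precedence

    def network(self, name, cidr, external):
        self.networks[name] = NetworkObject(name, ipaddress.ip_network(cidr, strict=False), external)

    def classify(self, addr):
        """Side an address is treated as: internal ranges take precedence (CAUTION)."""
        ip = ipaddress.ip_address(addr)
        if any(ip in n.network for n in self.networks.values() if not n.external):
            return "internal"
        if any(ip in n.network for n in self.networks.values() if n.external):
            return "external"
        return None

    def _addr_matches(self, name, addr):
        side = self.classify(addr)
        if name == "ANY_INTERNAL":
            return side == "internal"
        if name == "ANY_EXTERNAL":
            return side == "external"
        if name in self.groups:
            return any(self._addr_matches(m, addr) for m in self.groups[name])
        obj = self.networks[name]
        # Assumption: an object only matches on the side the address was classified to.
        return ipaddress.ip_address(addr) in obj.network and side == ("external" if obj.external else "internal")

    def _service_matches(self, name, proto, sport, dport):
        if name == "ANY_TCP":
            return proto == "tcp"
        if name == "ANY_UDP":
            return proto == "udp"
        if name in self.service_groups:
            return any(self._service_matches(s, proto, sport, dport) for s in self.service_groups[name])
        return self.services[name].matches(proto, sport, dport)

    def evaluate(self, src, dst, proto, sport, dport):
        """Action for a unicast packet: first matching rule wins, otherwise DENY ALL."""
        if self.classify(src) == "external" and self.classify(dst) == "external":
            return "deny"  # external-to-external policies are not supported
        for p in self.policies:
            if (self._addr_matches(p.src, src) and self._addr_matches(p.dst, dst)
                    and self._service_matches(p.service, proto, sport, dport)):
                return p.action
        return "deny"


def build_demo():
    """Constructed configuration containing the overlap the CAUTION warns about."""
    fw = Firewall()
    fw.network("LAN", "10.1.0.0/16", external=False)
    fw.network("Internet", "0.0.0.0/0", external=True)     # the page's 0.0.0.0 mask 0.0.0.0 external
    fw.network("Partner", "10.1.200.0/24", external=True)  # overlaps LAN: the mistake under test
    fw.network("Blocked", "198.51.100.0/24", external=True)
    fw.services["HTTP"] = Service("HTTP", "tcp", 80, 80)
    fw.services["HTTPS"] = Service("HTTPS", "tcp", 443, 443)
    fw.service_groups["Web"] = ["HTTP", "HTTPS"]
    fw.policies = [
        Policy("ANY_INTERNAL", "Blocked", "ANY_TCP", "reject"),  # entered first, so it wins
        Policy("LAN", "ANY_EXTERNAL", "Web", "allow"),
    ]
    return fw


if __name__ == "__main__":
    fw = build_demo()
    for dst in ("203.0.113.10", "10.1.200.5", "198.51.100.7"):
        print(dst, fw.classify(dst), fw.evaluate("10.1.5.5", dst, "tcp", 40000, 80))
```

Running the block shows 10.1.200.5 classified as internal and its HTTP packet denied even though a "Partner" external object covers it; removing the overlapping object (or moving the host out of the LAN range) is the fix the CAUTION implies.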