Manualshelf

Command Reference Guide

ManualsBrandsHP ManualsRoutersHP 7000 dl Router Series
581582583584585586587588589590
SROS Command Line Interface Reference Guide Frame Relay Sub-Interface Config Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 589
Usage Examples
The following example associates the access policy UnTrusted (to allow inbound traffic to the Web server)
to the Frame Relay sub-interface labeled 1.16:
Enable the Secure Router OS security features:
(config)#ip firewall
Create the access list (this is the packet selector):
(config)#ip access-list extended InWeb
(config-ext-nacl)#permit tcp any host 63.12.5.253 eq 80
Create the access policy that contains the access list InWeb:
(config)#ip policy-class UnTrusted
(config-policy-class)#permit list InWeb
Associate the access list with the ethernet 0/1 interface:
(config)#interface frame-relay 1.16
(config-fr 1.16)#access-policy UnTrusted
Technology Review (Continued)
Creating access policies and lists to regulate traffic through the routed network is a four-step process:
Step 1:
Enable the security features of the
Secure Router OS
using the ip firewall command.
Step 2:
Create an access list to permit or deny specified traffic. Standard access lists provide pattern matching for
source IP addresses only. (Use extended access lists for more flexible pattern matching.) IP addresses
can be expressed in one of three ways:
1. Using the keyword any to match any IP address. For example, entering deny any will effectively shut
down the interface that uses the access list because all traffic will match the any keyword.
2. Using the host <A.B.C.D> to specify a single host address. For example, entering permit
196.173.22.253 will allow all traffic from the host with an IP address of 196.173.22.253.
3. Using the <A.B.C.D> <wildcard> format to match all IP addresses in a “range”. Wildcard masks work in
reverse logic from subnet mask. Specifying a one in the wildcard mask equates to a “don’t care”. For
example, entering deny 192.168.0.0 0.0.0.255 will deny all traffic from the 192.168.0.0/24 network.
Step 3:
Create an access policy that uses a configured access list.
Secure Router OS
access policies are used to
permit, deny, or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector
(access list) and an action (allow, discard, NAT). When packets are received on an interface, the
configured ACPs are applied to determine whether the data will be processed or discarded. Possible
actions performed by the access policy are as follows: