ATM Switch Router Software Configuration Guide
OL-7396-01
Chapter 12 Using Access Control
Switch(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
Switch(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
Switch(config)# access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255
Switch(config)# interface ethernet0
Switch(config-if)# ip access-group 102 in
As another example, suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want hosts on the Internet to be able to form TCP connections to hosts on the Ethernet, except to the mail (SMTP) port of a dedicated mail host.

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25; outbound packets have the port numbers reversed. Because the secure system behind the switch always accepts mail connections on port 25, incoming and outgoing services can be controlled separately. The access list can be configured on either the outbound or inbound interface.

In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only with the TCP protocol and indicates an established connection: a match occurs if the TCP datagram has the acknowledgment (ACK) or reset (RST) bit set, which indicates that the packet belongs to an existing connection.
Switch(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
Switch(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
Switch(config)# interface ethernet0
Switch(config-if)# ip access-group 102 in
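As an added illustration that is not part of the Cisco guide, the following Python evaluates the two-entry access list 102 above against constructed inbound packets, implementing the wildcard-mask comparison and the ACK/RST test behind the established keyword. The packet addresses, the ACE parser and the evaluator are assumptions made for this example, not IOS code.

```python
import ipaddress

# Constructed sample input: the two-entry access list 102 from the page.
ACL_102 = [
    "access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established",
    "access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src src-wc dst dst-wc [eq|gt|lt port] [established]'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "src": tok[4], "src_wc": tok[5],
           "dst": tok[6], "dst_wc": tok[7], "port_op": None, "port": 0}
    rest = tok[8:]
    if rest and rest[0] in ("eq", "gt", "lt"):
        ace["port_op"], ace["port"] = rest[0], int(rest[1])
        rest = rest[2:]
    ace["established"] = bool(rest) and rest[0] == "established"
    return ace

def ace_matches(ace, pkt):
    if (ace["proto"] != pkt["proto"]
            or not wildcard_match(pkt["src"], ace["src"], ace["src_wc"])
            or not wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"])):
        return False
    op, port, dport = ace["port_op"], ace["port"], pkt.get("dport", 0)
    if (op == "eq" and dport != port) or (op == "gt" and dport <= port) or (op == "lt" and dport >= port):
        return False
    # 'established' matches only segments carrying ACK or RST, so a bare SYN never matches it.
    return not ace["established"] or bool(pkt.get("flags", set()) & {"ACK", "RST"})

def evaluate(acl_lines, pkt):
    """First matching entry decides; every IOS access list ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed inbound packets as the 'ip access-group 102 in' filter on ethernet0 would see them.
PACKETS = {
    "reply_to_outbound": {"proto": "tcp", "src": "203.0.113.7", "dst": "128.88.4.9", "dport": 40000, "flags": {"SYN", "ACK"}},
    "syn_to_mail_host": {"proto": "tcp", "src": "203.0.113.7", "dst": "128.88.1.2", "dport": 25, "flags": {"SYN"}},
    "syn_to_other_host": {"proto": "tcp", "src": "203.0.113.7", "dst": "128.88.4.9", "dport": 80, "flags": {"SYN"}},
    "rst_from_internet": {"proto": "tcp", "src": "203.0.113.7", "dst": "128.88.4.9", "dport": 80, "flags": {"RST"}},
}
```

Note the last constructed packet: established tests only the ACK/RST bits, not connection state, so a segment with RST set to any host in 128.88.0.0/16 also matches the first entry.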
Configuring Per-Interface Address Registration with Optional Access Filters
The ATM switch router allows configuration of per-interface access filters for Integrated Local Management Interface (ILMI) address registration, overriding the global default access filter setting.
To configure ILMI address registration and the optional access filters for a specified interface, perform the following tasks, beginning in global configuration mode:
Step 1
Command: Switch(config)# interface atm card/subcard/port
         Switch(config-if)#
Purpose: Specifies an ATM interface and enters interface configuration mode.

Step 2
Command: Switch(config-if)# atm address-registration permit {all | matching-prefix [all-groups | wellknown-groups]}
Purpose: Configures ILMI address registration and the optional access filters for the specified interface.

Example
The following example shows how to configure ILMI address registration on an individual interface to permit all groups with a matching ATM address prefix:
Switch(config)# interface atm 3/0/0
Switch(config-if)# atm address-registration permit matching-prefix all-groups
%ATM-5-ILMIACCFILTER: New access filter setting will be applied to registration
of new addresses on ATM3/0/0.
Switch(config-if)#