Using Access Control
This chapter describes how to configure and maintain access control lists, which are used to permit or deny incoming or outgoing calls on the interfaces of Cisco DSLAMs with NI-2. This chapter includes these sections:
• Configuring a Template Alias
• Configuring an ATM Filter Expression
• Configuring ATM Interface Access Control
• ATM Filter Configuration Example
• Configuring Per-Interface Address Registration with Optional Access Filters
Access Control Overview
The ATM signaling software uses the access control list to filter setup messages on an interface based on destination, source, or a combination of both. You can use access lists to deny connections known to be security risks and permit all other connections, or to permit only those connections considered acceptable and deny all the rest. For firewall implementation, denying access to security risks offers more control.
During initial configuration, perform these steps to use access control to filter setup messages:
Step 1 Create a template alias allowing you to use real names instead of ATM addresses in your ATM filter expressions.
Step 2 Create the ATM filter set or filter expression based on your requirements.
Step 3 Associate the filter set or filter expression to an interface using the atm access-group command.
Step 4 Confirm the configuration.
Configuring a Template Alias
To configure an ATM template alias, use this command in global configuration mode:
Examples
This example creates a template alias named training using the ATM address template 47.1328 and the ellipsis (...) to enter the trailing 4-bit hexadecimal digits in the address:
DSLAM(config)# atm template-alias training 47.1328...
This example creates a template alias named bit_set with the ATM address template 47.9f9(1*0*).88ab... that matches the 4 addresses that begin with:
• 47.9F9(1000).88AB... = 47.9F98.88AB...
• 47.9F9(1001).88AB... = 47.9F99.88AB...
• 47.9F9(1100).88AB... = 47.9F9C.88AB...
• 47.9F9(1101).88AB... = 47.9F9D.88AB...
DSLAM(config)# atm template-alias bit_set 47.9f9(1*0*).88ab...
This example creates a template alias named byte_wise with the ATM address template 47.9*F8.33... that matches all ATM addresses beginning with the 16 prefixes:
• 47.90F8.33...
through
• 47.9FF8.33...
DSLAM(config)# atm template-alias byte_wise 47.9*F8.33...
This example shows the template aliases configured in the previous examples using the show running-config privileged EXEC command:
DSLAM# show running-config
Building configuration...
Current configuration:
!
version XX.X
no service pad
service udp-small-servers
service tcp-small-servers
!
hostname DSLAM
!
!
username dtate
ip rcmd remote-username dplatz
atm template-alias training 47.1328...
atm template-alias bit_set 47.9f9(1*0*).88ab...
atm template-alias byte_wise 47.9*f8.33...
!
<information deleted>
Configuring ATM Filter Sets
To create an ATM address filter or time-of-day filter, use this command in global configuration mode:
Command: atm filter-set name [index number] [permit | deny] {address-template | time-of-day {anytime | start-time end-time}}
Task: Configure a global ATM address filter set.
Examples
This example creates a filter named filter_1 that permits access to the specific ATM address 47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00:
DSLAM(config)# atm filter-set filter_1 permit 47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00
This example creates a filter named filter_2 that denies access to the specific ATM address 47.0000.8100.5678.0003.c386.b301.0003.c386.b301.00, but allows access to all other ATM addresses:
DSLAM(config)# atm filter-set filter_2 deny 47.0000.8100.5678.0003.c386.b301.0003.c386.b301.00
DSLAM(config)# atm filter-set filter_2 permit default
This example creates a filter named filter_3 that denies access to all ATM addresses that begin with the prefix 47.840F, but permits all other calls:
DSLAM(config)# atm filter-set filter_3 deny 47.840F...
DSLAM(config)# atm filter-set filter_3 permit default
Note: The order in which deny and permit filters are configured is very important. See the next example.
In this example, the filter set filter_4 has its first filter configured to permit all addresses and its second filter configured to deny access to all addresses that begin with the prefix 47.840F. Because the default filter matches all addresses, the second filter is never used, so addresses that begin with the prefix 47.840F are also permitted.
DSLAM(config)# atm filter-set filter_4 permit default
DSLAM(config)# atm filter-set filter_4 deny 47.840F...
This example creates a filter named filter_5 that denies access to all ATM addresses described by the ATM template alias bad_users:
DSLAM(config)# atm filter-set filter_5 deny bad_users
DSLAM(config)# atm filter-set filter_5 permit default
This example shows how to configure a filter set named tod1, with an index of 2, to deny calls between 11:15 a.m. and 10:45 p.m.:
DSLAM(config)# atm filter-set tod1 index 2 deny time-of-day 11:15 22:45
DSLAM(config)# atm filter-set tod1 index 3 permit time-of-day anytime
This example shows how to configure a filter set named tod1, with an index of 4, to permit calls any time:
DSLAM(config)# atm filter-set tod1 index 4 permit time-of-day anytime
This example shows how to configure a filter set named tod2 to deny calls between 8:00 p.m. and 6:00 a.m.:
DSLAM(config)# atm filter-set tod2 deny time-of-day 20:00 06:00
DSLAM(config)# atm filter-set tod2 permit time-of-day anytime
This example shows how to configure a filter set named tod2 to permit calls at any time:
DSLAM(config)# atm filter-set tod2 permit time-of-day 3:30 3:30
After you create a filter set using the previous configuration commands, it must be associated with an interface as an access group to actually filter any calls (see the "Configuring ATM Interface Access Control" section).
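The template wildcards and the entry-ordering note above can be checked offline before a filter set is applied. The following is an added example, not Cisco code: a small Python model of the template syntax shown on this page (`*` for one hex digit, `(1*0*)` for a bit pattern, trailing `...` for a prefix) and of first-match evaluation. The sample address is constructed, and the result when no entry matches is left as None because this page does not state it.

```python
import re

def compile_template(template):
    """Return (per-nibble sets of allowed values, is_prefix) for an ATM address template."""
    is_prefix = template.endswith("...")          # trailing ellipsis: any remaining digits
    body = (template[:-3] if is_prefix else template).replace(".", "").lower()
    tokens = re.findall(r"\([01*]{4}\)|[0-9a-f*]", body)
    if "".join(tokens) != body:
        raise ValueError(f"unsupported template syntax: {template!r}")
    nibbles = []
    for tok in tokens:
        if tok == "*":                             # any single hex digit
            nibbles.append(set(range(16)))
        elif tok.startswith("("):                  # bit pattern for one nibble, e.g. (1*0*)
            bits = tok[1:-1]
            nibbles.append({v for v in range(16)
                            if all(b in ("*", format(v, "04b")[i]) for i, b in enumerate(bits))})
        else:                                      # literal hex digit
            nibbles.append({int(tok, 16)})
    return nibbles, is_prefix

def matches(template, address):
    """True if the dotted-hex ATM address matches the template ('default' matches all)."""
    if template == "default":
        return True
    nibbles, is_prefix = compile_template(template)
    digits = [int(c, 16) for c in address.replace(".", "")]
    if len(digits) < len(nibbles) or (not is_prefix and len(digits) != len(nibbles)):
        return False
    return all(d in allowed for d, allowed in zip(digits, nibbles))

def evaluate(filter_set, address):
    """First matching entry decides; None means no entry matched (outcome not modelled)."""
    for action, template in filter_set:
        if matches(template, address):
            return action
    return None

def shadowed(filter_set):
    """Entries that can never be reached because an earlier 'default' entry matches everything."""
    for i, (_, template) in enumerate(filter_set):
        if template == "default":
            return filter_set[i + 1:]
    return []

# The page's filter_3 and filter_4, plus a constructed calling address under prefix 47.840F.
FILTER_3 = [("deny", "47.840F..."), ("permit", "default")]
FILTER_4 = [("permit", "default"), ("deny", "47.840F...")]
ADDR = "47.840f.8100.1234.0003.c386.b301.0003.c386.b301.00"  # constructed sample
```

Running `shadowed()` over each planned filter set flags a filter_4-style ordering mistake, where a deny entry sits behind `permit default` and never takes effect.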
Deleting Filter Sets
To delete an ATM filter set, use this command in global configuration mode:
Example
This example shows how to display and delete filter sets:
DSLAM# show atm filter-set
ATM filter set tod1
deny From 11:15 Hrs Till 22:45 Hrs index 2
permit From 0:0 Hrs Till 0:0 Hrs index 4
ATM filter set tod2
deny From 20:0 Hrs Till 6:0 Hrs index 1
permit From 3:30 Hrs Till 3:30 Hrs index 2
DSLAM# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
DSLAM(config)# no atm filter-set tod1 index 2
DSLAM(config)# no atm filter-set tod2
DSLAM(config)# end
DSLAM#
%SYS-5-CONFIG_I: Configured from console by console
DSLAM# show atm filter-set
ATM filter set tod1
permit From 0:0 Hrs Till 0:0 Hrs index 4
In order, the commands in this example:
1. Display the existing filter sets using the show atm filter-set command.
2. Change to global configuration mode.
3. Delete the specific filter-set tod1 index 2.
4. Delete the entire filter-set tod2.
5. Display the modified filter sets using the show atm filter-set command.
Configuring an ATM Filter Expression
Use the following commands to create global ATM filter expressions in global configuration mode.
Examples
This example defines a simple filter expression that has only one term and no operators:
DSLAM(config)# atm filter-expr training filter_1
This example defines a filter expression using the not operator:
DSLAM(config)# atm filter-expr training not filter_1
This example defines a filter expression using the or operator:
DSLAM(config)# atm filter-expr training filter_2 or filter_1
This example defines a filter expression using the and operator:
DSLAM(config)# atm filter-expr training filter_1 and source filter_2
This example defines a filter expression using the xor operator:
DSLAM(config)# atm filter-expr training filter_2 xor filter_1
Configuring ATM Interface Access Control
To subscribe an ATM interface to an existing ATM filter set or filter expression, perform these steps, beginning in global configuration mode:
Step 1
Command: interface atm slot/port
Task: Select the interface to be configured.
Step 2
Command: atm access-group name [in | out]
Task: Configure an existing ATM address pattern matching the filter expression.
Examples
This example shows how to configure access control for outgoing calls on ATM interface 0/1:
DSLAM(config)# interface atm 0/1
DSLAM(config-if)# atm access-group training out
This example configures access control for both outgoing and incoming calls on ATM interface 0/1 and displays the configured ATM filters:
DSLAM(config)# interface atm 0/1
DSLAM(config-if)# atm access-group training out
DSLAM(config-if)# atm access-group marketing in
DSLAM# show atm filter-set
ATM filter set tod1
deny From 11:15 Hrs Till 22:45 Hrs index 2
permit From 0:0 Hrs Till 0:0 Hrs index 4
ATM filter set tod2
deny From 20:0 Hrs Till 6:0 Hrs index 1
permit From 3:30 Hrs Till 3:30 Hrs index 2
DSLAM# show atm filter-expr
training = dest filter_1
ATM Filter Configuration Example
This section provides a complete access filter configuration example using the information described in the preceding sections.
The sample network configuration used in this filter set configuration scenario is shown in Figure 12-1.
Figure 12-1 ATM Access Filter Configuration Example
Example
This example shows how to configure the Filter Switch, shown in Figure 12-1, to deny access to all calls received on ATM interface 0/1 from the workstations directly attached to the Lab Switch, but to allow all other calls. The Filter Switch denies all calls if the calling party address begins with the prefix 47.0091.8100.0000.2222.2222.FFFF:
Filter Switch(config)# atm template-alias lab-sw 47.0091.8100.0000.2222.2222.FFFF...
Filter Switch(config)# atm filter-set filter_1 deny lab-sw
Filter Switch(config)# atm filter-set filter_1 permit default
Filter Switch(config)# atm filter-expr exp1 src filter_1
Filter Switch(config)#
Filter Switch(config)# interface atm 0/1
Filter Switch(config-if)# atm access-group exp1 in
Filter Switch(config-if)# end
Filter Switch# show atm filter-set
ATM filter set filter_1
deny 47.0091.8100.0000.2222.2222.ffff... index 1
permit default index 2
Filter Switch# show atm filter-expr
exp1 = src filter_1
Configuring Per-Interface Address Registration with Optional Access Filters
The DSLAM allows you to configure per-interface access filters for ILMI address registration to override the global default of access filters.
To configure ILMI address registration and the optional access filters for a specified interface, perform these tasks, beginning in global configuration mode:
Example
This example shows how to configure ILMI address registration on an individual interface to permit all groups with a matching ATM address prefix and displays the interface ILMI address registration access filter configuration:
DSLAM(config)# interface atm 0/1
DSLAM(config-if)# atm address-registration permit matching-prefix all-groups
%ATM-5-ILMIACCFILTER: New access filter setting will be applied to registration
of new addresses on ATM0/1.
DSLAM(config-if)#
DSLAM# show running-config
Building configuration...
Current configuration:
!
version XX.X
no service pad
<Information Deleted>
interface ATM0/0
 no ip address
 atm maxvp-number 0
!
interface Ethernet0/0
 ip address 172.20.41.110 255.255.255.0
 ip access-group 102 out
!
interface ATM0/1
 no atm auto-configuration
 atm address-registration permit matching-prefix all-groups
 atm iisp side user
 atm pvc 100 200
 atm signalling cug access permit-unknown-cugs both-direction permanent
 atm accounting
!
interface ATM0/2
!
<information deleted>
Posted: Fri Dec 3 13:00:41 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.