Dm752 Iv10 62 Access Control

Teldat Router
Access Control
Doc. DM752-I Rev. 10.62
September, 2008
INDEX
Chapter 1 Introduction .....................................................................................................1

1. Access Control Lists........................................................................................................... 2
Chapter 2 Configuration...................................................................................................3
1. Introduction ........................................................................................................................ 4
2. Accessing the Configuration .............................................................................................. 5
3. Main Configuration Menu.................................................................................................. 6
3.1. ? (HELP) ................................................................................................................. 7
3.2. ACCESS-LIST........................................................................................................ 7
3.3. LIST ........................................................................................................................ 7
a) LIST ALL-ACCESS-LISTS ...................................................................................... 7
b) LIST STANDARD-ACCESS-LISTS ......................................................................... 8
c) LIST EXTENDED-ACCESS-LISTS ......................................................................... 8
3.4. NO........................................................................................................................... 8
a) NO ACCESS-LIST................................................................................................... 9
3.5. EXIT ....................................................................................................................... 9
4. Standard Access Lists......................................................................................................... 10
4.1. ? (HELP) ................................................................................................................. 10
4.2. ENTRY ................................................................................................................... 10
a) ENTRY <id> DEFAULT......................................................................................... 11
b) ENTRY <id> PERMIT ............................................................................................ 11
c) ENTRY <id> DENY................................................................................................ 11
d) ENTRY <id> SOURCE........................................................................................... 11
• ENTRY <id> SOURCE ADDRESS............................................................ 12
e) ENTRY <id> DESCRIPTION................................................................................. 13
4.3. LIST ........................................................................................................................ 13
a) LIST ALL-ENTRIES ................................................................................................ 13
b) LIST ADDRESS-FILTER-ENTRIES........................................................................ 14
c) LIST ENTRY............................................................................................................ 14
4.4. MOVE-ENTRY ...................................................................................................... 14
4.5. DESCRIPTION....................................................................................................... 15
4.6. NO........................................................................................................................... 15
a) NO ENTRY .............................................................................................................. 15
b) NO DESCRIPTION................................................................................................. 16
4.7. EXIT ....................................................................................................................... 16
5. Extended Access Lists........................................................................................................ 17
5.1. ? (HELP) ................................................................................................................. 17
5.2. ENTRY ................................................................................................................... 17
a) ENTRY <id> DEFAULT......................................................................................... 18
b) ENTRY <id> PERMIT ............................................................................................ 18
c) ENTRY <id> DENY................................................................................................ 18
d) ENTRY <id> SOURCE........................................................................................... 19
• ENTRY <id> SOURCE ADDRESS............................................................ 19
• ENTRY <id> SOURCE PORT-RANGE..................................................... 20
e) ENTRY <id> DESTINATION ................................................................................. 21
• ENTRY <id> DESTINATION ADDRESS................................................. 21
• ENTRY <id> DESTINATION PORT-RANGE.......................................... 22
f) ENTRY <id> PROTOCOL...................................................................................... 23
g) ENTRY <id> PROTOCOL-RANGE ....................................................................... 23
h) ENTRY <id> DS-FIELD......................................................................................... 24
i) ENTRY <id> LABEL .............................................................................................. 24
- ii -
j) ENTRY <id> PRECEDENCE................................................................................. 24
k) ENTRY <id> TCP-SPECIFIC ESTABLISHED ...................................................... 24
l) ENTRY <id> TOS-OCTET ..................................................................................... 25
m) ENTRY <id> CONNECTION ................................................................................. 25
n) ENTRY <id> DESCRIPTION................................................................................. 25
5.3. LIST ........................................................................................................................ 26
a) LIST ALL-ENTRIES ................................................................................................ 26
b) LIST ADDRESS-FILTER-ENTRIES........................................................................ 26
c) LIST ENTRY............................................................................................................ 26
5.4. MOVE-ENTRY ...................................................................................................... 27
5.5. DESCRIPTION....................................................................................................... 27
5.6. NO........................................................................................................................... 28
a) NO ENTRY .............................................................................................................. 28
b) NO DESCRIPTION................................................................................................. 28
5.7. EXIT ....................................................................................................................... 28
6. Show Config....................................................................................................................... 29
7. Practical Example............................................................................................................... 30
• Creating the access control lists................................................................... 30
• Associating the access List to the IPSec Protocol........................................ 31
Chapter 3 Monitoring .......................................................................................................33
1. Monitoring Commands ...................................................................................................... 34
1.1. ? (HELP) ................................................................................................................. 34
1.2. LIST ........................................................................................................................ 35
a) LIST ALL................................................................................................................. 35
• LIST ALL ALL-ACCESS-LISTS ............................................................... 35
• LIST ALL ADDRESS-FILTER-ACCESS-LISTS ...................................... 36
• LIST ALL ACCESS-LIST .......................................................................... 37
b) LIST CACHE........................................................................................................... 37
• LIST CACHE ALL-ACCESS-LISTS ......................................................... 37
• LIST CACHE ADDRESS-FILTER-ACCESS-LISTS ................................ 38
• LIST CACHE ACCESS-LIST..................................................................... 38
c) LIST ENTRIES ........................................................................................................ 39
• LIST ENTRIES ALL-ACCESS-LISTS....................................................... 39
• LIST ENTRIES ADDRESS-FILTER-ACCESS-LISTS ............................. 40
• LIST ENTRIES ACCESS-LIST.................................................................. 40
1.3. CLEAR-CACHE..................................................................................................... 40
1.4. SET-CACHE-SIZE................................................................................................. 41
1.5. SHOW-HANDLES................................................................................................. 41
1.6. HIDE-HANDLES ................................................................................................... 41
Chapter 4 Appendix ..........................................................................................................42
1. Reserved Ports.................................................................................................................... 43
2. Reserved Protocols............................................................................................................. 44
- iii -
Chapter 1
Introduction
1. Access Control Lists
The routers use access control lists (ACL) to identify traffic passing through them.
The access lists can filter the packet or routes flow passing through the router interfaces.
An IP access list is a sequential list of permission or negation conditions which are applied to source
or destination IP addresses, source or destination ports or to higher layer IP protocols such as IP, TCP
etc.
These can separate the traffic into different queues according to priority.
Types of access lists:
Standard (1 – 99): checks the source addresses of those packets requesting routing.
Extended (100 – 1999): checks both the source and destination addresses of each packet.
This can also verify specific protocols, number of ports and other parameters.
The access lists can be applied at both the input (so avoiding router overload) as well as the output.
An access control list itself does not imply a filter to limit the packet flow in the router. The Access
Control Lists must be associated to a protocol. The protocol used by an Access Control List is used as
a tool permitting traffic filters to be established. The protocols allow Access Control List management
incorporating commands which permit the protocol to be associated to the said Lists. Typical
protocols managing Access Control Lists are, among others: BRS, IPSec, Policy Routing, RIP.
A particularly interesting set of protocols are the routing protocols, most important of which are RIP,
OSPF and BGP. These protocols use the Access Control Lists, either directly or through Route Maps
(please see manual Dm764-I “Route Mapping”), to control the routes installed in the routing table or
that are distributed to other devices. There are also other very similar tools to Access Lists which are
specially orientated to route filtering such as Prefix Lists (see manual Dm780-I “Prefix Lists”).
The Access Control Lists indicate to the associated protocol the entry search results. The reception
search result for a packet can be:
Access List
Permitted
Found
Denied
IP Packet
Not Found Not Found
The associated protocol determines what should happen to the IP packet in accordance with the Access
List application result.
TELDAT ROUTER– IPSec Introduction Doc.DM752-I

I-2 Rev.10.62
Chapter 2
Configuration
1. Introduction
Each entry in the list is a block of sentences and an action which is identified by a unique number (the
entry identifier or ID field). The sentence block is made up of a source IP address (or range of
addresses), a destination IP address (or range of destination IP addresses), a protocol (or range of
protocols), source and destination ports (or range of ports), IP service byte values and the identifier for
connection between interfaces that the packet passes through. It’s unnecessary to specify all of them,
only those required. The action represents the process assigned to the packets coinciding with the
associated block of sentences: PERMIT or DENY.
A standard or extended access control list is made up of a series of entries which define the properties
that a packet must have in order to pertain to this entry and consequently this list. Subsequently, this
standard access control list is assigned to a protocol.
List 1
Action
Sentence A
Entry 1 Sentence B
|
Sentence Z
Action
Sentence A
Entry 2 Sentence B
|
Sentence Z
Action
Sentence A
Entry n Sentence B
|
Sentence Z
An Access Control List itself does not imply a filter to limit packet flow in the router.
The Access Control Lists must be associated to a protocol.
The Access Control Lists indicate the entry search results to the associated protocol.
The search result can have the following values: Not Found, Permit or Deny. The
associated protocol determines what to do with a packet according to the result given by
the Access Control List.
ROUTER TELDAT – Access Control Configuration Doc.DM752-I

II - 4 Rev.10.62
2. Accessing the Configuration
Operations to create, modify or eliminate access lists are executed from a specific menu where you can
also view the created lists.
In the router configuration structure, the Access Controls are organized as a feature (FEATURE). To
view the features permitting you to configure the router, enter the feature command followed by a
question mark (?).
Example:
Config>feature ?
access-lists Access generic access lists configuration
environment
bandwidth-reservation Bandwidth-Reservation configuration environment
control-access Control-access configuration environment
dns DNS configuration environment
frame-relay-switch Frame Relay Switch configuration environment
ip-discovery TIDP configuration environment
ldap LDAP configuration environment
mac-filtering Mac-filtering configuration environment
nsla Network Service Level Advisor configuration
nsm Network Service Monitor configuration environment
ntp NTP configuration environment
prefix-lists Access generic prefix lists configuration
environment
radius RADIUS protocol configuration environment
route-map Route-map configuration environment
scada-forwarder SCADA Forwarder configuration environment
sniffer Sniffer configuration environment
stun Stun facility configuration environment
syslog Syslog configuration environment
tms TMS configuration environment
vlan IEEE 802.1Q switch configuration environment
vrf VRF configuration environment
wrr-backup-wan WRR configuration environment
wrs-backup-wan WRS configuration environment
Config>
To access the Access Controls configuration menu, introduce, from the configuration root menu
(PROCESS 4), the word feature, followed by access-lists.
Example:
Config>feature access-lists
-- Access Lists user configuration --

Access Lists config>
By doing this you access the main Access Controls functionality configuration menu. Here you can
create, eliminate and view the access lists.
Each access control list is made up of entries, where you can indicate criteria and the parameters
permitting or limiting access.
There are two types of access control lists: Standard and Extended.
Very few parameters are used in the Standard lists to define the characteristics of each Access Control
entry. Contrariwise, the Extended lists permit you to define a larger number of selection parameters.
There are two submenus within the main Access Lists menu, one for each type of list. Accessing each
submenu is produced when editing a specific list, depending on whether the type selected is Extended
or Standard.

II - 5 Rev.10.62
3. Main Configuration Menu
You can create and eliminate lists from the main Access Control configuration menu. You can also
view the configuration of the created lists.
An Access List consists of a series of entries. Each entry in the list is a block of sentences and an
action. Each entry is identified by a unique number (the entry identifier or ID field). The sentence
block is made up of a source IP address (or range of addresses), a destination IP address (or range of
destination IP addresses), a protocol (or range of protocols), source and destination ports (or range of
ports) and the identifier for connection between interfaces that the packet passes through. The action
determines the criteria applied to the IP packets fulfilling the condition indicated by the sentences.
The action can be one of two types, permit or deny.
You can configure 1999 access lists in the router. Access lists whose identifiers take a value of
between 1 and 99 are the Standard Access Lists. Those lists taking a value between 100 and 1999 are
the Extended Access Lists.
The 1999 Access Lists are empty by default. An access list is considered empty when it does not
contain any entries.
Depending on the type of created list (Standard/Extended), the entry configurations for each list are
carried out in a submenu pertaining to each and which contains the same parameters for all entries of
the same type. The description of the configuration mode for the parameters contained in these
submenus is explained in the following sections.
Should one of the entry parameters or options in the Access Control Lists not be configured, this will
not be taken into account when checking the access.
The order of the entries in the Access Control List is very important in cases where the
information the sentences refer to, overlap between different entries.
You must bear in mind that the order in which the entries in a list are dealt with is not
defined by the entry identifier number but by the order in which they have been
introduced. This order can be seen through the “list” command and modified by using
the “move-entry” command. I.e. if when moving through the list, beginning with the
first listed element or entry, an element is found matching the search criteria, no
further search is carried out and the action indicated by the said entry is executed.
Please note that the search order among the entries on an Access Control List
DIFFERS from that used in a Prefix List (please see manual Dm780-I “Prefix Listsl”)
where this order is given by the value of the identifier.
The following commands are available in the main Access Control menu:
Command Function
? (help) Lists the available commands or their options.
access-list Configures an access list.
list Displays the configuration of the access lists.
no Negates a command or sets the default value.

II - 6 Rev.10.62
3.1. ? (HELP)
Use this command to list the valid commands at the level the router is programmed. You can also use
this command after a specific command to list the available options.
Syntax:
Access Lists config>?
Example:
Access Lists config>?
access-list Configure an access-list
list Display access-lists configuration
no Negates a command or sets its defaults
exit
3.2. ACCESS-LIST
Use this command to access the submenu permitting you to configure entries in an access list. The
Access Lists are identified by a numerical value which can take values between 1 and 199 i.e. the
router permits you to configure 1999 Access Lists. Access lists whose identifiers take a value of
between 1 and 99 are the Standard Access Lists. Those lists taking a value between 100 and 1999 are
the Extended Access Lists. The Extended Access Lists configuration submenu can configure a larger
number of selection parameters. On introducing this command followed by an identifier, you pass to a
submenu where you can configure the Access List for the said identifier, the Access List type and its
identifier appearing at the new prompt.
Syntax:
Access Lists config>access-list ?
<1..99> Standard Access List number (1-99)
<100..1999> Extended Access List number (100-1999)
Example:
Access Lists config>access-list 101
Extended Access List 101>
3.3. LIST
The LIST command displays configuration information on the Access Control Lists feature.
Syntax:
Access Lists config>list ?
all-access-lists Display all access-lists configuration
standard-access-lists Display standard access-lists configuration
extended-access-lists Display extended access-lists configuration
a) LIST ALL-ACCESS-LISTS
Displays ALL the configuration information on the Access Control Lists
Syntax:
Access Lists config>list all-access-lists

II - 7 Rev.10.62
Example:
Access Lists config>list all-access-lists
Standard Access List 1, assigned to no protocol
1 PERMIT SRC=192.60.1.24/32
2 PERMIT SRC=0.0.0.0/0
Extended Access List 100, assigned to no protocol
1 PERMIT SRC=172.34.53.23/32 DES=0.0.0.0/0 Conn:0

PROT=10-255
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0
b) LIST STANDARD-ACCESS-LISTS
Displays the configured Standard Access Control Lists.
Syntax:
Access Lists config>list standard-access-lists
Example:
Access Lists config>list standard-access-lists
1 PERMIT SRC=192.60.1.24/32
c) LIST EXTENDED-ACCESS-LISTS
Displays the configured Extended Access Control Lists.
Syntax:
Access Lists config>list extended-access-lists
Example:
Access Lists config>list extended-access-lists

PROT=10-255
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0
3.4. NO
This command is used to disable functionalities or to set the default values in some parameters.

II - 8 Rev.10.62
Syntax:
Access Lists config>no ?
access-list Configure an access-list
a) NO ACCESS-LIST
Eliminates the contents of an Access Control List.
Syntax:
Access Lists config>no access-list <ID>
Example:
Access Lists config>no access-list 100
3.5. EXIT
Exits the Access Controls feature configuration environment and returns to the general configuration
prompt.
Syntax:
Access Lists config>exit
Example:
Access Lists config>exit
Config>

II - 9 Rev.10.62
4. Standard Access Lists
Access this menu when you wish to edit an Access Control List whose identifier is within value range
1 and 99 i.e. a Standard List.
The new submenu prompt indicates that this is a Standard list and also its Identifier.
Example:
Standard Access List 1>
The Standard Access Control Lists submenu admits the following subcommands:
Command Function
entry Configures an entry for this access-list.
list Displays the access lists configuration.
description Permits you to insert a textual description of an Access
Control List.
move-entry Changes the order of the entries.
no Negates a command or sets its default value.
4.1. ? (HELP)
This command is used to list the valid commands at the level the router is programmed. You can also
use this command after a specific command to list the available options.
Syntax:
Standard Access List #>?
Example:
Standard Access List 1>?
entry Configure an entry for this access-list
list Display this access-list configuration
move-entry move an entry within an access-list
description Configure a description for this access-list
exit
4.2. ENTRY
Permits you to create and modify an entry or element in an Access Control List.
This command must always be introduced followed by the identifier of the register number and a
sentence.

II - 10 Rev.10.62
A new entry is created every time you introduce this command, followed by an identifier that is not in
the list. Introducing an already existing identifier means that the introduced parameter value will be
modified.
Syntax:
Standard Access List #>entry <id> <sentence> [value]
The configuration options for a Global entry are as follows:
Standard Access List #>entry <id> ?
default Sets default values to an existing or a new entry
permit Configures type of entry or access control as permit
deny Configures type of entry or access control as deny
source Source menu: subnet or port
description Sets a description for the current entry
a) ENTRY <id> DEFAULT

Sets all the parameters for a Standard entry to their default values.
These are:
• PERMIT
• ADDRESS: 0.0.0.0/0
Syntax:
Standard Access List #>entry <id> default
Example:
Standard Access List 1>entry 3 default
b) ENTRY <id> PERMIT

Identifies the entry as PERMIT. This parameter indicates that all traffic fulfilling the register selection
parameters can pass through the Access Control. This command is an action indicator and
consequently determines the function of the entry sentences (inclusive/exclusive).
Syntax:
Standard Access List #>entry <id> permit
Example:
Standard Access List 1>entry 3 permit
c) ENTRY <id> DENY

Identifies the entry as DENY. This parameter indicates that all traffic fulfilling the register selection
parameters will NOT pass through the Access Control. This command is an action indicator and
consequently determines the function of the entry sentences (inclusive/exclusive).
Syntax:
Standard Access List #>entry <id> deny
Example:
Standard Access List 1>entry 3 deny
d) ENTRY <id> SOURCE

Establishes the IP parameters sentence in the message ‘source’ addressing.

II - 11 Rev.10.62
Syntax:
Standard Access List #>entry <id> source <parameter> [options]
The following options can be introduced in the IP source sentence.
Standard Access List #>entry <id> source ?
address IP address and mask of the source subnet
• ENTRY <id> SOURCE ADDRESS

Establishes the ‘source’ IP address sentence. The selected range of addresses is indicated using a
mask. This address may not be numbered i.e. you can enter an address associated to an interface
which is unknown when configuring the device because, for example, it will be assigned by a different
mechanism such as PPP.
In cases where you want to specify a range of addresses you can, for practical reasons, take two types
of masks into consideration:
• Standard subset mask: This corresponds to the masks normally used to define subnets. E.g.
255.255.255.0 which is equivalent to a /24 subnet.
• Wildcard mask: This can be considered as a generalization of the previous type. Through a
wildcard mask you can more specifically delimit the address groups which are checked with
the entry. To do this the active bits in the wildcard mask indicate the exact positions of the
address bits that must be checked by the entry. To better understand these concepts there are
some double examples, <address> <wildcard mask> and the groups of addresses that match
the entry:
Address Wildcard mask Matching entry

172.24.0.127 255.255.0.255 Matches source addresses 172.24.x.127 regardless of the
value of x. (E.g. 172.24.12.127)
0.0.0.67 0.0.0.255 Matches source addresses x.x.x.67, regardless of the x
values. (E.g. 10.150.130.67)
0.0.130.0 0.0.254.0 Matches source addresses x.x.130.x and x.x.131.x,

regardless of the x values. (E.g. 18.102.130.2,
192.168.131.125)
192.0.125.0 255.0.253.0 Matches source addresses 192.x.125.x and 192.x.127.x,

192.3.127.135)
192.0.125.0 254.0.253.0 Matches source addresses 192.x.125.x, 193.x.125.x,

192.x.127.x and 193.x.127.x, regardless of the x values.
(E.g. 192.222.125.44, 193.111.127.201)
With the aim that the user understands the concepts regarding the wildcard configuration, the
positions of the mask bits whose values are 0 must also be 0 in the address. Contrariwise, the
device will give an error and suggest an address that adapts to the provided mask (that the user must
evaluate to see if it corresponds to the required configuration).
Consequently, for example, if you try to enter address 172.24.155.130 in the command with mask
255.255.254.255, the device gives an error as in the third octet in the mask (254), the last bit doesn’t
correspond with its equal in the address (155). In this case the device will suggest address
172.24.154.130.
In cases of configuring an IP address, you must introduce the IP address and the mask. In cases of
configuring an Interface, you must introduce its number.

II - 12 Rev.10.62
Syntax:
a) IP Address
Standard Access List #>entry <id> source address <address> <mask>
b) Interface
Standard Access List #>entry <id> source address <interface>
Example:
a) IP Address
Standard Access List 1>entry 3 source address 192.168.4.5 255.255.255.255
Standard Access List 1>entry 4 source address 192.0.0.17 255.0.0.255

b) Interface
Standard Access List 1>entry 3 source address serial0/0
e) ENTRY <id> DESCRIPTION

Permits you to establish a text description on an entry with the aim of better understanding its purpose
or use later on.
Syntax:
Standard Access List 1>entry <id> description ?
<1..64 chars> Description text
Example:
Standard Access List 1>entry 1 description “primera entrada”
4.3. LIST
The LIST command displays the information on the Access Control List configuration which is being
edited i.e. the information whose identifier is indicated at the menu prompt.
Syntax:
Standard Access List #>list ?
all-entries Display any entry of this access-list
address-filter-entries Display the entries that match an ip address
entry Display one entry of this access-list
a) LIST ALL-ENTRIES
Displays all the Access Control List configuration entries i.e. the whole configuration.
Syntax:
Standard Access List #>list all-entries

II - 13 Rev.10.62
Example:
Standard Access List 1>list all-entries
1 DESCRIPTION: primera entrada

1 PERMIT SRC=192.60.1.24/32
b) LIST ADDRESS-FILTER-ENTRIES
Displays the Access Control List configuration entries containing a specific IP address.
Syntax:
Standard Access List #>list address-filter-entries <address> <subnet>
Example:
Standard Access List 1>list address-filter-entries 192.60.1.24 255.255.255.255

1 PERMIT SRC=192.60.1.24/32
c) LIST ENTRY
Displays a configuration entry from the Access Control List whose identifier is indicated after the
command.
Syntax:
Standard Access List #>list entry <id>
Example:
Standard Access List 1>list entry 1

1 PERMIT SRC=192.60.1.24/32
4.4. MOVE-ENTRY
Modifies the priority of an entry. This option permits you to place a specific entry in front of another
indicated entry within the Access Control List.
This command is introduced followed by the identifier of the entry you wish to modify and
subsequently introducing the identifier for the position in front of which you wish to place the entry.
When you wish to place an entry at the end of the list i.e. this takes the least priority, you need to
specify the end option.
Syntax:
Standard Access List #>move-entry <entry_to_move> {<entry_destination> | end}

II - 14 Rev.10.62
Example:
1 DENY SRC=0.0.0.0/0
2 PERMIT SRC=234.233.44.33/32
3 PERMIT SRC=192.23.0.22/255.255.0.255
Standard Access List 1>move-entry 1 end

2 PERMIT SRC=234.233.44.33/32
3 PERMIT SRC=192.23.0.22/255.255.0.255
1 DENY SRC=0.0.0.0/0
4.5. DESCRIPTION
Use this command to insert a textual description on an access list. This serves to better understand its
purpose or function later on.
Syntax:
Standard Access List #>description ?
Example:
Standard Access List 1>description “lista para ipsec”
Standard Access List 1>list all

Description: lista para ipsec

1 PERMIT SRC=1.1.1.1/32
4.6. NO
Use this command to disable functionalities or to set default values in some parameters.
Syntax:
Standard Access List #>no ?
a) NO ENTRY
Eliminates an entry from the Access Control List. To do this, enter the identifier from the list you
wish to eliminate.
Syntax:
Standard Access List #>no entry <id>

II - 15 Rev.10.62
Example:
Standard Access List 1>no entry 3
b) NO DESCRIPTION
Eliminates the textual description associated to the Access Control List.
Syntax:
Standard Access List #>no descripition
Example:
Standard Access List 1>no description
4.7. EXIT
Exits the Standard Access Control list configuration environment and returns to the main Access
Control menu prompt.
Syntax:
Standard Access List #>exit
Example:
Standard Access List 1>exit

II - 16 Rev.10.62
5. Extended Access Lists
Access this menu when you wish to edit an Access Control List whose identifier is within value range
100 and 1999 i.e. an Extended List
The new submenu prompt indicates that this is an Extended list and also its identifier.
Example:
The Extended Access Control Lists submenu admits the following subcommands:
Command Function
entry Configures an entry for this access-list.
list Displays the access lists configuration.
move-entry Changes the order of the entries.
description Permits you to insert a textual description on an Access
Control List.
no Negates a command or sets its default value.
5.1. ? (HELP)
This command is used to list the valid commands at the level the router is programmed. You can also
use this command after a specific command to list the available options.
Syntax:
Extended Access List #>?
Example:
Extended Access List 100>?
list Display this access-list configuration
move-entry move an entry within an access-list
exit
5.2. ENTRY
Permits you to create and modify an entry or element in an Access Control List.
This command must always be introduced followed by the identifier of a sentence register number.
A new entry is created every time you introduce this command, followed by an identifier that is not in
the list. Introducing an already existing identifier means that the introduced parameter value will be
modified.

II - 17 Rev.10.62
Syntax:
Extended Access List #>entry <id> <parameter> [value]
The configuration options for an Extended entry are as follows:
Extended Access List 100>entry 1 ?
default Sets default values to an existing or a new entry
permit Configures type of entry or access control as permit
deny Configures type of entry or access control as deny
source Source menu: subnet or port
destination Destination menu: subnet or port
protocol Protocol
protocol-range Protocol range
connection IP connection identifier (rule)
description Sets a description for the current entry
ds-field DSCP in IP packets
precedence Precedence in IP packets
tcp-specific Tcp specific filtering
tos-octet TOS octet value in IP packets
a) ENTRY <id> DEFAULT

Sets all the parameters for an Extended entry to its default values.
These are:
• PERMIT
• SOURCE: 0.0.0.0/0
• DESTINATION 0.0.0.0/0
• NO PROTOCOL-RANGE
• NO TOS-OCTET
• NO CONNECTION
• NO TCP-SPECIFIC
Syntax:
Extended Access List #>entry <id> default
Example:
Extended Access List 100>entry 3 default
b) ENTRY <id> PERMIT

Identifies the entry as PERMIT. This parameter indicates that all traffic fulfilling the register selection
parameters can pass through the Access Control. This command is an action indicator and
consequently determines the function of the entry sentences.
Syntax:
Extended Access List #>entry <id> permit
Example:
Extended Access List 100>entry 3 permit
c) ENTRY <id> DENY

Identifies the entry as DENY. This parameter indicates that all traffic fulfilling the register selection
parameters will NOT pass through the Access Control. This command is an action indicator and
consequently determines the function of the entry sentences.

II - 18 Rev.10.62
Syntax:
Extended Access List #>entry <id> deny
Example:
Extended Access List 100>entry 3 deny
d) ENTRY <id> SOURCE

Establishes the IP parameters sentence in the message ‘source’ addressing.
Syntax:
Extended Access List #>entry <id> source <parameter> [options]
The following options can be introduced in the IP source sentence.
Extended Access List #>entry <id> source ?
port-range source port range
• ENTRY <id> SOURCE ADDRESS

Establishes the ‘source’ IP address sentence. The selected range of addresses is indicated using a
mask. This address may not be numbered i.e. you can enter an address associated to an Interface
which is unknown when configuring the device because, for example, it will be assigned by a different
mechanism such as PPP.
In cases where you want to specify a range of addresses you can, for practical reasons, take two types
of masks into consideration:
• Wildcard mask: This can be considered as a generalization of the above type. Through a
some double examples, <address> <wildcard mask> and the groups of addresses that match
the entry:

172.24.0.127 255.255.0.255 Matches source addresses 172.24.x.127 regardless of the
value of x. (E.g. 172.24.12.127)
0.0.0.67 0.0.0.255 Matches source addresses x.x.x.67, regardless of the x
values. (E.g. 10.150.130.67)
0.0.130.0 0.0.254.0 Matches source addresses x.x.130.x and x.x.131.x,

192.168.131.125)
192.0.125.0 255.0.253.0 Matches source addresses 192.x.125.x and 192.x.127.x,

192.3.127.135)
192.0.125.0 254.0.253.0 Matches source addresses 192.x.125.x, 193.x.125.x,
(E.g. 192.222.125.44, 193.111.127.201)

II - 19 Rev.10.62
172.24.154.130.
Syntax:
a) IP Address
Extended Access List #>entry <id> source address <address> <mask>
b) Interface
Extended Access List #>entry <id> source address interface <interface>
Example:
a) IP Address
Extended Access List 100>entry 3 source address 192.168.4.5 255.255.255.255

b) Interface
Extended Access List 100>entry 3 source address interface serial0/0
• ENTRY <id> SOURCE PORT-RANGE

The meaning of this command depends on the type of protocol for the packet that’s being filtered.
• If the packet corresponds to TCP or UDP, this command establishes the sentence for the
packet ‘source’ port. This must be followed by two numbers. The first indicates the port
identifier in the lower port range and the second is the identifier in the higher port range.
In cases where you do not want a range, simply enter two equal values. The values of both
port identifiers can take values between 0 and 65535.
In this case therefore, the aim of this command is to permit or deny various TCP or UDP
source ports.
• If the packet corresponds to the ICMP protocol and the entry is configured to carry out
filtering over this protocol (using command entry <id> protocol icmp), this command
establishes the sentence for the type of ICMP packet. This must be followed by two
numbers which serve to specify a range. The first indicates the type of ICMP message
used as the lower range limit, while the second indicates the higher range limit. If you
don’t want to establish a range, simply enter two equal values.
In this case therefore, the aim of this command is to permit or deny a type of ICMP messages
or a set of types.
Please note that in order to achieve this behavior, it is essential to configure the ICMP protocol
in the entry only and exclusively through the entry <id> protocol icmp command.

II - 20 Rev.10.62
Syntax:
Extended Access List #>entry <id> source port-range <lower_port> <higher_port>
Example 1:
Extended Access List 100>entry 3 source port-range 2 4
This entry matches all TCP or UDP packets whose source port is between 2 and 4 (inclusive).
Example 2:
Extended Access List 100>entry 3 protocol icmp
This entry matches all type 3 ICMP packets (destination unreachable), regardless of its code.
e) ENTRY <id> DESTINATION
Establishes the IP parameters sentence in the messages ‘destination’ addressing.
Syntax:
Extended Access List #>entry <id> destination <parameter> [options]
The following options can be introduced in the IP destination sentence:
Extended Access List #>entry <id> destination ?
port-range source port range
• ENTRY <id> DESTINATION ADDRESS

Establishes the ‘destination’ IP address sentence. The selected range of addresses is indicated using a
mask. This address may not be numbered i.e. you can enter an address associated to an Interface
which is unknown when configuring the device because. In cases where you want to specify a range
of addresses you can, for practical reasons, take two types of masks into consideration:
• Wildcard mask: This can be considered as a generalization of the above type. Through a
some duplicated examples, <address> <wildcard mask> and the groups of addresses that
match the entry:

172.24.0.127 255.255.0.255 Matches destination addresses 172.24.x.127 regardless of
the value of x. (E.g. 172.24.12.127)
0.0.0.67 0.0.0.255 Matches destination addresses x.x.x.67, regardless of the x
values. (E.g. 10.150.130.67)
0.0.130.0 0.0.254.0 Matches destination addresses x.x.130.x and x.x.131.x,

192.168.131.125)
192.0.125.0 255.0.253.0 Matches destination addresses 192.x.125.x and 192.x.127.x,


II - 21 Rev.10.62
192.3.127.135)
192.0.125.0 254.0.253.0 Matches destination addresses 192.x.125.x, 193.x.125.x,

(E.g. 192.222.125.44, 193.111.127.201)
172.24.154.130.
Syntax:
a) IP Address
Extended Access List #>entry <id> destination address <address> <mask>
b) Interface
Extended Access List #>entry <id> destination address interface <interface>
Example:
a) IP Address
Extended Access List 100>entry 3 destination address 192.168.4.5 255.255.255.255

b) Interface
Extended Access List 100>entry 3 destination address interface serial0/0
• ENTRY <id> DESTINATION PORT-RANGE

The meaning of this command depends on the type of protocol for the packet being filtered.
• If the packet corresponds to TCP or UDP, this command establishes the sentence for the
packet ‘destination port. Must be followed by two numbers. The first indicates the port
identifier in the lower port range and the second is the identifier in the higher port range.
In cases where you do not want a range, simply enter two equal values. The values of both
port identifiers can take values between 0 and 65535.
In this case therefore, the aim of this command is to permit or deny access to various TCP or
UDP destination ports.
• If the packet corresponds to the ICMP protocol and the entry is configured to carry out
filtering over this protocol (using command entry <id> protocol icmp), this command
establishes the sentence for the ICMP packet code. This must be followed by two numbers
which serve to specify a range. The first indicates the type of ICMP message used as the

II - 22 Rev.10.62
lower range limit, while the second indicates the higher range limit. If you don’t want to
establish a range, simply enter two equal values.
In this case therefore, the aim of this command is to permit or deny a code for ICMP messages
or a set of codes. Used in conjunction with entry <id> source port-range <limit_inf>
<limit_sup>, previously analyzed, it’s possible to absolutely specify the type and code for the
ICMP messages you want to filter.
Please note that in order to achieve this behavior, it is essential to configure the ICMP protocol
in the entry only and exclusively through the entry <id> protocol icmp command.
Syntax:
Extended Access List #>entry <id> destination port-range <lower_port> <higher_port>
Example 1:
Extended Access List 100>entry 3 destination port-range 2 4
This entry matches all TCP or UDP packets whose destination port is between 2 and 4 (inclusive).
Example 2:
Extended Access List 100>entry 3 destination port-range 1 5
This entry matches all type 3 ICMP packets (destination unreachable), whose code is between 1 and 5
(inclusive).
f) ENTRY <id> PROTOCOL
Establishes the IP packet protocol sentence. This command must be followed by the protocol number
(value between 0 and 255) or name. If you specify IP protocol, any protocol is admitted.
This command permits or denies access to distinct protocols.
Syntax:
Extended Access List #>entry <id> protocol ?
<0..255> An IP protocol number
esp Encapsulation Security Payload
gre Generic Routing Encapsulation
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
Example:
g) ENTRY <id> PROTOCOL-RANGE

Establishes the protocol sentence or the range of protocols for the IP packet. This command must be
followed by two numbers. The first indicates the protocol identifier in the lower range and the second
is the identifier in the higher range. In cases where you do not want a range, simply enter two equal
values. The values of both protocol identifiers can take values between 0 and 255.
The object of this command is to permit or deny access to various protocols.
Syntax:
Extended Access List #>entry <id> protocol-range <lower_port> <higher_port>

II - 23 Rev.10.62
Example:
Extended Access List 100>entry 3 protocol-range 21 44
h) ENTRY <id> DS-FIELD

Establishes the Access Control sentence based on the value of the dscp field for the IP packet Type of
Service byte. This can take values between 0 and 63
Syntax:
Extended Access List #>entry <id> ds-field <value>
Example:
Extended Access List 100>entry 3 ds-field 12
i) ENTRY <id> LABEL

Establishes the IP packet label sentence. The label is an internal parameter associated to each packet.
This consists of a number between 0 and 99 that can be used to select, classify and filter IP traffic.
By default all the IP packets have a label value associated equal to 0. It’s possible to change this value
through Policy Routing (please see manual Dm 745-I “Policy Routing”), using an appropriately
configured Route Map (please see manual Dm 764 “Route Mapping”). This traffic marked with a
label can be subsequently selected in an access list through entry <id> label.
Syntax:
Extended Access List #>entry <id> label <value>
Example:
Extended Access List 100>entry 3 label 12
j) ENTRY <id> PRECEDENCE

Establishes the Access Control sentence based on the value of the precedence field for the IP packet
Type of Service byte. This can take values between 0 and 7.
Syntax:
Extended Access List #>entry <id> precedence <value>
Example:
Extended Access List 100>entry 3 precedence 3
k) ENTRY <id> TCP-SPECIFIC ESTABLISHED

Establishes the Access Control sentence for the TCP packets based on if the TCP session has been
previously established or not. To find out if a TCP session is already established, check that the ACK
or the RST bit in the TCP packet header is present. If one of the two is there, then the session is
considered established.
Syntax:
Extended Access List #>entry <id> tcp-specific established-state
Example:
The following configuration shows an access list where all the TCP sessions established in entry 1
match.

II - 24 Rev.10.62
entry 1 default
entry 1 permit
entry 1 protocol tcp
entry 1 tcp-specific established-state
l) ENTRY <id> TOS-OCTET

Establishes the Access Control sentence based on the value of the IP packet Type of Service byte.
This can take values between 0 and 255. You can also specify a bits mask which determines the Type
of Service byte bits you wish to mark. The mask value can be between 1 and 255.
Syntax:
Extended Access List #>entry <id> tos-octet <value> [mask <mask>]
Example:
Extended Access List 100>entry 3 tos-octet 240 mask 254
m) ENTRY <id> CONNECTION

Permits you to associate the connection identifier between interfaces to an entry in the Access Control
List. This connection identifies the logical interface through which the packet is routed; it is
configured in the IP rules. On establishing this relation, you can also associate the traffic, not just
through the packet source or destination address etc but also through the specific interface connection.
Leaving the connection unspecified, or setting a zero connection means that the connection will not
consider this parameter when executing Access Control.
A question mark will appear next to the connection (e.g. Conn:?) if this does not exist when you list
the entry.
Syntax:
Extended Access List #>entry <id> connection <value>
Example:
Supposing we have the following rule defined in IP:
ID Local Address --> Remote Address Timeout Firewall NAPT

1 172.24.70.1 --> 172.24.70.2 0 NO NO
This identifies a specific connection, between a router’s local address and a remote (the rest of the
parameters are not considered). We will now define an entry in the Access Control List, using the
identifier for this connection ( 1 ) as a sentence:
Extended Access List 100>entry 10 connection 1
n) ENTRY <id> DESCRIPTION

Permits you to establish a textual description on an entry. This serves to better understand its purpose
or use later on.
Syntax:
Extended Access List 1>entry <id> description ?
Example:
Extended Access List 100>entry 1 description “primera entrada”

II - 25 Rev.10.62
5.3. LIST
The LIST command displays the information on the Access Control List configuration which is being
edited, i.e. the list whose identifier is indicated at the menu prompt.
Syntax:
Extended Access List #>list ?
all-entries Display any entry of this access-list
address-filter-entries Display the entries that match an ip address
entry Display one entry of this access-list
a) LIST ALL-ENTRIES
Displays all the Access Control List configurations entries i.e. the whole configuration.
Syntax:
Extended Access List #>list all-entries
Example:
Extended Access List 100>list all-entries

PROT=21
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0
b) LIST ADDRESS-FILTER-ENTRIES
Displays the Access Control List configuration entries which contain a specific IP address.
Syntax:
Extended Access List #>list address-filter-entries <address> <subnet>
Example:
Extended Access List 100>list address-filter-entries 172.25.54.33 255.255.255.255

PROT=21
c) LIST ENTRY
Displays an Access Control List configuration entry, whose identifier is indicated after the command.
Syntax:
Extended Access List #>list entry <id>
Example:
Extended Access List 100>list entry 1
1 PERMIT SRC=172.25.54.33/32 DES=192.34.0.0/16 Conn:0 Label=22

PROT=21

II - 26 Rev.10.62
5.4. MOVE-ENTRY
Modifies the priority of an entry. This option permits you to place a specific entry before another
identified one within the Access Control List.
The command is introduced, followed by the identifier of the entry you wish to modify and
subsequently enter the identifier of the position which you wish to move the entry in front of. When
you wish to place an entry at the end of the list, i.e. having the least priority, you need to specify the
option end.
Syntax:
Extended Access List #>move-entry <entry_to_move> {<entry_destination> | end}
Example:

DPORT=1024-65535

PROT=33-102
3 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0
Extended Access List 100>move-entry 1 end


PROT=33-102
3 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

DPORT=1024-65535
5.5. DESCRIPTION
Use this command to insert a textual description on an access list. This serves to better understand its
purpose or function later on.
Syntax:
Extended Access List #>description ?
Example:
Extended Access List 1>description “lista para ipsec”
Extended Access List 1>list all

Description: lista para ipsec

PROT=33-102

II - 27 Rev.10.62
3 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

DPORT=1024-65535
5.6. NO
This command is used to disable functionalities or to set the default values in some parameters.
Syntax:
Extended Access List #>no ?
a) NO ENTRY
Eliminates an entry from the Access Control List. You must enter the identifier from list you wish to
remove.
Syntax:
Extended Access List #>no entry <id>
Example:
Extended Access List 100>no entry 3
b) NO DESCRIPTION
Eliminates the textual description associated to the Access Control List.
Syntax:
Extended Access List #>no description
Example:
Extended Access List 100>no description
5.7. EXIT
Exits the configuration environment of a General Access Control list and returns to the main Access
Control menu prompt.
Syntax:
Standard Access List #>exit
Example:
Extended Access List 100>exit

II - 28 Rev.10.62
6. Show Config
Show Config is a configuration console tool (PROCESS 4), which permits you to list the commands
required to configure a router from an empty configuration (no conf).
The command can be used both to copy configurations as well as to list them or simply to view them.
The Show Config part of the configuration internally defined by default, generating the commands of
the configuration which differs from this one.
Show Config can incorporate comments, which are placed after a semi-colon (‘;’)
The command can be executed from any menu, displaying the configuration introduced in all the
submenus which hang off the current.
Example:
Access Lists config>show conf
; Showing Menu and Submenus Configuration ...
; C3G IPSec Router 1 29 Version 10.1.xPA
access-list 1
;
entry 1 default
entry 1 permit
entry 1 source address 192.60.1.24 255.255.255.255
;
entry 2 default
entry 2 permit
;
exit
;
access-list 100
;
entry 1 default
entry 1 permit
entry 1 protocol-range 10 255
;
entry 2 default
entry 2 deny
;
exit
;
Using the commands list obtained in show config, you can copy, edit and modify it so it can be used as
a basis for subsequent configurations.

II - 29 Rev.10.62
7. Practical Example
The aim here is to create a new virtual private network (VPN) between Host A and Host B. The rest
of the traffic between the private networks will pass normally. We are going to create an IPSec
Tunnel between both Hosts.
To do this, we first need to create the Access Control List that the IPSec will use as a traffic filter.
This example only shows how to create the Access Lists configuration and the association of the IPSec
Tunnel to it.
HOST A HOST B
172.24.51.57 172.60.1.163
200.200.200.1 200.200.200.2
Public Network 1 Public Network Public Network 2
Router 1 Router 2
• Creating the access control lists

The configuration to be introduced in Router 1 is as follows:


The configured access list will have the following aspect:
Using the SHOW CONFIG command, the configuration can be displayed and be used on another
occasion introducing it in the console as it appears below:

II - 30 Rev.10.62
Extended Access List 101>show conf
entry 1 default
entry 1 permit
entry 1 destination address 172.60.1.163 255.255.255.255
;
The configuration to be introduced in Router 2 is as follows:


The configured access list will have the following aspect:
Extended Access List 101>show conf

entry 1 default
entry 1 permit
entry 1 destination address 172.24.51.57 255.255.255.255
;
• Associating the access List to the IPSec Protocol

To complete the IPSec Security policies databases (SPD), you need to map the Access Control List
elements to the selected Templates.
In this case, the operation is the same in both routers as the Access Control list has been placed in both
routers with the same identifier (101).

II - 31 Rev.10.62
Config>p ip
-- Internet protocol user configuration --

IP config>ipse
-- IPSec user configuration --

IPSec config>assign-access-list 101
IPSec config>template 2 def
IPSec config>map-template 101 2
IPSec config>
IPSec config>show conf

assign-access-list 101
;
template 2 default
template 2 manual esp des md5
;
map-template 101 2
IPSec config>

II - 32 Rev.10.62
Chapter 3
Monitoring
1. Monitoring Commands
This section is dedicated to the commands permitting you to use the monitoring tools for the Access
Control Lists feature. To introduce these commands you need to access the Access Lists feature
monitoring prompt.
To access the Access Lists feature monitoring environment, introduce the FEATURE ACCESS
LISTS command at the general monitoring prompt (+).
Example:
+ feature access lists
-- Access Lists user console --
Access Lists>
The router has a cache which maintains all the last found addresses with the aim of minimizing the
search period within the Access Lists. The entries for each list which are introduced in the cache are
indicated in the lists.
The following commands are available within the Access Control List feature monitoring
environment:
Command Function
? (HELP) Lists the available commands or their options.
LIST Displays the access lists configuration.
CLEAR-CACHE Deletes all the entries in the Access Lists cache.
SET-CACHE-SIZE Configures the available number of cache entries.
SHOW-HANDLES Listing this presents the associated handles.
HIDE-HANDLES Listing this hides the associated handles.
1.1. ? (HELP)
This command is used to list the valid commands at the layer where the router is programmed. You
can also use this command after a specific command to list the available options.
Syntax:
Access Lists>?
Example:
Access Lists>?
LIST
CLEAR-CACHE
SET-CACHE-SIZE
SHOW-HANDLES
HIDE-HANDLES
EXIT
Access Lists>
ROUTER TELDAT – Access Control Monitoring Doc.DM752-I

III - 34 Rev.10.62
1.2. LIST
The LIST command displays the configuration information on the Access Control List which is
active. As an information statistic, the number of occurrences that have transpired in an entry i.e. the
number of times a packet has coincided with the entry sentences (Hits) appear.
The router has a cache which maintains all the last found addresses with the aim of minimizing the
search period within the Access Lists. The entries for each list which are introduced in the cache are
indicated in some lists.
Syntax:
Access Lists>list ?
ALL
CACHE
ENTRIES
a) LIST ALL
Displays all the entry configurations in the Access Control Lists i.e. all the configuration. The
configured entries are presented together with those that are in the cache. This command should be
followed by other commands in order to specify the information to be displayed in further detail.
Syntax:
Access Lists>list all ?
ALL-ACCESS-LISTS
ADDRESS-FILTER-ACCESS-LISTS
ACCESS-LIST
• LIST ALL ALL-ACCESS-LISTS

Displays all the access control lists for the active configuration. The configured entries together with
those in the cache are presented.
Example:
Access Lists>list all all-access-lists
ACCESS LIST ENTRIES

3 PERMIT SRC=234.233.44.33/32
Hits: 0
1 DENY SRC=192.23.0.22/255.255.0.255
Hits: 0
ACCESS LIST CACHE. Hits = 0, Miss = 0

Cache size: 32 entries, Promotion zone: 6 entries
ACCESS LIST ENTRIES

PROT=21
Hits: 0
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

Hits: 0

PROT=21-44 SPORT=34-56 DPORT=2-4
Hits: 0
Extended Access List 101, assigned to IPSec

III - 35 Rev.10.62
ACCESS LIST ENTRIES

1 PERMIT SRC=172.24.51.57/32 DES=172.60.1.163/32 Conn:0 Label=22
Hits: 0

Hits: 0

ACCESS LIST ENTRIES

TOS OCTET=0
Hits: 0
Access Lists>
• LIST ALL ADDRESS-FILTER-ACCESS-LISTS

Displays all the Access Control List entries which contain the subnet IP address and mask included in
the search pattern introduced after the command. The available lists are also presented. The
configured entries together with those in the cache are also presented. If the introduced IP address and
mask are 0.0.0.0 all the Access Lists are listed.
Syntax:
Access Lists>list all address-filter-access-lists <IPaddress> <subnet>
Example:
Access Lists>list all address-filter-access-lists 172.24.51.57 255.255.255.255
ACCESS LIST ENTRIES

ACCESS LIST ENTRIES

ACCESS LIST ENTRIES

Hits: 0

ACCESS LIST ENTRIES

Access Lists>

III - 36 Rev.10.62
• LIST ALL ACCESS-LIST
Displays all the entries from an Access Control List.
Syntax:
Access Lists>list all access-list <id>
Example:
Access Lists>list all access-list 100

ACCESS LIST ENTRIES

PROT=21
Hits: 0
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

Hits: 0
3 PERMIT SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:33?

Hits: 0
Access Lists>
b) LIST CACHE
Displays all the configured Access Control Lists and within each displays entries in the cache. This
command should be followed by other commands in order to specify the information to be displayed
in further detail. Only information on the entries in the cache is presented through this command.
Syntax:
Access Lists>list cache ?
ALL-ACCESS-LISTS
ACCESS-LIST
• LIST CACHE ALL-ACCESS-LISTS

Displays all the Access Control List entries which are in the cache.
Example:
Access Lists>list cache all-access-lists


Hits: 1


III - 37 Rev.10.62
Access Lists>
• LIST CACHE ADDRESS-FILTER-ACCESS-LISTS

Displays all the configured Access Control Lists and in each displays the entries in the cache which
contain the subnet IP address and mask included in the search pattern introduced after the command.
This command should be followed by other commands in order to specify the Access Lists to be
displayed in further detail. If the introduced IP address and mask are 0.0.0.0 all the Access Lists are
listed.
Syntax:
Access Lists>list cache address-filter-access-lists <IPaddress> <subnet>
Example:
Access Lists>list cache address-filter-access-lists 172.24.51.57 255.255.255.255


PROT=21
Hits: 2


Access Lists>
• LIST CACHE ACCESS-LIST

Displays all the entries, from one Access Control List, which are in the cache.
Syntax:
Access Lists>list cache access-list <id>
Example:
Access Lists>list cache access-list 100


PROT=21

III - 38 Rev.10.62
Hits: 2
Access Lists>
c) LIST ENTRIES
Displays Access Control Lists entries which are in the active configuration. This command should be
followed by other commands in order to specify the information to be displayed in further detail. This
command does not present information on the entries in the cache.
Syntax:
Access Lists>list entries ?
ALL-ACCESS-LISTS
ACCESS-LIST
• LIST ENTRIES ALL-ACCESS-LISTS

Displays all the active configuration Access Control Lists’ entries.
Example:
Access Lists>list entries all-access-lists
ACCESS LIST ENTRIES

3 PERMIT SRC=234.233.44.33/32
Hits: 0
1 DENY SRC=192.23.0.22/255.255.0.255
Hits: 0
ACCESS LIST ENTRIES

PROT=21
Hits: 0
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

Hits: 0

Hits: 0
ACCESS LIST ENTRIES

Hits: 0

Hits: 0
ACCESS LIST ENTRIES

TOS OCTET=0
Hits: 0
Access Lists>

III - 39 Rev.10.62
• LIST ENTRIES ADDRESS-FILTER-ACCESS-LISTS
Displays all the active configuration Access Control Lists’ entries which contain the subnet IP address
and mask included in the search pattern introduced after the command. If the introduced IP address
and mask are 0.0.0.0 all the Access Lists are listed.
Syntax:
Access Lists>list entries address-filter-access-lists <IPaddress> <subnet>
Example:
Access Lists>list entries address-filter-access-lists 172.24.51.57 255.255.255.255
ACCESS LIST ENTRIES
ACCESS LIST ENTRIES
ACCESS LIST ENTRIES

Hits: 0
ACCESS LIST ENTRIES

Access Lists>
• LIST ENTRIES ACCESS-LIST

Displays all the entries for one Access Control List.
Syntax:
Access Lists>list entries access-list <id>
Example:
Access Lists>list entries access-list 100
ACCESS LIST ENTRIES

PROT=21
Hits: 0
2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

Hits: 0

Hits: 0
Access Lists>
1.3. CLEAR-CACHE
Eliminates all the entries for a specific Access Control List from the cache processing the Access
Control Lists.

III - 40 Rev.10.62
Syntax:
Access Lists>clear-cache <id>
Example:
Access Lists>clear-cache 100
Cache cleared.
Access Lists>
1.4. SET-CACHE-SIZE
Permits you to configure the cache size for an Access Control List. The number of entries the cache
permits defines the size.
Syntax:
Access Lists>set-cache-size <id> <size>
Example:
Access Lists>set-cache-size 100 33
Cache cleared.
Access Lists>
1.5. SHOW-HANDLES
On introducing this command, among the data presented using the LIST command, information
appears to debug in each entry.
1.6. HIDE-HANDLES
On introducing this command, among the data presented using the LIST command, this disables the
command to display information to debug in each entry.

III - 41 Rev.10.62
Chapter 4
Appendix
1. Reserved Ports
In the TCP and UDP transport layer protocols, widely used over IP version 4 (IPv4) [RFC791], there
is a field known as “port”. This field is made up of 16 bits.
The ports are used by TCP to name the logical connection ends where conversations are maintained.
With the aim of providing services to unknown callers, a contact port is defined for the said service.
There is a list which assigns port numbers which are predetermined for specific services.
For possible expansions, this same port assignation is used with UDP.
The port numbers are divided into three ranges:
- Reserved (0-1023)
- Registered (1024-49151)
- Dynamic or private (49152-65535)
The following list shows some of the most used Reserved Ports:
Keyword Decimal Description

------- ------- -----------
ftp-data 20/tcp File Transfer [Default Data]
ftp-data 20/udp File Transfer [Default Data]
ftp 21/tcp File Transfer [Control]

ftp 21/udp File Transfer [Control]
telnet 23/tcp Telnet

telnet 23/udp Telnet
smtp 25/tcp Simple Mail Transfer

smtp 25/udp Simple Mail Transfer
nameserver 42/tcp Host Name Server

nameserver 42/udp Host Name Server
domain 53/tcp Domain Name Server

domain 53/udp Domain Name Server
tftp 69/tcp Trivial File Transfer

tftp 69/udp Trivial File Transfer
gopher 70/tcp Gopher

gopher 70/udp Gopher
http 80/tcp World Wide Web HTTP

http 80/udp World Wide Web HTTP
snmp 161/tcp SNMP

snmp 161/udp SNMP
snmptrap 162/tcp SNMPTRAP

snmptrap 162/udp SNMPTRAP
ROUTER TELDAT – Access Control Appendix Doc.DM752-I

IV - 43 Rev.10.62
2. Reserved Protocols
In IP version 4 (Ipv4) [RFC791], you’ll find a field titled protocol. This identifies the next protocol
layer. The protocol field consists of 8 bits. In IP version 6 (Ipv6) [RFC1883], this field is known as
“Next Header”.
Internet Protocols number assigning:
Decimal Keyword Protocol References

------- ------- -------- ----------
0 HOPOPT IPv6 Hop-by-Hop Option [RFC1883]
1 ICMP Internet Control Message [RFC792]
2 IGMP Internet Group Management [RFC1112]
3 GGP Gateway-to-Gateway [RFC823]
4 IP IP in IP (encapsulation) [RFC2003]
5 ST Stream [RFC1190,RFC1819]
6 TCP Transmission Control [RFC793]
7 CBT CBT [Ballardie]
8 EGP Exterior Gateway Protocol [RFC888,DLM1]
9 IGP any private interior gateway [IANA]
(used by Cisco for their IGRP)
10 BBN-RCC-MON BBN RCC Monitoring [SGC]
11 NVP-II Network Voice Protocol [RFC741,SC3]
12 PUP PUP [PUP,XEROX]
13 ARGUS ARGUS [RWS4]
14 EMCON EMCON [BN7]
15 XNET Cross Net Debugger [IEN158,JFH2]
16 CHAOS Chaos [NC3]
17 UDP User Datagram [RFC768,JBP]
18 MUX Multiplexing [IEN90,JBP]
19 DCN-MEAS DCN Measurement Subsystems [DLM1]
20 HMP Host Monitoring [RFC869,RH6]
21 PRM Packet Radio Measurement [ZSU]
22 XNS-IDP XEROX NS IDP [ETHERNET,XEROX]
23 TRUNK-1 Trunk-1 [BWB6]
24 TRUNK-2 Trunk-2 [BWB6]
25 LEAF-1 Leaf-1 [BWB6]
26 LEAF-2 Leaf-2 [BWB6]
27 RDP Reliable Data Protocol [RFC908,RH6]
28 IRTP Internet Reliable Transaction [RFC938,TXM]
29 ISO-TP4 ISO Transport Protocol Class 4 [RFC905,RC77]
30 NETBLT Bulk Data Transfer Protocol [RFC969,DDC1]
31 MFE-NSP MFE Network Services Protocol [MFENET,BCH2]
32 MERIT-INP MERIT Internodal Protocol [HWB]
33 SEP Sequential Exchange Protocol [JC120]
34 3PC Third Party Connect Protocol [SAF3]
35 IDPR Inter-Domain Policy Routing Protocol [MXS1]
36 XTP XTP [GXC]
37 DDP Datagram Delivery Protocol [WXC]
38 IDPR-CMTP IDPR Control Message Transport Proto [MXS1]
39 TP++ TP++ Transport Protocol [DXF]
40 IL IL Transport Protocol [Presotto]
41 IPv6 Ipv6 [Deering]
42 SDRP Source Demand Routing Protocol [DXE1]
43 IPv6-Route Routing Header for IPv6 [Deering]
44 IPv6-Frag Fragment Header for IPv6 [Deering]
45 IDRP Inter-Domain Routing Protocol [Sue Hares]

IV - 44 Rev.10.62
46 RSVP Reservation Protocol [Bob Braden]
47 GRE General Routing Encapsulation [Tony Li]
48 MHRP Mobile Host Routing Protocol [David Johnson]
49 BNA BNA [Gary Salamon]
50 ESP Encapsulating Security Payload [RFC1827]
51 AH Authentication Header [RFC1826]
52 I-NLSP Integrated Net Layer Security TUBA [GLENN]
53 SWIPE IP with Encryption [JI6]
54 NARP NBMA Address Resolution Protocol [RFC1735]
55 MOBILE IP Mobility [Perkins]
56 TLSP Transport Layer Security Protocol [Oberg]
using Kryptonet key management
57 SKIP SKIP [Markson]
58 IPv6-ICMP ICMP for IPv6 [RFC1883]
59 IPv6-NoNxt No Next Header for IPv6 [RFC1883]
60 IPv6-Opts Destination Options for IPv6 [RFC1883]
61 any host internal protocol [IANA]
62 CFTP CFTP [CFTP,HCF2]
63 any local network [IANA]
64 SAT-EXPAK SATNET and Backroom EXPAK [SHB]
65 KRYPTOLAN Kryptolan [PXL1]
66 RVD MIT Remote Virtual Disk Protocol [MBG]
67 IPPC Internet Pluribus Packet Core [SHB]
68 any distributed file system [IANA]
69 SAT-MON SATNET Monitoring [SHB]
70 VISA VISA Protocol [GXT1]
71 IPCV Internet Packet Core Utility [SHB]
72 CPNX Computer Protocol Network Executive [DXM2]
73 CPHB Computer Protocol Heart Beat [DXM2]
74 WSN Wang Span Network [VXD]
75 PVP Packet Video Protocol [SC3]
76 BR-SAT-MON Backroom SATNET Monitoring [SHB]
77 SUN-ND SUN ND PROTOCOL-Temporary [WM3]
78 WB-MON WIDEBAND Monitoring [SHB]
79 WB-EXPAK WIDEBAND EXPAK [SHB]
80 ISO-IP ISO Internet Protocol [MTR]
81 VMTP VMTP [DRC3]
82 SECURE-VMTP SECURE-VMTP [DRC3]
83 VINES VINES [BXH]
84 TTP TTP [JXS]
85 NSFNET-IGP NSFNET-IGP [HWB]
86 DGP Dissimilar Gateway Protocol [DGP,ML109]
87 TCF TCF [GAL5]
88 EIGRP EIGRP [CISCO,GXS]
89 OSPFIGP OSPFIGP [RFC1583,JTM4]
90 Sprite-RPC Sprite RPC Protocol [SPRITE,BXW]
91 LARP Locus Address Resolution Protocol [BXH]
92 MTP Multicast Transport Protocol [SXA]
93 AX.25 AX.25 Frames [BK29]
94 IPIP IP-within-IP Encapsulation Protocol [JI6]
95 MICP Mobile Internetworking Control Pro. [JI6]
96 SCC-SP Semaphore Communications Sec. Pro. [HXH]
97 ETHERIP Ethernet-within-IP Encapsulation [RDH1]
98 ENCAP Encapsulation Header [RFC1241,RXB3]
99 any private encryption scheme [IANA]
100 GMTP GMTP [RXB5]
101 IFMP Ipsilon Flow Management Protocol [Hinden]
102 PNNI PNNI over IP [Callon]
103 PIM Protocol Independent Multicast [Farinacci]

IV - 45 Rev.10.62
104 ARIS ARIS [Feldman]
105 SCPS SCPS [Durst]
106 QNX QNX [Hunter]
107 A/N Active Networks [Braden]
108 IPComp IP Payload Compression Protocol [RFC2393]
109 SNP Sitara Networks Protocol [Sridhar]
110 Compaq-Peer Compaq Peer Protocol [Volpe]
111 IPX-in-IP IPX in IP [Lee]
112 VRRP Virtual Router Redundancy Protocol [Hinden]
113 PGM PGM Reliable Transport Protocol [Speakman]
114 any 0-hop protocol [IANA]
115 L2TP Layer Two Tunneling Protocol [Aboba]
116 DDX D-II Data Exchange (DDX) [Worley]
117 IATP Interactive Agent Transfer Protocol [Murphy]
118 STP Schedule Transfer Protocol [JMP]
119 SRP SpectraLink Radio Protocol [Hamilton]
120 UTI UTI [Lothberg]
121 SMP Simple Message Protocol [Ekblad]
122 SM SM [Crowcroft]
123 PTP Performance Transparency Protocol [Welzl]
124 ISIS over IPv4 [Przygienda]
125 FIRE [Partridge]
126 CRTP Combat Radio Transport Protocol [Sautter]
127 CRUDP Combat Radio User Datagram [Sautter]
128 SSCOPMCE [Waber]
129 IPLT [Hollbach]
130 SPS Secure Packet Shield [McIntosh]
131 PIPE Private IP Encapsulation within IP [Petri]
132 SCTP Stream Control Transmission Protocol [Stewart]
133 FC Fibre Channel [Rajagopal]
134 RSVP-E2E-IGNORE [RFC3175]
135-254 Unassigned [IANA]
255 Reserved [IANA]

IV - 46 Rev.10.62

Dm752 Iv10 62 Access Control

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Dm752 Iv10 62 Access Control

Загружено:

Авторское право:

Доступные форматы

Teldat Router

Chapter 1 Introduction .....................................................................................................1

Not Found Not Found

TELDAT ROUTER– IPSec Introduction Doc.DM752-I

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

-- Access Lists user configuration --

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

Extended Access List 101>

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

Standard Access List 1, assigned to no protocol

Extended Access List 100, assigned to no protocol

1 PERMIT SRC=172.34.53.23/32 DES=0.0.0.0/0 Conn:0

2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

Access Lists config>

Standard Access List 1, assigned to no protocol

Access Lists config>

Extended Access List 100, assigned to no protocol

1 PERMIT SRC=172.34.53.23/32 DES=0.0.0.0/0 Conn:0

2 DENY SRC=0.0.0.0/0 DES=0.0.0.0/0 Conn:0

Access Lists config>

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

Standard Access List 1>

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

a) ENTRY <id> DEFAULT

b) ENTRY <id> PERMIT

c) ENTRY <id> DENY

d) ENTRY <id> SOURCE

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

• ENTRY <id> SOURCE ADDRESS

Address Wildcard mask Matching entry

0.0.130.0 0.0.254.0 Matches source addresses x.x.130.x and x.x.131.x,

192.0.125.0 255.0.253.0 Matches source addresses 192.x.125.x and 192.x.127.x,

192.0.125.0 254.0.253.0 Matches source addresses 192.x.125.x, 193.x.125.x,

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

Standard Access List 1>entry 4 source address 192.0.0.17 255.0.0.255

e) ENTRY <id> DESCRIPTION

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

Standard Access List 1, assigned to no protocol

1 DESCRIPTION: primera entrada

Standard Access List 1>

Standard Access List 1, assigned to no protocol

1 DESCRIPTION: primera entrada

Standard Access List 1>

Standard Access List 1, assigned to no protocol

1 DESCRIPTION: primera entrada

Standard Access List 1>

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

Standard Access List 1, assigned to no protocol

Standard Access List 1>move-entry 1 end

Standard Access List 1, assigned to no protocol

Standard Access List 1>

Standard Access List 1, assigned to no protocol

1 DESCRIPTION: primera entrada

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

Extended Access List 100>

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

a) ENTRY <id> DEFAULT

b) ENTRY <id> PERMIT

c) ENTRY <id> DENY

ROUTER TELDAT – Access Control Configuration Doc.DM752-I

d) ENTRY <id> SOURCE