The IP access control system allows the IP forwarder to control packet forwarding based on source and destination IP addresses, IP protocol number, and on port number for the TCP and UDP protocols. This can control access to particular classes of IP addresses and services.
The IP access control system is based on one global ordered list of inclusive and exclusive access control entries. If access control is enabled, each IP packet being originated, forwarded, or received is compared to the access control list. Each entry in the list can be inclusive or exclusive, permitting or denying forwarding. Each entry has fields for source and destination IP address, optional IP protocol number, and optional port number for UDP and TCP.
For each received packet, the headers are compared to all specified fields in each entry. If the entry matches the packet and the entry is inclusive, then the packet is forwarded. If the entry is exclusive, the packet is dropped. If no entry in the entry list matches the packet, the packet is dropped.
Each entry has an IP address and mask, and a result, which is the value resulting from a logical AND of the address and mask, for both the source and destination IP address. An address in a received packet will be logically ANDed with the mask in an entry, and compared to the entry's result. For example, a mask of 255.0.0.0 AND-ed with an address that results in 26.0.0.0 will match any address with 26 in the first byte. A mask of 255.255.255.255 ANDed with an address that results in 192.67.67.20 matches only the IP host 192.67.67.20. A mask of 0.0.0.0 with a result of 0.0.0.0 is a wildcard, and matches any IP address.
This parameter adds an access control record to the end of the global access control list, allowing you to describe a class of packets to forward or drop, depending upon the type of the record.
The length and order of the IP access control list can affect the performance of the IP forwarder.
Select Include to cause the router to receive a packet and to forward it if it matches criteria in the remaining arguments.
Select Exclude to cause the router to discard packets that match those criteria.
Address Valid Values: any valid IP address
Address Default Value: none
Mask Valid Values: 0.0.0.0 to 255.255.255.255
Mask Default Value: none
Address Valid Values: any valid IP address
Address Default Value: none
Mask Valid Values: 0.0.0.0 to 255.255.255.255
Mask Default Value: none
Valid Values: 0 to 255
Default Value: 0
The valid values and default apply to the lower and upper bounds of the IP protocol number range.
Some commonly used protocol numbers are:
Valid Values: a port number in the range of [0 - 65535]
Default Value: 0
The valid values and default apply to the lower and upper bounds of the IP TCP/UDP port number range.
Some commonly used port numbers are:
Select the Submit button.
BOOTP is a bootstrap protocol used by a router or a diskless workstation to learn its IP address, the location of its boot file, and the boot server name. DHCP is Dynamic Host Configuration Protocol, used to configure a host over a network connection.
Acting as a BOOTP relay agent, your MSS Server accepts BOOTP/DHCP requests and forwards them to the BOOTP/DHCP server.
Enter the Bootp Server address you want to add.
Address Valid Values: any valid Bootp server IP address
Address Default Value: none
Select the Submit button.
Using the filter mechanism is more efficient than IP access control, although not as flexible. Unlike access control, filters also affect the operation of the IP routing protocols. However, filtering does not prevent OSPF from learning about networks and subnetworks.
The effect of this command is immediate; you do not have to reboot the router for it to take effect.
You must specify the destination IP address with its subnet mask. For example, to filter a subnet of a class B network, using the third byte for subnetting, the mask would be 255.255.255.0.
Address Valid Values: any valid IP address
Address Default Value: none
Valid Values: 0.0.0.0 to 255.255.255.255
Default Value: 0.0.0.0
Select the Submit button.
Packet filters work in the same way as access controls. When the IP forwarder receives a packet, it checks whether any packet filters have been defined for the interface on which the packet arrived. If a filter exists, and the packet is not excluded by it, the packet passes through the access control list defined for the entire router (as it does today). If the packet is being forwarded, it also passes through any access control list specified for outgoing traffic on the interface over which the packet is about to be sent. In either case, the router discards all packets that are not explicitly included by a filter.
Valid Values: any 16-character name.
You can include dashes (-) and underscores (_) in the name.
Default Value: none
IN filters incoming traffic.
OUT filters outgoing traffic.
Valid Values: any defined interface
Default Value: none
Use IP List ALL to list the defined interfaces.
Select the Submit button.
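The following model of the access control list and packet filter behaviour described above is an added example, not code from the MSS Server documentation. It implements the mask/result matching (an address is ANDed with the entry's mask and compared to the entry's result), the ordered walk of the one global list where the first matching Include or Exclude entry decides and a packet that matches no entry is dropped, and the three-stage pipeline of IN filter, global list and OUT filter. The entry layout, the sample policy, the packets and the interface names are constructed; the text does not say which TCP/UDP port is compared, so the model checks the destination port, and it treats a protocol or port range spanning the full valid range as "any".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

TCP, UDP = 6, 17


def masked(addr: str, mask: str) -> int:
    """Logical AND of an IP address and a mask, as the text describes."""
    return int(IPv4Address(addr)) & int(IPv4Address(mask))


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    port: int = 0      # assumption: the TCP/UDP destination port is the one checked
    in_if: str = ""    # interface the packet arrived on
    out_if: str = ""   # interface the forwarder will send it out on


@dataclass
class AclEntry:
    include: bool                            # Include = forward, Exclude = drop
    src_mask: str
    src_result: str                          # (source address AND src_mask)
    dst_mask: str
    dst_result: str                          # (destination address AND dst_mask)
    protocol: Tuple[int, int] = (0, 255)     # lower/upper protocol bound; full range = any
    port: Tuple[int, int] = (0, 65535)       # lower/upper port bound; full range = any

    def matches(self, p: Packet) -> bool:
        if masked(p.src, self.src_mask) != int(IPv4Address(self.src_result)):
            return False
        if masked(p.dst, self.dst_mask) != int(IPv4Address(self.dst_result)):
            return False
        if not self.protocol[0] <= p.protocol <= self.protocol[1]:
            return False
        # Port bounds are only meaningful for TCP and UDP.
        if p.protocol in (TCP, UDP) and not self.port[0] <= p.port <= self.port[1]:
            return False
        return True


def acl_decision(acl: List[AclEntry], p: Packet) -> bool:
    """Walk the ordered list; the first matching entry decides. No match: drop."""
    for entry in acl:
        if entry.matches(p):
            return entry.include
    return False


# A packet filter is a list of (destination address, mask) pairs bound to an
# interface and a direction. A packet is explicitly included by the filter when
# its destination, ANDed with a pair's mask, equals that pair's masked address.
Filter = List[Tuple[str, str]]


def filter_passes(flt: Optional[Filter], p: Packet) -> bool:
    if flt is None:    # no filter defined for this interface and direction
        return True
    return any(masked(p.dst, mask) == masked(addr, mask) for addr, mask in flt)


def forward(acl: List[AclEntry], filters: Dict[Tuple[str, str], Filter],
            p: Packet) -> bool:
    """IN filter on the arrival interface, then the global ACL, then the OUT
    filter on the outgoing interface; any stage can drop the packet."""
    if not filter_passes(filters.get((p.in_if, "IN")), p):
        return False
    if not acl_decision(acl, p):
        return False
    return filter_passes(filters.get((p.out_if, "OUT")), p)


# Constructed sample policy (not from the documentation).
SAMPLE_ACL = [
    # Exclude one host from everything; placed first so it wins the walk.
    AclEntry(False, "255.255.255.255", "26.1.1.99", "0.0.0.0", "0.0.0.0"),
    # Include TCP port 80 from the 26.0.0.0 network to the host 192.67.67.20.
    AclEntry(True, "255.0.0.0", "26.0.0.0", "255.255.255.255", "192.67.67.20",
             protocol=(TCP, TCP), port=(80, 80)),
    # Include ICMP (protocol 1) from anywhere to the 192.67.67.0 subnet.
    AclEntry(True, "0.0.0.0", "0.0.0.0", "255.255.255.0", "192.67.67.0",
             protocol=(1, 1)),
]
SAMPLE_FILTERS = {
    # Only traffic destined for 192.67.67.0/24 is admitted on eth0.
    ("eth0", "IN"): [("192.67.67.0", "255.255.255.0")],
}

if __name__ == "__main__":
    for pkt in (Packet("26.5.5.5", "192.67.67.20", TCP, 80, "eth0", "eth1"),
                Packet("26.1.1.99", "192.67.67.20", TCP, 80, "eth0", "eth1"),
                Packet("26.5.5.5", "192.67.67.20", TCP, 22, "eth0", "eth1"),
                Packet("10.0.0.1", "10.9.9.9", 1, 0, "eth0", "eth1")):
        verdict = "forward" if forward(SAMPLE_ACL, SAMPLE_FILTERS, pkt) else "drop"
        print(pkt.src, "->", pkt.dst, verdict)
```

Because the list is ordered and the first match wins, the Exclude entry for the single host has to come before the broader Include entry for its network; the same two entries in the other order would forward that host's port 80 traffic. The implicit drop at the end of the list is why every class of traffic the router should carry needs an explicit Include entry once access control is enabled.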
When dynamic routing information is not available for a particular destination, static routes are used.
If the destination IP address is a network address, then the IP mask must be a network mask. If the destination IP address is a subnet address, then the IP mask must be a subnet mask. If the destination IP address is a host address, then the IP mask must be a host mask (which means that the only valid value is 255.255.255.255). The IP mask must be accurate; if it is not, the static route will not be accepted.
Address Valid Values: any valid IP address
Address Default Value: none
Mask Valid Values: 0.0.0.0 to 255.255.255.255
Default Value: none
This parameter defines the IP address of the next hop (next destination router) to use for packets received at the router. This address must be on the same subnet as one of the router's directly connected interfaces.
Valid Values: any valid IP address
Default Value: none
The cost is the number of hops between the source address and the destination address of the static route.
The cost is used to determine the shortest path to the destination. Lower costs are preferred. The next hop must be on the same subnet as one of the router's directly connected interfaces.
Valid Values: an integer in the range of [1 - 16]
Default Value: 1
Routes dynamically learned through OSPF and RIP can override static routes. For the RIP protocol, you can disable this override behavior with the Override Static Routes parameter.
The effect of this option is immediate; you do not have to reboot the router for it to take effect.
Select the Submit button.
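The check below is an added example, not code from the MSS Server documentation. It applies the acceptance rules stated for a static route: the mask must be accurate for the destination (a destination with host bits set under its mask, or a mask with non-contiguous bits, is rejected), the cost must lie in the range 1 to 16, and the next hop must be on the same subnet as one of the router's directly connected interfaces. The interface addresses, the routes and the function name are constructed.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional

HOST_MASK = "255.255.255.255"   # the only valid mask for a host destination


def static_route_error(dest: str, mask: str, next_hop: str, cost: int,
                       interfaces: List[str]) -> Optional[str]:
    """Return None when the route would be accepted, otherwise the reason it
    is rejected. `interfaces` holds the router's directly connected interface
    addresses in address/prefix form, e.g. "192.67.67.1/24" (constructed)."""
    try:
        # strict=True rejects a destination with host bits set under the mask
        # (e.g. 192.67.67.20 with 255.255.255.0) and a non-contiguous mask;
        # both are what the text calls an inaccurate mask.
        IPv4Network(f"{dest}/{mask}", strict=True)
    except ValueError:
        return f"mask {mask} is not accurate for destination {dest}"
    if not 1 <= cost <= 16:
        return f"cost {cost} is outside the range 1 - 16"
    hop = IPv4Address(next_hop)
    if not any(hop in IPv4Interface(i).network for i in interfaces):
        return f"next hop {next_hop} is not on a directly connected subnet"
    return None


# Constructed interface addresses for the examples below.
SAMPLE_INTERFACES = ["192.67.67.1/24", "10.0.0.1/8"]

if __name__ == "__main__":
    for route in (("130.5.0.0", "255.255.0.0", "192.67.67.254", 1),    # network route
                  ("172.16.5.5", HOST_MASK, "10.200.0.1", 3),          # host route
                  ("192.67.67.20", "255.255.255.0", "192.67.67.254", 1),  # host bits set
                  ("130.5.0.0", "255.255.0.0", "172.16.0.1", 1)):      # hop not connected
        print(route, static_route_error(*route, SAMPLE_INTERFACES) or "accepted")
```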
Note: Do not assign the same UDP port to multiple destinations.
Valid Values: 0 to 65535
Default Value: none
Valid Values: any valid IP address
Default Value: none
Repeat this option to add more than one IP address for the same UDP port. This causes the router to forward the packet to each of the IP addresses.
Select the Submit button.
A broadcast address can be either local-wire style or network style. Local-wire broadcast addresses are either all ones (255.255.255.255) or all zeros (0.0.0.0). Network-style broadcast addresses begin with the network and subnet portion of the IP interface address. The broadcast fill pattern can be either 1 or 0; it indicates whether the rest of the broadcast address (that is, the part other than the network and subnet portions, if any) is set to all ones or all zeros.
When receiving, the MSS Server router recognizes all forms of the IP broadcast address.
Enter an interface address that is to be the broadcast address.
Valid Values: any valid IP address (see examples in text above)
Default Value: none
Select the Submit button.
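The functions below are an added example, not code from the MSS Server documentation. They derive the broadcast address forms described above from an interface address, its mask and the fill pattern, and recognize every form on receipt, as the text says the router does. The interface addresses and masks, and the "local-wire" / "network" style names, are constructed.

```python
from ipaddress import IPv4Address
from typing import Set

ALL_ONES = "255.255.255.255"
ALL_ZEROS = "0.0.0.0"


def network_broadcast(interface_addr: str, mask: str, fill: int) -> str:
    """Network-style broadcast: the network and subnet bits of the interface
    address, with the remaining bits set to all ones (fill 1) or all zeros (fill 0)."""
    if fill not in (0, 1):
        raise ValueError("fill pattern must be 0 or 1")
    m = int(IPv4Address(mask))
    network_part = int(IPv4Address(interface_addr)) & m
    host_bits = ~m & 0xFFFFFFFF
    return str(IPv4Address(network_part | host_bits if fill == 1 else network_part))


def configured_broadcast(interface_addr: str, mask: str, style: str, fill: int) -> str:
    """The address this interface uses when it sends a broadcast, given the
    configured style ("local-wire" or "network") and fill pattern."""
    if style == "local-wire":
        return ALL_ONES if fill == 1 else ALL_ZEROS
    if style == "network":
        return network_broadcast(interface_addr, mask, fill)
    raise ValueError(f"unknown broadcast style {style!r}")


def broadcast_forms(interface_addr: str, mask: str) -> Set[str]:
    """Every address the router treats as a broadcast when receiving on this interface."""
    return {ALL_ONES, ALL_ZEROS,
            network_broadcast(interface_addr, mask, 1),
            network_broadcast(interface_addr, mask, 0)}


def is_broadcast(dst: str, interface_addr: str, mask: str) -> bool:
    return dst in broadcast_forms(interface_addr, mask)


if __name__ == "__main__":
    # Constructed: a class B address subnetted on the third byte.
    print(sorted(broadcast_forms("130.5.17.9", "255.255.255.0")))
```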
This parameter specifies the maximum number of entries for the IP routing cache. The IP routing cache contains routing information for only the most recently routed destinations. The IP routing table contains routing information for all the routes.
The IP routing cache contains the following information on recently routed destinations:
Enter the number of cache entries.
Valid Values: 64 to 10000
Default Value: 64
Select the Submit button.
The route is specified by the IP address of the default gateway and the distance (cost) to the default gateway.
All packets having unknown destinations are forwarded to the default gateway.
Valid Values: any valid IP address
Default Value: 0.0.0.0 with a gateway cost of 1.
Valid Values: an integer in the range of [1 - 16]
Default Value: 1
Select the Submit button.
You must first provide the subnet address. Then, you must provide the IP address of the default subnet gateway and the distance (cost) to the default subnet gateway to specify the route.
All packets destined for unknown subnets of a known subnetted network are forwarded to the subnetted network's default subnet gateway.
Valid Values: any valid IP address
Default Value: 0.0.0.0 with a gateway cost of 1.
Valid Values: an integer in the range of [1 - 16]
Default Value: 1
Select the Submit button.
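The lookup below is an added example, not code from the MSS Server documentation. It shows the order in which the default gateway and default subnet gateway described above come into play: a route covering the destination is used if one exists (with lower cost preferred, as the text states for static routes), otherwise a destination inside a known subnetted network goes to that network's default subnet gateway, and any remaining unknown destination goes to the default gateway. Longest-match among overlapping routes is standard IP behaviour assumed here, the sample table is constructed, and treating the parameter's default of 0.0.0.0 as "no default gateway configured" is an assumption.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Gateway:
    address: str
    cost: int              # distance to the gateway, 1 - 16


@dataclass(frozen=True)
class Route:
    network: IPv4Network   # destination address plus mask
    gateway: Gateway       # next hop and cost


@dataclass
class RoutingTable:
    routes: List[Route]
    # Known subnetted networks, each with its default subnet gateway.
    subnet_defaults: List[Tuple[IPv4Network, Gateway]]
    # 0.0.0.0 / cost 1 is the parameter's default; assumption: it means "not configured".
    default_gateway: Gateway = Gateway("0.0.0.0", 1)

    def lookup(self, dst: str) -> Tuple[str, Optional[Gateway]]:
        """Return (which rule matched, gateway) for a destination address."""
        addr = IPv4Address(dst)
        # 1. A route covering the destination. Among several, the most specific
        #    mask wins (assumed standard behaviour), then the lowest cost.
        covering = [r for r in self.routes if addr in r.network]
        if covering:
            best = min(covering, key=lambda r: (-r.network.prefixlen, r.gateway.cost))
            return "route", best.gateway
        # 2. An unknown subnet of a known subnetted network goes to that
        #    network's default subnet gateway.
        for net, gw in self.subnet_defaults:
            if addr in net:
                return "default subnet gateway", gw
        # 3. Every other unknown destination goes to the default gateway, if set.
        if self.default_gateway.address != "0.0.0.0":
            return "default gateway", self.default_gateway
        return "unreachable", None


# Constructed sample table: the class B network 130.5.0.0 is subnetted on the
# third byte, and only one of its subnets has a route of its own.
SAMPLE_TABLE = RoutingTable(
    routes=[
        Route(IPv4Network("130.5.1.0/24"), Gateway("10.0.0.2", 1)),
        Route(IPv4Network("10.0.0.0/8"), Gateway("10.0.0.3", 2)),
        Route(IPv4Network("10.0.0.0/8"), Gateway("10.0.0.4", 5)),
    ],
    subnet_defaults=[(IPv4Network("130.5.0.0/16"), Gateway("10.0.0.9", 1))],
    default_gateway=Gateway("10.0.0.1", 1),
)

if __name__ == "__main__":
    for dst in ("130.5.1.7", "130.5.9.7", "10.7.7.7", "8.8.8.8"):
        print(dst, SAMPLE_TABLE.lookup(dst))
```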
The primary reason for defining an internal address is to provide an address for a TCP connection that will not become inactive when an interface becomes inactive. The internal IP address also provides some value when unnumbered interfaces are used. It is the first choice as a source address for packets originated by this router and transmitted over an unnumbered interface. The stability of this address makes it easier to keep track of such packets.
This address is always reachable, regardless of the state of the interface. If the internal IP address and the router ID are set in the same router, the internal IP address takes precedence over the router ID.
Enter the internal address you want to assign to the router.
Valid Values: any valid IP address.
Default Value: none
Select the Submit button.
Use this option in the following environment:
When you issue this command, you are prompted to specify whether to originate a RIP default route for the other routing protocols your router is running.
This default route will direct traffic bound for a non-RIP network to a boundary router. Originating a single default route means that the boundary router does not have to distribute the other network's routing information to the other nodes in its network.
Valid Values: an integer in the range of [1 - 16]
Default Value: 1
If you answered Yes, enter the From AS number (Autonomous System number).
AS numbers are assigned by Stanford Research Institute Network Information Center.
Valid Values: an integer in the range of [0 - 65535]
Default Value: 0
Also, enter the To network number.
Valid Values: any valid IP address
Default Value: none
Valid Values: an integer in the range of [1 - 16]
Default Value: 1
Select the Submit button.
Enter the buffer size you want to use.
Default Value: 12000
Select the Submit button.
Setting the routing table size too small causes dynamic routing information to be discarded. Setting the routing table size too large wastes router memory resources.
Enter the number of entries (table size) you want to have in the routing table.
Valid Values: an integer number of entries in the range of [1 - 65535]
Default Value: 768 entries
Select the Submit button.