IP Add Access-Control

The IP access control system allows the IP forwarder to control packet forwarding based on source and destination IP addresses, IP protocol number, and on port number for the TCP and UDP protocols. This can control access to particular classes of IP addresses and services.

The IP access control system is based on one global ordered list of inclusive and exclusive access control entries. If access control is enabled, each IP packet being originated, forwarded, or received is compared to the access control list. Each entry in the list can be inclusive or exclusive, permitting or denying forwarding. Each entry has fields for source and destination IP address, optional IP protocol number, and optional port number for UDP and TCP.

For each received packet, the headers are compared to all specified fields in each entry. If the entry matches the packet and the entry is inclusive, then the packet is forwarded. If the entry is exclusive, the packet is dropped. If no entry in the entry list matches the packet, the packet is dropped.

Each entry has an IP address and mask, and a result, which is the value resulting from a logical AND of the address and mask, for both the source and destination IP address. An address in a received packet will be logically ANDed with the mask in an entry, and compared to the entry's result. For example, a mask of 255.0.0.0 ANDed with an address that results in 26.0.0.0 will match any address with 26 in the first byte. A mask of 255.255.255.255 ANDed with an address that results in 192.67.67.20 matches only the IP host 192.67.67.20. A mask of 0.0.0.0 with a result of 0.0.0.0 is a wildcard, and matches any IP address.

This parameter adds an access control record to the end of the global access control list, allowing you to describe a class of packets to forward or drop, depending upon the type of the record.

The length and order of the IP access control list can affect the performance of the IP forwarder.

  1. Select Type to indicate whether packets are sent or dropped for a specific address or set of addresses.

    Select Include to cause the router to receive a packet and to forward it if it matches criteria in the remaining arguments.

    Select Exclude to cause the router to discard the packets.

  2. Enter the filter source IP address and mask address. The mask will be ANDed with the source IP address and then compared to the access control entry's source IP address value.

    Address Valid Values: any valid IP address

    Address Default Value: none

    Mask Valid Values: 0.0.0.0 to 255.255.255.255

    Mask Default Value: none

  3. Enter the filter destination IP address and mask address. The mask will be ANDed with the destination IP address and then compared to the access control entry's destination IP address value.

    Address Valid Values: any valid IP address

    Address Default Value: none

    Mask Valid Values: 0.0.0.0 to 255.255.255.255

    Mask Default Value: none

  4. Enter the lower and upper bounds of a range of IP protocol numbers. A packet will match the access control entry only if its IP protocol number lies within this range.

    Valid Values: 0 to 255

    Default Value: 0

    The valid values and default apply to the lower and upper bounds of the IP protocol number range.

    Some commonly used protocol numbers are:

  5. Enter the lower and upper bounds of a range of IP TCP/UDP port numbers. A packet will match the access control entry only if its IP port number lies within this range.

    Valid Values: a port number in the range of [0 - 65535]

    Default Value: 0

    The valid values and default apply to the lower and upper bounds of the IP TCP/UDP port number range.

    Some commonly used port numbers are:

Select the Submit button.


IP Add Bootp-Server

Adds a BOOTP/DHCP server to a network configuration.

BOOTP is a bootstrap protocol used by a router or a diskless workstation to learn its IP address, the location of its boot file, and the boot server name. DHCP is Dynamic Host Configuration Protocol, used to configure a host over a network connection.

Acting as a BOOTP relay agent, your MSS Server accepts and forwards BOOTP/DHCP requests to the BOOTP/DHCP server.

Enter the Bootp Server address you want to add.

Address Valid Values: any valid Bootp server IP address

Address Default Value: none

Select the Submit button.


IP Add Filter

Filters are used to silently discard any packet received or originated by the router in which the destination IP address matches the filter.

Using the filter mechanism is more efficient than IP access control, although not as flexible. Unlike access control, filters also affect the operation of the IP routing protocols. However, filtering does not prevent OSPF from learning about networks and subnetworks.

The effect of this command is immediate; you do not have to reboot the router for it to take effect.

You must specify the destination IP address with its subnet mask. For example, to filter a subnet of a class B network, using the third byte for subnetting, the mask would be 255.255.255.0.

  1. Enter the destination interface address of the interface that is to be filtered.

    Address Valid Values: any valid IP address

    Address Default Value: none

  2. Enter the destination mask.

    Valid Values: 0.0.0.0 to 255.255.255.255

    Default Value: 0.0.0.0

Select the Submit button.


IP Add Packet-Filter

Defines a packet filter within the router configuration.

Packet filters work in the same way as access controls. When the IP forwarder receives a packet, it checks whether a packet filter has been defined for the interface on which the packet arrived. If a filter exists and the packet is not excluded by it, the packet passes through the access control list defined for the entire router. If the packet is being forwarded, it then passes through any access control list specified for outgoing traffic on the interface over which the packet is about to be sent. In either case, the router discards all packets that are not explicitly included by a filter.

  1. Enter a packet filter name.

    Valid Values: any 16-character name.

    You can include dashes (-) and underscores (_) in the name.

    Default Value: none

  2. Select IN or OUT for the direction of the filter.

    IN filters incoming traffic.

    OUT filters outgoing traffic.

  3. Enter the interface that this filter is applied to.

    Valid Values: any defined interface

    Default Value: none

    Use IP List ALL to list the defined interfaces.

Select the Submit button.
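The following Python example is added here to make the matching rules concrete; it is not part of the original help text or the MSS Server's own code. It models the IP Add Access-Control semantics (address ANDed with mask and compared to the entry's result, inclusive protocol and port ranges, first match on an ordered list, drop when nothing matches) and the IN filter, global list, OUT filter order described under IP Add Packet-Filter. All names (Packet, AclEntry, PacketFilter, evaluate, forward_decision) and the sample entries are the example's own. Two points the text leaves open are taken as assumptions and marked in the code: the port bound is checked against the destination port, and an interface with no filter defined is skipped rather than dropping everything.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Tuple

ICMP, TCP, UDP = 1, 6, 17   # well-known IP protocol numbers (IANA assignments)

# Constructed packet summary; port is the destination port for TCP/UDP (assumption).
Packet = namedtuple("Packet", "src dst proto port", defaults=(0,))


def ip_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer so masks can be ANDed."""
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AclEntry:
    include: bool   # True = Include (forward on match), False = Exclude (drop on match)
    src: str        # address and mask; the entry's "result" is address AND mask
    src_mask: str
    dst: str
    dst_mask: str
    proto_range: Tuple[int, int] = (0, 255)     # inclusive IP protocol bounds
    port_range: Tuple[int, int] = (0, 65535)    # inclusive TCP/UDP port bounds

    def matches(self, pkt: Packet) -> bool:
        smask, dmask = ip_int(self.src_mask), ip_int(self.dst_mask)
        # Packet address ANDed with the entry mask must equal the entry's result;
        # port bounds apply only to TCP and UDP.
        return ((ip_int(pkt.src) & smask) == (ip_int(self.src) & smask)
                and (ip_int(pkt.dst) & dmask) == (ip_int(self.dst) & dmask)
                and self.proto_range[0] <= pkt.proto <= self.proto_range[1]
                and (pkt.proto not in (TCP, UDP)
                     or self.port_range[0] <= pkt.port <= self.port_range[1]))


def evaluate(acl: List[AclEntry], pkt: Packet) -> bool:
    """Ordered list: the first matching entry decides; no match means drop."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.include
    return False


@dataclass
class PacketFilter:
    name: str         # 16-character name; dashes and underscores allowed
    direction: str    # "IN" or "OUT"
    interface: str
    entries: List[AclEntry] = field(default_factory=list)


def forward_decision(global_acl, filters, pkt, in_if, out_if) -> bool:
    """IN filter on the arrival interface, then the global list, then the OUT
    filter on the egress interface. Assumption: an interface with no filter is
    skipped; where a filter exists, a packet it does not include is dropped."""
    for f in filters:
        if f.direction == "IN" and f.interface == in_if and not evaluate(f.entries, pkt):
            return False
    if not evaluate(global_acl, pkt):
        return False
    for f in filters:
        if f.direction == "OUT" and f.interface == out_if and not evaluate(f.entries, pkt):
            return False
    return True


ANY = ("0.0.0.0", "0.0.0.0")   # the wildcard address/mask pair from the text

# Constructed sample configuration, reusing the section's own example addresses.
GLOBAL_ACL = [
    # Exclude TCP port 23 to the single host 192.67.67.20 from any source.
    AclEntry(False, *ANY, "192.67.67.20", "255.255.255.255", (TCP, TCP), (23, 23)),
    # Include everything sourced from 26.0.0.0/8 or 10.0.0.0/8.
    AclEntry(True, "26.0.0.0", "255.0.0.0", *ANY),
    AclEntry(True, "10.0.0.0", "255.0.0.0", *ANY),
]
FILTERS = [
    # Only 26.0.0.0/8 sources are expected on eth0; other sources are dropped on ingress.
    PacketFilter("eth0-ingress", "IN", "eth0", [AclEntry(True, "26.0.0.0", "255.0.0.0", *ANY)]),
]


def demo() -> dict:
    telnet = Packet("26.1.2.3", "192.67.67.20", TCP, 23)
    web = Packet("26.1.2.3", "192.67.67.20", TCP, 80)
    dns = Packet("10.0.0.1", "192.67.67.21", UDP, 53)
    return {
        "telnet via eth0": forward_decision(GLOBAL_ACL, FILTERS, telnet, "eth0", "eth1"),  # drop
        "web via eth0": forward_decision(GLOBAL_ACL, FILTERS, web, "eth0", "eth1"),        # forward
        "dns via eth0": forward_decision(GLOBAL_ACL, FILTERS, dns, "eth0", "eth1"),        # drop
        "dns via eth1": forward_decision(GLOBAL_ACL, FILTERS, dns, "eth1", "eth0"),        # forward
        # Same entries reversed: the Include for 26/8 now matches first, so telnet is forwarded.
        "telnet, reversed list": evaluate(list(reversed(GLOBAL_ACL)), telnet),             # forward
    }
```

The last entry of demo() is the point the text makes about order affecting behaviour: with the Exclude entry no longer first, the same packet that was dropped is forwarded, so a specific Exclude must precede any broader Include that would also match it.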


IP Add Route

Adds a static network/subnet/host route to the router's IP configuration.

When dynamic routing information is not available for a particular destination, static routes are used.

  1. Specify an IP address together with an address mask.

    If the destination IP address is a network address, then the IP mask must be a network mask. If the destination IP address is a subnet address, then the IP mask must be a subnet mask. If the destination IP address is a host address, then the IP mask must be a host mask (which means that the only valid value is 255.255.255.255). The IP mask must be accurate; if it is not, the static route will not be accepted.

    Address Valid Values: any valid IP address

    Address Default Value: none

    Mask Valid Values: 0.0.0.0 to 255.255.255.255

    Default Value: none

  2. Specify the next hop address.

    This parameter defines the IP address of the next hop (next destination router) to use for packets received at the router. This address must be on the same subnet as one of the router's directly connected interfaces.

    Valid Values: any valid IP address

    Default Value: none

  3. Specify a cost of routing a packet to the destination.

    The cost is the number of hops between the source address and the destination address of the static route.

    The cost is used to determine the shortest path to the destination. Lower costs are preferred. The next hop must be on the same subnet as one of the router's directly connected interfaces.

    Valid Values: an integer in the range of [1 - 16]

    Default Value: 1

Routes dynamically learned through OSPF and RIP can override static routes. For the RIP protocol, you can disable this override behavior with the Override Static Routes parameter.

The effect of this option is immediate; you do not have to reboot the router for it to take effect.

Select the Submit button.
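As an added illustration of the three acceptance rules above (accurate mask, next hop on a directly connected subnet, cost in the range 1 to 16), the Python below is example code written for this page, not the router's own validation logic. The interface list CONNECTED and the candidate routes are constructed sample data; the function and variable names are the example's own.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed interface list for the sample router: address/prefix per connected interface.
CONNECTED = ["192.168.1.1/24", "26.0.0.1/8"]


def validate_static_route(dest: str, mask: str, next_hop: str, cost: int,
                          connected: List[str] = CONNECTED) -> Optional[str]:
    """Return None when the route would be accepted, otherwise the reason it is
    rejected, applying the three rules from the text in order."""
    # 1. The mask must be accurate: a network or subnet address has its host bits
    #    zero, and a host route uses 255.255.255.255. strict=True raises when the
    #    address has host bits set under the mask; a non-contiguous mask raises too.
    try:
        ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
    except ValueError as err:
        return f"mask {mask} is not accurate for {dest}: {err}"
    # 2. The next hop must lie on the subnet of a directly connected interface.
    hop = ipaddress.IPv4Address(next_hop)
    if not any(hop in ipaddress.IPv4Interface(c).network for c in connected):
        return f"next hop {next_hop} is not on a directly connected subnet"
    # 3. Cost is a hop count in the range [1 - 16].
    if not 1 <= cost <= 16:
        return f"cost {cost} is outside the range 1 to 16"
    return None


def check_routes(candidates) -> Dict[str, Optional[str]]:
    """Validate a batch of (dest, mask, next_hop, cost) tuples; value None = accepted."""
    return {f"{d}/{m} via {nh} cost {c}": validate_static_route(d, m, nh, c)
            for d, m, nh, c in candidates}


# Constructed candidates: the first two are accepted, each of the rest fails one rule.
SAMPLE_ROUTES = [
    ("10.1.2.0", "255.255.255.0", "192.168.1.254", 1),     # subnet route, mask fits
    ("10.1.2.5", "255.255.255.255", "26.0.0.2", 3),        # host route, host mask
    ("10.1.2.5", "255.255.255.0", "192.168.1.254", 1),     # host bits set under a /24 mask
    ("10.1.2.0", "255.255.255.0", "192.168.2.254", 1),     # next hop not directly reachable
    ("10.1.2.0", "255.255.255.0", "192.168.1.254", 17),    # cost above 16
]
```

Rejecting a route whose next hop is not on a connected subnet is the check that matters most operationally: such a route would silently black-hole traffic, since the router has no interface from which it could reach the next hop.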


IP Add UDP-Destination

Adds a UDP destination port number and IP address.

  1. Specify the UDP port number that will be forwarded to the IP address specified in the Destination IP address field.

    Note: Do not assign the same UDP port to multiple destinations.

    Valid Values: 0 to 65535

    Default Value: none

  2. Specify the IP address to which the router will forward the UDP port specified in the UDP Port field.

    Note: Do not assign the same UDP port to multiple destinations.

    Valid Values: any valid IP address

    Default Value: none

You can enter a broadcast or unicast IP address.

Repeat this option to add more than one IP address for the same UDP port. This causes the router to forward the packet to each of the IP addresses.

Select the Submit button.


IP Set Broadcast-Address

This option specifies the IP broadcast address that the router uses when broadcasting packets out a particular interface. IP broadcasts are most commonly used by the router when sending RIP update packets.

Broadcasts can take either the value local wire or the value network. Local-wire broadcast addresses are either all ones (255.255.255.255) or all zeros (0.0.0.0). Network-style broadcasts begin with the network and subnet portion of the IP interface address. The broadcast fill-pattern can be either 1 or 0. This indicates whether the rest of the broadcast address (that is, other than the network and subnet portions, if any) should be set to all ones or all zeros.

When receiving, the MSS Server router recognizes all forms of the IP broadcast address.

Enter an interface address that is to be the broadcast address.

Valid Values: any valid IP address (see examples in text above)

Default Value: none

Select the Submit button.
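The Python below is an added example, not code from the original help text or the MSS Server, that derives the four broadcast forms described above from an interface address and mask, chooses one by style and fill pattern, and shows the receive-side rule that every form is recognized as a broadcast. The function names are the example's own and the addresses come from the page's earlier examples.

```python
import ipaddress
from typing import Dict


def broadcast_forms(interface_addr: str, mask: str) -> Dict[str, str]:
    """The four broadcast styles described above for one interface: local-wire
    (all ones or all zeros) and network-style with fill pattern 1 or 0."""
    iface = ipaddress.IPv4Interface(f"{interface_addr}/{mask}")
    network = int(iface.network.network_address)   # network and subnet portion
    host_bits = ~int(iface.netmask) & 0xFFFFFFFF    # the rest of the address
    return {
        "local-wire, ones": "255.255.255.255",
        "local-wire, zeros": "0.0.0.0",
        "network, fill 1": str(ipaddress.IPv4Address(network | host_bits)),
        "network, fill 0": str(ipaddress.IPv4Address(network)),
    }


def choose_broadcast(interface_addr: str, mask: str, style: str, fill: int) -> str:
    """Address to configure for an interface: style is 'local-wire' or 'network',
    fill is 1 or 0 (for local-wire, the fill picks all ones or all zeros)."""
    if style not in ("local-wire", "network") or fill not in (0, 1):
        raise ValueError("style must be 'local-wire' or 'network', fill must be 0 or 1")
    if style == "local-wire":
        key = "local-wire, ones" if fill == 1 else "local-wire, zeros"
    else:
        key = f"network, fill {fill}"
    return broadcast_forms(interface_addr, mask)[key]


def is_broadcast(addr: str, interface_addr: str, mask: str) -> bool:
    """Receive side: every form is recognized as a broadcast on that interface."""
    return addr in broadcast_forms(interface_addr, mask).values()
```

For the interface 192.67.67.20 with mask 255.255.255.0, the network-style forms are 192.67.67.255 (fill 1) and 192.67.67.0 (fill 0); note that the fill-0 form coincides with the network address, which is why a receiver must treat it as a broadcast rather than as a host address.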


IP Set Cache-Size

This parameter specifies the maximum number of entries for the IP routing cache. The IP routing cache contains routing information for only the most recently routed destinations. The IP routing table contains routing information for all the routes.

The IP routing cache contains the following information on recently routed destinations:

If a destination is not in the cache, the router looks up the destination in the routing information table to make a forwarding decision.

Enter the number of cache entries.

Valid Values: 64 to 10000

Default Value: 64

Select the Submit button.


IP Set Default Network Gateway

Configures a route to the default network gateway. You should assume that the router's default gateway has more complete routing information than the router itself.

The route is specified by the IP address of the default gateway and the distance (cost) to the default gateway.

All packets having unknown destinations are forwarded to the default gateway.

  1. Enter the interface address that is to be the default network gateway.

    Valid Values: any valid IP address

    Default Value: 0.0.0.0 with a gateway cost of 1.

  2. Enter a cost associated with the gateway address.

    Valid Values: an integer in the range of [1 - 16]

    Default Value: 1

Select the Submit button.


IP Set Default Subnet Gateway

Configures a route to the default subnet gateway. You can configure a separate default subnet gateway for each subnetted network.

You must first provide the subnet address. Then, you must provide the IP address of the default subnet gateway and the distance (cost) to the default subnet gateway to specify the route.

All packets destined for unknown subnets of a known subnetted network are forwarded to the subnetted network's default subnet gateway.

  1. Enter the interface address that is to be the default subnet gateway.

    Valid Values: any valid IP address

    Default Value: 0.0.0.0 with a gateway cost of 1.

  2. Enter a cost associated with the gateway address.

    Valid Values: an integer in the range of [1 - 16]

    Default Value: 1

Select the Submit button.
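The Python below is an added example, not the router's own implementation, that ties together three sections above: the IP routing cache in front of the full routing table (IP Set Cache-Size), the default network gateway (IP Set Default Network Gateway), and a per-network default subnet gateway (IP Set Default Subnet Gateway). It assumes, as a modelling choice, that lookup is longest-prefix match, so a known subnet beats the subnetted network's default subnet gateway, which beats the 0.0.0.0/0 default network gateway; class and function names and the sample routes are the example's own.

```python
import ipaddress
from collections import OrderedDict
from typing import List, Optional, Tuple


class RoutingTable:
    """All routes, static and dynamic, bounded by the configured table size.
    Lookup is longest-prefix match (modelling assumption): a known subnet wins
    over the subnetted network's default subnet gateway, which in turn wins
    over the default network gateway at 0.0.0.0/0."""

    def __init__(self, max_entries: int = 768):
        self.max_entries = max_entries
        self.routes: List[Tuple[ipaddress.IPv4Network, str, int]] = []

    def add(self, network: str, next_hop: str, cost: int = 1) -> bool:
        if len(self.routes) >= self.max_entries:
            return False   # table too small: the route is discarded
        self.routes.append((ipaddress.IPv4Network(network), next_hop, cost))
        return True

    def set_default_network_gateway(self, gateway: str, cost: int = 1) -> bool:
        return self.add("0.0.0.0/0", gateway, cost)

    def set_default_subnet_gateway(self, subnetted_network: str, gateway: str, cost: int = 1) -> bool:
        return self.add(subnetted_network, gateway, cost)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, next_hop, cost in self.routes:
            if addr in net:
                rank = (net.prefixlen, -cost)   # most specific first, then lowest cost
                if best is None or rank > best[0]:
                    best = (rank, next_hop)
        return best[1] if best else None


class RoutingCache:
    """Holds only the most recently routed destinations; a miss goes to the table."""

    def __init__(self, table: RoutingTable, max_entries: int = 64):
        self.table = table
        self.max_entries = max_entries
        self._entries = OrderedDict()
        self.hits = self.misses = 0

    def next_hop(self, dst: str) -> Optional[str]:
        if dst in self._entries:
            self.hits += 1
            self._entries.move_to_end(dst)   # mark as most recently used
            return self._entries[dst]
        self.misses += 1
        next_hop = self.table.lookup(dst)
        if next_hop is not None:
            self._entries[dst] = next_hop
            if len(self._entries) > self.max_entries:
                self._entries.popitem(last=False)   # evict the least recently used
        return next_hop

    def flush(self) -> None:
        """Call after the table changes so stale next hops are not served from cache."""
        self._entries.clear()


def build_sample() -> Tuple[RoutingTable, RoutingCache]:
    """Constructed sample: 172.16.0.0 is a subnetted network with one known subnet;
    the cache is deliberately tiny (2 entries) to show eviction."""
    table = RoutingTable(max_entries=8)
    table.add("172.16.1.0/24", "172.16.1.254")                        # known subnet
    table.set_default_subnet_gateway("172.16.0.0/16", "172.16.1.1")   # unknown 172.16.x.0 subnets
    table.set_default_network_gateway("192.168.1.254")                # every other destination
    return table, RoutingCache(table, max_entries=2)
```

The flush() method is the caveat a practitioner should keep in mind: a cache of recent destinations is only correct while the table it was filled from is unchanged, so a route update must invalidate it, otherwise traffic keeps following a next hop that no longer exists.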


IP Set Internal IP Address

This parameter specifies the internal IP address that belongs to the router as a whole, and not to any particular interface. This IP address is independent of the state of any interface and is always considered active.

The primary reason for defining an internal address is to provide an address for a TCP connection that will not become inactive when an interface becomes inactive. The internal IP address also provides some value when unnumbered interfaces are used. It is the first choice as a source address for packets originated by this router and transmitted over an unnumbered interface. The stability of this address makes it easier to keep track of such packets.

This address is always reachable, regardless of the state of the interface. If the internal IP address and the router ID are set in the same router, the internal IP address takes precedence over the router ID.

To delete the internal IP address, specify the Internal IP Address as 0.0.0.0.

Enter the internal address you want to assign to the router.

Valid Values: any valid IP address.

Default Value: none

Select the Submit button.


IP Set Originate-RIP-Default

Causes the router to advertise itself as the default gateway.

Use this option in the following environment:

Traffic in the RIP network for destinations that are not known by RIP can follow the default path to this router. The more complete routing information in this node's route table can then be used to forward the traffic along an appropriate path towards its destination. You can configure the router to originate the default only when routes are known to this router that will not be advertised in the RIP network.

When you issue this command, you will be prompted whether to originate a RIP default for the other routing protocols your router is running.

This default route will direct traffic bound for a non-RIP network to a boundary router. Originating a single default route means that the boundary router does not have to distribute the other network's routing information to the other nodes in its network.

  1. Answering "Yes" to the Always originate default route? question means that a default route is always originated.

  2. When the router does decide to originate a RIP default, it uses the "original default cost" number. This number specifies the cost that RIP will advertise with the default route. The cost is used to advertise the shortest path for the default route to its border node.

    Valid Values: an integer in the range of [1 - 16]

    Default Value: 1

  3. Answering "Yes" to the BGP question originates a default whenever there are BGP routes in the routing table.

    If you answered Yes, enter the "from AS" number (the Autonomous System number).

    AS numbers are assigned by Stanford Research Institute Network Information Center.

    Valid Values: an integer in the range of [0 - 65535]

    Default Value: 0

    Also, enter the "to network" number.

    Valid Values: any valid IP address

    Default Value: none

  4. Answering "Yes" to the if OSPF routes available question causes the router to advertise itself as default when OSPF routes are in the routing table.

  5. When the router does decide to originate a RIP default, it uses the "original default cost" number. This number specifies the cost that RIP will advertise with the default route. The cost is used to advertise the shortest path for the default route to its border node.

    Valid Values: an integer in the range of [1 - 16]

    Default Value: 1

Select the Submit button.


IP Set Reassembly-Size

Configures the size of the buffers that are used for the reassembly of fragmented IP packets.

Enter the buffer size you want to use.

Default Value: 12000

Select the Submit button.


IP Set Routing Table-Size

Sets the size of the router's IP routing table. This table contains all the routing information (both statically and dynamically learned) for the router.

Setting the routing table size too small causes dynamic routing information to be discarded. Setting the routing table size too large wastes router memory resources.

Enter the number of entries (table size) you want to have in the routing table.

Valid Values: an integer number of entries in the range of [1 - 65535]

Default Value: 768 entries

Select the Submit button.