This chapter describes how to configure and maintain access control lists, which are used to permit or deny incoming or outgoing calls on the interfaces of Cisco DSLAMs with NI-2. This chapter includes these sections:
During initial configuration, perform these steps to use access control to filter setup messages:
Step 2 Create the ATM filter set or filter expression based on your requirements.
Step 3 Associate the filter set or filter expression to an interface using the atm access-group command.
Step 4 Confirm the configuration.
To configure an ATM template alias, use this command in global configuration mode:
Command | Task |
|---|---|
This example creates a template alias named training using the ATM address template 47.1328 and the ellipses (...) to enter the trailing 4-bit hexadecimal digits in the address:
DSLAM(config)# atm template-alias training 47.1328...
This example creates a template alias named bit_set with the ATM address template 47.9f9(1*0*).88ab... that matches the 4 addresses that begin with
DSLAM(config)# atm template-alias bit_set 47.9f9(1*0*).88ab...
This example creates a template alias named byte_wise with the ATM address template 47.9*F8.33... that matches all ATM addresses beginning with the 16 prefixes:
DSLAM(config)# atm template-alias byte_wise 47.9*F8.33...
This example shows the template aliases configured in the previous examples using the show running-config privileged EXEC command:
DSLAM# show running-config
Building configuration...
Current configuration:
!
version XX.X
no service pad
service udp-small-servers
service tcp-small-servers
!
hostname DSLAM
!
!
username dtate
ip rcmd remote-username dplatz
atm template-alias training 47.1328...
atm template-alias bit_set 47.9f9(1*0*).88ab...
atm template-alias byte_wise 47.9*f8.33...
!
<information deleted>
To create an ATM address filter or time-of-day filter, use this command in global configuration mode:
Command | Task |
|---|---|
This example creates a filter named filter_1 that permits access to the specific ATM address 47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00:
DSLAM(config)# atm filter-set filter_1 permit 47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00
This example creates a filter named filter_2 that denies access to the specific ATM address 47.0000.8100.5678.0003.c386.b301.0003.c386.b301.00, but allows access to all other ATM addresses:
DSLAM(config)# atm filter-set filter_2 deny 47.0000.8100.5678.0003.c386.b301.0003.c386.b301.00
DSLAM(config)# atm filter-set filter_2 permit default
This example creates a filter named filter_3 that denies access to all ATM addresses that begin with the prefix 47.840F, but permits all other calls:
DSLAM(config)# atm filter-set filter_3 deny 47.840F...
DSLAM(config)# atm filter-set filter_3 permit default
Note: The order in which deny and permit filters are configured is very important. See the next example.
In this example, the filter set filter_4 has its first filter configured to permit all addresses and its second filter configured to deny access to all addresses that begin with the prefix 47.840F. Because the default filter matches all addresses, the second filter is never used, so addresses that begin with prefix 47.840F are also permitted.
DSLAM(config)# atm filter-set filter_4 permit default
DSLAM(config)# atm filter-set filter_4 deny 47.840F...
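The ordering pitfall above, modelled as an added example (a Python sketch written for this page, not Cisco code): it parses `atm filter-set` address entries, evaluates a calling address first-match-wins, and flags entries made unreachable by an earlier `default`. The template semantics are assumptions inferred from this chapter's examples; template aliases and time-of-day entries are not handled, and the calling address is constructed.

```python
import re

def template_to_regex(template):
    """Compile an ATM address template to a regex over hex digits.
    Assumed semantics, inferred from this page's examples: dots are only
    separators, '*' is any one hex digit, '(1*0*)' is one digit written as
    four bits with wildcards, and a trailing '...' matches any remainder."""
    open_ended = template.endswith("...")
    body = (template[:-3] if open_ended else template).replace(".", "").lower()
    parts = []
    for tok in re.findall(r"\([01*]{4}\)|[0-9a-f*]", body):
        if tok == "*":
            parts.append("[0-9a-f]")
        elif tok.startswith("("):
            bits = tok[1:-1]
            parts.append("[" + "".join(
                format(d, "x") for d in range(16)
                if all(b in ("*", format(d, "04b")[i]) for i, b in enumerate(bits))
            ) + "]")
        else:
            parts.append(tok)
    return re.compile("".join(parts) + ("[0-9a-f]*" if open_ended else ""))

def parse_filter_sets(config):
    """Collect (action, template) entries per filter set, in configured order."""
    sets = {}
    for name, action, template in re.findall(
            r"atm filter-set (\S+) (permit|deny) (\S+)", config):
        sets.setdefault(name, []).append((action, template))
    return sets

def evaluate(entries, address):
    """First matching entry decides; None means nothing matched."""
    addr = address.replace(".", "").lower()
    for action, template in entries:
        if template == "default" or template_to_regex(template).fullmatch(addr):
            return action
    return None

def shadowed(entries):
    """Entries placed after a 'default' entry can never be reached."""
    templates = [t for _, t in entries]
    return entries[templates.index("default") + 1:] if "default" in templates else []

# The filter_3 and filter_4 commands from this page; the address is constructed.
CONFIG = """atm filter-set filter_3 deny 47.840F...
atm filter-set filter_3 permit default
atm filter-set filter_4 permit default
atm filter-set filter_4 deny 47.840F..."""
SETS = parse_filter_sets(CONFIG)
CALLER = "47.840F.8100.1234.0003.c386.b301.0003.c386.b301.00"

if __name__ == "__main__":
    for name, entries in SETS.items():
        print(name, evaluate(entries, CALLER), "unreachable:", shadowed(entries))
```

Running the same `shadowed` check over the filter sets in a saved running-config is a quick way to catch a deny entry that was appended after `permit default`.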
This example creates a filter named filter_5 that denies access to all ATM addresses described by the ATM template alias bad_users:
DSLAM(config)# atm filter-set filter_5 deny bad_users
DSLAM(config)# atm filter-set filter_5 permit default
This example shows how to configure a filter set named tod1, with an index of 2, to deny calls between 11:15 a.m. and 10:45 p.m.:
DSLAM(config)# atm filter-set tod1 index 2 deny time-of-day 11:15 22:45
DSLAM(config)# atm filter-set tod1 index 3 permit time-of-day anytime
This example shows how to configure a filter set named tod1, with an index of 4, to permit calls any time:
DSLAM(config)# atm filter-set tod1 index 4 permit time-of-day anytime
This example shows how to configure a filter set named tod2 to deny calls between 6:00 a.m. and 8:00 p.m.:
DSLAM(config)# atm filter-set tod2 deny time-of-day 20:00 06:00
DSLAM(config)# atm filter-set tod2 permit time-of-day anytime
This example shows how to configure a filter set named tod2 to permit calls at any time:
DSLAM(config)# atm filter-set tod2 permit time-of-day 3:30 3:30
After you create a filter set using the previous configuration commands, it must be associated with an interface as an access group to actually filter any calls (see the "Configuring ATM Interface Access Control" section).
To delete an ATM filter set, use this command in global configuration mode:
Command | Task |
|---|---|
This example shows how to display and delete filter sets:
DSLAM# show atm filter-set
ATM filter set tod1
deny From 11:15 Hrs Till 22:45 Hrs index 2
permit From 0:0 Hrs Till 0:0 Hrs index 4
ATM filter set tod2
deny From 20:0 Hrs Till 6:0 Hrs index 1
permit From 3:30 Hrs Till 3:30 Hrs index 2
DSLAM# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
DSLAM(config)# no atm filter-set tod1 index 2
DSLAM(config)# no atm filter-set tod2
DSLAM(config)# end
DSLAM#
%SYS-5-CONFIG_I: Configured from console by console
DSLAM# show atm filter-set
ATM filter set tod1
permit From 0:0 Hrs Till 0:0 Hrs index 4
In order, the commands in this example:
1. Display the existing filter sets using the show atm filter-set command.
2. Change to EXEC configuration mode.
3. Delete the specific filter-set tod1 index 1.
4. Delete the entire filter-set tod2.
5. Display the modified filter sets using the show atm filter-set command.
To create global ATM filter expressions, perform these steps in global configuration mode:
Step | Command | Task |
|---|---|---|
This example defines a simple filter expression that has only one term and no operators:
DSLAM(config)# atm filter-expr training filter_1
This example defines a filter expression using the not operator:
DSLAM(config)# atm filter-expr training not filter_1
This example defines a filter expression using the or operator:
DSLAM(config)# atm filter-expr training filter_2 or filter_1
This example defines a filter expression using the and operator:
DSLAM(config)# atm filter-expr training filter_1 and source filter_2
This example defines a filter expression using the xor operator:
DSLAM(config)# atm filter-expr training filter_2 xor filter_1
To subscribe an ATM interface to an existing ATM filter set or filter expression, perform these steps, beginning in global configuration mode:
Step | Command | Task |
|---|---|---|
This example shows how to configure access control for outgoing calls on ATM interface 0/1:
DSLAM(config)# interface atm 0/1
DSLAM(config-if)# atm access-group training out
This example configures access control for both outgoing and incoming calls on ATM interface 0/1 and displays the configured ATM filters:
DSLAM(config)# interface atm 0/1
DSLAM(config-if)# atm access-group training out
DSLAM(config-if)# atm access-group marketing in
DSLAM# show atm filter-set
ATM filter set tod1
deny From 11:15 Hrs Till 22:45 Hrs index 2
permit From 0:0 Hrs Till 0:0 Hrs index 4
ATM filter set tod2
deny From 20:0 Hrs Till 6:0 Hrs index 1
permit From 3:30 Hrs Till 3:30 Hrs index 2
DSLAM# show atm filter-expr
training = dest filter_1
This section provides a complete access filter configuration example using the information described in the preceding sections.
The sample network configuration used in this filter set configuration scenario is shown in Figure 12-1.

This example shows how to configure the Filter Switch, shown in Figure 12-1, to deny access to all calls received on ATM interface 0/1 from the workstations directly attached to the Lab Switch, but to allow all other calls. The Filter Switch denies all calls if the calling party address begins with the prefix 47.0091.8100.0000.2222.2222.FFFF:
Filter Switch(config)# atm template-alias lab-sw 47.0091.8100.0000.2222.2222.FFFF...
Filter Switch(config)# atm filter-set filter_1 deny lab-sw
Filter Switch(config)# atm filter-set filter_1 permit default
Filter Switch(config)# atm filter-expr exp1 src filter_1
Filter Switch(config)#
Filter Switch(config)# interface atm 0/1
Filter Switch(config-if)# atm access-group exp1 in
Filter Switch(config-if)# end
Filter Switch# show atm filter-set
ATM filter set filter_1
deny 47.0091.8100.0000.2222.2222.ffff... index 1
permit default index 2
Filter Switch# show atm filter-expr
exp1 = src filter_1
The DSLAM allows you to configure per-interface access filters for ILMI address registration to override the global default of access filters.
To configure ILMI address registration and the optional access filters for a specified interface, perform these tasks, beginning in global configuration mode:
Step | Command | Task |
|---|---|---|
This example shows how to configure ILMI address registration on an individual interface to permit all groups with a matching ATM address prefix and displays the interface ILMI address registration access filter configuration:
DSLAM(config)# interface atm 0/1
DSLAM(config-if)# atm address-registration permit matching-prefix all-groups
%ATM-5-ILMIACCFILTER: New access filter setting will be applied to registration of new addresses on ATM0/1.
DSLAM(config-if)#
DSLAM# show running-config
Building configuration...
Current configuration:
!
version XX.X
no service pad
<Information Deleted>
interface ATM0/0
 no ip address
 atm maxvp-number 0
!
interface Ethernet0/0
 ip address 172.20.41.110 255.255.255.0
 ip access-group 102 out
!
interface ATM0/1
 no atm auto-configuration
 atm address-registration permit matching-prefix all-groups
 atm iisp side user
 atm pvc 100 200
 atm signalling cug access permit-unknown-cugs both-direction permanent
 atm accounting
!
interface ATM0/2
!
<information deleted>
Posted: Tue Sep 19 10:56:38 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.