
Cisco SCE2020-4XGBE-SM - Options

Cisco SCE2020-4XGBE-SM
512 pages
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 5 Configuring the Management Interface and Security
Configuring the Available Interfaces
You can create up to 99 access lists. Access lists can be associated with system access on the following levels:

• Global (IP) level: If a global list is defined using the ip access-class command, when a request comes in, the SCE platform first checks whether access is permitted from that IP address. If not, the SCE does not respond to the request. Configuring the SCE platform to deny a certain IP address precludes communicating with that address using any IP-based protocol, including Telnet, FTP, ICMP and SNMP. The basic IP interface is low-level, blocking the IP packets before they reach the interfaces.

• Interface level: Access to each management interface (Telnet, SNMP, etc.) can be restricted to an access list. Interface-level lists are, by definition, a subset of the global list defined. If access is denied at the global level, the IP address is not allowed access through any of the interfaces. Once an access list is associated with a specific management interface, that interface checks the access list to determine whether a specific external IP address trying to access the management interface has permission.

Several management interfaces can be associated with the same access list, if this is the desired behavior of the SCE platform.

If no ACL is associated with a management interface or with the global IP level, access is permitted from all IP addresses.
Note: The SCE platform will respond to ping commands only from IP addresses that are allowed access. Pings from a non-authorized address will not receive a response from the SCE platform, as ping uses the ICMP protocol.
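The two-level check described above can be modelled in a few lines, which helps when reviewing a planned ACL layout for interfaces left open by the permit-all default. This is an added example, not code from the Cisco guide; the function names, the sample policy, the use of CIDR networks in place of the address/mask notation, and the first-match and deny-on-no-match evaluation rules are all assumptions of the example.

```python
import ipaddress

def acl(*entries):
    """Build an ordered ACL from (action, network) pairs."""
    # Assumption: CIDR networks stand in for the platform's address/mask notation.
    return [(action, ipaddress.ip_network(net)) for action, net in entries]

def check_acl(entries, src):
    """Return True if src is permitted by one access list.

    entries=None means no ACL is associated, which permits every address.
    Assumptions: entries are tested in order, the first match decides, and
    an address that matches no entry is denied.
    """
    if entries is None:
        return True
    addr = ipaddress.ip_address(src)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False

def access_decision(global_acl, interface_acls, interface, src):
    """Apply the global (IP) level first, then the interface-level list."""
    if not check_acl(global_acl, src):
        return "no response: denied at global level"
    if not check_acl(interface_acls.get(interface), src):
        return f"denied by {interface} access list"
    return "permitted"

def interfaces_without_acl(interface_acls, interfaces):
    """Audit helper: management interfaces with no interface-level ACL."""
    return [name for name in interfaces if interface_acls.get(name) is None]

# Constructed sample policy (documentation address ranges, not from the guide).
GLOBAL_ACL = acl(("deny", "192.0.2.66/32"), ("permit", "192.0.2.0/24"),
                 ("permit", "198.51.100.0/24"))
INTERFACE_ACLS = {"telnet": acl(("permit", "192.0.2.10/32"))}  # snmp has none

if __name__ == "__main__":
    for iface, src in [("telnet", "192.0.2.10"), ("telnet", "192.0.2.66"),
                       ("telnet", "198.51.100.5"), ("snmp", "198.51.100.5")]:
        print(iface, src, "->", access_decision(GLOBAL_ACL, INTERFACE_ACLS, iface, src))
    print("no ACL:", interfaces_without_acl(INTERFACE_ACLS, ["telnet", "snmp"]))
```

In the sample, SNMP has no interface-level list, so any address the global list admits can reach it; the audit helper surfaces exactly that case.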
Options

The following options are available:

• number — the ID number assigned to the Access Control List
• ip-address — the IP address of the interface to be permitted or denied. Enter in x.x.x.x format.
• ip-address/mask — configures a range of addresses in the format x.x.x.x y.y.y.y where x.x.x.x specifies the prefix bits common to all IP addresses in the range, and y.y.y.y is a wildcard-bits mask specifying the bits that are ignored. In this notation, ‘0’ means bits to ignore.

The following keywords are available:

• permit — the specified IP addresses have permission to access the SCE platform.
• deny — the specified IP addresses are denied access to the SCE platform.
