Identifying Traffic for AAA Rules (Extended) - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide

Chapter 10
Controlling Network Access with Access Control Lists
ACLs to allow ICMP in both directions (by applying ACLs to the source and destination interfaces), or
you need to enable the ICMP inspection engine (see the "ICMP Inspection Engine" section on
page 13-10). The ICMP inspection engine treats ICMP sessions as stateful connections.

You can apply one ACL of each type to each direction of an interface. You can also apply the same ACLs
on multiple interfaces.

To control network access for IP traffic, perform the following task: create and apply the ACL according
to the "Adding an Extended Access Control List" section on page 10-13.

Allowing Special Traffic through the Transparent Firewall

In routed firewall mode, some types of traffic are blocked even if you allow them in an ACL, including
unsupported dynamic routing protocols, DHCP (unless you configure DHCP relay), and multicast
traffic. Transparent firewall mode can allow any IP traffic through. Because these special types of traffic
are connectionless, you need to apply an ACL to both interfaces, so returning traffic is allowed through.
Table 10-2 lists common traffic types that you can allow through the transparent firewall. See
Appendix D, "Addresses, Protocols, and Ports Reference," for more protocols and ports.

Table 10-2 Transparent Firewall Special Traffic

Traffic Type        Protocol or Port                  Notes
BGP (1)             TCP port 179
DHCP (2)            UDP ports 67 and 68               If you enable the DHCP server, then the FWSM
                                                      does not pass DHCP packets.
EIGRP (3)           Protocol 88
Multicast streams   The UDP ports vary depending      Multicast streams are always destined to a
                    on the application.               Class D address (224.0.0.0 to 239.x.x.x).
OSPF                Protocol 89
RIP (v1 or v2)      UDP port 520

1. Border Gateway Protocol
2. Dynamic Host Configuration Protocol
3. Enhanced Interior Gateway Routing Protocol

Identifying Traffic for AAA Rules (Extended)

ACLs can be used with AAA in several ways.

To identify traffic for network access authorization using a TACACS+ server, perform the following
tasks:

a. Add the ACL using the "Adding an Extended Access Control List" section on page 10-13.
   Permit entries in the ACL mark matching traffic for authorization, while deny entries exclude
   matching traffic from authorization.

b. Apply the ACL using the aaa authorization match command in the "Configuring TACACS+
   Authorization" section on page 12-24.

Access Control List Overview
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
10-3
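The following configuration is an added example for the "Allowing Special Traffic through the Transparent Firewall" section above; it is not taken from the manual. It shows the mistake the section warns about (a routing-protocol ACL bound to only one interface) next to the corrected form (the same ACL bound inbound on both interfaces). The interface names inside and outside, the ACL name ROUTING_IN, and the choice of protocols from Table 10-2 are assumptions; the syntax is the FWSM 2.x (PIX-style) access-list and access-group form.

```cisco
! Added example, not from the manual. Interface and ACL names are placeholders.
!
! One extended ACL covering the connectionless traffic from Table 10-2:
! OSPF (protocol 89), EIGRP (protocol 88), RIP (UDP 520), DHCP (UDP 67/68)
! and UDP multicast to the Class D range 224.0.0.0/4 (mask 240.0.0.0).
! BGP (TCP 179) is included for completeness; it is listed in the table.
access-list ROUTING_IN extended permit ospf any any
access-list ROUTING_IN extended permit eigrp any any
access-list ROUTING_IN extended permit udp any any eq rip
access-list ROUTING_IN extended permit udp any eq bootpc any eq bootps
access-list ROUTING_IN extended permit udp any eq bootps any eq bootpc
access-list ROUTING_IN extended permit udp any 224.0.0.0 240.0.0.0
access-list ROUTING_IN extended permit tcp any any eq bgp

! Weak: the ACL is bound to the outside interface only. These protocols are
! connectionless, so no connection entry is created that would let the reply
! (or the peer's own hello/update) back in; the inside interface's implicit
! deny drops the inside-to-outside packets and adjacencies never form.
access-group ROUTING_IN in interface outside

! Corrected: bind the same ACL inbound on the other interface as well, so the
! traffic is permitted in both directions as the section requires.
access-group ROUTING_IN in interface inside
```

Two caveats from the rules stated in this chapter: only one extended ACL can be bound per direction per interface, so binding ROUTING_IN to an interface replaces any ACL already there; in practice merge these entries into each interface's existing inbound ACL rather than swapping it out. Verify with show access-list ROUTING_IN, which reports a hit count per entry; an entry whose count only rises on one interface's copy is the symptom of the one-sided binding shown above. Per Table 10-2, also leave the FWSM's own DHCP server disabled if DHCP must pass through.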

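The following configuration is an added example for the two-step TACACS+ authorization procedure in "Identifying Traffic for AAA Rules (Extended)" above; it is not taken from the manual. It assumes a TACACS+ server at 10.1.1.10 reachable on the inside interface, the server tag TACACS, the shared key S3cr3tKey, the ACL names AAA_MATCH and INSIDE_IN, and an inside network of 10.1.1.0/24; all of these are placeholders. The syntax is the FWSM 2.x (PIX-style) form of aaa-server; FWSM 3.x uses a sub-mode for the key. That authorization must be paired with authentication is standard FWSM behaviour, not something this page states.

```cisco
! Added example, not from the manual. Addresses, names and the key are placeholders.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.1.1.10 S3cr3tKey timeout 10

! Step a: the match ACL identifies traffic, it does not filter it.
!   permit = matching traffic is subject to TACACS+ authentication/authorization
!   deny   = matching traffic is exempt from AAA (it is NOT blocked here)
! First match wins, so the exemption for host 10.1.1.50 precedes the subnet entry.
access-list AAA_MATCH extended deny tcp host 10.1.1.50 any eq www
access-list AAA_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AAA_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet

! Step b: apply the ACL. Authorization needs an authenticated user, so the
! same match ACL is used for authentication as well.
aaa authentication match AAA_MATCH inside TACACS
aaa authorization match AAA_MATCH inside TACACS

! What is allowed through at all is still decided by the interface ACL
! (see "Adding an Extended Access Control List"); a deny in AAA_MATCH
! only removes traffic from the AAA check.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-group INSIDE_IN in interface inside
```

The security-relevant point is the difference between the two ACLs: a deny entry in the aaa match ACL is an exemption, so anything you exempt from AAA must still be constrained by the access-group ACL, or it passes unauthenticated and unfiltered. Keep the match ACL narrower than, or equal to, the interface ACL, and review show access-list AAA_MATCH hit counts after a change to confirm the intended hosts are actually being sent to the TACACS+ server.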