Cisco SCE8000 Configuration Manual page 88

Configuring the Available Interfaces
About Access Control Lists
The SCE platform can be configured with Access Control Lists (ACLs), which are used to globally
permit or deny incoming connections on the management interface. An access list is an ordered list of
entries, each consisting of an IP address and an optional wildcard "mask" defining an IP address range,
and a permit/deny field.
The order of the entries in the list is important. The default action of the first entry that matches the
connection is used. If no entry in the Access List matches the connection, or if the Access List is empty,
the default action is deny.
Configuration of system access is done in two stages:
1. Creating an access list. (See How to Add Entries to an ACL, page 5-21)
2. Enabling the access list. (See How to Enable an ACL, page 5-21)
Creating an access list is done entry by entry, from the first to the last.
When the system checks for an IP address on an access list, the system checks each line in the access
list for the IP address, starting at the first entry and moving towards the last entry. The first match that
is detected (that is, the IP address being checked is found within the IP address range defined by the
entry) determines the result, according to the permit/deny flag in the matched entry. If no matching entry
is found in the access list, access is denied.
You can create up to 99 access lists.
An ACL is enabled by the ip access-class command. If an ACL is enabled, when a request comes in,
the SCE platform first checks if there is permission for access from that IP address. If not, the SCE does
not respond to the request. The basic IP interface is low-level, blocking the IP packets before they reach
the interfaces.
If no ACL is enabled, access is permitted from all IP addresses.
Note: The SCE platform will respond to ping commands only from IP addresses that are allowed access. Pings from a non-authorized address will not receive a response from the SCE platform, because ping uses the ICMP protocol.
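The evaluation rules above (ordered entries, first match wins, implicit deny when nothing matches or the list is empty, permit-all when no ACL is enabled) are easy to get wrong in practice, most often by placing a broad deny ahead of a narrower permit so the permit can never be reached. The following Python model is an added illustration, not code from Cisco or from the SCE platform: it evaluates a constructed access list exactly as the text describes and reports entries that are shadowed by earlier ones. The wildcard handling follows the page's statement that a '0' bit in the y.y.y.y mask is ignored; classic Cisco IOS wildcard masks use the opposite convention ('1' = ignore), so the matcher takes a `zero_means_ignore` flag (an assumption of this example) and you should confirm which convention your platform uses before relying on a range entry. The list-number range 1..99 is likewise an assumption drawn from "up to 99 access lists".

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Hypothetical model of an SCE-style management ACL; constructed for this example.

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    address: str                     # x.x.x.x
    wildcard: Optional[str] = None   # y.y.y.y; None means exact host match

    def care_bits(self, zero_means_ignore: bool = True) -> Tuple[int, int]:
        """Return (base, care): an IP matches iff (ip & care) == base."""
        addr = int(IPv4Address(self.address))
        if self.wildcard is None:
            care = 0xFFFFFFFF                      # every bit must match
        else:
            wc = int(IPv4Address(self.wildcard))
            # Page convention: '0' wildcard bits are ignored, so '1' bits are compared.
            # IOS convention is the inverse ('1' = ignore); select with the flag.
            care = wc if zero_means_ignore else (~wc & 0xFFFFFFFF)
        return addr & care, care

    def matches(self, ip: str, zero_means_ignore: bool = True) -> bool:
        base, care = self.care_bits(zero_means_ignore)
        return (int(IPv4Address(ip)) & care) == base


@dataclass
class AccessList:
    number: int
    entries: List[AclEntry] = field(default_factory=list)
    zero_means_ignore: bool = True   # assumption: follow the page's wildcard wording

    def __post_init__(self) -> None:
        # Assumption: lists are numbered 1..99 ("up to 99 access lists").
        if not 1 <= self.number <= 99:
            raise ValueError("access list number must be 1..99")

    def add(self, action: str, address: str, wildcard: Optional[str] = None) -> None:
        """Entries are appended, so the order of add() calls is the evaluation order."""
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        self.entries.append(AclEntry(action, address, wildcard))

    def evaluate(self, ip: str) -> Tuple[str, Optional[int]]:
        """First matching entry decides; no match (or empty list) is an implicit deny."""
        for idx, entry in enumerate(self.entries):
            if entry.matches(ip, self.zero_means_ignore):
                return entry.action, idx
        return "deny", None

    def shadowed_entries(self) -> List[int]:
        """Indices of entries that can never match because an earlier entry covers their whole range."""
        shadowed = []
        ranges = [e.care_bits(self.zero_means_ignore) for e in self.entries]
        for j, (base_j, care_j) in enumerate(ranges):
            for base_i, care_i in ranges[:j]:
                # Earlier range is a superset when it compares a subset of the bits
                # and agrees with the later entry on every bit it does compare.
                addr_j = int(IPv4Address(self.entries[j].address))
                if (care_i & care_j) == care_i and (addr_j & care_i) == base_i:
                    shadowed.append(j)
                    break
        return shadowed


def management_access_allowed(acl: Optional[AccessList], ip: str) -> bool:
    """Mirror of 'ip access-class': no ACL enabled means every source is permitted."""
    if acl is None:
        return True
    decision, _ = acl.evaluate(ip)
    return decision == "permit"


def build_sample_acl() -> AccessList:
    """Constructed sample: the host permit on line 2 is shadowed by the /8 deny on line 1."""
    acl = AccessList(1)
    acl.add("deny", "10.0.0.0", "255.0.0.0")          # page convention: 10.0.0.0/8
    acl.add("permit", "10.1.1.5")                       # unreachable: already denied above
    acl.add("permit", "192.168.1.0", "255.255.255.0")   # page convention: 192.168.1.0/24
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for probe in ("10.1.1.5", "192.168.1.77", "172.16.0.1"):
        print(probe, acl.evaluate(probe))
    print("shadowed entries:", acl.shadowed_entries())
```

Running the sample shows 10.1.1.5 denied by entry 0 despite the later permit, 192.168.1.77 permitted by entry 2, and 172.16.0.1 denied with no matching entry. Review the `shadowed_entries()` output whenever an ACL is edited, since a shadowed permit is the usual cause of an unexpectedly locked-out management station, and a shadowed deny is the usual cause of an unexpectedly open one.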
Options
The following options are available:
number — the ID number assigned to the Access Control List
ip-address — the IP address of the interface to be permitted or denied. Enter in x.x.x.x format.
ip-address/mask — configures a range of addresses in the format x.x.x.x y.y.y.y where x.x.x.x specifies the prefix bits common to all IP addresses in the range, and y.y.y.y is a wildcard-bits mask specifying the bits that are ignored. In this notation, '0' means bits to ignore.
The following keywords are available:
permit — the specified IP addresses have permission to access the SCE platform.
deny — the specified IP addresses are denied access to the SCE platform.
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S, Chapter 5 Configuring the Management Interface and Security, page 5-20, OL-16479-01