Bay Networks 5393 User Manual page 34

Release 5.1 Supplement for Remote Annexes
CLI Command Filtering
You can make certain CLI commands unavailable to the user. This feature
uses the Annex-CLI-Filter (VSA Bay Networks 30) attribute to specify
a list of CLI commands that the user cannot access. You must specify
each filtered command in a separate attribute. Entering filtered commands
generates the error message "CLI: Command not found." This feature is
identical to the climask entry in the acp_userinfo file used with the ACP
security regime.
CLI IP Host Filtering
You can prevent the user from gaining access, via rlogin or telnet, to a
specific host or host-transport port combination. You can do this with a
list of Annex-Host-Restrict (VSA Bay Networks 31) and Annex-Host-
Allow (VSA Bay Networks 32) attributes. The values of each of these
attributes is a composite string value. The first four bytes contain, in
network order, the IP address that the user should be specifically restricted
from using or allowed to use. Trailing bytes that are zero are interpreted
to match all values of that byte. Thus, 132.245.0.0 means everything on
the 132.245.0.0 subnet, while 0.0.0.0 means every host on the entire
WAN. The remainder of the string is a printable comma-delimited list or
dash-delimited range of TCP or UDP ports that the user is restricted from
using or allowed to use. For example, "23,101" would restrict/allow usage
of ports 23 and 101, while "17-105" would restrict/allow usage of ports
17 to 105. This feature is identical to the acp_restrict file used with the
ACP security regime.
To determine if a user can gain access to a host-port, each attribute is
processed in the order in which it was received. Processing stops when a
host-port match is found. The user is restricted access if the attribute that
matched was an Annex-Host-Restrict (VSA Bay Networks 31)
attribute. Otherwise, the user is allowed access.
119346-A Rev. A
16