Enterasys Security Router User's Guide

Configuration Examples
16-34 Configuring Security on the XSR
XSR(config)#ip firewall policy radius internal internal Radius allow bidirectional
XSR(config)#ip firewall policy RADacct internal internal Radius_ACCT allow bidirectional
Configuring Simple Security
This configuration offers simple protection for the XSR. The firewall feature set is not used. First,
perform standard port configuration:
XSR(config)#interface FastEthernet 1
XSR(config-if<F1>)#ip address 192.168.10.1 255.255.255.0
XSR(config-if<F1>)#no shutdown
XSR(config)#controller t1 0/2/0
XSR(config-controller<T1/2>)#no shutdown
XSR(config)#interface serial 2/0:0
XSR(config-if<S2/0:0>)#encapsulation ppp
XSR(config-if<S2/0:0>)#ip add 192.168.20.10 255.255.255.0
XSR(config-if<S2/0:0>)#no shutdown
Formulate access lists of allowed and prohibited network addresses:
XSR(config)#access-list 1 permit 192.168.10.0 0.0.0.255
XSR(config)#access-list 1 permit 192.168.20.0 0.0.0.255
XSR(config)#access-list 2 permit host 192.168.9.32
XSR(config)#access-list 100 deny ip any host 192.168.1.15
XSR(config)#access-list 100 deny any host 192.168.1.15 any
XSR(config)#access-list 100 deny ip tcp host 192.168.1.15 any
XSR(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
XSR(config)#access-list 100 permit ip any 192.168.1.0 0.0.0.255
Apply the access list to the network interfaces; anything that is not explicitly permitted is filtered out by default (the implicit deny at the end of every list).
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip access-group 1 in
XSR(config-if<F1>)#ip access-group 1 out
XSR(config)#interface serial 2/0:0
XSR(config-if<S2/0:0>)#ip access-group 1 in
XSR(config-if<S2/0:0>)#ip access-group 1 out
For security reasons, you can limit the traffic type to certain ICMP/UDP/TCP/AH, ESP, and GRE ports. To use traffic type as a criterion, enter the extended access-list command, with numbers ranging from 100 to 199. The standard access-list command employs numbers ranging from 1 to 99 and can filter traffic by source IP address(es) only.
Write ACLs to permit Telnet and HTTP sessions. Once the access list is applied to the port, only this type of traffic is allowed to pass through.
XSR(config)#access-list 100 permit tcp any any eq 23
XSR(config)#access-list 100 permit tcp any any eq 80
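To make the standard-versus-extended distinction, first-match ordering and the implicit deny concrete, the following is an added Python simulator (not Enterasys code) that parses access-list lines in the syntax shown above and evaluates a packet against a chosen list. The sample list is constructed from this page's entries, using port 23 for the Telnet rule; the two `deny` entries whose syntax is ambiguous are left out.

```python
import ipaddress

# Constructed sample: the standard and extended lists shown on this page.
SAMPLE_ACL = """\
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit host 192.168.9.32
access-list 100 deny ip any host 192.168.1.15
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 permit tcp any any eq 23
access-list 100 permit tcp any any eq 80""".splitlines()

def _addr_match(tok, i, ip):
    """Match 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (matched, next i)."""
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return ip == tok[i + 1], i + 2
    base = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))  # wildcard: 1 bits are don't-care
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild), i + 2

def parse_acl(lines):
    """Group 'access-list N action ...' lines by N, preserving entry order."""
    acls = {}
    for tok in (line.split() for line in lines):
        if len(tok) >= 4 and tok[0] == "access-list":
            acls.setdefault(int(tok[1]), []).append((tok[2], tok[3:]))
    return acls

def _entry_match(number, tok, pkt):
    extended = number >= 100              # 100-199: protocol, src, dst, [eq port]
    if extended and tok[0] not in ("ip", pkt["proto"]):
        return False
    ok, i = _addr_match(tok, 1 if extended else 0, pkt["src"])
    if not ok or not extended:
        return ok                         # standard lists (1-99) test the source only
    ok, i = _addr_match(tok, i, pkt["dst"])
    if ok and i < len(tok) and tok[i] == "eq":
        ok = int(tok[i + 1]) == pkt["dport"]
    return ok

def evaluate(acls, number, pkt):
    """First matching entry decides; nothing matching means implicit deny."""
    for action, tok in acls.get(number, []):
        if _entry_match(number, tok, pkt):
            return action
    return "deny"
```

Packets are plain dicts with `proto`, `src`, `dst` and `dport`; note that the `deny ... host 192.168.1.15` entry wins over the later permits because evaluation stops at the first match.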
Create a username with an encrypted password (using the secret option) that is entered as clear text (using the 0 option).
XSR(config)#username larry password secret 0 larryj