User's Manual Part 2



44JadeOSUserManual

Chapter7 Network Security

JadeOSisalwaysdeployedingateway,whichmuchdatagoesthroughit.Thenetwork

environmentofequipmentisverycomplexandfacesnetworksecuritythreat.This

chapterwilldescribeJadeOSnetworksecurityandhowtoconfigureit.

7.1AccessControlList(ACL)

AccessControlList(ACL)definesthenetworkaccess.ACListhecombinationofrules;

eachrulecanspecifyonematc hedruleandoneoperation.Matchedruleisbasedon

IPaddressorportnumber;operationis‘permit’or‘deny’ .TheACListomatchrules

insequence.

JadeOShaveanimplicitruleof‘deny’foreachACL,soyoushouldaddthecorre‐

spondingruleandspecifytheoperationis‘permit’ifyouwanttoallowonetypeof

trafficgothroughit.ThroughACL,wecancontrolusers’trafficexactlysothattoen‐

surenetworksecurity.

7.1.1StandardACL

StandardACLrulecanspecifytheoperationis‘deny’or‘permit’;thematchedruleis

any,ipaddressandnetworksegment.

Step1CreateastandardACLnamedtest‐standard

 (JadeOS) (config)#ip access-list standard test-standard

Step2Denyallthetrafficinnetworksegment192.168.1.0/255.255.255.0

(JadeOS) (config-std-test-standard)#deny 192.168.1.0 255.255.255.0

Step3Allowallthetrafficinnetworksegment192.168.0.0/255.255.0.0

(JadeOS) (config-std-test-standard)#permit 192.168.0.0 255.255.0.0

Step4Denyalltheothertraffic.

(JadeOS) (config-std-test-standard)#deny any

7.1.2ExtendedACL

ExtendedACLcanspecifytheoperationis‘deny’or‘permit’;thematchedrulecan

specifytheprotocolnumber(any,tcp,udp,icmp,igmp),sourceIPaddressornetwork

segment,destinationIPaddressornetworksegment,rangeofportnumber.

Step1CreateextendedACLnamedtest‐extended

 (JadeOS) (config)#ip access-list standard test-extended

