Central Site Remote Access Switch 307
CONFIGURING ADVANCED IP ROUTING
IP Filters

Action    Conditions                                  Description
FORWARD   IP Src:  0.0.0.0, 0.0.0.0                   Permits any host to access the FTP Server.
          IP Dst:  255.255.255.255, 128.131.25.10
          IP Prot: ANY
FORWARD   IP Src:  0.0.0.0, 0.0.0.0                   Permits any host to access the WWW Server.
          IP Dst:  255.255.255.255, 128.131.25.12
          IP Prot: ANY
FORWARD   IP Src:  0.0.0.0, 0.0.0.0                   Permits TCP traffic only from sessions which
          IP Dst:  0.0.0.0, 0.0.0.0                   have already been initiated by corporate hosts.
          IP Prot: TCP
          TCP Src Port: RANGE 0 65535
          TCP Dst Port: RANGE 0 65535
          TCP Control:  ESTABLISHED
FORWARD   IP Src:  0.0.0.0, 0.0.0.0                   Permits all ICMP packets to enter (including
          IP Dst:  0.0.0.0, 0.0.0.0                   ECHO packets for PING).
          IP Prot: ICMP
DISCARD   All other packet types                      No-match action.

The corporate dial-in access is realized with a WAN Direct Interface, using a pool of IP addresses from the corporate LAN for dynamic assignment to the dial-in devices. These devices must first pass Authentication processing, so there is a level of security inherent on this interface that is not present on the Internet interface. Once authenticated, the devices are basically allowed to generate traffic in the same way that they can when operating from within the corporate LAN. This includes the ability to initiate TCP connections to the external Internet. Correspondingly, the strategy for this filter is different. Its purpose is to enforce the stated requirement of not allowing any external access to the Netserver or the CyberSWITCH itself.

Action    Conditions                                  Description
DISCARD   IP Src:  0.0.0.0, 0.0.0.0                   Denies access to the Netserver.
          IP Dst:  255.255.255.255, 128.131.25.11
          IP Prot: ANY
DISCARD   IP Src:  0.0.0.0, 0.0.0.0                   Denies access to the CyberSWITCH itself.
          IP Dst:  255.255.255.255, 128.131.25.15
          IP Prot: ANY
DISCARD   IP Src:  0.0.0.0, 0.0.0.0                   Denies access to the CyberSWITCH itself.
          IP Dst:  255.255.255.255, 193.57.50.1
          IP Prot: ANY
FORWARD   All other packet types                      No-match action.

Now suppose that a situation arises in which it is temporarily necessary to allow remote access to the Netserver (for example, reconfiguration by a qualified member of staff who is offsite). Using the IP Address from which the temporary access will take place, this can be accomplished by enabling the Exception Filter. When traffic arrives from the Internet, the Exception filter will be executed first, thereby allowing an override of the existing conditions of the Input filter. The Exception filter would be set up as follows (the remote access is originated from address 201.55.89.100).
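As an added example (not code from the manual or the CyberSWITCH product), the following Python model shows how the filter semantics in the two tables above behave: the (mask, address) form of each IP condition, first-match evaluation with a no-match action, the ESTABLISHED TCP control, and an exception filter consulted before the input filter. The packet dictionary format, the use of the ACK flag to stand for "established", and the fall-through of a packet no exception rule matches are assumptions; the manual's own exception filter table is not on this page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "0.0.0.0")             # mask 0.0.0.0 matches every address

def host(addr):                          # mask 255.255.255.255 matches one host
    return ("255.255.255.255", addr)

def ip_matches(mask_addr, ip):
    """(mask, address) condition as in the tables: compare under the mask."""
    mask, addr = (int(IPv4Address(x)) for x in mask_addr)
    return int(IPv4Address(ip)) & mask == addr & mask

@dataclass
class Rule:
    action: str
    src: tuple = ANY
    dst: tuple = ANY
    prot: str = "ANY"
    established: bool = False  # TCP Control: ESTABLISHED; assumed = ACK set (not a new SYN)
    # Port ranges 0-65535 in the tables match any port, so ports are not modelled.

    def matches(self, pkt):
        return (ip_matches(self.src, pkt["src"]) and ip_matches(self.dst, pkt["dst"])
                and self.prot in ("ANY", pkt["prot"])
                and (not self.established or pkt.get("ack", False)))

def evaluate(rules, no_match, pkt):
    """First matching rule wins; otherwise the filter's no-match action applies."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return no_match

# Internet interface input filter, transcribed from the first table above
INTERNET_RULES = [
    Rule("FORWARD", dst=host("128.131.25.10")),           # FTP server
    Rule("FORWARD", dst=host("128.131.25.12")),           # WWW server
    Rule("FORWARD", prot="TCP", established=True),        # corporate-initiated sessions
    Rule("FORWARD", prot="ICMP"),
]
INTERNET_NO_MATCH = "DISCARD"
# WAN Direct (dial-in) filter, transcribed from the second table above
DIALIN_RULES = [
    Rule("DISCARD", dst=host("128.131.25.11")),           # Netserver
    Rule("DISCARD", dst=host("128.131.25.15")),           # CyberSWITCH, LAN side
    Rule("DISCARD", dst=host("193.57.50.1")),             # CyberSWITCH, Internet side
]
DIALIN_NO_MATCH = "FORWARD"

def evaluate_with_exception(exception_rules, rules, no_match, pkt):
    """Exception filter runs first; assumption: no match there falls through."""
    for r in exception_rules:
        if r.matches(pkt):
            return r.action
    return evaluate(rules, no_match, pkt)
```

A packet is a dict with "src", "dst", "prot" and an optional "ack" flag, e.g. {"src": "201.55.89.100", "dst": "128.131.25.11", "prot": "TCP", "ack": False}.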