Enterasys Networks XSR CLI Router User Manual


 
Firewall Feature Set Commands
XSR CLI Reference Guide 16-123
objects such as ANY_EXTERNAL and user-defined object names are case sensitive. Refer to the ip
firewall policy command for applicable policy and gating rule limits.
Syntax
ip firewall network-group name name1 ... name10
Syntax of the “no” Form
The no form of this command disables the network group:
no ip firewall network-group name
Mode
Global configuration: XSR(config)#
Example
The following example defines the network objects sales and remote-access and adds them to the
network group private-net (the keywords firewall, mask and internal are abbreviated in the last
two commands, as the CLI allows):
XSR(config)#ip firewall network sales 192.168.100.0 ma 255.255.255.0 i
XSR(config)#ip fi network remote-access 10.1.1.0 m 255.255.255.0 i
XSR(config)#ip firewall network-group private-net sales remote-access
ip firewall policy
This command configures a firewall policy comprised of policy objects. Each object/rule is tagged
with a name, and the before and after keywords place a policy in order relative to a named rule.
This permits you to enter policies in an order different from the one in which they will be applied.
The XSR firewall enforces a deny-all policy by default. So, unless there is a policy object configured
to allow traffic in a particular direction, packets will not pass through the firewall. This eliminates
the need to define catch-all reject policies in each direction.
Policies apply to traffic directed at the router as well, so policy objects must be defined to allow
management traffic into the router. Be aware that the console port is always available for
management purposes, regardless of the firewall policy.
A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower
case), 0-9, - (dash), or _ (underscore). Also, all firewall object names, including predefined
objects such as ANY_EXTERNAL and user-defined object names, are case sensitive.
Parameters (ip firewall network-group)
name
Network group object name. Limit: 16 characters.
name1 to name10
Names of the network or network group objects to include in the group (one to ten).
Notes: Citing a policy’s intent in the name is useful if its function is not apparent from the definition.
Internal XSR gating rules, which order traffic filtering, are stored in a temporary file in Flash.
Because there is one gating rule for each network source/destination expansion, a potentially
enormous number of gating rules can be generated by just a single firewall policy. For example,
when a large network that has an ANY_INTERNAL group with 200 network addresses is used as
the source address, and another group of 10 network addresses is used as the destination address,
2000 gating rules are defined for the policy. Accordingly, a limit is applied to their total, depending on
the amount of installed RAM.
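The object-name rules, the case-sensitive lookup and the source/destination expansion that drives the gating-rule count can all be checked offline before the commands reach the router. The following Python script is an added example, not part of this manual or of the XSR software: it parses the ip firewall network and ip firewall network-group commands shown above (accepting abbreviated keywords), validates object names, expands nested groups, and counts the gating rules a policy would generate, reproducing the 200 x 10 = 2000 case from the Notes with constructed data. It assumes that the 16-character limit applies to every object name, that ANY_INTERNAL and ANY_EXTERNAL expand to every network object of that side, and that only the mask form of the network command is used. The manual gives no RAM-based rule limit figures, so the limit is a parameter the caller supplies.

```python
import re

# Object-name rule from the manual: A-Z (either case), 0-9, dash, underscore,
# compared case-sensitively. The 16-character limit the page states for the
# network-group name is applied to every object name here (an assumption).
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,16}")

# The three commands from the page's example, verbatim (abbreviated keywords included).
PAGE_EXAMPLE = [
    "ip firewall network sales 192.168.100.0 ma 255.255.255.0 i",
    "ip fi network remote-access 10.1.1.0 m 255.255.255.0 i",
    "ip firewall network-group private-net sales remote-access",
]


def valid_name(name):
    """True if name satisfies the firewall object-name rules."""
    return NAME_RE.fullmatch(name) is not None


def kw(token, keyword):
    """XSR CLI keywords may be typed as a prefix ('fi' for 'firewall', 'i' for 'internal')."""
    return keyword.startswith(token)


class FirewallObjects:
    """Network objects and network groups, keyed by case-sensitive name."""

    MAX_MEMBERS = 10  # ip firewall network-group name name1 ... name10

    def __init__(self):
        self.networks = {}  # name -> (address, mask, "internal" | "external")
        self.groups = {}    # name -> ordered list of member object names

    def add_network(self, name, address, mask, side):
        if not valid_name(name):
            raise ValueError(f"illegal object name {name!r}")
        self.networks[name] = (address, mask, side)

    def add_group(self, name, members):
        if not valid_name(name):
            raise ValueError(f"illegal object name {name!r}")
        if not 1 <= len(members) <= self.MAX_MEMBERS:
            raise ValueError("a network-group takes 1 to 10 member names")
        for m in members:  # exact-case lookup: 'Sales' does not match 'sales'
            if m not in self.networks and m not in self.groups:
                raise KeyError(f"undefined object {m!r} (names are case sensitive)")
        self.groups[name] = list(members)

    def parse(self, line):
        """Load one 'ip firewall network' or 'ip firewall network-group' command.
        Only the mask form shown on this page is handled (assumption)."""
        t = line.split()
        if len(t) < 4 or not (kw(t[0], "ip") and kw(t[1], "firewall")):
            raise ValueError(f"not an ip firewall object command: {line!r}")
        if kw(t[2], "network"):  # a bare prefix of 'network' is taken as the network command
            if len(t) != 8 or not kw(t[5], "mask"):
                raise ValueError("expected: ip firewall network NAME ADDR mask MASK internal|external")
            sides = [s for s in ("internal", "external") if kw(t[7], s)]
            if len(sides) != 1:
                raise ValueError(f"ambiguous or unknown side keyword {t[7]!r}")
            self.add_network(t[3], t[4], t[6], sides[0])
        elif kw(t[2], "network-group"):
            self.add_group(t[3], t[4:])
        else:
            raise ValueError(f"unknown firewall object command {t[2]!r}")

    def expand(self, name):
        """Flatten an object to the network names it contains; each one is a row of
        the source/destination expansion that produces gating rules."""
        if name in ("ANY_INTERNAL", "ANY_EXTERNAL"):
            side = name[4:].lower()  # predefined objects; assumed to cover every network of that side
            return [n for n, (_, _, s) in self.networks.items() if s == side]
        if name in self.networks:
            return [name]
        if name not in self.groups:
            raise KeyError(f"undefined object {name!r}")
        flat = []
        for m in self.groups[name]:  # members may themselves be groups
            flat.extend(self.expand(m))
        return flat

    def gating_rules(self, source, destination):
        """One gating rule per (source network, destination network) pair."""
        return len(self.expand(source)) * len(self.expand(destination))


def policy_fits(objects, source, destination, rule_limit):
    """Return (rule count, fits). The manual says only that the limit depends on
    installed RAM, so the figure for your unit is passed in by the caller."""
    n = objects.gating_rules(source, destination)
    return n, n <= rule_limit


def build_notes_example():
    """Constructed data matching the Notes: 200 internal networks (ANY_INTERNAL)
    as the source and a 10-network group as the destination."""
    fw = FirewallObjects()
    for i in range(200):
        fw.add_network(f"lan{i}", f"10.0.{i}.0", "255.255.255.0", "internal")
    fw.add_group("dst-servers", [f"lan{i}" for i in range(10)])
    return fw


if __name__ == "__main__":
    fw = FirewallObjects()
    for cmd in PAGE_EXAMPLE:
        fw.parse(cmd)
    print("private-net ->", fw.expand("private-net"))
    print("Notes example ->", policy_fits(build_notes_example(), "ANY_INTERNAL", "dst-servers", 1000))
```

Because a group member may itself be a group, the count for a policy is the product of the fully flattened source and destination lists, which is why a single policy over two large groups can exhaust the RAM-dependent budget the Notes describe.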