[nsp] Filter-Id for AS5300

Mark Tinka mtinka at africaonline.co.ug
Wed Jul 30 09:37:23 EDT 2003


Dennis Peng wrote:
> When you use the Filter-Id attribute, you can reference a numbered or
> named ACL that is preconfigured on the AS5300. So if you had
> something trivial like:  
> 
> access-list 101 deny icmp any any
> access-list 101 permit ip any any
> 
> Then in the RADIUS profile, you would do something like:
> 
> 	Filter-Id = "101"
> 
> By default, we will apply the ACL on the outbound side. To explicitly
> state which direction you want it applied, you can use the .in or
> .out suffix, i.e.:
> 
> 	Filter-Id = "101.in"
> 
> If you don't want to pre-configure the ACL on the AS5300 and want it
> specified in the RADIUS profile, you can't use the Filter-Id
> attribute. Instead, you'll need to use Cisco-AVPair and the inacl
> attribute, like this:
> 
> 	Cisco-AVPair = "ip:inacl#1=deny icmp any any"
> 	Cisco-AVPair = "ip:inacl#2=permit ip any any"
> 
> We do also support the Ascend-Data-Filter attribute for downloading
> ACLs from the RADIUS server. You'll need to specify the
> "non-standard" keyword in the radius-server host configuration line.
> 
> Dennis

Many thanks for your response Dennis.

Actually, I was fiddling around yesterday afternoon and managed to set up a
named extended IP access list called emailonly. Of course, we already have
the value 'emailonly' in the Framed-Filter-Id attribute on our RADIUS box.
It seemed to work as soon as I configured the access list.

What I didn't understand are two things; please kindly indulge me:

1. How come the named access list doesn't show up in the AS5300's running
configuration, but will show up under the 'show access-lists' command?

2. I would have thought that Cisco access lists always require association
with 'something' e.g. 'match ip address' when using route maps, or
'access-class' when securing an access terminal, or even 'ip access-group'
when associating an access list to an interface. But, this named access list
isn't 'associated' to anything, per se. How come RADIUS references it?

All help appreciated.

Regards,

Mark Tinka - CCNA
Network Engineer, Africa Online Uganda
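As an added illustration of the two attribute forms Dennis describes (not code from the thread or from Cisco): a small Python audit helper that reads a RADIUS reply profile, resolves a Filter-Id to its ACL name and direction (outbound when no .in/.out suffix is present), orders Cisco-AVPair ip:inacl#N rules by their sequence number, and flags Filter-Id references to ACLs that are not preconfigured on the NAS, which is the situation behind Mark's questions. The profile and the set of configured ACL names are constructed sample data; ip:outacl is handled as the outbound counterpart of inacl, although the thread only mentions inacl.

```python
import re

# Constructed sample RADIUS reply profile as (attribute, value) pairs, mixing the
# two forms from the thread: Filter-Id references and Cisco-AVPair inacl rules.
SAMPLE_PROFILE = [
    ("Framed-Filter-Id", "emailonly.in"),
    ("Filter-Id", "101"),
    ("Cisco-AVPair", "ip:inacl#2=permit ip any any"),
    ("Cisco-AVPair", "ip:inacl#1=deny icmp any any"),
]
# ACL names the NAS actually has (constructed, as 'show access-lists' would list).
CONFIGURED_ACLS = {"emailonly"}
# ip:inacl#N=<rule>; ip:outacl is the outbound counterpart (not in the thread).
AVPAIR_RE = re.compile(r"^ip:(inacl|outacl)#(\d+)=(.+)$")


def parse_filter_id(value):
    # Returns (acl_name, direction); no .in/.out suffix means outbound.
    name, dot, suffix = value.rpartition(".")
    if dot and suffix in ("in", "out"):
        return name, suffix
    return value, "out"


def parse_avpair(value):
    # Returns (direction, sequence, rule) or None for unrelated AV pairs.
    m = AVPAIR_RE.match(value)
    if not m:
        return None
    kind, seq, rule = m.groups()
    return ("in" if kind == "inacl" else "out", int(seq), rule.strip())


def build_per_user_acl(profile, configured_acls):
    # Summarise what the NAS will apply for this user and flag Filter-Id
    # references to ACLs that are not preconfigured on the NAS.
    refs, inline, missing = [], {"in": [], "out": []}, []
    for attr, value in profile:
        if attr in ("Filter-Id", "Framed-Filter-Id"):
            acl, direction = parse_filter_id(value)
            refs.append((acl, direction))
            if acl not in configured_acls:
                missing.append(acl)
        elif attr == "Cisco-AVPair":
            parsed = parse_avpair(value)
            if parsed:
                direction, seq, rule = parsed
                inline[direction].append((seq, rule))
    for direction in inline:  # downloaded entries apply in #N order, not arrival order
        inline[direction].sort()
    return {"refs": refs, "inline": inline, "missing": missing}
```

Run build_per_user_acl(SAMPLE_PROFILE, CONFIGURED_ACLS) to see that "101" is reported as missing while the inline rules come back with the deny before the permit.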