[nsp] Filter-Id for AS5300

Mark Tinka mtinka at africaonline.co.ug
Thu Jul 31 10:55:36 EDT 2003


'Dennis Peng' wrote:
>>> 
>>> Dennis
>> 
>> Many thanks for your response Dennis.
>> 
>> Actually, I was fiddling around yesterday afternoon and managed to
>> setup a named extended IP access list called emailonly. Of course, we
>> already have the value 'emailonly' in the Framed-Filter-Id attribute
>> on our RADIUS box. It seemed to work as soon as I configured the
>> access list. 
>> 
>> What I didn't understand, are two things; please kindly indulge me:
>> 
>> 1. How come the named access list doesn't show up in the AS5300's
>> running configuration, but will show up under the 'show access-lists'
>> command?
> 
> If you configured a named IP ACL called "emailonly", that should be
> shown in the running config. There would be something wrong if it
> doesn't show. Can you send the log which depicts what you are
> describing?
> 
>> 2. I would have thought that Cisco access lists always require
>> association with 'something' e.g. 'match ip address' when using route
>> maps, or 'access-class' when securing an access terminal, or even 'ip
>> access-group' when associating an access list to an interface. But,
>> this named access list isn't 'associated' to anything, per se. How
>> come RADIUS references it?
> 
> The router will translate Filter-Id="emailonly" into "ip access-group
> emailonly out" and apply that configuration to the interface the user
> is connected to. That's how the per-user ACL is applied.  
> 
> Does that answer your question?
> 
> Dennis

Hi Dennis. Thanks for your response.

The named access-list 'emailonly' does not exist in my running
configuration, but shows up when I run 'show access-lists'. See below, the
output:

AS5300#sh ip access-lists emailonly
Extended IP access list emailonly (per-user)
    10 permit tcp any any eq smtp (101084 matches)
    20 permit tcp any any eq pop3 (288176 matches)
    30 permit tcp any any eq domain (186 matches)
    40 permit udp any any eq domain (7222 matches)
    50 permit tcp any host x.x.x.x eq www (46 matches)
    51 permit tcp any host x.x.x.x eq www (759 matches)
    52 permit tcp any host x.x.x.x eq www (1 match)
    53 permit tcp any host x.x.x.x eq 443
    60 permit icmp any any echo (339 matches)
    70 permit icmp any any echo-reply (13 matches)
    80 permit tcp any eq smtp any (3 matches)
    90 permit tcp any eq pop3 any
    100 permit tcp host x.x.x.x eq www any
    101 permit tcp host x.x.x.x eq www any
    102 permit tcp host x.x.x.x eq www any
    103 permit tcp host x.x.x.x eq 443 any
    110 permit tcp any eq domain any (10 matches)
    120 permit udp any eq domain any
    130 deny ip any any (176524 matches)
AS5300#

As you can see, the access list is somewhere on the router. But, it doesn't
show up in the running nor the startup configurations. However, when I do
configure other named access lists, they do show up in the running
configuration. Very very strange.

The AS5300 is running 12.3(1a) IOS with 128MB RAM.

Regards,

Mark Tinka - CCNA
Network Engineer, Africa Online Uganda
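The thread turns on two things visible in the pasted output: the ACL header is tagged "(per-user)", which is how the router marks a list it applied on the user's behalf from the RADIUS Filter-Id rather than one typed into the configuration, and the per-entry match counters show which lines are actually doing work. The following is an added example, not code from the thread, from Cisco or from the list participants: a small Python parser for 'show ip access-lists <name>' output that extracts the header tag and each access-list entry, then reports which destination services the list permits, which entries have never matched, and whether it ends in an explicit "deny ip any any". The sample input is the output quoted in the message above (with the x.x.x.x placeholders kept). The parser only handles the address and port forms that appear there ("any", "host A", "A WILDCARD", "eq/gt/lt/neq PORT", "range A B"); any other trailing qualifier is kept verbatim in the entry's `extra` field rather than interpreted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the 'show ip access-lists emailonly' output quoted
# in the message above, addresses left as the x.x.x.x placeholders used there.
SAMPLE_OUTPUT = """\
AS5300#sh ip access-lists emailonly
Extended IP access list emailonly (per-user)
    10 permit tcp any any eq smtp (101084 matches)
    20 permit tcp any any eq pop3 (288176 matches)
    30 permit tcp any any eq domain (186 matches)
    40 permit udp any any eq domain (7222 matches)
    50 permit tcp any host x.x.x.x eq www (46 matches)
    51 permit tcp any host x.x.x.x eq www (759 matches)
    52 permit tcp any host x.x.x.x eq www (1 match)
    53 permit tcp any host x.x.x.x eq 443
    60 permit icmp any any echo (339 matches)
    70 permit icmp any any echo-reply (13 matches)
    80 permit tcp any eq smtp any (3 matches)
    90 permit tcp any eq pop3 any
    100 permit tcp host x.x.x.x eq www any
    101 permit tcp host x.x.x.x eq www any
    102 permit tcp host x.x.x.x eq www any
    103 permit tcp host x.x.x.x eq 443 any
    110 permit tcp any eq domain any (10 matches)
    120 permit udp any eq domain any
    130 deny ip any any (176524 matches)
AS5300#
"""

# Header line, e.g. "Extended IP access list emailonly (per-user)"; the
# parenthesised tag is optional and kept verbatim.
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)(?: \((.+)\))?\s*$")
# Entry line: sequence, action, protocol, the rest, optional "(N matches)".
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)\s*(?:\((\d+) match(?:es)?\))?\s*$"
)


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: str
    src_port: Optional[str]  # e.g. "eq smtp"; None when the source port is unqualified
    dst: str
    dst_port: Optional[str]
    extra: str               # leftover qualifiers, e.g. the ICMP type "echo"
    matches: int             # 0 when the router printed no match counter


def _take_endpoint(tokens: List[str], i: int) -> Tuple[str, Optional[str], int]:
    """Consume one address spec (any | host A | A WILDCARD) and an optional port qualifier."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        addr, i = f"{tokens[i]} {tokens[i + 1]}", i + 2
    port = None
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        port, i = f"{tokens[i]} {tokens[i + 1]}", i + 2
    elif i < len(tokens) and tokens[i] == "range":
        port, i = " ".join(tokens[i:i + 3]), i + 3
    return addr, port, i


def parse_show_access_list(text: str) -> Tuple[dict, List[Entry]]:
    """Parse 'show ip access-lists <name>' output into a header dict and a list of entries."""
    header, entries = {}, []
    for line in text.splitlines():
        if not line.strip() or "#" in line:  # blank line or CLI prompt/command echo
            continue
        h = HEADER_RE.match(line)
        if h:
            header = {"kind": h.group(1), "name": h.group(2), "tag": h.group(3)}
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        tokens = m.group(4).split()
        src, sport, i = _take_endpoint(tokens, 0)
        dst, dport, i = _take_endpoint(tokens, i)
        entries.append(Entry(int(m.group(1)), m.group(2), m.group(3), src, sport,
                             dst, dport, " ".join(tokens[i:]), int(m.group(5) or 0)))
    return header, entries


def reachable_services(entries: List[Entry]) -> List[str]:
    """proto/port pairs a user may connect to: permit entries with an 'eq' destination port."""
    return sorted({f"{e.proto}/{e.dst_port.split()[1]}" for e in entries
                   if e.action == "permit" and e.dst_port and e.dst_port.startswith("eq ")})


def unused_entries(entries: List[Entry]) -> List[int]:
    """Sequence numbers of entries that have never matched (worth a second look)."""
    return [e.seq for e in entries if e.matches == 0]


def ends_with_explicit_deny(entries: List[Entry]) -> bool:
    """True when the last entry is 'deny ip any any'."""
    last = entries[-1]
    return last.action == "deny" and last.proto == "ip" and last.src == "any" and last.dst == "any"


if __name__ == "__main__":
    hdr, aces = parse_show_access_list(SAMPLE_OUTPUT)
    print(f"{hdr['name']} ({hdr['kind']}, tag={hdr['tag']}): {len(aces)} entries")
    print("reachable services:", reachable_services(aces))
    print("never-matched entries:", unused_entries(aces))
    print("explicit final deny:", ends_with_explicit_deny(aces))
```

Run against the pasted output this reports the "per-user" tag, the six services the list actually lets a dial-in user reach (SMTP, POP3, DNS over TCP and UDP, and HTTP/HTTPS to the listed hosts), the seven entries with no hits, and the explicit final deny. Feeding it the output captured before and after a change to the Filter-Id list on the RADIUS side is a quick way to confirm that the router is applying the list you think it is.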