ACL Default Direction
First Published: October 15, 2001
Last Updated: February 23, 2007
The ACL Default Direction feature allows you to change the filter direction (where filter direction is not specified) to inbound packets only; that is, you can configure your server to filter packets that are coming toward the network.
History for the ACL Default Direction Feature
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for ACL Default Direction
• Information About ACL Default Direction
• How to Configure ACL Default Direction
• Configuration Examples for ACL Default Direction
Prerequisites for ACL Default Direction
Before you can change the default direction of filters from RADIUS, you must perform the following tasks:
• Configure your network access server (NAS) for authentication, authorization, and accounting (AAA) and to accept incoming calls.
For more information, refer to the AAA chapters of the Cisco IOS Security Configuration Guide, Release 12.4 and the Cisco IOS Dial Technologies Configuration Guide, Release 12.4.
• Create a filter on your NAS.
For more information, refer to the "Configuring IP Services" section of the chapter "IP Addressing and Services" of the Cisco IOS IP Addressing Services Configuration Guide, Release 12.4.
• Add a filter definition for a RADIUS user; for example, Filter-Id = "myfilter".
Information About ACL Default Direction
Before changing the default direction of filters for your access control lists (ACLs) from RADIUS, you should understand the following concepts:
• The radius-server attribute 11 direction default Command
• Benefits of ACL Default Direction
The radius-server attribute 11 direction default Command
The radius-server attribute 11 direction default command allows you to change the default direction of filters for your ACLs via RADIUS. (RADIUS attribute 11 (Filter-Id) indicates the name of the filter list for the user.) Enabling this command allows you to change the filter direction to inbound—which stops traffic from entering a router, and reduces resource consumption—rather than keeping the outbound default direction, where filtering occurs only as the traffic is about to leave the network.
Benefits of ACL Default Direction
The ACL Default Direction feature allows you to change the default direction of filters for your ACLs from outbound to inbound via the radius-server attribute 11 direction default command.
How to Configure ACL Default Direction
This section contains the following procedures:
• Configuring the ACL Default Direction from RADIUS via Attribute 11 (Filter-Id) (required)
• Verifying the ACL Default Direction from RADIUS via Attribute 11 (Filter-Id) (optional)
Configuring the ACL Default Direction from RADIUS via Attribute 11 (Filter-Id)
To configure the default direction of filters from RADIUS via attribute 11, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server attribute 11 direction default [inbound | outbound]
DETAILED STEPS
Verifying the ACL Default Direction from RADIUS via Attribute 11 (Filter-Id)
To verify the default direction of filters from RADIUS and to verify that RADIUS attribute 11 is being sent in access accept requests, perform the following steps.
SUMMARY STEPS
1. enable
2. more system:running-config
3. debug radius
DETAILED STEPS
Configuration Examples for ACL Default Direction
This section provides the following configuration examples:
• Default Direction of Filters via RADIUS Attribute 11 (Filter-Id): Example
• RADIUS User Profile with Filter-Id: Example
Default Direction of Filters via RADIUS Attribute 11 (Filter-Id): Example
The following example shows how to configure RADIUS attribute 11 to change the default direction of filters. In this example, the filtering is applied to inbound packets only.
radius-server attribute 11 direction default inbound
RADIUS User Profile with Filter-Id: Example
The following is an example of a RADIUS user profile (Merit Daemon format) that includes RADIUS attribute 11 (Filter-Id):
client Password = "password1"
Service-Type = Framed,
Framed-Protocol = PPP,
Filter-Id = "myfilter.out"
The RADIUS user profile shown in this example produces the following reply from the NAS:
RADIUS: Send to unknown id 79 10.51.13.4:1645, Access-Request, len 85
RADIUS: authenticator 84 D3 B5 7D C2 5B 70 AD - 1E 5C 56 E8 3A 91 D0 6E
RADIUS: User-Name [1] 8 "client"
RADIUS: CHAP-Password [3] 19 *
RADIUS: NAS-Port [5] 6 20030
RADIUS: NAS-Port-Type [61] 6 ISDN [2]
RADIUS: Called-Station-Id [30] 6 "4321"
RADIUS: Calling-Station-Id [31] 6 "1234"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: NAS-IP-Address [4] 6 10.1.73.74
RADIUS: Received from id 79 10.51.13.4:1645, Access-Accept, len 46
RADIUS: authenticator 9C 6C 66 E2 F1 42 D6 4B - C1 7D D4 5E 9D 09 BB A1
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: Filter-Id [11] 14
RADIUS: 6D 79 66 69 6C 74 65 72 2E 6F 75 74 [myfilter.out]
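The following Python example is added here to make two things in this document concrete: how the Filter-Id attribute (type 11) is carried on the wire, so that the "Filter-Id [11] 14" line in the debug output above can be checked byte by byte, and how the filter direction is decided once the NAS has the value, under the radius-server attribute 11 direction default setting. It is not Cisco's code and not part of this document. It assumes the IOS convention that a trailing .in or .out suffix on the Filter-Id value names the direction explicitly (this page only shows the .out case) and that a value with no suffix takes the configured default; the debug excerpt it parses is constructed from the Access-Accept lines shown above.

```python
import re
import struct

FILTER_ID = 11  # RADIUS attribute type for Filter-Id (RFC 2865)


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value, where Length
    counts the two header bytes; "myfilter.out" therefore yields length 14,
    matching the 'Filter-Id [11] 14' line in the debug output."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute area and return (type, value) pairs.
    A length field below 2 or one that runs past the buffer is rejected
    instead of trusted, so a malformed packet cannot drive reads past the
    end of the data."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def resolve_filter_direction(filter_id: str, default_direction: str = "outbound") -> tuple:
    """Return (acl_name, direction) for a Filter-Id value. A trailing .in or
    .out suffix names the direction explicitly (assumed IOS convention).
    Without a suffix the configured default applies: 'outbound' unless
    'radius-server attribute 11 direction default inbound' is configured."""
    if default_direction not in ("inbound", "outbound"):
        raise ValueError("default_direction must be 'inbound' or 'outbound'")
    if filter_id.endswith(".in"):
        return filter_id[:-3], "inbound"
    if filter_id.endswith(".out"):
        return filter_id[:-4], "outbound"
    return filter_id, default_direction


# Constructed excerpt in the shape of the 'debug radius' Access-Accept lines.
SAMPLE_DEBUG = """\
RADIUS: Received from id 79 10.51.13.4:1645, Access-Accept, len 46
RADIUS: authenticator 9C 6C 66 E2 F1 42 D6 4B - C1 7D D4 5E 9D 09 BB A1
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: Filter-Id [11] 14
RADIUS: 6D 79 66 69 6C 74 65 72 2E 6F 75 74 [myfilter.out]
"""


def filter_ids_from_debug(debug_text: str) -> list:
    """Extract Filter-Id values from 'debug radius' output, where the
    attribute header line is followed by a line of hex bytes. The hex is
    decoded and checked against the declared length rather than trusting
    the bracketed decode IOS prints beside it."""
    lines = [ln.strip() for ln in debug_text.splitlines()]
    found = []
    for i, line in enumerate(lines[:-1]):
        header = re.match(r"RADIUS:\s+Filter-Id\s+\[11\]\s+(\d+)$", line)
        if not header:
            continue
        hex_part = re.match(r"RADIUS:\s+((?:[0-9A-Fa-f]{2}\s+)+)\[", lines[i + 1])
        if not hex_part:
            continue
        raw = bytes.fromhex(hex_part.group(1).strip())
        if len(raw) + 2 != int(header.group(1)):
            raise ValueError("Filter-Id length field does not match the hex payload")
        found.append(raw.decode("ascii"))
    return found


if __name__ == "__main__":
    wire = build_attribute(FILTER_ID, b"myfilter.out")
    print(wire.hex(" "))  # 0b 0e 6d 79 66 69 6c 74 65 72 2e 6f 75 74
    for attr_type, value in parse_attributes(wire):
        if attr_type == FILTER_ID:
            name = value.decode("ascii")
            print(name, resolve_filter_direction(name))
    # The same value recovered from the verification step's debug output,
    # then a suffix-less name under the factory default and under the command.
    for fid in filter_ids_from_debug(SAMPLE_DEBUG):
        print(fid, resolve_filter_direction(fid))
    print("myfilter", resolve_filter_direction("myfilter", "outbound"))
    print("myfilter", resolve_filter_direction("myfilter", "inbound"))
```

The point of the two-pass check in filter_ids_from_debug is that the hex bytes are the authoritative record of what the server sent; the bracketed text is a convenience decode. Comparing the decoded length against the "[11] 14" header is the same consistency check parse_attributes applies on raw bytes, so a truncated or padded attribute in the debug capture is reported instead of silently yielding a wrong ACL name.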
Additional References
The following sections provide references related to the ACL Default Direction feature.
Related Documents
Related Topic | Document Title
Cisco IOS Dial Technologies configuration | Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Cisco IOS security configuration | Cisco IOS Security Configuration Guide, Release 12.4
Cisco IOS security commands |
• Cisco IOS Security Command Reference, Release 12.4T
• Cisco IOS Security Command Reference, Release 12.2SB
• Cisco IOS Security Command Reference, Release 12.2 SR
Configuring IP services | "Configuring IP Services" section of the chapter "IP Addressing and Services" of the Cisco IOS IP Addressing Services Configuration Guide, Release 12.4.
Standards
Standard | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs
RFCs
Technical Assistance
Command Reference
This section documents the following new command.
• radius-server attribute 11 direction default
radius-server attribute 11 direction default
To specify the default direction of filters from RADIUS, use the radius-server attribute 11 direction default command in global configuration mode. To remove this functionality from your configuration, use the no form of this command.
radius-server attribute 11 direction default [inbound | outbound]
no radius-server attribute 11 direction default [inbound | outbound]
Syntax Description
inbound
(Optional) Filtering is applied to inbound packets only.
outbound
(Optional) Filtering is applied to outbound packets only.
Command Default
If this command is not enabled, filters are treated as outbound.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server attribute 11 direction default command to change the default direction of filters from RADIUS (RADIUS attribute 11 (Filter-Id) indicates the name of the filter list for the user). Enabling this command allows you to change the filter direction to inbound—which stops traffic from entering a router and prevents resource consumption—rather than keeping the outbound default direction, where filtering occurs only as the traffic is about to leave the network.
Examples
The following example shows how to configure RADIUS attribute 11 to change the default direction of filters. In this example, the filtering is applied to inbound packets only.
radius-server attribute 11 direction default inbound
The following is an example of a RADIUS user profile (Merit Daemon format) that includes RADIUS attribute 11 (Filter-Id):
client Password = "password1"
Service-Type = Framed,
Framed-Protocol = PPP,
Filter-Id = "myfilter.out"
© 2001, 2006-2007 Cisco Systems, Inc. All rights reserved.
