Cisco Cisco Expressway Maintenance Manual
Supported mechanisms
The Expressway supports the DiffServ (Differentiated Services) mechanism which puts the specified Tag value in the
TOS (Type Of Service) field of the IPv4 header or TC (Traffic Class) field of the IPv6 header.
TOS (Type Of Service) field of the IPv4 header or TC (Traffic Class) field of the IPv6 header.
Static Routes
You can define static routes from the Expressway to an IPv4 or IPv6 address range. Go to System > Network
interfaces > Static routes.
interfaces > Static routes.
On this page you can view, add, and delete static routes.
Static routes are sometimes required when using the Advanced Networking option and deploying the Expressway in
a DMZ. They may also be required in other complex network deployments.
a DMZ. They may also be required in other complex network deployments.
To add a static route:
1.
Enter the base destination address of the new static route from this Expressway
For example, enter
203.0.113.0
or
2001:db8::
2.
Enter the prefix length that defines the range
Extending the example, you could enter
24
to define the IPv4 range 203.0.113.0 - 203.0.113.255, or
32
to
define the IPv6 range 2001:db8:: to 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.
The address range field shows the range calculated by the Expressway from the IP address and Prefix length.
3.
Enter the IP address of the gateway for your new route
4.
Select an ethernet interface for your new route
This option is only available if the second ethernet interface is enabled. Select LAN 1 or LAN 2 to force the
route via that interface, or select Auto to allow the Expressway to make this route on either interface.
route via that interface, or select Auto to allow the Expressway to make this route on either interface.
5.
Click Create route
The new static route is listed in the table. You can delete routes from this table if necessary.
Notes
■
commands.
■
You can configure routes for up to 50 network and host combinations.
■
Do not configure IP routes by logging in as
root
and using
ip route
statements.
Intrusion Protection
Configuring Firewall Rules
Firewall rules provide the ability to configure IP table rules to control access to the Expressway at the IP level. On the
Expressway, these rules have been classified into groups and are applied in the following order:
Expressway, these rules have been classified into groups and are applied in the following order:
■
Dynamic system rules: these rules ensure that all established connections/sessions are maintained. They also
include any rules that have been inserted by the automated detection feature as it blocks specific addresses.
Finally, it includes a rule to allow access from the loopback interface.
include any rules that have been inserted by the automated detection feature as it blocks specific addresses.
Finally, it includes a rule to allow access from the loopback interface.
■
Non-configurable application rules: this incorporates all necessary application-specific rules, for example to
allow SNMP traffic and H.323 gatekeeper discovery.
allow SNMP traffic and H.323 gatekeeper discovery.
■
User-configurable rules: this incorporates all of the manually configured firewall rules (as described in this
section) that refine — and typically restrict — what can access the Expressway. There is a final rule in this
group that allows all traffic destined for the Expressway LAN 1 interface (and the LAN 2 interface if the
Advanced Networking option key is installed).
section) that refine — and typically restrict — what can access the Expressway. There is a final rule in this
group that allows all traffic destined for the Expressway LAN 1 interface (and the LAN 2 interface if the
Advanced Networking option key is installed).
35
Cisco Expressway Administrator Guide
Network and System Settings