Cisco Systems OL-7396-01 Manual De Usuario
10-2
ATM Switch Router Software Configuration Guide
OL-7396-01
Chapter 10
Configuring ILMI
Configuring the Global ILMI System
To configure a new ATM address that replaces the previous ATM address, see
Configuring Global ILMI Access Filters
The ILMI access filter feature allows you to permit or deny certain ILMI registered addresses.
Note
If you want to allow certain addresses to be registered via ILMI, but restrict those addressees from being
advertised through PNNI, use the PNNI suppressed summary address feature instead. For additional
information, see the
advertised through PNNI, use the PNNI suppressed summary address feature instead. For additional
information, see the
or the summary-address
command in the ATM Switch Router Command Reference publication.
If end systems are allowed to register arbitrary addresses via ILMI, including addresses that do not match
the ILMI prefixes used on the interface, a security hole may be opened. The ILMI access filter feature
closes the security hole by permitting or denying ILMI registration of different classes of addresses.
the ILMI prefixes used on the interface, a security hole may be opened. The ILMI access filter feature
closes the security hole by permitting or denying ILMI registration of different classes of addresses.
The ILMI access filter allows you to configure two levels of access filters:
•
Globally, to configure the switch default access filter
•
At the interface level, to set the per-interface specific override
In either level, you can choose among the following options:
•
Permit all—Any ATM end system address (AESA) registered by an attached end system is
permitted.
permitted.
•
Permit prefix match—Only AESAs that match an ILMI prefix used on the interface are permitted.
•
Permit prefix match and well-known group addresses—AESAs that match an ILMI prefix used on
the interface as well as the well-known group addresses, including the old LECS address
(47.0079.0000.0000.0000.0000.0000.00A0.3E00.0001.00) and any address matching the ATM
Forum address prefix for well-known address (C5.0079.0000.0000.0000.0000.0000.00A0.3E) are
permitted.
the interface as well as the well-known group addresses, including the old LECS address
(47.0079.0000.0000.0000.0000.0000.00A0.3E00.0001.00) and any address matching the ATM
Forum address prefix for well-known address (C5.0079.0000.0000.0000.0000.0000.00A0.3E) are
permitted.
•
Permit prefix match and all group addresses—All group addresses, including the well-known group
addresses, as well as AESAs that match the ILMI prefix(es) used on the interface are permitted.
addresses, as well as AESAs that match the ILMI prefix(es) used on the interface are permitted.
To configure global ILMI access filters, use the following global configuration command:
Note
If you use Cisco's Simple Server Redundancy Protocol (SSRP) for LAN emulation in this network, ILMI
registration of well-known group addresses should be permitted. This allows the active LECS to register
the well-known LECS address with the switch. Either the permit all, permit matching-prefix
wellknown-groups, or permit matching-prefix all-groups option should be configured.
registration of well-known group addresses should be permitted. This allows the active LECS to register
the well-known LECS address with the switch. Either the permit all, permit matching-prefix
wellknown-groups, or permit matching-prefix all-groups option should be configured.
Command
Purpose
atm ilmi default-access permit {all |
matching-prefix [all-groups |
wellknown-groups]}
matching-prefix [all-groups |
wellknown-groups]}
Configures an ILMI default access filter.