The GoodGuys (Access List)
Overview of the GoodGuys List
The GoodGuys™ service allows
the user to define and limit the hosts that can configure, diagnose and manage
the router. The GoodGuys™ service is
part of the comprehensive ZyTrax security system (partnered with the
LockBox™ (firewall) and ThinProxy™ services).
CAUTION:
It is possible to create a lock-out state where no one can access the router
e.g. by defining an incorrect IP address or mask. Use extreme care when setting
up this facility. In the event that you inadvertently lock-out the router
follow the recovery procedure defined below.
Configuration
The GoodGuy table may be configured manually by using CoolFig’s (2.1+) ' SNMP view' or
the Control Server (4.00+) diagnostic utility. Both are available here.
The GoodGuys™ service is
configured using the MIB entries (up to 6 are allowed) in the
goodGuysTable (zytrax\router\system\goodGuysTable\goodGuysEntry).
The goodGuysTable table consists of the
following entries.
| MIB name |
Meaning |
| goodGuyIP |
Defines
either one IP address (goodGuyMask
is 255.255.255.255) or one IP address in a range that is allowed to access
the router with the permissions defined by
goodGuysSet. The router will attempt to confirm that a valid route
exists to this IP address so a valid IP address should be always be used.
|
| goodGuyMask |
Defines
the network mask that will be applied to the IP address defined in
goodGuyIP to determine the
permissions available. The value 255.255.255.255 defines a single address.
The mask 0.0.0.0 would allow NO IP addresses to access the router.
|
| goodGuysSet |
Defines the permissions available
to this entry as follows:
- 0 = no services allowed
- 1 = SNMP (Configuration and Monitoring)
-
- 2 = Telnet access
- 3 = SNMP and Telnet access
- 4 = Diagnostic Ping
- 5 = SNMP & Diagnostic Ping
- 6 = Diagnostic Ping & Telnet
- 7 = All services
- 8 + invalid (no services)
|
Notes
- To activate a new or updated
goodGuysTable the normal run time table update method should be
followed e.g. select goodGuysNum
then Update (without changing the value). The router will immediately use the
new values.
- To remove an entry set the value of goodGuyIP to 255.255.255.255.
- The GoodGuys™
checks are performed prior to any LockBox™
(firewall) checks thus ensuring it is not possible to inadvertently lock-out the
process of configuring the LockBox™.
Recovery from a router Lock-Out
A router ‘lockout’ typically occurs for the following reasons:
- You enter an incorrect IP address or Net Mask in the GoodGuys (Access
List) table.
- The allocated GoodGuys IP addresses are no longer valid or available.
NOTE: When you change the router's IP address the
GoodGuys list is automatically disabled to avoid accidental router ‘lockout’
states.
A router ‘lockout’ typically has the following symptoms:
- The router responds to a ‘Ping’ to its allocated IP address.
- The router responds to a ‘Ping’ to its alias IP address 192.22.22.2.
- The router continues to forward and route traffic normally.
- Any attempt to access the router (using Telnet, CoolFig etc) fails to get
any response.
- The router fails to respond to a diagnostic find command (using the
Diagnostic button on CoolFig main Toolbar).
If all the symptoms indicate a route ‘lockout’ use the following
procedure to recover the router (NOTE: Your PC must be connected on the
same LAN segment as your router for this procedure to work):
- Ping
the router using the IP address 192.22.22.2 it should always respond to this
address. If not reset the router and verify the ‘lockout’ symptoms again.
- Change
the IP address on your PC to 192.22.22.17 (net mask of 255.255.255.0, leave
the setting of default gateway untouched). Reboot your PC as necessary.
- Run
a diagnostic utility (CoolFig or NT_Ser) with a router IP address of
192.22.22.2 and reconfigure the goodGuyTable
correctly.
- Restore
your PC settings and reboot as necessary.
-
Verify
that you can read any MIB value or run a Telnet session.
