Table of Contents
Advertisement
IP Access Lists (ACLs)
Access Control List Examples
This section presents three access control list examples:
• Using the permit-establish keyword
• Filtering ICMP packets
• Using a rate limit
Using the Permit-Established Keyword
This example uses an access list that permits TCP sessions (Telnet, FTP, and HTTP) to be established in
one direction.
The switch, shown in Figure 20, is configured as follows:
• Two VLANs, NET10 VLAN and NET20 VLAN, are defined.
• The NET10 VLAN is connected to port 2 and the NET20 VLAN is connected to port 10
• The IP addresses for NET10 VLAN is 10.10.10.1/24.
• The IP address for NET20 VLAN is 10.10.20.1/24.
• The workstations are configured using addresses 10.10.10.100 and 10.10.20.100.
• IP Forwarding is enabled.
Figure 20: Permit-established access list example topology
10.10.10.1
10.10.20.1
10.10.10.100
10.10.20.100
NET10 VLAN
NET20 VLAN
ES4K009
The following sections describe the steps used to configure the example.
Step 1—Deny IP Traffic.
First, create an access-mask that examines the IP protocol field for each packet. Then create two
access-lists, one that blocks all TCP, one that blocks UDP. Although ICMP is used in conjunction with IP,
it is technically not an IP data packet. Thus, ICMP data traffic, such as ping traffic, is not affected.
The following commands creates the access mask and access lists:
create access-mask ipproto_mask ipprotocol ports precedence 25000
create access-list denytcp ipproto_mask ipprotocol tcp ports 2,10 deny
create access-list denyudp ipproto_mask ipprotocol udp ports 2,10 deny
Figure 21 illustrates the outcome of the access control list.
ExtremeWare 7.2e Installation and User Guide
147
- Quick Links:
- Spanning Tree Protocol
Hide quick links:
Advertisement
Table of Contents
