Layer 2 ACL Control
Configuration Example
■ You can only use number-based ACLs to implement ACL control over Telnet or SSH users.
■ When you use a basic or advanced ACL to implement ACL control over Telnet or SSH users, the incoming/outgoing requests are restricted based on the source or destination IP addresses. Therefore, only the source-addr and wildcard parameters, the dest-addr and wildcard parameters, and the time-range keyword in the corresponding command are valid. Similarly, when you use a Layer 2 ACL to implement ACL control over Telnet or SSH users, the incoming/outgoing requests are restricted based on the source MAC address. Therefore, only the source-mac-addr and source-mac-wildcard parameters and the time-range keyword in the corresponding command are valid.
■ When you use Layer 2 ACLs to implement ACL control over Telnet or SSH users, only incoming requests are restricted.
■ If a user fails to log in because of an ACL restriction, the system logs the failure, including the IP address, login method, user interface index value and failure reason.
Network requirements
Only the Telnet users with source MAC addresses 00e0-fc01-0101 and
00e0-fc01-0303 are allowed to access the switch.
Network diagram
Figure 54 Network diagram for source MAC address control over Telnet users (PCs connected to the switch)
Configuration procedure
# Define a Layer 2 ACL.
<SW8800>system-view
System View: return to User View with Ctrl+Z.
[SW8800] acl number 4000 match-order config
# Define rules.
[3Com-acl-link-4000] rule 1 permit ingress 00e0-fc01-0101 0000-0000-0000
[3Com-acl-link-4000] rule 2 permit ingress 00e0-fc01-0303 0000-0000-0000
[3Com-acl-link-4000] rule 3 deny ingress any
[3Com-acl-link-4000] quit
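As an added example (not part of the 3Com manual or the switch software), the following Python script reproduces how ACL 4000 above is evaluated offline: rules are checked in configuration order (match-order config), a wildcard bit of 1 means "don't care", so 0000-0000-0000 demands an exact MAC match, and the final deny ingress any catches everything else. The MAC notation and rule set come from the page; the function names are this example's own, and it also goes slightly beyond the page by showing a non-zero wildcard that masks the low 16 bits.

```python
# Added example: offline evaluation of the Layer 2 ACL 4000 defined above.
# Not 3Com code; it only models the documented match-order config semantics.
from typing import List, Optional, Tuple

MAC_MASK = 0xFFFFFFFFFFFF  # 48-bit MAC address

def parse_mac(text: str) -> int:
    """Convert 3Com dotted-hex notation (e.g. 00e0-fc01-0101) to an int."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {text}")
    return int(digits, 16)

def mac_matches(mac: int, value: int, wildcard: int) -> bool:
    """True if mac equals value on every bit the wildcard does not mask.
    Wildcard bits set to 1 are ignored; 0000-0000-0000 means exact match."""
    care = ~wildcard & MAC_MASK
    return (mac & care) == (value & care)

# (rule id, action, source MAC, source MAC wildcard) as configured above.
# "any" is modelled as value 0 with an all-ones wildcard (constructed here).
ANY_VALUE, ANY_WILDCARD = 0, MAC_MASK
ACL_4000: List[Tuple[int, str, int, int]] = [
    (1, "permit", parse_mac("00e0-fc01-0101"), parse_mac("0000-0000-0000")),
    (2, "permit", parse_mac("00e0-fc01-0303"), parse_mac("0000-0000-0000")),
    (3, "deny", ANY_VALUE, ANY_WILDCARD),
]

def evaluate(acl: List[Tuple[int, str, int, int]],
             source_mac: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule id) of the first rule matching source_mac.
    Rules are walked in configuration order, as match-order config requires."""
    mac = parse_mac(source_mac)
    for rule_id, action, value, wildcard in acl:
        if mac_matches(mac, value, wildcard):
            return action, rule_id
    # Reached only if no rule matches; ACL 4000 ends with deny any, so it never does.
    return "no-match", None

if __name__ == "__main__":
    for src in ("00e0-fc01-0101", "00e0-fc01-0303", "00e0-fc01-0202"):
        print(src, "->", evaluate(ACL_4000, src))
```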
# Enter user interface view
Configuring ACL for Telnet/SSH Users
211