Configuring Router ACLs - Motorola WS5100 Series Migration Guide

1. Creating an IP ACL (Standard/Extended)
ws5100(config)#access-list 1 permit 192.168.1.0/24 rule-precedence 10
ws5100(config)#access-list 101 permit ip 192.168.1.0/24 any rule-precedence 10
2. Creating a MAC Extended ACL.
WS5100(config)#mac access-list extended macacl
WS5100(config-ext-macl)#permit any any type arp
3. Apply a Port ACL to an interface.
WS5100(config)#interface eth1
WS5100(config-if)#ip access-group 1 in
WS5100(config-if)#ip access-group macacl in
4. View the applied ACL.
WS5100(config)#show ip access-group eth1
Interface eth1
Inbound IP Access List : 1
Inbound MAC Access List : macacl

10.4.2.2 Configuring Router ACLs

Router ACLs filter traffic that the WS5100 routes between two VLANs. The administrator should
create appropriate IP (Extended or Standard) ACLs and apply them to either of the VLAN interfaces.
Router ACLs are applied only on VLAN interfaces and filter routed traffic between two different VLANs.
These ACLs are flow aware, so the user need not configure a separate rule to allow return traffic. The
example below shows this.
To configure a Router ACL on an interface, consider the following example:
• The MU in VLAN1 has an IP of 192.168.1.140 and the wired host in VLAN2 has an IP of 10.1.1.20.
• The WS5100 VLAN1 IP is 192.168.1.110 and the VLAN2 IP is 10.1.1.10.
The idea is to allow all traffic from the wireless client to the wired client and deny all traffic from the
wired client to the wireless client.
Use the CLI commands below to apply a Router ACL to an interface.
1. Create a Standard ACL to permit a host.
WS5100(config)#access-list 20 permit host 192.168.1.140
2. Create a Standard ACL to deny a host.
WS5100(config)#access-list 30 deny host 10.1.1.20
3. Apply the ACL (20) on the VLAN interface.
WS5100(config)#interface vlan1
WS5100(config-if)#ip access-group 20 in
WS5100(config-if)#exit
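
The following Python model is an added illustration, not code from the manual or from the WS5100, of what "flow aware" means for the example above: a permitted flow is remembered, so its return traffic is forwarded without a separate rule. It assumes ACL 30 is bound inbound on vlan2 (this page only shows ACL 20 on vlan1) and that a packet matching no rule is dropped; the class and function names are hypothetical.

```python
from ipaddress import ip_address

# Standard ACLs from the steps above: (action, source host). They match on source only.
ACLS = {
    20: [("permit", ip_address("192.168.1.140"))],
    30: [("deny", ip_address("10.1.1.20"))],
}
# ACL 20 inbound on vlan1 is from the page; ACL 30 inbound on vlan2 is an assumption.
BINDINGS = {"vlan1": 20, "vlan2": 30}


class FlowAwareRouter:
    """Toy model of flow-aware filtering; not the WS5100 implementation."""

    def __init__(self, acls, bindings):
        self.acls, self.bindings = acls, bindings
        # Permitted flows, keyed on the host pair only. Simplification: a real
        # flow table would also key on protocol and ports.
        self.flows = set()

    def acl_permits(self, acl_id, src):
        for action, host in self.acls[acl_id]:
            if src == host:
                return action == "permit"
        return False  # assumption: no matching rule means deny

    def route(self, in_iface, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        key = frozenset((src, dst))
        if key in self.flows:
            return "forward (existing flow)"  # return traffic skips the ACL lookup
        if self.acl_permits(self.bindings[in_iface], src):
            self.flows.add(key)
            return "forward (new flow)"
        return "drop"


def demo():
    r = FlowAwareRouter(ACLS, BINDINGS)
    mu, wired = "192.168.1.140", "10.1.1.20"
    return [
        r.route("vlan2", wired, mu),  # wired host initiates: denied by ACL 30
        r.route("vlan1", mu, wired),  # MU initiates: permitted by ACL 20
        r.route("vlan2", wired, mu),  # reply within the MU's flow: forwarded
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```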