Foundry Networks Switch and Router Installation And Configuration Manual page 1025

If you configure them on Layer 2 and Layer 3 Switches, you specify the source and destination IP address of
the hosts or servers for which you are controlling access.
If you configure Layer 4 policies on a ServerIron configured for Server Load Balancing (SLB), you specify the
virtual IP address (VIP) associated with the real servers.
Figure C.3 shows an example of TCP/UDP access policies. Although this example does not explicitly identify
these policies as inbound policies or outbound policies, when you apply the policies to individual ports you specify
whether they are for inbound or outbound traffic.
Figure C.3: TCP/UDP Access Policies
Actions
TCP/UDP access policies forward (permit) or drop (deny) IP packets based on the Layer 4 application information
in the packets.
Scope
You configure TCP/UDP access policies globally, then apply them to individual ports. When you apply a TCP/UDP
policy to a port, you specify whether the policy applies to inbound or outbound packets. You can use the
same policy in a port's inbound policy group and outbound policy group. When you configure a policy group, you

TCP/UDP Access Policy Group for Port 3/1 (from Figure C.3)

PolicyID  Action  Source            Destination
--------  ------  ----------------  -------------
3         Deny    209.157.22.26/24  any
17        Deny    209.157.22.14/24  any
34        Deny    209.157.22.26/24  201.21.2.7/24
1024      Permit  any               any
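
The scope rules described under Scope (policies defined once globally, then referenced from a port's inbound and outbound policy groups), modelled as an added example that is not taken from the Foundry manual. Policy IDs 1 and 2, the port numbers and the group contents are constructed sample values; first-match evaluation in group order and reading "/24" as a mask length are assumptions of this sketch, not statements from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    pid: int
    action: str                  # "permit" or "deny"
    src: str                     # "a.b.c.d/len" or "any"
    dst: str
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # "eq <port>" on the destination port; None = any

def addr_match(spec: str, addr: str) -> bool:
    # Assumption: "/24" is a mask length, so the whole subnet matches.
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def policy_match(p: Policy, pkt: dict) -> bool:
    return (addr_match(p.src, pkt["src"]) and addr_match(p.dst, pkt["dst"])
            and p.proto in ("any", pkt["proto"])
            and p.dport in (None, pkt["dport"]))

# Policies are defined once, globally (constructed sample values).
POLICIES = {p.pid: p for p in (
    Policy(1, "deny", "209.157.22.26/24", "201.21.2.7/24", "tcp", 21),  # FTP
    Policy(2, "deny", "any", "201.21.2.7/24", "udp", 69),               # TFTP
    Policy(1024, "permit", "any", "any"),
)}

# Each port references policy IDs per direction; 1024 is reused in both groups.
PORT_GROUPS = {"3/1": {"in": [1, 2, 1024], "out": [1024]}}

def evaluate(port: str, direction: str, pkt: dict):
    """Return (action, policy_id) of the first matching policy, or ("no-match", None)."""
    for pid in PORT_GROUPS.get(port, {}).get(direction, []):
        if policy_match(POLICIES[pid], pkt):
            return POLICIES[pid].action, pid
    return "no-match", None  # the device's default action is not modelled here

if __name__ == "__main__":
    ftp = {"src": "209.157.22.69", "dst": "201.21.2.7", "proto": "tcp", "dport": 21}
    http = dict(ftp, dport=80)
    other = dict(ftp, src="192.168.69.69")
    for name, pkt in (("ftp", ftp), ("http", http), ("other-net ftp", other)):
        print(name, evaluate("3/1", "in", pkt), evaluate("3/1", "out", pkt))
```

The same packet gets a different verdict depending on the direction it is checked in, which is why a review of these policies has to read each port's inbound and outbound groups separately.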