Foundry Networks Switch and Router Installation And Configuration Manual page 398

Foundry Switch and Router Installation and Configuration Guide
Configuring Extended ACLs
This section describes how to configure extended ACLs.
• For configuration information on named ACLs, see "Configuring Named ACLs" on page 13-19.
• For configuration information on standard ACLs, see "Configuring Standard ACLs" on page 13-6.
Extended ACLs let you permit or deny packets based on the following information:
• IP protocol
• Source IP address or host name
• Destination IP address or host name
• Source TCP or UDP port (if the IP protocol is TCP or UDP)
• Destination TCP or UDP port (if the IP protocol is TCP or UDP)
The IP protocol can be one of the following well-known names or any IP protocol number from
0 – 255:
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can
configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a
specified source IP address to the website's IP address.
USING THE CLI
To configure an extended access list that blocks all Telnet traffic received on port 1/1 from IP host 209.157.22.26,
enter the following commands.
BigIron(config)# access-list 101 deny tcp host 209.157.22.26 any eq telnet log
BigIron(config)# access-list 101 permit ip any any
BigIron(config)# int eth 1/1
BigIron(config-if-1/1)# ip access-group 101 in
BigIron(config)# write memory
Here is another example of commands for configuring an extended ACL and applying it to an interface. These
examples show many of the syntax choices. Notice that some of the entries are configured to generate log entries
while other entries are not thus configured.
BigIron(config)# access-list 102 perm icmp 209.157.22.0/24 209.157.21.0/24
BigIron(config)# access-list 102 deny igmp host rkwong 209.157.21.0/24 log
BigIron(config)# access-list 102 deny igrp 209.157.21.0/24 host rkwong log
BigIron(config)# access-list 102 deny ip host 209.157.21.100 host 209.157.22.1 log
BigIron(config)# access-list 102 deny ospf any any log
BigIron(config)# access-list 102 permit ip any any
The first entry permits ICMP traffic from hosts in the 209.157.22.x network to hosts in the 209.157.21.x network.
The second entry denies IGMP traffic from the host device named "rkwong" to the 209.157.21.x network.
The third entry denies IGRP traffic from the 209.157.21.x network to the host device named "rkwong".
13 - 10 December 2000