Cabletron Systems 9032578-02 Router User Manual


 
Chapter 10: Security Configuration Guide
170 SmartSwitch Router User Reference Manual
Destination secure port: To block access to all file servers on all ports from port et.1.1, use
the following command:

    filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1

To allow all engineers access to the engineering servers, you must "punch" a hole through
the secure-port wall. A "dest static-entry" overrides a "dest secure-port", so a static entry that
allows frames from et.1.1 out et.1.2 to the server's MAC address takes precedence over the
block above:

    filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

Layer-3 Access Control Lists (ACLs)
Layer-3 & Layer-4 Traffic Filters (Access Control List)
Access Control Lists (ACLs) allow you to restrict Layer-3/4 traffic going through the
router. Each ACL consists of one or more rules, each describing a particular type of
IP or IPX traffic. An ACL can be simple, consisting of only one rule, or complex, with
many rules. Each rule tells the router to either permit or deny a packet that matches the
rule's packet description.
Anatomy of an ACL Rule
Each ACL is identified by a name. The name can be a meaningful string, such as denyftp or
noweb, or it can be a number, such as 100 or 101.
Each rule has an action: permit or deny the packet if the packet satisfies the
criterion defined by the rule.
A criterion describes one or more characteristics of a packet. In an ACL rule, these
characteristics are expressed as the fields of the rule. Not every field of a rule needs to
be specified. A field that is not specified is treated as a wildcard, a "don't care"
condition; a field that is specified is matched against the corresponding field of the
packet. Leaving a field unspecified therefore widens the match: a rule that names only a
destination port applies to that port on every host. Each protocol has its own set of fields
to match. For example, TCP rules can use socket port numbers, while IPX rules can use a
network node address. For IP, TCP and UDP ACLs, the following fields can be specified:
Source IP address
Destination IP address
Source port number
Destination port number
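The wildcard semantics described above, worked through in an added Python model. This is example code, not part of the manual or the SSR software. It assumes two things this page does not state: rules are evaluated in order and the first match decides, and a packet that matches no rule is denied. The ACL named denyftp, the addresses and the sample packets are constructed for the example.

```python
# Added example: a model of ACL rule evaluation, not code from the Cabletron manual.
# Assumptions beyond what the manual says on this page: rules are tried in order and
# the first match decides; a packet that matches no rule is denied.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    sport: int      # source port
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    """One ACL rule. A field left as None is unspecified: a wildcard that matches anything."""
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # "tcp", "udp" or None for any protocol
    src: Optional[str] = None    # CIDR prefix such as "10.1.2.0/24", or None for any source
    dst: Optional[str] = None    # CIDR prefix, or None for any destination
    sport: Optional[int] = None  # source port, or None for any
    dport: Optional[int] = None  # destination port, or None for any

    def matches(self, pkt: Packet) -> bool:
        # Only specified fields are compared; every unspecified field is "don't care".
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that decided). First match wins (assumption);
    a packet matching no rule falls through to an implicit deny, reported with index None."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def unreachable_rules(acl: List[Rule], packets: List[Packet]) -> List[int]:
    """Indexes of rules that decide none of the sample packets. A rule shadowed by an
    earlier, broader rule never fires, which is the usual symptom of a misordered ACL."""
    hit = {evaluate(acl, p)[1] for p in packets}
    return [i for i in range(len(acl)) if i not in hit]


# Constructed sample data (not from the manual).
# "denyftp": block the FTP control port on the 10.1.2.0/24 server subnet, permit the rest.
DENYFTP = [
    Rule("deny", proto="tcp", dst="10.1.2.0/24", dport=21),
    Rule("permit"),   # every field unspecified, so it matches any IP packet
]
# The same two rules in the wrong order: the all-wildcard permit matches everything,
# so the deny rule is never consulted and FTP to the servers is allowed.
MISORDERED = [DENYFTP[1], DENYFTP[0]]

SAMPLE = [
    Packet("tcp", "192.168.5.7", "10.1.2.10", 40000, 21),   # FTP control to a server
    Packet("tcp", "192.168.5.7", "10.1.2.10", 40001, 80),   # HTTP to the same server
    Packet("udp", "192.168.5.7", "10.1.2.10", 40002, 21),   # UDP/21: the proto field does not match
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.proto, p.dst, p.dport, "denyftp:", evaluate(DENYFTP, p), "misordered:", evaluate(MISORDERED, p))
    print("rules never reached in MISORDERED:", unreachable_rules(MISORDERED, SAMPLE))
```

Running the script shows the FTP packet denied by rule 0 of denyftp and permitted by the misordered list, and reports rule 1 of the misordered list as unreachable; the UDP packet to port 21 is permitted by both because the deny rule specifies proto tcp.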