Using Access Control Lists
Summit 200 Series Switch Installation and User Guide 125
Step 1—Deny IP Traffic.
First, create an access-mask that examines the IP protocol field for each packet. Then create two
access-lists, one that blocks all TCP, one that blocks UDP. Although ICMP is used in conjunction with IP,
it is technically not an IP data packet. Thus, ICMP data traffic, such as ping traffic, is not affected.
The following commands creates the access mask and access lists:
create access-mask ipproto_mask ipprotocol ports precedence 25000
create access-list denytcp ipproto_mask ipprotocol tcp ports 2,10 deny
create access-list denyudp ipproto_mask ipprotocol udp ports 2,10 deny
Figure 17 illustrates the outcome of the access control list.
Figure 17: Access control list denies all TCP and UDP traffic
Step 2—Allow TCP traffic.
The next set of access list commands permits TCP-based traffic to flow. Because each session is
bi-directional, an access list must be defined for each direction of the traffic flow. UDP traffic is still
blocked.
The following commands create the access control list:
create access-mask ip_addr_mask ipprotocol dest-ip/32 source-ip/32 ports precedence
20000
create access-list tcp1_2 ip_addr_mask ipprotocol tcp dest-ip 10.10.20.100/32
source-ip 10.10.10.100/32 ports 2 permit qp1
create access-list tcp2_1 ip_addr_mask ipprotocol tcp dest-ip 10.10.10.100/32
source-ip 10.10.20.100/32 ports 10 permit qp1
Figure 18 illustrates the outcome of this access list.
LC2400
To Next Page
Loading...
Need help?
General
