EX2500 Ethernet Switch Configuration Guide
58 Using ACL Filters
ACL Example 4—Blocking All Except Certain Packets
Use this configuration to block all traffic except traffic of certain types.
HTTP/HTTPS, DHCP, and ARP packets are permitted on the port. All other traffic is
denied.
1. Configure one IP ACL for each type of traffic that you want to permit.
ex2500(config)# access-list ip 200 extended
ex2500(config-ext-nacl)# permit tcp any any eq 80
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 210 extended
ex2500(config-ext-nacl)# permit tcp any any eq 443
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 220 extended
ex2500(config-ext-nacl)# permit udp any any eq 67
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 230 extended
ex2500(config-ext-nacl)# permit udp any any eq 68
ex2500(config-ext-nacl)# exit
2. Configure IP ACLs to deny all other traffic.
The ACLs that allow traffic must have a higher priority than the ACLs that deny
all traffic.
ex2500(config)# access-list ip 240 extended
ex2500(config-ext-nacl)# deny tcp any any
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 245 extended
ex2500(config-ext-nacl)# deny udp any any
ex2500(config-ext-nacl)# exit
3. Configure one MAC ACL for each type of traffic that you want to permit (ARP).
ex2500(config)# access-list mac extended 10
ex2500(config-ext-macl)# permit any any arp
ex2500(config-ext-macl)# exit
4. Assign the ACLs to a port.
ex2500(config)# interface port 7
ex2500(config-if)# ip access-group 200 in
ex2500(config-if)# ip access-group 210 in
ex2500(config-if)# ip access-group 220 in
ex2500(config-if)# ip access-group 230 in
ex2500(config-if)# ip access-group 240 in
ex2500(config-if)# ip access-group 245 in
ex2500(config-if)# mac access-group 10 in
To Next Page
Loading...
Need help?
General
