User Manual

374 Enterasys X-Pedition User Reference Manual
The following ACL illustrates this feature:
acl 101 permit tcp established
acl 101 apply interface int1 input
Any incoming TCP packet on interface int1 is examined, and if the packet is in response to an internal request, it is permitted; otherwise, it is rejected. Note that the ACL contains no restriction for outgoing packets on interface int1, since internal hosts are allowed to access the outside world.
Creating ACLs
To create a new ACL and apply its first rule, you must enter the corresponding ACL command from the CLI. This creates a new ACL and allows you to begin applying ACL rules. To create an ACL to permit IP traffic from the subnet 10.1.0.0 (with a 16-bit netmask) to any destination, enter the following from the CLI:
xp(config)# acl 101 permit ip 10.1.0.0/16 any
Note: You may not apply ACLs to interface EN0 of the control module.
ACL rules are checks that the router uses to verify that each packet it receives is permitted on the system. When you apply an ACL to an interface, the XP appends an implicit deny rule to that ACL. The implicit deny rule denies all traffic. If you intend to allow all traffic that doesn’t match your specified ACL rules to go through, you must explicitly define a rule to permit all traffic. Packets that do not match any of the criteria you specify are rejected from the system.
The following command creates an ACL rule to deny any incoming TCP or UDP traffic coming from a privileged port (less than 1024). If the incoming traffic is not TCP or UDP, the XP checks only the source and destination addresses, not the port number. Therefore, this ACL will deny all non-TCP and non-UDP traffic.
xp(config)# acl 101 deny ip any any 1-1024 any
To create an additional ACL rule to permit Telnet traffic (port 23) from the host 10.23.4.8 to the subnet 10.2.3.0:
xp(config)# acl 101 permit ip 10.23.4.8 10.2.3.0/24
Note: The rules within an ACL must belong to the same protocol family.
To activate the ACL, you must apply it using the apply option of the ACL command. This enables the ACL and causes the router to check all received packets to see if they are valid packets that may travel through the network. The following example demonstrates how to apply the ACL defined above:
xp(config)# acl 101 apply interface all-ip
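The following Python evaluator is an added example, not part of the manual or the X-Pedition software; it models the first-match evaluation, the implicit deny appended on apply, and the rule that non-TCP/UDP packets are matched on addresses only, using the three acl 101 rules shown above. The packet dictionary layout and the parse_rule helper are assumptions for illustration; the "tcp established" keyword is not modelled.

```python
import ipaddress

PORTED = {"tcp", "udp"}  # only these protocols carry port numbers the ACL can check

def parse_rule(line):
    # Parses "acl <id> <permit|deny> <proto> <src> <dst> [<srcport> <dstport>]".
    # Port fields are optional; a missing field is treated as "any".
    parts = line.split()
    if len(parts) < 6 or parts[0] != "acl":
        raise ValueError("unsupported rule syntax: " + line)
    return {"acl": parts[1], "action": parts[2], "proto": parts[3],
            "src": parts[4], "dst": parts[5],
            "sport": parts[6] if len(parts) > 6 else "any",
            "dport": parts[7] if len(parts) > 7 else "any"}

def addr_match(spec, addr):
    # "any" matches everything; a bare host address is treated as a /32.
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    # Accepts "any", a single port "23", or a range "1-1024".
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    if pkt["proto"] not in PORTED:
        return True  # non-TCP/UDP: ports are not checked, the addresses alone decide
    return port_match(rule["sport"], pkt["sport"]) and port_match(rule["dport"], pkt["dport"])

def evaluate(acl, pkt):
    # First matching rule wins; the trailing "deny" is the implicit rule the XP appends on apply.
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"

# Constructed from the rules shown in this section.
ACL_101 = [parse_rule(line) for line in (
    "acl 101 permit ip 10.1.0.0/16 any",
    "acl 101 deny ip any any 1-1024 any",
    "acl 101 permit ip 10.23.4.8 10.2.3.0/24",
)]
```

Feeding an ICMP packet from 10.23.4.8 to 10.2.3.5 through ACL_101 returns "deny": the second rule matches on addresses alone, so the Telnet permit rule is never reached.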