Enterasys X-Pedition User Reference Manual 413
Destination secure port: To block access to all file servers on all ports from port et.1.1, use the following command:

    filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1

To allow all engineers access to the engineering servers, you must “punch” a hole through the secure-port wall. A “dest static-entry” overrides a “dest secure port”:

    filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow
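The precedence the secure-port example relies on, as an added Python model that is not X-Pedition code: a destination secure port blocks every frame its in-port sends into the VLAN, and a matching destination static entry with "restriction allow" is checked first and overrides that block. The port names, VLAN and the MAC 080060:abcdef come from the commands above; the second MAC 080060:123456 and the port et.1.3 are constructed for the check.

```python
"""Model of "dest secure-port" versus "dest static-entry" precedence.
Added illustration, not X-Pedition code.  Assumption: a static entry that
matches in-port, out-port, VLAN and destination MAC is consulted before the
secure-port wall, so an allow entry punches through it."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    in_port: str
    dst_mac: str          # Enterasys notation, e.g. "080060:abcdef"
    vlan: int


@dataclass
class SecurePort:         # filters add secure-port ... direction dest
    name: str
    vlan: int
    in_ports: frozenset


@dataclass
class StaticEntry:        # filters add static-entry ... restriction allow|disallow
    name: str
    dst_mac: str
    vlan: int
    in_ports: frozenset
    out_ports: frozenset
    allow: bool


@dataclass
class L2Filters:
    secure_ports: list = field(default_factory=list)
    static_entries: list = field(default_factory=list)

    def decide(self, frame: Frame, out_port: str):
        """Return (verdict, name of the deciding filter).  Static entries go
        first because a dest static-entry overrides a dest secure-port."""
        for e in self.static_entries:
            if (e.vlan == frame.vlan
                    and e.dst_mac.lower() == frame.dst_mac.lower()
                    and frame.in_port in e.in_ports
                    and out_port in e.out_ports):
                return ("allow" if e.allow else "deny", e.name)
        for s in self.secure_ports:
            if s.vlan == frame.vlan and frame.in_port in s.in_ports:
                return ("deny", s.name)
        return ("allow", None)        # no filter matched: ordinary bridging


def example_filters() -> L2Filters:
    """The two commands from the manual page, as filter objects."""
    f = L2Filters()
    f.secure_ports.append(SecurePort("engineers", 1, frozenset({"et.1.1"})))
    f.static_entries.append(StaticEntry("eng-server", "080060:abcdef", 1,
                                        frozenset({"et.1.1"}),
                                        frozenset({"et.1.2"}), True))
    return f


if __name__ == "__main__":
    f = example_filters()
    # engineering server reachable through the hole, anything else on the VLAN walled off
    print(f.decide(Frame("et.1.1", "080060:abcdef", 1), "et.1.2"))
    print(f.decide(Frame("et.1.1", "080060:123456", 1), "et.1.2"))   # constructed MAC
```

Note that the static entry is scoped by out-port-list as well: the same destination MAC reached through a port other than et.1.2 still hits the secure-port wall, which is the check to run whenever a hole is punched.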
Layer-3 Security Controls
Access Control Lists (ACLs)
Access Control Lists (ACLs) allow you to restrict Layer-3/4 traffic going through the X-Pedition. Each ACL consists of one or more rules describing a particular type of IP or IPX traffic. An ACL can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the router to either permit or deny the packet that matches the rule's packet description. For information about defining and using ACLs on the X-Pedition, see Access Control List Configuration Guide on page 369.
Note: You may not apply ACLs to interface EN0 of the control module.
Rate Limiting
This configuration mode command allows the X-Pedition to set limits on the amount of traffic any port, interface, or vlan can receive.
Features Available
There are five different kinds of rate limiting: per flow rate limiting, aggregate rate limiting, port-based rate limiting, flow aggregate rate limiting, and vlan rate limiting (L4-Bridging must be enabled for vlan rate limiting). Per flow and aggregate rate limiting have flows defined through a policy ACL—vlan and port-based rate limiting do not. For a more in-depth description of the various kinds of rate limiting, refer to Limiting Traffic Rate on page 440.
Note: There are two rate limiting modes that can be set where appropriate: per flow (the default) and aggregate.
Note: Aggregate and flow-aggregate rate limiting are not supported on 802.1q trunk ports.
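The ACL section and the rate limiting section above describe the same pipeline from two sides: ordered permit/deny rules classify packets, and a policy ACL then defines the flows that per flow or aggregate rate limiting constrains. The Python below is an added model of that pipeline, not X-Pedition code. Its assumptions: rules are evaluated top-down with the first match deciding and an unmatched packet denied (check the ACL configuration guide the page references for the router's actual semantics), the limiter is a token bucket counted in packets, and packets outside the policy ACL are forwarded without a limit. The addresses are constructed from documentation ranges.

```python
"""Added model of ordered ACL evaluation and ACL-defined rate limiting in
per-flow versus aggregate mode.  Illustration only, not X-Pedition code."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int
    size: int = 1         # cost charged to the bucket (packets here)


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl, p):
    """Return (action, index of the deciding rule); implicit deny if none match
    (assumed convention, not taken from the page)."""
    for i, r in enumerate(acl):
        if r.matches(p):
            return r.action, i
    return "deny", None


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst       # tokens per second, bucket depth
        self.tokens, self.last = burst, 0.0

    def admit(self, now, cost):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """Packets the policy ACL permits form the limited flows.  'flow' mode keeps
    one bucket per (src, dst, proto, dport); 'aggregate' mode shares a single
    bucket across every matching flow.  Packets outside the policy pass unlimited."""
    def __init__(self, policy, mode, rate, burst):
        self.policy, self.mode = policy, mode
        self.rate, self.burst, self.buckets = rate, burst, {}

    def admit(self, p, now):
        action, _ = evaluate(self.policy, p)
        if action != "permit":
            return True
        key = "*" if self.mode == "aggregate" else (p.src, p.dst, p.proto, p.dport)
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate, self.burst))
        return bucket.admit(now, p.size)


def demo(mode):
    """Two hosts (constructed documentation addresses) each send five HTTP
    packets at t=0, plus one DNS query the policy does not cover.  Returns the
    number of packets admitted: 11 per flow, 6 in aggregate."""
    policy = [Rule("permit", dst="10.0.0.0/24", proto="tcp", dport=80)]
    lim = RateLimiter(policy, mode, rate=1.0, burst=5)
    packets = [Packet(src, "10.0.0.10", "tcp", 80)
               for src in ("198.51.100.7", "198.51.100.8") for _ in range(5)]
    packets.append(Packet("198.51.100.7", "10.0.0.53", "udp", 53))
    return sum(lim.admit(p, now=0.0) for p in packets)


if __name__ == "__main__":
    for mode in ("flow", "aggregate"):
        print(mode, demo(mode))
```

The two demo runs show the operational difference the note above refers to: with per-flow limiting every ACL-defined flow gets its own budget, so one busy source cannot consume another's; with aggregate limiting all matching flows compete for one budget, which caps the total but lets a single source starve the rest. Rule order matters in the same way the ACL paragraph implies: the deny rule placed first in the test below wins over the later permit for the same packet.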