Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

301

302

303

304

305

306

307

308

309

310

Creating and Committing a Security ACL

15-4 Configuring and Managing Security ACLs

Creating and Committing a Security ACL

ThesecurityACLsyoucreatecanfilterpacketsbysourceaddress,IPprotocol,porttype,and

othercharacteristics.WhenyouconfigureanACEforasecurityACL,MSSstorestheACEinthe

editbufferuntilyoucommittheACLtobesavedtothepermanentconfiguration.Youmust

commita

securityACLbeforeyoucanapplyittoanauthenticateduser’ssessionormapittoa

VLAN,virtualport,orDistributedAP.EverysecurityACLmusthaveaname.

Setting a Source IP ACL

YoucancreateanACEthatfilterspacketsbasedonthesourceIPaddressandoptionallyapplies

CoSpackethandling.(ForCoSdetails,see“ClassofService”onpage 15‐5.)Youcanalso

determinewheretheACEisplacedinthesecurityACLbyusingthebeforeeditbuffer‐indexor



modifyeditbuffer‐indexvariableswithanindexnumber.Youcanusethehitscountertotrackhow

manypacketstheACLfilters.

ThesimplestsecurityACLpermitsordeniespacketsfromasourceIPaddress:

set security acl ip acl-name {permit [cos cos] | deny} source-ip-addr mask

[before editbuffer-index | modify editbuffer-index] [hits]

Examples

Forexample,tocreateACLacl‐1thatpermitsallpacketsfromIPaddress192.168.1.4,typethe

followingcommand:

RBT-8100#set security acl ip acl-1 permit 192.168.1.4 0.0.0.0

WiththefollowingbasicsecurityACLcommand,youcanspecifyanyoftheprotocolssupported

byMSS:

set security acl ip acl-name {permit [cos cos] | deny} {protocol} {source-ip-addr

mask destination-ip-addr mask} [precedence precedence] [tos tos] [before

editbuffer-index | modify editbuffer-index] [hits]

ThefollowingsamplesecurityACLpermitsallGenericRoutingEncapsulation(GRE)packets

fromsourceIPaddress19 2.168.1.11todes tinationIPaddress192.168.1.15,withaprecedencelevel

of0(routine),andatype‐of‐service(TOS)levelof0(normal).(Formoreinformationabouttype ‐of‐

serviceandprecedencelevels,seethe

RoamAboutMobilitySystemSoftwareCommandLineInterface

Reference.)GREisprotocolnumber47.

RBT-8100# set security acl ip acl-2 permit cos 2 47 192.168.1.11 0.0.0.0

192.168.1.15 0.0.0.0 precedence 0 tos 0 hits

ThesecurityACLacl‐2describedabovealsoappliestheCoSlevel 2(mediumpriority)tothe

permittedpackets.(ForCoS details,see“ClassofService”onpage 15‐5.)Thekeywordhitscounts

thenumberoftimesthisACLaffectspackettraffic.

Table 15‐1onpage 15‐5listscommonIPprotocol

numbers.(ForacompletelistofIPprotocol

namesandnumbers,seewww.iana.org/assignments/protocol‐numbers.)Forcommandsthatset

securityACLsforspecificprotocols,seethefollowinginformation:

•“SettinganICMPACL”onpage 15‐6

•“SettingaTCPACL”onpage 15‐8

•“SettingaUDPACL”onpage 15‐8