Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

321

322

323

324

325

326

327

328

329

330

Security ACL Configuration Scenario

RoamAbout Mobility System Software Configuration Guide 15-29

3. ConfigureanACEthatdeniesallIPtrafficfromanyIPaddressinthe10.10.11.0/24subnetto

anyaddressinthesamesubnet.

set security acl ip c2c deny ip 10.10.11.0 0.0.0.255 10.10.11.0 0.0.0.255

4. ConfigureanACEthatpermitsalltrafficthatdoesnotmatchtheACEsconfiguredabove:

set security acl ip c2c permit 0.0.0.0 255.255.255.255

5. CommittheACLtotheconfiguration:

commit security acl c2c

6. MaptheACLtotheoutboundandinboundtrafficdirectionsofVLANvlan‐1:

set security acl map c2c vlan vlan-1 out

set security acl map c2c vlan vlan-1 in

Security ACL Configuration Scenario

ThefollowingscenarioillustrateshowtocreateasecurityACLnamedacl‐99thatconsistsofone

ACEtopermitincomingpacketsfromoneIPaddress,andhowtomaptheACLtoaportanda

user:

1. TypethefollowingcommandtocreateandnameasecurityACLandadd

anACEtoit.

RBT-8100# set security acl ip acl-99 permit 192.168.1.1 0.0.0.0

2. ToviewtheACEyouhaveentered,typethefollowingcommand:

RBT-8100# show security acl editbuffer

ACL Type Status

---------------------------------- ---- -------------

acl-99 IP Not committed

3. Tosaveacl‐99anditsassociatedACEtotheconfiguration,typethefollowingcommand:

RBT-8100# commit security acl acl-99

success: change accepted.

4. Tomapacl‐99toport 9tofilterincomingpackets,typethefollowingcommand:

RBT-8100# set security acl map acl-99 port 9 in

mapping configuration accepted

BecauseeverysecurityACLinclud esan implicitruledenyingalltrafficthatisnotpermitted,

port 9nowacceptspacketsonlyfrom192.168.1.1,anddeniesallotherpackets.

5. Tomapacl‐99touserNatasha’ssessionswhenyouareusingthelocalRASdatabasefor

authentication,configureNatashainthe databasewith

theFilter‐Idattribu te.Typethe 

followingcommands:

RBT-8100# set authentication dot1x Natasha local

success: change accepted.

RBT-8100# set user natasha attr filter-id acl-99.in

success: change accepted.

6. Alternatively,youcanmapacl‐99toNatasha’ssessionswhenyouareusingaremoteRADIUS

serverforauthentication.ToconfigureNatashaforpass‐throughauthenticationtothe

RADIUSservershorebirds,typethefollowingcommand:

Note: The commands in steps 1 and 2 permit traffic to and from the gateway. If the subnet has more

than one gateway, add a similar pair of ACEs for each gateway. Add the gateway ACEs before the

ACEs that block all traffic to and from addresses within the subnet.