Viewing acl statistics, Configuring acl port mirroring, Acl configuration examples – Juniper Networks EX2500 User Manual


EX2500 Ethernet Switch Configuration Guide, page 58

Using ACL Filters

When you assign an ACL to a port, the ACL acts only upon ingress traffic, not egress
traffic.

To assign an ACL to a port:

ex2500(config)# interface port 1
ex2500(config-if)# ip access-group 128 in
ex2500(config-if)# exit

To delete an ACL from a port:

ex2500(config)# interface port 1
ex2500(config-if)# no ip access-group 128 in
ex2500(config-if)# exit

Viewing ACL Statistics

ACL statistics display how many packets hit (matched) each ACL. Use ACL statistics
to check filter performance and to debug the ACL filters. You must enable statistics
for each ACL that you want to monitor. Use the following command to enable
statistics for the ACL:

ex2500(config)# access-list ip standard 128 statistics

Use the following command to view ACL statistics:

ex2500(config)# show access-list counters

Configuring ACL Port Mirroring

To filter packets for monitoring or analysis, you can apply an ACL filter to mirror
packets that match the ACL. Packets that match the ACL filter are copied and
forwarded to a physical interface port.

The port receiving the mirrored packets must be a physical port, not a static
trunk group (portchannel), which is a virtual link; the port can, however, be a
member of a trunk group.

A port that has an ACL applied to it cannot receive packets filtered by its own ACL.

You can configure IP standard and extended ACLs and MAC extended ACLs for port
mirroring. For example, use the following command to configure an IP standard
ACL port mirror:

ex2500(config)# access-list ip standard 128 port mirror <port number>

For more information about port mirroring, see “Monitoring Ports with Port
Mirroring” on page 85.

ACL Configuration Examples

ACL Example 1—Blocking Traffic to a Host

Use this configuration to block traffic to a specific host. All traffic that ingresses
port 1 is denied if it is destined for the host at IP address 100.10.1.1.
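The following is an added illustrative model, not Juniper's code and not the switch's own implementation, of the behaviour this page describes: an ACL bound to a port is consulted for ingress traffic only, hit counters are kept per ACL once statistics are enabled, a port mirror copies matching packets to a physical port (a portchannel is rejected as a mirror target), and a port never receives copies filtered by its own ACL. The class and method names (Switch, access_group, port_mirror, show_access_list_counters) and the packet fields are assumptions chosen to mirror the CLI commands on this page; the deny-to-host rule for 100.10.1.1 on port 1 follows ACL Example 1.

```python
"""Simplified model of EX2500-style standard IP ACL semantics (added example)."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    ingress_port: int          # port the frame arrived on (ACLs act here only)
    dst_ip: str
    src_ip: str = "0.0.0.0"


@dataclass
class StandardAcl:
    number: int
    dst_ip: str                # host to match; ACL Example 1 uses 100.10.1.1
    action: str = "deny"
    statistics: bool = False   # 'access-list ip standard N statistics'
    mirror_port: Optional[int] = None   # 'access-list ip standard N port mirror P'
    hits: int = 0              # shown by 'show access-list counters'

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst_ip == self.dst_ip


class Switch:
    """Hypothetical switch holding ACLs, port bindings and mirror copies."""

    def __init__(self, physical_ports, portchannels=()):
        self.physical_ports = set(physical_ports)
        self.portchannels = set(portchannels)   # virtual links: invalid mirror targets
        self.acls = {}
        self.port_acl = {}     # port -> ACL number, applied to ingress traffic only
        self.mirrored = []     # (mirror_port, packet) copies delivered so far

    def access_list(self, number, dst_ip, action="deny"):
        self.acls[number] = StandardAcl(number, dst_ip, action)

    def statistics(self, number):
        self.acls[number].statistics = True

    def port_mirror(self, number, port):
        # The mirror target must be a physical port, not a static trunk group.
        if port in self.portchannels or port not in self.physical_ports:
            raise ValueError("mirror target must be a physical port, not a portchannel")
        self.acls[number].mirror_port = port

    def access_group(self, port, number):        # 'ip access-group N in'
        self.port_acl[port] = number

    def no_access_group(self, port):              # 'no ip access-group N in'
        self.port_acl.pop(port, None)

    def show_access_list_counters(self):
        """Hit counts for every ACL that has statistics enabled."""
        return {n: a.hits for n, a in self.acls.items() if a.statistics}

    def forward(self, pkt: Packet) -> str:
        """Return 'permit' or 'deny' for a packet; only the ingress port's ACL is consulted."""
        acl = self.acls.get(self.port_acl.get(pkt.ingress_port))
        if acl is None or not acl.matches(pkt):
            return "permit"
        if acl.statistics:
            acl.hits += 1
        # A port cannot receive packets filtered by its own ACL, so no copy goes
        # back to the ingress port even if it was named as the mirror target.
        if acl.mirror_port is not None and acl.mirror_port != pkt.ingress_port:
            self.mirrored.append((acl.mirror_port, pkt))
        return acl.action


def build_example_switch() -> Switch:
    """Constructed setup following ACL Example 1: deny traffic to 100.10.1.1 entering port 1."""
    sw = Switch(physical_ports=[1, 2, 3], portchannels=["po1"])
    sw.access_list(128, "100.10.1.1")   # standard ACL 128, deny to host
    sw.statistics(128)                  # enable hit counters
    sw.access_group(1, 128)             # apply on ingress of port 1
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    print(sw.forward(Packet(1, "100.10.1.1")))   # deny: matches on ingress port 1
    print(sw.forward(Packet(2, "100.10.1.1")))   # permit: port 2 has no ACL
    print(sw.show_access_list_counters())
```

Running the block shows the ingress-only rule directly: the same destination is denied when it enters port 1 but permitted when it enters port 2, and only the port-1 hit is counted.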
