ACL Example 4—Blocking All Except Certain Packets – Juniper Networks EX2500 User Manual

EX2500 Ethernet Switch Configuration Guide

60

Using ACL Filters

ex2500(config-if)# exit

ACL Example 4—Blocking All Except Certain Packets

Use this configuration to block all traffic except traffic of certain types.
HTTP/HTTPS, DHCP, and ARP packets are permitted on the port. All other traffic is
denied.

1. Configure one IP ACL for each type of traffic that you want to permit.

ex2500(config)# access-list ip 200 extended
ex2500(config-ext-nacl)# permit tcp any any eq 80
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 210 extended
ex2500(config-ext-nacl)# permit tcp any any eq 443
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 220 extended
ex2500(config-ext-nacl)# permit udp any any eq 67
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 230 extended
ex2500(config-ext-nacl)# permit udp any any eq 68
ex2500(config-ext-nacl)# exit

2. Configure IP ACLs to deny all other traffic.

The ACLs that permit traffic must have a higher priority than the ACLs that deny
all traffic; otherwise the deny ACLs match first and the traffic you intended to
permit is dropped as well.

ex2500(config)# access-list ip 240 extended
ex2500(config-ext-nacl)# deny tcp any any
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 245 extended
ex2500(config-ext-nacl)# deny udp any any
ex2500(config-ext-nacl)# exit

3. Configure one MAC ACL for each type of traffic that you want to permit (here, ARP).

ex2500(config)# access-list mac extended 10
ex2500(config-ext-macl)# permit any any arp
ex2500(config-ext-macl)# exit

4. Assign the ACLs to the port.

ex2500(config)# interface port 7
ex2500(config-if)# ip access-group 200 in
ex2500(config-if)# ip access-group 210 in
ex2500(config-if)# ip access-group 220 in
ex2500(config-if)# ip access-group 230 in
ex2500(config-if)# ip access-group 240 in
ex2500(config-if)# ip access-group 245 in
ex2500(config-if)# mac access-group 10 in
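The following is an added worked example, not Juniper code or part of the manual: a small Python model of first-match evaluation over the seven ACLs configured in steps 1 to 4. It assumes that the ACLs are evaluated in priority order (modelled here as list order, permits ahead of the catch-all denies, as step 2 requires) and that the first matching ACL decides. It shows which constructed sample packets are permitted or denied, what happens to HTTP if the deny ACLs are given the higher priority, and which traffic matches none of the seven ACLs at all. That last point is the check a practitioner should make: ICMP, and any non-IP, non-ARP frame, is covered by no ACL in this example, so the platform's disposition of unmatched traffic must be verified rather than assumed.

```python
"""Added model of first-match ACL evaluation for the ACL Example 4 port filter.

Not EX2500 code: a plain Python simulation used to reason about what the
configured ACLs permit, deny, or leave unmatched.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: ethertype plus, for IP, protocol and destination port."""
    ethertype: str                 # "ip" or "arp"
    proto: Optional[str] = None    # "tcp", "udp", "icmp", ... (IP only)
    dport: Optional[int] = None    # destination port (TCP/UDP only)


@dataclass(frozen=True)
class Acl:
    """One ACL as entered in the example; None in a field means 'any'."""
    number: int
    action: str                    # "permit" or "deny"
    ethertype: str                 # "ip" for the IP ACLs, "arp" for MAC ACL 10
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.ethertype != pkt.ethertype:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


# The seven ACLs of the example, in the priority order the text requires:
# permit ACLs ahead of the catch-all deny ACLs (order is an assumption of
# this model, standing in for the switch's own precedence rules).
EXAMPLE_ACLS: List[Acl] = [
    Acl(200, "permit", "ip", "tcp", 80),    # HTTP
    Acl(210, "permit", "ip", "tcp", 443),   # HTTPS
    Acl(220, "permit", "ip", "udp", 67),    # DHCP (server port)
    Acl(230, "permit", "ip", "udp", 68),    # DHCP (client port)
    Acl(10,  "permit", "arp"),              # MAC ACL 10: ARP
    Acl(240, "deny",   "ip", "tcp"),        # all other TCP
    Acl(245, "deny",   "ip", "udp"),        # all other UDP
]


def evaluate(pkt: Packet, acls: List[Acl] = EXAMPLE_ACLS,
             default: str = "unmatched") -> Tuple[str, Optional[int]]:
    """First matching ACL decides.  A packet matching no ACL is reported as
    `default`: the example configures nothing for that case, so the real
    switch's behaviour for unmatched traffic has to be checked on the platform."""
    for acl in acls:
        if acl.matches(pkt):
            return acl.action, acl.number
    return default, None


def deny_first(acls: List[Acl]) -> List[Acl]:
    """The same ACLs with the deny ACLs given the higher priority: the ordering
    step 2 warns against."""
    denies = [a for a in acls if a.action == "deny"]
    permits = [a for a in acls if a.action != "deny"]
    return denies + permits


def unmatched(samples: List[Packet], acls: List[Acl] = EXAMPLE_ACLS) -> List[Packet]:
    """Return the sample packets that fall through every ACL."""
    return [p for p in samples if evaluate(p, acls)[0] == "unmatched"]


# Constructed sample traffic arriving on the port.
SAMPLES: List[Packet] = [
    Packet("ip", "tcp", 80), Packet("ip", "tcp", 443), Packet("ip", "tcp", 22),
    Packet("ip", "udp", 67), Packet("ip", "udp", 53), Packet("arp"),
    Packet("ip", "icmp"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", evaluate(p))
    print("HTTP with deny ACLs first:",
          evaluate(Packet("ip", "tcp", 80), deny_first(EXAMPLE_ACLS)))
    print("matches no ACL:", unmatched(SAMPLES))
```

With the intended ordering, HTTP, HTTPS, both DHCP ports and ARP are permitted, and SSH and DNS are denied by ACLs 240 and 245; with the deny ACLs ordered first, HTTP is denied by ACL 240 before ACL 200 is ever consulted. The ICMP sample matches nothing, which is exactly the gap to confirm against the platform's documented handling of traffic that matches no ACL.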