25-12 Riverstone Networks RS Switch Router User Guide Release 8.0

Layer-3 Access Control Lists (ACLs)

Security Configuration

To allow ONLY the engineering manager access to the engineering servers, you must "punch" a hole through the
secure-port wall. A "source static-entry" overrides a "source secure port":

filters add static-entry name eng-mgr source-mac 080060:123456 vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

Destination secure port: To block access to all file servers on all ports from port et.1.1, use the following command:

filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1

To allow all engineers access to the engineering servers, you must "punch" a hole through the secure-port wall. A "dest
static-entry" overrides a "dest secure port":

filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

25.3 LAYER-3 ACCESS CONTROL LISTS (ACLS)

Access Control Lists (ACLs) allow you to restrict Layer-3/4 traffic going through the RS. Each ACL consists of one
or more rules describing a particular type of IP or IPX traffic. An ACL can be simple, consisting of only one rule, or
complicated with many rules. Each rule tells the router to either permit or deny the packet that matches the rule's packet
description.

For information about defining and using ACLs on the RS, see Chapter 24, "Access Control List Configuration."

25.4 LAYER-4 BRIDGING AND FILTERING

Layer-4 bridging is the RS's ability to use layer-3/4 information to perform filtering or QoS during bridging. As
described in Section 25.2, "Layer-2 Security Filters," above, you can configure ports to filter traffic using MAC
addresses. Layer-4 bridging adds the ability to use IP addresses, layer-4 protocol type, and port number to filter traffic
in a bridged network. Layer-4 bridging allows you to apply security filters on a "flat" network, where the client and
server may reside on the same subnet.

Note: Ports that are included in a layer-4 bridging VLAN must reside on updated RS hardware.
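The following is an added Python model of the secure-port and static-entry precedence described above; it is not Riverstone code, and its semantics are a simplified assumption drawn from the text (a secure port walls off its in-port in one direction, and only an "allow" static entry of the same direction punches a hole through that wall). It assumes a source secure port named "eng-only" on et.1.1 in addition to the three commands shown on this page.

```python
# Added model (not Riverstone code) of how RS layer-2 secure ports and static
# entries combine. Assumed, simplified semantics: a secure port drops every
# frame entering its in-port-list in its VLAN ("source" judges the source MAC,
# "dest" the destination MAC) unless an "allow" static entry of the same
# direction matches the frame; a matching "disallow" entry always drops.
from collections import namedtuple
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

Frame = namedtuple("Frame", "vlan in_port out_port src_mac dst_mac")

@dataclass(frozen=True)
class SecurePort:
    name: str
    direction: str              # "source" or "dest"
    vlan: int
    in_ports: FrozenSet[str]

@dataclass(frozen=True)
class StaticEntry:
    name: str
    vlan: int
    in_ports: FrozenSet[str]
    out_ports: FrozenSet[str]
    restriction: str            # "allow" or "disallow"
    source_mac: Optional[str] = None
    dest_mac: Optional[str] = None

    def direction(self) -> str:
        return "source" if self.source_mac else "dest"

    def matches(self, f: Frame) -> bool:
        mac = (self.source_mac == f.src_mac) if self.source_mac else (self.dest_mac == f.dst_mac)
        return mac and f.vlan == self.vlan and f.in_port in self.in_ports and f.out_port in self.out_ports

def forwarded(f: Frame, secure: List[SecurePort], static: List[StaticEntry]) -> bool:
    """True if the bridged frame gets through the secure-port walls and static entries."""
    hits = [e for e in static if e.matches(f)]
    if any(e.restriction == "disallow" for e in hits):
        return False
    # Directions in which a secure port walls off this in-port: each wall needs a
    # hole punched by an "allow" static entry of the same direction (the page's rule).
    walled = {s.direction for s in secure if s.vlan == f.vlan and f.in_port in s.in_ports}
    return all(any(e.direction() == d and e.restriction == "allow" for e in hits) for d in walled)

# The page's three commands as objects, plus an assumed source secure port on
# et.1.1 (its command is not on this page; the name "eng-only" is constructed).
ET11, ET12 = frozenset({"et.1.1"}), frozenset({"et.1.2"})
SECURE_PORTS = [SecurePort("engineers", "dest", 1, ET11), SecurePort("eng-only", "source", 1, ET11)]
STATIC_ENTRIES = [StaticEntry("eng-mgr", 1, ET11, ET12, "allow", source_mac="080060:123456"),
                  StaticEntry("eng-server", 1, ET11, ET12, "allow", dest_mac="080060:abcdef")]
```

With both secure ports in place only the manager's MAC reaches the engineering server; dropping the source secure port (SECURE_PORTS[:1]) reproduces the "all engineers" case from the text.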
