Extreme Networks Summit 300-48 User Manual


Using Access Control Lists

Summit 300-48 Switch Software User Guide, page 117

Step 1 – Deny IP Traffic.

First, create an access-mask that examines the IP protocol field of each packet. Then create two
access-lists, one that blocks all TCP traffic and one that blocks all UDP traffic. Although ICMP is used in
conjunction with IP, it is technically not an IP data packet, so ICMP traffic, such as ping traffic, is not
affected.

The following commands create the access mask and access lists:

create access-mask ipproto_mask ipprotocol ports precedence 25000

create access-list denytcp ipproto_mask ipprotocol tcp ports 1:2,1:10 deny

create access-list denyudp ipproto_mask ipprotocol udp ports 1:2,1:10 deny

Figure 8 illustrates the outcome of the access control list.

Figure 8: Access control list denies all TCP and UDP traffic

Step 2 – Allow TCP traffic.

The next set of access list commands permits TCP-based traffic to flow. Because each session is
bi-directional, an access list must be defined for each direction of the traffic flow. UDP traffic is still
blocked.

The following commands create the access control list:

create access-mask ip_addr_mask ipprotocol dest-ip/32 source-ip/32 ports precedence 20000

create access-list tcp1_2 ip_addr_mask ipprotocol tcp dest-ip 10.10.20.100/32 source-ip 10.10.10.100/32 ports 1:2 permit qp1

create access-list tcp2_1 ip_addr_mask ipprotocol tcp dest-ip 10.10.10.100/32 source-ip 10.10.20.100/32 ports 1:10 permit qp1

Figure 9 illustrates the outcome of this access list.

[Figure 9: hosts 10.10.10.100 (NET10 VLAN, gateway 10.10.10.1) and 10.10.20.100 (NET20 VLAN, gateway 10.10.20.1); TCP, UDP and ICMP traffic shown]
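As an added illustration (not from the Extreme Networks guide), the following Python model reproduces how the two masks above interact: ip_addr_mask carries the lower precedence number (20000), so its permit entries are consulted before ipproto_mask (25000) denies TCP. The model assumes that lower precedence values are evaluated first and that traffic matching no list is forwarded, which is how the page's example behaves; the Packet, AccessList, AccessMask and evaluate names are invented for the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed model of this page's two-step ACL. Assumptions not stated on the
# page: a lower precedence number is evaluated first, and unmatched traffic is forwarded.
@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str    # source IP
    dst: str    # destination IP
    port: str   # ingress port, e.g. "1:2"

@dataclass
class AccessList:
    name: str
    action: str                  # "permit" or "deny"
    ports: frozenset             # ports the rule applies to
    proto: Optional[str] = None  # ipprotocol value, if the mask examines it
    src: Optional[str] = None    # source-ip/32, if the mask examines it
    dst: Optional[str] = None    # dest-ip/32, if the mask examines it

    def matches(self, p: Packet) -> bool:
        proto_ok = self.proto is None or p.proto == self.proto
        src_ok = self.src is None or ip_address(p.src) in ip_network(self.src)
        dst_ok = self.dst is None or ip_address(p.dst) in ip_network(self.dst)
        return proto_ok and src_ok and dst_ok and p.port in self.ports

@dataclass
class AccessMask:
    name: str
    precedence: int
    lists: list = field(default_factory=list)

def evaluate(masks, p):
    # Return (action, matching list name) for the first hit in precedence order.
    for mask in sorted(masks, key=lambda m: m.precedence):
        for acl in mask.lists:
            if acl.matches(p):
                return acl.action, acl.name
    return "permit", None  # assumption: unmatched traffic is forwarded

PORTS = frozenset({"1:2", "1:10"})
# Step 1: ipproto_mask (precedence 25000) denies all TCP and UDP on both ports.
ipproto_mask = AccessMask("ipproto_mask", 25000, [
    AccessList("denytcp", "deny", PORTS, proto="tcp"),
    AccessList("denyudp", "deny", PORTS, proto="udp")])
# Step 2: ip_addr_mask (precedence 20000) permits one TCP host pair, one list per direction.
ip_addr_mask = AccessMask("ip_addr_mask", 20000, [
    AccessList("tcp1_2", "permit", frozenset({"1:2"}), "tcp", "10.10.10.100/32", "10.10.20.100/32"),
    AccessList("tcp2_1", "permit", frozenset({"1:10"}), "tcp", "10.10.20.100/32", "10.10.10.100/32")])
MASKS = [ipproto_mask, ip_addr_mask]
```

Evaluating a packet against `[ipproto_mask]` alone shows Step 1 denying the TCP host pair, while `MASKS` shows Step 2 overriding that deny for exactly the two permitted directions and leaving UDP blocked and ICMP untouched.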
