Asante Technologies IC36240 user manual Configuring Common Access Lists

Page 64

6.4.6 Configuring Common Access Lists

This section provides examples the most common ACLs used when configuring a network. Change the IP addresses in the following examples when using them in your network.

The following example shows denying special-use address sources.

Switch(config)# access-list 110 deny ip 127.0.0.0 0.255.255.255 any Switch(config)# access-list 110 deny ip 192.0.2.0 0.0.0.255 any Switch(config)# access-list 110 deny ip 224.0.0.0 31.255.255.255 any Switch(config)# access-list 110 deny ip host 255.255.255.255 any

The following example shows explicitly permitting ICMP.

Switch(config)# access-list 110			permit icmp any		any
Switch(config)#	access-list	110	permit	icmp any	any tos
Switch(config)#	access-list	110	deny	icmp any	any

The following example shows explicitly permitting UDPs with an operator equal to 53.

Switch(config)# access-list 110 permit udp any any eq 53

The following example shows explicitly permitting legitimate business traffic.

Switch(config)# access-list 110 permit tcp any any Internet-routableestablished Switch(config)# access-list 110 permit udp any range 1 1023 Internet-routable subnet gt 1023

The following example shows explicitly permitting ftp data connections.

Switch(config)# access-list 110 permit tcp any any eq 20 Internet-routable subnet gt 1023

The following example shows explicitly permitting tftp data and multimedia connections.

Switch(config)# access-list 110 permit udp any any gt 1023 Internet-routable subnet gt 1023

The following example shows explicitly permitting incoming DNS queries.

Switch(config)# access-list 110 permit udp any any gt 1023 host <primary DNS server> eq 53

The following example shows explicitly permitting zone transfer DNS queries to primary DNS server.

Switch(config)# access-list 110 permit tcp host secondary DNS server gt 1023 host primary DNS server eq 53

The following example shows explicitly permitting older DNS zone transfers.

Switch(config)# access-list 110 permit tcp host secondary DNS server eq 53 host primary DNS server eq 53

64

Asante IntraCore IC36240

User’s Manual

Image 64

Contents IntraCore IC36240 Series Layer 2+ Gigabit Ethernet Switch User’s Manual IntraCore IC36240Table of Contents Password Service Password-Encryption Snmp Configuration Commands Trunk Ieee 802.1q Technical Support and Warranty Features IntroductionPackage Contents Front and Back Panel DescriptionsLEDs LEDManagement and Configuration Console InterfaceInstallation Overview Hardware Installation and SetupSafety Overview Installing into an Equipment Rack Recommended Installation ToolsPower Requirements Environmental RequirementsSFP Mini Gbic Ports Installing the Optional External Power SupplyEquipment Rack Guidelines Connecting to the Network Connecting Power1 10/100/1000BaseT Ports Cabling Procedures Gigabit Ethernet Ports Cabling Procedures Pin Number Pair Number & Wire ColorsAsante IntraCore IC36240 Initial Software Setup Connecting to a ConsoleConnecting to a PC User Access Verification PasswordPrivileges Commands Passwords and Privileges CommandsEnable Password Password Service Password-EncryptionLogin Security Configuring an IP AddressUsername Command Password and login CommandsRestoring Factory Defaults System Boot ParametersSetting a Default IP Gateway Address Switchconfig# ip default-gatewayUnderstanding the Command Line Interface CLI User Top User Exec ModeAccess Each Command Mode Document ConventionsPrivileged Top Privileged Exec Mode Command Show ? PurposeGlobal Configuration Mode Command Exit End Ctrl-Z Purpose Switch# configureInterface Configuration Mode Spanning-Tree Configuration ModeVlan Configuration Mode Advanced Features Supported within the Command ModeSpanning-tree mst configuration Command Help Purpose Example of Context Sensitive HelpChecking Command Syntax Switch# configure ?Using CLI Command History Using the No and Default Forms of CommandsUsing Command-Line Editing Features and Shortcuts Keystrokes/Command PurposeCompleting a Partial Command Name Moving Around on the Command LineKeystrokes Purpose Editing Command Lines That Wrap Deleting Entries Redisplaying the Current Command LineScrolling Down a Line or a Screen Controlling Capitalization Transposing Mistyped CharactersKeystrokes Managing the System and Configuration Files Setting the System ClockSwitch# clock ? Switch# clock set 092930 28 January Switch# reload crChanging the Password Testing Connections with Ping TestsSpecifying the Hostname Enabling the System LogManaging Configuration Files Displaying the Operating ConfigurationConfiguring from the Terminal Switch# show running-configCopying Configuration Files to a Network Server Newname# copy running-config startup-configSwitch# copy startup-config ? Switch# copy running-config Tftp Switch# copy running-configSwitch# copy running-config tftp//192.168.0.1/my-config Configuring Snmp AuthenticationAccess Control Switch# copy tftp//192.168.123.59/my-confg running-configSecurity Levels Create or Modify Access Control for Snmp CommunitySupport Command Purpose Snmp-server community string view Establish the Contact and Location of the Snmp AgentConfiguring Spanning Tree Snmp Configuration CommandsSpanning Tree Parameters Spanning-tree mst?Spanning Tree Port Configuration Rapid Spanning Tree Protocol RstpPort Priority Port Path CostConfiguring Switch/Bridge Priority Switchconfig# spanning-tree priority priorityRapid Convergence Enabling Rapid Spanning TreeConfiguring Link Type Configuring an Edge PortConfiguring Port Path Cost Configuring Port PriorityMultiple Spanning-Tree MST Configuring Vlan VlanMAC Address Table Switchconfig# mac-address-table aging-timeShow mac-address-table Assign IP Addresses to Switch Configuring IPClass Address or Range Status Establish Address Resolution Define a Static ARP CacheConfiguring Igmp Managing IP Multicast TrafficIgmp Overview Forwarding Unknown Multicast PacketsUsing Access Lists Switchconfig-if-veth1#ip igmp query-intervalCommand Purpose Ip igmp query-max-response-time Host-query messagesUsing a Classification ACL Asante IntraCore IC36240 Create a Standard Access List Create an Expanded Access List Create a MAC Access ListSwitchconfig# mac access-list standard Access-list 101 ? Access-list 101 deny ?Access-list 101 deny tcp ? Access-list 101 deny tcp 192.168.123.0 0.0.0.255 ?Creating an Access List with a Name Applying an Access List to an InterfaceAccess-list ? Access-list standard ?Configuring Common Access Lists Switchconfig# access-list 110 permit udp any any eqAccess-list 101 deny ip any any Vlan Configuration Creating or Modifying a VlanSwitchconfig-vlan#port-member delete eth Switch# show vlanDeleting a Vlan Vlan Port Membership Modes Static AccessTrunk Ieee 802.1q Command Purpose Switchconfig# vlan dot1q tag native Switchconfig# endQuality of Service Configuration Configuring Weighted Fair QueuingMonitoring Weighted Fair Queuing Lists Priority QueuingConfiguring Traffic Shaping for an Interface Traffic ShapingDefining the Priority List Monitoring Priority Queuing ListsConfiguring Rate Limit Configuring Traffic Shaping for an Access ListMonitoring the Traffic Shaping Configuration Generic Traffic Shaping ExampleAsante IntraCore IC36240 Configuring the Switch Using the GUI Main Configuration MenuInformation Screens Front Panel Information ScreenAssign IP Addresses to Switch General Information ScreenClass Address or Range Status Port Configuration Menu Individual Port Configuration ScreenAsante IntraCore IC36240 Press go Spanning Tree Protocol Configuration STP Port Configuration Global STP Bridge Configuration Snmp Configuration Asante IntraCore IC36240 Address Table Screen Asante IntraCore IC36240 Asante IntraCore IC36240 Vlan Configuration Asante IntraCore IC36240 Click Apply Igmp Configuration Asante IntraCore IC36240 Asante IntraCore IC36240 Web CLI Screen System Clock Menu Save Appendix a Basic Troubleshooting Problem Possible SolutionsAppendix B Specifications Physical CharacteristicsEnvironmental Range PerformanceTechnical Support and Warranty Standards ComplianceAppendix C FCC Compliance and Warranty Statements FCC Compliance Statement Important Safety InstructionsIntraCare Warranty Statement Appendix D Online Warranty Registration Access List IndexIgmp LED Safety Priority Queuing Vlan