Chapter 20: Security Configuration Guide

Note: If the consultant’s MAC is detected on a different port, all of its traffic will be blocked.

Example 2: Secure Ports

Source secure port: To block all engineers on port 1 from accessing all other ports, enter the following command:

filters add secure-port name engineers direction source vlan 1 in-port-list et.1.1

To allow ONLY the engineering manager access to the engineering servers, you must "punch" a hole through the secure-port wall. A "source static-entry" overrides a "source secure port".

filters add static-entry name eng-mgr source-mac 080060:123456 vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

Destination secure port: To block access to all file servers on all ports from port et.1.1, use the following command:

filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1

To allow all engineers access to the engineering servers, you must "punch" a hole through the secure-port wall. A "dest static-entry" overrides a "dest secure port".

filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow
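The precedence described above, as an added example that is not part of the manual or the SSR software: a small model that decides a frame's fate under the secure-port and static-entry filters of Example 2. It assumes only what the text states (a secure-port blocks every frame entering one of its in-port-list ports in its VLAN; an allow static-entry overrides a secure-port of the same direction and only for the listed in/out ports), and the ordinary engineer's MAC is constructed.

```python
# Added illustration (not SSR code): a model of the Layer-2 filter precedence in
# Example 2, using the semantics stated there: a secure-port blocks every frame
# entering one of its in-port-list ports in its VLAN, and a static-entry with
# "restriction allow" punches a hole only through a secure-port of the same
# direction (source overrides source, dest overrides dest) and only for its ports.
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac vlan in_port out_port")
SecurePort = namedtuple("SecurePort", "name direction vlan in_ports")
# direction "source" matches the frame's src_mac, "dest" matches its dst_mac
StaticEntry = namedtuple("StaticEntry", "name direction mac vlan in_ports out_ports")


def entry_matches(se, f):
    mac = f.src_mac if se.direction == "source" else f.dst_mac
    return (mac.lower() == se.mac.lower() and f.vlan == se.vlan
            and f.in_port in se.in_ports and f.out_port in se.out_ports)


def decide(frame, secure_ports, static_entries):
    """Return "allow" or "deny" for one frame under the configured filters."""
    for sp in secure_ports:
        if frame.vlan != sp.vlan or frame.in_port not in sp.in_ports:
            continue                       # this secure-port wall does not apply
        if any(se.direction == sp.direction and entry_matches(se, frame)
               for se in static_entries):
            return "allow"                 # static-entry of same direction overrides
        return "deny"
    return "allow"                         # no secure-port covers the ingress port


# The manual's source secure-port example, transcribed (MACs as printed there;
# the ordinary engineer's MAC is constructed):
SECURE = [SecurePort("engineers", "source", 1, {"et.1.1"})]
STATIC = [StaticEntry("eng-mgr", "source", "080060:123456", 1, {"et.1.1"}, {"et.1.2"})]
SERVER = "080060:abcdef"


def verdicts():
    """Engineer to server, manager to server port, manager to a third port."""
    return (decide(Frame("080060:000001", SERVER, 1, "et.1.1", "et.1.2"), SECURE, STATIC),
            decide(Frame("080060:123456", SERVER, 1, "et.1.1", "et.1.2"), SECURE, STATIC),
            decide(Frame("080060:123456", SERVER, 1, "et.1.1", "et.1.3"), SECURE, STATIC))
```

The third verdict shows that the hole is only as wide as the static-entry's out-port-list: the manager reaching a port other than et.1.2 is still blocked.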

Layer-3 Access Control Lists (ACLs)

Access Control Lists (ACLs) allow you to restrict Layer-3/4 traffic going through the SSR. Each ACL consists of one or more rules describing a particular type of IP or IPX traffic. An ACL can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the router to either permit or deny the packet that matches the rule's packet description.

For information about defining and using ACLs on the SSR, see “Access Control List Configuration Guide” on page 259.

SmartSwitch Router User Reference Manual

285

Cabletron Systems 9032578-05 manual Layer-3 Access Control Lists ACLs, Example 2 Secure Ports