Chapter 20: Security Configuration Guide

In the example in Figure 25 on page 286, to allow the consultants access to the file server for e-mail (SMTP) traffic but not for Web (HTTP) traffic, and to allow e-mail, Web, and FTP traffic between the engineers and the file server, you would create ACLs that allow only SMTP traffic on the port to which the consultants are connected and allow SMTP, HTTP, and FTP traffic on the ports to which the engineers are connected.

The following is an example:

acl 100 permit ip any any smtp
acl 100 deny ip any any http

acl 200 permit ip any any smtp
acl 200 permit ip any any http
acl 200 permit ip any any ftp

ACL 100 explicitly permits SMTP traffic and denies HTTP traffic. Note that because of the implicit deny rule appended to the end of the ACL, all traffic (not just HTTP traffic) other than SMTP is denied.

ACL 200 explicitly permits SMTP, HTTP, and FTP traffic. The implicit deny rule denies any other traffic. See “Creating and Modifying ACLs” on page 264 for more information on defining ACLs.
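The following is an added example, not part of the SSR manual: a small Python model of the two ACLs above that evaluates traffic with the router's first-match rule and the implicit deny appended to every ACL, so you can confirm that ACL 100 drops FTP even though it never names it. It assumes the manual's service keywords map to the standard TCP ports and writes the ip keyword on every line of ACL 200 for uniform parsing.

```python
# Added example (not from the SSR manual): model first-match ACL evaluation
# with the implicit deny, using the ACLs from this page as constructed input.
import ipaddress

# Assumption: the manual's service keywords map to the standard IANA TCP ports.
SERVICES = {"smtp": 25, "http": 80, "ftp": 21}

# The ACLs from this page; "ip" is written on every line for uniform parsing.
ACL_TEXT = """
acl 100 permit ip any any smtp
acl 100 deny ip any any http
acl 200 permit ip any any smtp
acl 200 permit ip any any http
acl 200 permit ip any any ftp
"""

def parse_acls(text):
    """Return {acl_name: [(action, src, dst, dport), ...]} in the order written."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] != "acl" or parts[3] != "ip":
            raise ValueError(f"unsupported rule: {line!r}")
        _, name, action, _proto, src, dst, svc = parts
        acls.setdefault(name, []).append((action, src, dst, SERVICES[svc]))
    return acls

def addr_matches(pattern, addr):
    """'any' matches everything; otherwise the address must fall in the given network."""
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def evaluate(rules, src, dst, dport):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, rsrc, rdst, rport in rules:
        if addr_matches(rsrc, src) and addr_matches(rdst, dst) and rport == dport:
            return action
    return "deny (implicit)"

def redundant_denies(rules):
    """Indices of explicit deny rules not followed by any permit: the implicit deny already covers them."""
    last_permit = max((i for i, r in enumerate(rules) if r[0] == "permit"), default=-1)
    return [i for i, r in enumerate(rules) if r[0] == "deny" and i > last_permit]

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for name in ("100", "200"):
        for svc, port in SERVICES.items():
            print(f"ACL {name} {svc:4}: {evaluate(acls[name], '10.0.0.5', '10.0.0.1', port)}")
    print("redundant denies in ACL 100:", redundant_denies(acls["100"]))
```

The redundant_denies check flags the explicit deny of HTTP in ACL 100: it documents intent, but the implicit deny would drop HTTP anyway.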

Applying a Layer-4 Bridging ACL to a Port

Finally, you apply the ACLs to the ports in the VLAN. To do this, enter the following command in Configure Mode:

Apply a Layer-4 bridging ACL to a port:    acl <name> apply port <port-list>

For the example in Figure 25 on page 286, to apply ACL 100 (which denies all traffic except SMTP) to the consultant port:

ssr(config)# acl 100 apply port et.1.1 output

To apply ACL 200 (which denies all traffic except SMTP, HTTP, and FTP) to the engineer port:

ssr(config)# acl 200 apply port et.1.3 output

Notes

Layer-4 Bridging works for IP and IPX traffic only. The SSR will drop non-IP/IPX traffic on a Layer-4 Bridging VLAN. For AppleTalk and DECnet packets, a warning is issued before the first packet is dropped.

288    SmartSwitch Router User Reference Manual (Cabletron Systems 9032578-05)