Manuals / Brands / Computer Equipment / Switch / Juniper Networks / Computer Equipment / Switch

Juniper Networks EX2500 ACL Example 4Blocking All Except Certain Packets

1 102

Download 102 pages, 1.06 Mb

EX2500 Ethernet Switch Configuration Guide

58 Using ACL Filters

ACL Example 4—Blocking All Except Certain Packets

Use this configuration to block all traffic except traffic of certain types.

HTTP/HTTPS, DHCP, and ARP packets are permitted on the port. All other traffic is

denied.

1. Configure one IP ACL for each type of traffic that you want to permit.

ex2500(config)# access-list ip 200 extended

ex2500(config-ext-nacl)# permit tcp any any eq 80

ex2500(config-ext-nacl)# exit

ex2500(config)# access-list ip 210 extended

ex2500(config-ext-nacl)# permit tcp any any eq 443

ex2500(config-ext-nacl)# exit

ex2500(config)# access-list ip 220 extended

ex2500(config-ext-nacl)# permit udp any any eq 67

ex2500(config-ext-nacl)# exit

ex2500(config)# access-list ip 230 extended

ex2500(config-ext-nacl)# permit udp any any eq 68

ex2500(config-ext-nacl)# exit

2. Configure IP ACLs to deny all other traffic.

The ACLs that allow traffic must have a higher priority than the ACLs that deny

all traffic.

ex2500(config)# access-list ip 240 extended

ex2500(config-ext-nacl)# deny tcp any any

ex2500(config-ext-nacl)# exit

ex2500(config)# access-list ip 245 extended

ex2500(config-ext-nacl)# deny udp any any

ex2500(config-ext-nacl)# exit

3. Configure one MAC ACL for each type of traffic that you want to permit (ARP).

ex2500(config)# access-list mac extended 10

ex2500(config-ext-macl)# permit any any arp

ex2500(config-ext-macl)# exit

4. Assign the ACLs to a port.

ex2500(config)# interface port 7

ex2500(config-if)# ip access-group 200 in

ex2500(config-if)# ip access-group 210 in

ex2500(config-if)# ip access-group 220 in

ex2500(config-if)# ip access-group 230 in

ex2500(config-if)# ip access-group 240 in

ex2500(config-if)# ip access-group 245 in

ex2500(config-if)# mac access-group 10 in

Contents

Main Configuration Guide Release 3.0 ii Table of Contents Part 1 EX2500 Ethernet Switch Applications Page Page Part 2 Appendixes Part 3 Indexes List of Figures Page List of Tables Page About This Guide Objectives Audience Supported Platforms xii Documentation Conventions Table 1: Notice Icons Icon Meaning Description Table 2: EX2500 Text and Syntax Conventions Convention Usage Examples List of Technical Publications Documentation Feedback Requesting Technical Support Self-Help Online Tools and Resources Opening a Case with JTAC Part 1 EX2500 Ethernet Switch Applications Page Chapter 1 Accessing the Switch Configuring the Management Interface Dynamic Host Configuration Protocol Using Telnet Using the EX2500 Web Device Manager Configuring EX2500 Web Device Manager Access via HTTP Configuring EX2500 Web Device Manager Access via HTTPS Using SNMP SNMPv1, SNMPv2 SNMPv3 Default Configuration User Configuration Configuring SNMP Trap Hosts SNMPv1 Trap Host Configuration SNMPv2 Trap Host Configuration SNMPv3 Trap Host Configuration Securing Access to the Switch RADIUS Authentication and Authorization How RADIUS Authentication Works Configuring RADIUS on the Switch RADIUS Authentication Features in the EX2500 Switch Switch User Accounts RADIUS Attributes for EX2500 User Privileges TACACS+ Authentication How TACACS+ Authentication Works TACACS+ Authentication Features in the EX2500 Switch Page Command Authorization and Logging Configuring TACACS+ Authentication on the Switch Secure Shell Configuring SSH Features on the Switch SSH Encryption of Management Messages Generating RSA Host and Server Keys for SSH Access SSH Integration with RADIUS and TACACS+ Authentication End User Access Control Considerations for Configuring End User Accounts User Access Control Listing Current Users Logging In to an End User Account Chapter 2 VLANs VLAN Overview VLANs and Port VLAN ID Numbers VLAN Numbers PVID Numbers VLAN Tagging Page Figure 2: Port-Based VLAN Assignment r o f B VLAN Topologies and Design Considerations VLAN Configuration Rules Multiple VLANs Configuration Example Page Private VLANs Private VLAN Ports Private VLAN Configuration Guidelines Private VLAN Configuration Example Chapter 3 Spanning Tree Protocol Spanning Tree Overview Bridge Protocol Data Units (BPDUs) Determining the Path for Forwarding BPDUs Bridge Priority Port Priority Port Path Cost Spanning Tree Group Configuration Guidelines Changing the Spanning Tree Mode Assigning a VLAN to a Spanning Tree Group Creating a VLAN Rules for VLAN Tagged Ports Adding and Removing Ports from STGs Rapid Spanning Tree Protocol Port State Changes Port Type and Link Type Edge Port Link Type RSTP Configuration Guidelines RSTP Configuration Example Per VLAN Rapid Spanning Tree Default Spanning Tree Configuration Why Do We Need Multiple Spanning Trees? PVRST Configuration Guidelines Configuring PVRST Multiple Spanning Tree Protocol MSTP Region Common Internal Spanning Tree MSTP Configuration Guidelines Multiple Spanning Tree Groups Configuration Example Fast Uplink Convergence Configuration Guidelines Configuring Fast Uplink Convergence Chapter 4 Ports and Trunking Trunking Overview Statistical Load Distribution Built-In Fault Tolerance Before Configuring Static Trunks Trunk Group Configuration Rules Port Trunking Configuration Example Page Configurable Trunk Hash Algorithm Link Aggregation Control Protocol Page LACP Configuration Guidelines Configuring LACP Optionally Reducing LACP Timeout Page Chapter 5 Quality of Service QoS Overview Using ACL Filters Ports ACL Filter Permit/Deny Classify Packets Perform Actions MAC Extended ACLs IP Standard ACLs IP Extended ACLs Understanding ACL Priority Port 1 access group ACL IP Extended 128: Port number = 80 Action = permit ACL IP Extended 129: Port number = 23 Action = deny ACL IP Extended 130: Port number = less than 100 Action = permit Assigning ACLs to a Port Viewing ACL Statistics ACL Configuration Examples ACL Example 1Blocking Traffic to a Host ACL Example 2Blocking Traffic from a Source to a Destination ACL Example 3Blocking HTTP Traffic ACL Example 4Blocking All Except Certain Packets Using Storm Control Filters Broadcast Storms Configuring Storm Control Using DSCP Values to Provide QoS Differentiated Services Concepts 7 6 5 4 3 2 1 0 Per Hop Behavior EX2500 Ethernet Switch Configuration Guide 62 QoS Levels ex2500# qos dscp transmit-queue <DSCP value (0-63)> <COSq (0-7)> DSCP Mapping Use the following command to turn on DSCP re-marking globally: ex2500# qos dscp enable Using 802.1p Priority to Provide QoS 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 Queuing and Scheduling Chapter 6 Remote Monitoring RMON Overview RMON Group 1Statistics RMON Group 2History History MIB Object ID Configuring RMON History RMON Group 3Alarms Alarm MIB Objects Configuring RMON Alarms RMON Group 9Events Page Chapter 7 IGMP IGMP Snooping FastLeave IGMPv3 Snooping IGMP Snooping Configuration Example Static Multicast Router Chapter 8 High Availability Through Uplink Failure Detection High Availability Overview Failure Detection Pair Spanning Tree Protocol with UFD UFD Configuration Guidelines UFD Configuration Example Monitoring UFD Page Page Page Appendix A Monitoring Ports with Port Mirroring Port Mirroring Overview Configuring Port Mirroring Page Page Index Numerics A B C H I J L M Q R S T U V W