Juniper Networks EX2500 Ethernet Switch Configuration Guide

ACL Example 4—Blocking All Except Certain Packets

Use this configuration to permit only certain kinds of traffic on a port. HTTP, HTTPS, DHCP, and ARP packets are permitted on the port; all other TCP and UDP traffic is denied.

1. Configure one IP ACL for each type of traffic that you want to permit (HTTP, HTTPS, and the two DHCP ports).

ex2500(config)# access-list ip 200 extended
ex2500(config-ext-nacl)# permit tcp any any eq 80
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 210 extended
ex2500(config-ext-nacl)# permit tcp any any eq 443
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 220 extended
ex2500(config-ext-nacl)# permit udp any any eq 67
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 230 extended
ex2500(config-ext-nacl)# permit udp any any eq 68
ex2500(config-ext-nacl)# exit

2. Configure IP ACLs to deny all other TCP and UDP traffic.

The ACLs that permit traffic must have a higher priority than the ACLs that deny traffic, so that a packet matching a permit ACL is forwarded before a deny ACL is considered. In this example the permit ACLs are numbered 200 through 230 and the deny ACLs 240 and 245. Note that these deny ACLs match only TCP and UDP: a packet of another IP protocol, such as ICMP, matches none of the ACLs in this example, so whether it is forwarded depends on the switch's default action for traffic that matches no ACL.

ex2500(config)# access-list ip 240 extended
ex2500(config-ext-nacl)# deny tcp any any
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 245 extended
ex2500(config-ext-nacl)# deny udp any any
ex2500(config-ext-nacl)# exit

3. Configure a MAC ACL to permit ARP. ARP is not carried in IP packets, so the IP ACLs above neither permit nor deny it.

ex2500(config)# access-list mac extended 10
ex2500(config-ext-macl)# permit any any arp
ex2500(config-ext-macl)# exit

4. Assign all of the ACLs to the port as ingress filters.

ex2500(config)# interface port 7
ex2500(config-if)# ip access-group 200 in
ex2500(config-if)# ip access-group 210 in
ex2500(config-if)# ip access-group 220 in
ex2500(config-if)# ip access-group 230 in
ex2500(config-if)# ip access-group 240 in
ex2500(config-if)# ip access-group 245 in
ex2500(config-if)# mac access-group 10 in
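The following Python model is an added illustration of how the ACL set above is applied to traffic entering port 7; it is not EX2500 code and is not part of this guide. It assumes that the switch evaluates ACLs first-match in ascending ACL-number order (lower number = higher priority, which is the ordering the example's numbering implies) and that "eq N" after the second "any" is the destination port. The sample packets, the Packet and Acl classes, and the helper names are constructed for the illustration. It also shows what goes wrong when the permit ACLs are numbered after the deny ACLs, and that an ICMP packet matches none of the example's ACLs.

```python
# Added illustration of how the ACLs in ACL Example 4 are applied to traffic
# entering port 7.  This is not EX2500 code.  Assumptions: ACLs are evaluated
# first-match in ascending ACL-number order (lower number = higher priority,
# which is what the example's numbering implies), and "eq N" after the second
# "any" is the destination port.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ethertype: str                 # "ip" or "arp"
    proto: Optional[str] = None    # "tcp", "udp", "icmp", ... for IP packets
    dport: Optional[int] = None    # destination port for TCP/UDP


@dataclass(frozen=True)
class Acl:
    number: int
    kind: str                      # "ip" or "mac" (the access-list type)
    action: str                    # "permit" or "deny"
    ethertype: str                 # "ip" for IP ACLs, "arp" for the MAC ACL
    proto: Optional[str] = None    # None = any IP protocol
    dport: Optional[int] = None    # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if pkt.ethertype != self.ethertype:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# The seven ACLs the example assigns to port 7.
EXAMPLE_ACLS = [
    Acl(200, "ip", "permit", "ip", "tcp", 80),    # permit tcp any any eq 80
    Acl(210, "ip", "permit", "ip", "tcp", 443),   # permit tcp any any eq 443
    Acl(220, "ip", "permit", "ip", "udp", 67),    # permit udp any any eq 67
    Acl(230, "ip", "permit", "ip", "udp", 68),    # permit udp any any eq 68
    Acl(240, "ip", "deny", "ip", "tcp"),          # deny tcp any any
    Acl(245, "ip", "deny", "ip", "udp"),          # deny udp any any
    Acl(10, "mac", "permit", "arp"),              # permit any any arp
]

# Constructed sample packets, one per case worth checking.
SAMPLE_PACKETS = {
    "http": Packet("ip", "tcp", 80),
    "https": Packet("ip", "tcp", 443),
    "dhcp_to_server": Packet("ip", "udp", 67),
    "dhcp_to_client": Packet("ip", "udp", 68),
    "ssh": Packet("ip", "tcp", 22),
    "dns": Packet("ip", "udp", 53),
    "arp": Packet("arp"),
    "icmp": Packet("ip", "icmp"),
}


def evaluate(pkt: Packet, acls=EXAMPLE_ACLS) -> Tuple[str, Optional[int]]:
    """Return (action, acl_number) for the first matching ACL in ascending
    number order, or ("no-match", None) if no ACL matches.  The MAC ACL only
    matches ARP here, so its position relative to the IP ACLs does not
    change any result."""
    for acl in sorted(acls, key=lambda a: a.number):
        if acl.matches(pkt):
            return acl.action, acl.number
    return "no-match", None


def verdicts(acls=EXAMPLE_ACLS):
    """Verdict for every sample packet under the given ACL set."""
    return {name: evaluate(pkt, acls) for name, pkt in SAMPLE_PACKETS.items()}


def permits_numbered_after_denies(acls):
    """The same rules with every IP permit ACL renumbered above the deny ACLs,
    i.e. given lower priority: the ordering mistake step 2 warns against."""
    return [
        Acl(a.number + 100, a.kind, a.action, a.ethertype, a.proto, a.dport)
        if a.kind == "ip" and a.action == "permit" else a
        for a in acls
    ]


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:15} -> {verdict}")
    print("with permits below denies, http ->",
          verdicts(permits_numbered_after_denies(EXAMPLE_ACLS))["http"])
```

Under the example's numbering, HTTP, HTTPS, both DHCP ports and ARP are permitted and SSH and DNS are denied by ACLs 240 and 245. With the permit ACLs renumbered above the denies, the HTTP packet is caught by the TCP deny first, which is the failure the priority rule in step 2 prevents. The ICMP packet returns no match at all, because nothing in the example denies IP protocols other than TCP and UDP.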
