Assign the ACLs to a port | Juniper Networks EX2500 specification

EX2500 Ethernet Switch Configuration Guide

ACL Example 4—Blocking All Except Certain Packets

Use this configuration to block all traffic except traffic of certain types. HTTP/HTTPS, DHCP, and ARP packets are permitted on the port. All other traffic is denied.

1.Configure one IP ACL for each type of traffic that you want to permit.

ex2500(config)# access-list ip 200 extended ex2500(config-ext-nacl)#permit tcp any any eq 80 ex2500(config-ext-nacl)#exit ex2500(config)# access-list ip 210 extended ex2500(config-ext-nacl)#permit tcp any any eq 443 ex2500(config-ext-nacl)#exit

ex2500(config)# access-list ip 220 extended ex2500(config-ext-nacl)#permit udp any any eq 67 ex2500(config-ext-nacl)#exit

ex2500(config)# access-list ip 230 extended ex2500(config-ext-nacl)#permit udp any any eq 68 ex2500(config-ext-nacl)#exit

2.Configure IP ACLs to deny all other traffic.

The ACLs that allow traffic must have a higher priority than the ACLs that deny all traffic.

ex2500(config)# access-list ip 240 extended ex2500(config-ext-nacl)#deny tcp any any ex2500(config-ext-nacl)#exit ex2500(config)# access-list ip 245 extended ex2500(config-ext-nacl)#deny udp any any ex2500(config-ext-nacl)#exit

3.Configure one MAC ACL for each type of traffic that you want to permit (ARP).

ex2500(config)# access-list mac extended 10 ex2500(config-ext-macl)#permit any any arp ex2500(config-ext-macl)#exit

4.Assign the ACLs to a port.

ex2500(config)# interface port 7 ex2500(config-if)#ip access-group 200 in ex2500(config-if)#ip access-group 210 in ex2500(config-if)#ip access-group 220 in ex2500(config-if)#ip access-group 230 in ex2500(config-if)#ip access-group 240 in ex2500(config-if)#ip access-group 245 in ex2500(config-if)#mac access-group 10 in

58 Using ACL Filters

Image 72

Juniper Networks EX2500 manual ACL Example 4-Blocking All Except Certain Packets, Assign the ACLs to a port

Contents

Configuration Guide North Mathilda Avenue Sunnyvale, CA Ii „ Table of Contents Chapter VLANs Chapter Ports and Trunking Rmon Overview Rmon Group 1-Statistics Rmon Group 2-History Port Mirroring Overview Configuring Port Mirroring AppendixesIndexes Default Vlan Settings Port-Based Vlan AssignmentPage List of Tables EX2500 Ethernet Switch Configuration Guide „ List of Tables About This Guide ObjectivesAudience Supported Platforms Documentation Conventions Icon Meaning Description List of Technical Publications Documentation FeedbackRequesting Technical Support Self-Help Online Tools and Resources Opening a Case with Jtac EX2500 Ethernet Switch Applications Page Accessing the Switch Configuring the Management Interface Dynamic Host Configuration Protocol Configure the default gateway. Enable the gateway Using Telnet Using the EX2500 Web Device Manager Configuring EX2500 Web Device Manager Access via Http Configuring EX2500 Web Device Manager Access via Https Using Snmp SNMPv1, SNMPv2 Default Configuration User ConfigurationSNMPv3 Configuring Snmp Trap Hosts SNMPv1 Trap Host ConfigurationSNMPv2 Trap Host Configuration Configure an entry in the notify table Securing Access to the Switch SNMPv3 Trap Host Configuration Radius Authentication and Authorization How Radius Authentication WorksConfiguring Radius on the Switch Configure the Radius secret Radius Authentication Features in the EX2500 Switch Switch User Accounts Radius Attributes for EX2500 User Privileges TACACS+ Authentication How TACACS+ Authentication WorksTACACS+ Authentication Features in the EX2500 Switch „ starttime „ stoptime „ elapsedtime „ disccause Command Authorization and Logging Configuring TACACS+ Authentication on the SwitchConfigure the TACACS+ secret and second secret Configuring SSH Features on the Switch Generating RSA Host and Server Keys for SSH AccessSecure Shell SSH Encryption of Management Messages End User Access Control SSH Integration with Radius and TACACS+ Authentication Considerations for Configuring End User Accounts User Access Control Listing Current Users Logging In to an End User Account VLANs Vlan Overview „ Port configuration VLANs and Port Vlan ID NumbersVlan Numbers Pvid Numbers Illustrates the default Vlan settings on the switch Vlan Tagging Default Vlan Settings Port-Based Vlan Assignment Vlan Configuration Rules Vlan Topologies and Design Considerations Multiple VLANs Configuration Example Multiple VLANs example in is described in Table Enable tagging on uplink ports that support multiple VLANs Private VLANs Private Vlan Ports Private Vlan Configuration Guidelines Private Vlan Configuration ExampleConfigure a secondary Vlan and map it to the primary Vlan Verify the configuration Spanning Tree Protocol Spanning Tree Overview Bridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUsBridge Priority Spanning Tree Group Configuration Guidelines Changing the Spanning Tree ModePort Priority Port Path Cost Creating a Vlan Rules for Vlan Tagged PortsAdding and Removing Ports from STGs Rapid Spanning Tree Protocol Port State Changes Rstp Configuration Guidelines Rstp Configuration ExamplePort Type and Link Type Edge Port Default Spanning Tree Configuration Why Do We Need Multiple Spanning Trees?Per Vlan Rapid Spanning Tree Pvrst Configuration Guidelines Configuring Pvrst Mstp Configuration Guidelines Multiple Spanning Tree ProtocolMstp Region Common Internal Spanning Tree Multiple Spanning Tree Groups Configuration Example Implementing Multiple Spanning Tree Groups Fast Uplink Convergence Vlan Configuration Guidelines Configuring Fast Uplink Convergence Ports and Trunking Trunking OverviewStatistical Load Distribution Built-In Fault Tolerance Before Configuring Static TrunksTrunk Group Configuration Rules Port Trunking Configuration Example Port Trunk Group Configuration Example Follow these steps on the EX2500 switch Define a trunk group Configurable Trunk Hash Algorithm Link Aggregation Control Protocol„ Destination MAC Dmac „ Destination IP DIP 48 „ Link Aggregation Control Protocol Lacp Configuration Guidelines Configuring LacpOptionally Reducing Lacp Timeout Set the Lacp mode Ex2500config-if# lacp timeout short ex2500config-if# exit Quality of Service QoS Overview Using ACL Filters COS MAC Extended ACLs IP Standard ACLsTo delete a MAC Extended ACL To delete an IP Standard ACL IP Extended ACLs To delete an IP Extended ACL Understanding ACL Priority TCP/UDP ACL Configuration Examples Assigning ACLs to a PortViewing ACL Statistics ACL Example 1-Blocking Traffic to a Host ACL Example 3-Blocking Http Traffic Add the ACL to a port ACL Example 4-Blocking All Except Certain Packets Assign the ACLs to a port Using Storm Control Filters Configuring Storm ControlBroadcast Storms Using Dscp Values to Provide QoS Differentiated Services Concepts Per Hop Behavior Assured Forwarding Drop Precedence Class Use the following command to perform Dscp mapping QoS LevelsDscp Mapping Using 802.1p Priority to Provide QoS Shows the priority bits in a VLAN-tagged packet Queuing and Scheduling Remote Monitoring Rmon Overview Configure the Rmon statistics on a port Rmon Group 1-Statistics Configuring Rmon History Configure the Rmon History parameters for a portThis configuration enables Rmon History collection on port Rmon Group 2-History Rmon Group 3-Alarms Alarm MIB ObjectsConfiguring Rmon Alarms Configure the Rmon Alarm parameters to track Icmp messages Ex2500config# rmon event 110 type log-only Rmon Group 9-EventsPage Igmp Igmp Snooping FastLeave Igmp Snooping Configuration Example IGMPv3 Snooping Static Multicast Router Ex2500# show ip igmp groups High Availability Through Uplink Failure Detection High Availability Overview Spanning Tree Protocol with UFD UFD Configuration Guidelines Failure Detection Pair UFD Configuration Example Monitoring UFDPage Appendixes EX2500 Ethernet Switch Configuration Guide 80 „ Appendixes „ Port Mirroring Overview on „ Configuring Port Mirroring on Port Mirroring Overview Configuring Port Mirroring Indexes „ Index on EX2500 Ethernet Switch Configuration Guide 84 „ Indexes Index Numerics Management interface, configuring Multi-links between switches, port trunkingPhysical. See switch ports Internet Group Management Protocol. See Igmp Quality of Service. See QoS QoSSecurity Segmentation. See IP subnets Segments. See IP subnets Virtual Local Area Networks. See VLANs Example showing multiple VLANs