Open as PDF
410 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS
3 Configure an ACE that denies all IP traffic from any IP address in the
10.10.11.0/24 subnet to any address in the same subnet.
WX1200# set security acl ip c2c deny ip 10.10.11.0 0.0.0.255
4 Configure an ACE that permits all traffic that does not match the ACEs
WX1200# set security acl ip c2c permit 0.0.0.0
5 Commit the ACL to the configuration:
WX1200# commit security acl c2c
6 Map the ACL to the outbound and inbound traffic directions of VLAN vlan-1:
WX1200# set security acl map c2c vlan vlan-1 out
WX1200# set security acl map c2c vlan vlan-1 in
The commands in steps 1 and 2 permit traffic to and from the router
(gateway). If the subnet has more than one gateway, add a similar pair of
ACEs for each default router. Add the default router ACEs before the
ACEs that block all traffic to and from addresses within the subnet.
The following scenario illustrates how to create a security ACL named
acl-99 that consists of one ACE to permit incoming packets from one IP
address, and how to map the ACL to a port and a user:
1 Type the following command to create and name a security ACL and add
an ACE to it.
WX1200# set security acl ip acl-99 permit 192.168.1.1 0.0.0.0
2 To view the ACE you have entered, type the following command:
WX1200# display security acl editbuffer
ACL Type Status
---------------------------------- ---- -------------
acl-99 IP Not committed
3 To save acl-99 and its associated ACE to the configuration, type the
WX1200# commit security acl acl-99
success: change accepted.