Filter
Top Products
Using Access Control Lists
Summit 300-48 Switch Software User Guide 117
Step 1 – Deny IP Traffic.
First, create an access-mask that examines the IP protocol field for each packet. Then create two
access-lists, one that blocks all TCP, one that blocks UDP. Although ICMP is used in conjunction with IP,
it is technically not an IP data packet. Thus, ICMP data traffic, such as ping traffic, is not affected.
The following commands creates the access mask and access lists:
create access-mask ipproto_mask ipprotocol ports precedence 25000
create access-list denytcp ipproto_mask ipprotocol tcp ports 1:2,1:10 deny
create access-list denyudp ipproto_mask ipprotocol udp ports 1:2,1:10 deny
Figure 8 illustrates the outcome of the access control list.
Figure 8: Access control list denies all TCP and UDP traffic
Step 2 – Allow TCP traffic.
The next set of access list commands permits TCP-based traffic to flow. Because each session is
bi-directional, an access list must be defined for each direction of the traffic flow. UDP traffic is still
blocked.
The following commands create the access control list:
create access-mask ip_addr_mask ipprotocol dest-ip/32 source-ip/32 ports precedence
20000
create access-list tcp1_2 ip_addr_mask ipprotocol tcp dest-ip 10.10.20.100/32
source-ip 10.10.10.100/32 ports 1:2 permit qp1
create access-list tcp2_1 ip_addr_mask ipprotocol tcp dest-ip 10.10.10.100/32
source-ip 10.10.20.100/32 ports 1:10 permit qp1
Figure 9 illustrates the outcome of this access list.
LB48010
10.10.10.1
10.10.10.100 10.10.20.100
10.10.20.1
NET20 VLANNET10 VLAN
TCP
UDP
ICMP