28. ACL and network security settings
28.3. Using ACL on a Layer 2 physical interface or on a VLAN
The configuration steps for using ACL on a Layer 2 interface or on a VLAN are as follows:

A. Define the ACL

Refer to the previous section.

B. Set the filter
Users need to set a filter once the ACL has been defined. Whether a configured filter actually takes effect depends on the global filter status (on or off): a separate command (filter enable) makes the ACLs effective. Use the no filter command to delete the corresponding rules; if a filter rule has already been written into the hardware, this removes it from the hardware and from the configuration. The filter rules on a physical port or VLAN are made up of several permit|deny commands whose packet ranges differ, so when a packet matches more than one access control rule the matching sequence decides the result. The matching sequence follows the order of the filter rules: the later a rule is in the sequence, the higher its priority.
There are four configuration methods: based on the whole switch, based on a port, based on the traffic from an ingress port to an egress port, and based on a VLAN.
1. Based on the switch

Command    Description
config
    Enter global configuration mode.
[no] filter (ip-access-list | mac-access-list | access-list-map) {acllist | all}
    Filtering based on the whole switch.
    ip-access-list: the filter uses an IP ACL.
    mac-access-list: the filter uses a MAC ACL.
    access-list-map: the filter uses a user-defined ACL.
    acllist | all: the range of ACL numbers used by the filter; all means all configured ACLs.
exit
    Exit global configuration mode and enter privileged configuration mode.
show filter
    Show the status of all filters.

2. Based on the port
Command    Description
config
    Enter global configuration mode.
[no] filter (ip-access-list | mac-access-list | access-list-map) {acllist | all} {ingress | egress} port-list {portlist}
    Filtering based on a port.
    ip-access-list: the filter uses an IP ACL.
    mac-access-list: the filter uses a MAC ACL.
    access-list-map: the filter uses a user-defined ACL.
    acllist | all: the range of ACL numbers used by the filter; all means all configured ACLs.
    ingress | egress: filter in the ingress direction or the egress direction.
    port-list: filter on physical ports. portlist: the range of physical ports.
exit
    Exit global configuration mode and enter privileged user mode.
show filter
    Show the status of all configured filters.

3. Based on traffic from an ingress port to an egress port
Command    Description
config
    Enter global configuration mode.
[no] filter (ip-access-list | mac-access-list | access-list-map) {all | acllist} from ingress-port to egress-port
    Set traffic filtering from an ingress port to an egress port.
    ip-access-list: the filter uses an IP ACL.
    mac-access-list: the filter uses a MAC ACL.
    access-list-map: the filter uses a user-defined ACL.
    acllist | all: the range of ACL numbers used by the filter; all means all configured ACLs.
    from ingress-port to egress-port: the traffic direction, from the ingress port to the egress port.
exit
    Exit global configuration mode and enter privileged user mode.
show filter
    Show the status of all configured filters.

4. Based on VLAN
Command    Description
config
    Enter global configuration mode.
[no] filter (ip-access-list | mac-access-list | access-list-map) {all | acllist} vlan vlanid
    Set a filter that is based on a VLAN.
    ip-access-list: the filter uses an IP ACL.
    mac-access-list: the filter uses a MAC ACL.
    access-list-map: the filter uses a user-defined ACL.
    acllist | all: the range of ACL numbers used by the filter; all means all configured ACLs.
    vlan: the filter is based on a VLAN. vlanid: the VLAN ID.
exit
    Exit global configuration mode and enter privileged user mode.
show filter
    Show the status of all configured filters.

C. Enable the filter
This command enables or disables the configured filters; the default status is disabled. When filtering is enabled, the previously defined filter rules take effect immediately, and any filter rules configured afterwards also take effect immediately.

Command    Description
config
    Enter global configuration mode.
filter (enable | disable)
    enable: the filter function is enabled. disable: the filter function is disabled.
exit
    Exit global configuration mode and enter privileged user mode.
Examples:

1. The switch denies TCP packets to port 80 from passing through.

raisecom#config
raisecom(config)# ip-access-list 0 deny tcp any any 80
raisecom(config)# filter ip-access-list 0
raisecom(config)#filter enable
raisecom(config)#exit

2. The switch denies any ARP packet sent from ports 2-8 to the destination MAC address 000e.3842.34ea.

raisecom#config
raisecom(config)# mac-access-list 2 deny arp any 000e.3842.34ea
raisecom(config)# filter mac-access-list 2 ingress portlist 2-8
raisecom(config)#filter enable
raisecom(config)#exit

3. The switch only allows IP packets with a source address in the 10.0.0.0/8 network to pass through.

raisecom#config
raisecom(config)# ip-access-list 2 deny ip any any
raisecom(config)# ip-access-list 3 permit ip 10.0.0.0 255.0.0.0 any
raisecom(config)# filter ip-access-list 2,3 vlan 3
raisecom(config)#filter enable
raisecom(config)#exit
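The following Python model is an added example, not Raisecom code, that replays examples 1 and 3 above against the matching rule stated in section B ("the later a rule is in the sequence, the higher its priority"). It assumes that the ip keyword matches any IP protocol, that a destination port in a rule is an exact match, and that a packet matching no rule yields no decision (the manual does not state a default for unmatched traffic, so the model does not invent one). The packets and the labels in demo() are constructed for the illustration.

```python
"""Model of the filter matching order in this section (constructed example, not Raisecom code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """Constructed packet: only the fields the IP ACL rules look at."""
    src: str                       # source IP address
    dst: str                       # destination IP address
    proto: str                     # "tcp", "udp", or "ip" for any other IP protocol
    dport: Optional[int] = None    # destination port, for tcp/udp only


@dataclass
class Rule:
    """One 'permit|deny' line of an ip-access-list, as typed on the CLI."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" (assumed to match any IP protocol), "tcp" or "udp"
    src: str                       # "any" or "network mask", e.g. "10.0.0.0 255.0.0.0"
    dst: str                       # same form as src
    dport: Optional[int] = None    # destination port; None means any port


def addr_matches(spec: str, addr: str) -> bool:
    """True if addr falls inside the 'network mask' spec ('any' matches everything)."""
    if spec == "any":
        return True
    network, mask = spec.split()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{network}/{mask}", strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, optional destination port, then source and destination address must all match."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def evaluate(filter_order: List[int], acls: Dict[int, List[Rule]], pkt: Packet) -> Optional[str]:
    """Apply the ACLs in the order they were named on the 'filter' command.

    Every rule is consulted and the LAST match wins, which is the "later in the
    sequence, higher priority" behaviour the manual describes. Returns "permit",
    "deny", or None when no rule matched (assumption: no default is modelled).
    """
    decision = None
    for acl_id in filter_order:
        for rule in acls[acl_id]:
            if rule_matches(rule, pkt):
                decision = rule.action
    return decision


# Example 1 from the page: ip-access-list 0 deny tcp any any 80
EXAMPLE1_ACLS = {0: [Rule("deny", "tcp", "any", "any", 80)]}

# Example 3 from the page: ACL 2 denies all IP, ACL 3 permits sources in 10.0.0.0/8,
# bound with "filter ip-access-list 2,3 vlan 3", i.e. order [2, 3].
EXAMPLE3_ACLS = {
    2: [Rule("deny", "ip", "any", "any")],
    3: [Rule("permit", "ip", "10.0.0.0 255.0.0.0", "any")],
}


def demo() -> Dict[str, Optional[str]]:
    """Run constructed packets through both examples; returns the decision per label."""
    inside = Packet("10.1.2.3", "198.51.100.5", "tcp", 443)     # source inside 10/8
    outside = Packet("192.0.2.7", "198.51.100.5", "tcp", 443)   # source outside 10/8
    web = Packet("192.0.2.7", "198.51.100.5", "tcp", 80)        # TCP to port 80
    return {
        "ex3 inside 10/8, order 2,3": evaluate([2, 3], EXAMPLE3_ACLS, inside),
        "ex3 outside 10/8, order 2,3": evaluate([2, 3], EXAMPLE3_ACLS, outside),
        # Same rules bound in reverse: the deny now comes last and wins for everything.
        "ex3 inside 10/8, order 3,2": evaluate([3, 2], EXAMPLE3_ACLS, inside),
        "ex1 tcp/80": evaluate([0], EXAMPLE1_ACLS, web),
        "ex1 tcp/443": evaluate([0], EXAMPLE1_ACLS, inside),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The reversed binding in demo() is the check worth running before committing a filter: with the permit ACL named before the deny ACL, the deny is matched last and traffic from 10.0.0.0/8 is dropped as well, which is why example 3 binds the deny list (2) first and the permit list (3) second.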