Hello all! First post... Let's see how this goes. Anyway, I am trying to implement an ACL filter to ensure that my VLAN that is supposed to only be printer traffic is restricted from accessing the internet and only allowed to talk to local devices using specific protocols. I'm rather new to the 8600s, so bear with me. Here's what I got so far:
1. Create the ACT:
config filter act 80 create name DSTIP_PROTOCOL
config filter act 80 protocol tcpSrcPort,udpSrcPort,tcpDstPort,udpDstPort
config filter act 80 ip dstIp
config filter act 80 apply
2. Create the ACL:
filter acl 80 create inVlan act 80 pktType ipv4 name "INGRESS_VLAN_80"
filter acl 80 vlan add 80
3. Create the ACE:
filter acl 80 ace 1 create name "DENY_EXT_ACCESS"
filter acl 80 ace 1 action deny stop-onmatch true
filter acl 80 ace 1 ip dst-ip ne XXX.XXX.0.0-XXX.XXX.255.255
filter acl 80 ace 1 enable
filter acl 80 ace 2 create name "ALLOW_PRINTER_PROTOCOLS"
filter acl 80 ace 2 action permit stop-onmatch true
filter acl 80 ace 2 protocol tcp-src-port eq 161,515,631,1782,9100-9102
filter acl 80 ace 2 protocol tcp-dst-port eq 161,515,631,1782,9100-9102
filter acl 80 ace 2 protocol udp-src-port eq 161,515,631,1782,9100-9102
filter acl 80 ace 2 protocol udp-dst-port eq 161,515,631,1782,9100-9102
filter acl 80 ace 2 enable
Am I on the right track? Is there a deny by default at the end of permit ACEs? Also, is there a way to throw a syslog trap when this ACL is violated? I'm not too worried about the protocols, I have the client systems guys tracking down any port that they need allowed.
Any help would be greatly appreciated.
Edit: I guess I should mention that I am running 7.1.3 and have the RS modules. I just noticed that the VLAN filtering is only compatible with the R/RS modules.
"The Ethernet Routing Switch 8800/8600 software provides some configuration guidelines. For example, when you add virtual local area networks (VLAN) to an ACL, a message indicates the filters apply only to the R, RS, or 8800 module port members of that VLAN."
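To reason about the ordering and default-action questions raised in the post, here is an added Python model of ordered ACL evaluation. It is not ERS 8600 code and does not claim to reproduce the switch's exact semantics; it assumes (and these are assumptions to verify against the ERS 8600 documentation for your release) that ACEs are walked in ascending ID order, that the first match with stop-on-match ends evaluation, that every criterion configured on one ACE must match (logical AND), and that a packet matching no ACE receives the ACL's default action. The local range, printer addresses and sample packets are constructed stand-ins for the masked values in the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Constructed stand-ins: the post masks the local range as XXX.XXX.0.0-XXX.XXX.255.255
LOCAL_NET = ip_network("10.20.0.0/16")
PRINTER_PORTS = {161, 515, 631, 1782} | set(range(9100, 9103))  # 9100-9102 inclusive


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    src_port: int
    dst_port: int


Criterion = Callable[[Packet], bool]


@dataclass
class Ace:
    ace_id: int
    name: str
    action: str                # "permit" or "deny"
    criteria: List[Criterion]  # ASSUMPTION: every criterion must hold for the ACE to match
    stop_on_match: bool = True

    def matches(self, pkt: Packet) -> bool:
        return all(c(pkt) for c in self.criteria)


@dataclass
class Acl:
    name: str
    aces: List[Ace]
    default_action: str        # ASSUMPTION: applied when no ACE matches

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Walk ACEs in ID order; return (action, name of the deciding rule)."""
        decision = (self.default_action, "default-action")
        for ace in sorted(self.aces, key=lambda a: a.ace_id):
            if ace.matches(pkt):
                decision = (ace.action, ace.name)
                if ace.stop_on_match:
                    break  # first match with stop-on-match ends evaluation
        return decision


def dst_not_local(pkt: Packet) -> bool:
    """Model of 'ip dst-ip ne <local range>'."""
    return ip_address(pkt.dst_ip) not in LOCAL_NET


def port_eq(proto: str, direction: str, ports) -> Criterion:
    """Model of 'protocol <proto>-<direction>-port eq <list>'."""
    def crit(pkt: Packet) -> bool:
        port = pkt.src_port if direction == "src" else pkt.dst_port
        return pkt.proto == proto and port in ports
    return crit


def build_posted_acl(default_action: str = "permit") -> Acl:
    """The two ACEs from the post, with all four port criteria on one ACE."""
    return Acl("INGRESS_VLAN_80", [
        Ace(1, "DENY_EXT_ACCESS", "deny", [dst_not_local]),
        Ace(2, "ALLOW_PRINTER_PROTOCOLS", "permit", [
            port_eq("tcp", "src", PRINTER_PORTS),
            port_eq("tcp", "dst", PRINTER_PORTS),
            port_eq("udp", "src", PRINTER_PORTS),
            port_eq("udp", "dst", PRINTER_PORTS),
        ]),
    ], default_action)


def build_split_acl() -> Acl:
    """One permit ACE per protocol/direction, with an explicit deny default."""
    aces = [Ace(1, "DENY_EXT_ACCESS", "deny", [dst_not_local])]
    ace_id = 2
    for proto in ("tcp", "udp"):
        for direction in ("src", "dst"):
            aces.append(Ace(ace_id, f"ALLOW_{proto}_{direction}".upper(), "permit",
                            [port_eq(proto, direction, PRINTER_PORTS)]))
            ace_id += 1
    return Acl("INGRESS_VLAN_80", aces, default_action="deny")


# Constructed sample traffic leaving a printer in VLAN 80
SAMPLE_PACKETS = {
    "print job to internet": Packet("tcp", "203.0.113.7", 51000, 9100),
    "print job to local host": Packet("tcp", "10.20.5.9", 51000, 9100),
    "snmp reply to local host": Packet("udp", "10.20.5.9", 161, 40000),
    "http to local host": Packet("tcp", "10.20.5.9", 51001, 80),
}


if __name__ == "__main__":
    for label, acl in (("posted", build_posted_acl()), ("split", build_split_acl())):
        print(f"--- {label} ACL (default {acl.default_action}) ---")
        for desc, pkt in SAMPLE_PACKETS.items():
            action, rule = acl.evaluate(pkt)
            print(f"{desc:26s} -> {action:6s} by {rule}")
```

Under the ANDed-criteria assumption, the single ACE carrying tcp-src, tcp-dst, udp-src and udp-dst criteria can never match (no packet is both TCP and UDP), so every local-destination packet falls through to the ACL's default action; that is exactly why the "deny by default" question matters, and why the split variant sets the default explicitly and keeps one criterion per permit ACE. Whether a fall-through is logged is a separate property of the switch and is not modelled here.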