
OnSite 2800 Series User Manual

7 • Access control list configuration

Examples

Denying a specific subnet

Figure 16 shows an example in which a server attached to network 172.16.1.0 shall not be reachable from network 172.16.2.0, which is connected to IP interface lan of the OnSite device. To prevent access, an incoming filter profile named Jamming is defined. It blocks all IP traffic from network 172.16.2.0 to network 172.16.1.0 (the wildcard 0.0.0.255 is an inverse mask: the zero bits must match, so each rule covers a whole /24), permits everything else, and is then bound to IP interface lan in the incoming direction.

Figure 16. Deny a specific subnet on an interface

The commands that have to be entered are listed below. They are issued over a Telnet session from a host with IP address 172.16.2.13, which reaches the OnSite via IP interface lan. Binding an incoming filter to the very interface that carries the management session is only safe because the deny rule covers destination network 172.16.1.0 alone; Telnet traffic to 172.16.2.1 falls through to the permit ip any any rule and the session survives. The final copy command makes the filter persistent across a reboot.

172.16.2.1>enable
172.16.2.1#configure
172.16.2.1(cfg)#profile acl Jamming
172.16.2.1(pf-acl)[Jamming]#deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
172.16.2.1(pf-acl)[Jamming]#permit ip any any
172.16.2.1(pf-acl)[Jamming]#exit
172.16.2.1(cfg)#context ip router
172.16.2.1(cfg-ip)[router]#interface lan
172.16.2.1(if-ip)[lan]#use profile acl Jamming in
172.16.2.1(if-ip)[lan]#exit
172.16.2.1(cfg-ip)#copy running-config startup-config
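To see how the device will evaluate the Jamming profile, the following Python model (added here as an illustration; it is not Patton firmware code) parses the two rule lines from the CLI above and applies them first-match with the same wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored. The `Rule`, `parse_rule` and `evaluate` names are my own. The model assumes that a packet matching no rule is dropped, which is the usual ACL default and the reason the explicit permit ip any any is needed; confirm that against your firmware version before relying on it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The two rule lines as typed into profile acl Jamming on the page above.
JAMMING_CLI = [
    "deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "permit ip any any",
]


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: str         # network address, or "any"
    src_wild: str    # wildcard (inverse) mask for src
    dst: str
    dst_wild: str


def _take_addr(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume either 'any' or '<network> <wildcard>' from the token list."""
    if tokens[0] == "any":
        return ("any", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_rule(line: str) -> Rule:
    """Parse one 'deny|permit ip <src> <dst>' ACL line (hypothetical helper)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in rule: {line!r}")
    return Rule(action, src[0], src[1], dst[0], dst[1])


def _matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard match: bits set in the mask are don't-care, clear bits must match."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins. Assumption: no match means the packet is dropped."""
    for rule in rules:
        if _matches(src, rule.src, rule.src_wild) and _matches(dst, rule.dst, rule.dst_wild):
            return rule.action
    return "deny"


JAMMING = [parse_rule(line) for line in JAMMING_CLI]


if __name__ == "__main__":
    # Constructed sample flows arriving inbound on IP interface lan.
    flows = [
        ("172.16.2.13", "172.16.1.50"),   # host -> protected server: blocked
        ("172.16.2.13", "172.16.2.1"),    # host -> OnSite itself (Telnet): allowed
        ("10.0.0.5", "172.16.1.50"),      # other source -> server: not covered, allowed
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: {evaluate(JAMMING, src, dst)}")
    # Same two rules in the wrong order: the permit shadows the deny entirely.
    print("reversed order:", evaluate(list(reversed(JAMMING)), "172.16.2.13", "172.16.1.50"))
```

Two things the run makes visible. First, rule order matters: with permit ip any any placed before the deny, the deny never fires, so always enter the specific deny rules first. Second, the profile only blocks the 172.16.2.0 subnet; a packet from any other source that arrives on interface lan (for example routed in from elsewhere) still reaches 172.16.1.0, so if the server must be reachable from nowhere on that interface, the deny should name the destination network only and use any as the source.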

[Figure 16 topology, labels recovered from the diagram: Host 172.16.2.13/24 on network 172.16.2.0, connected to IP interface lan (172.16.2.1/24) of the OnSite device; Server on network 172.16.1.0, connected to IP interface secure (172.16.1.1/24).]