Deny Specific Host
This ACL denies a specific host access to the network. Deny ACLs require Extended ACLs, and the VLAN must be an Extended Permit or Deny VLAN.
EMS Deny Specific Host Procedure
- Open a Panorama PON (EMS) session, click on the Profile icon button and the ACL tab.
- Select the EMS ACL "Create a new profile" icon and name the ACL profile Deny Specific Host.
- Click on the Create Rule button and perform the following steps:

Step 1: Enter "Deny-Specific-Host" in the Filter Name: entry box
Step 2: Select "Extended ACL" from the ACL Type: Dropdown
Step 3: Select "Deny" from the Action: Dropdown
Step 4: Select "Ipv4" from the Filter Type: Radio Selections
Step 5: Select "Any Mac(s)" from the SourceMAC(s): dropdown
Step 6: Click on the Add button to add the MAC address and bit count to the Source Mac(s) window
Step 7: Select the MAC address entry in the Source Mac(s) window
Step 8: Enter "1" in the Max MAC(s) entry box
Step 9: Enter "1" in the Max IP Per MAC entry box
Step 10: Enter "192.168.122.55" in the Bound Src IP(s) entry Box.
Step 11: Add "Bit count: 32" in the Bound SRC IP(s): entry box
Step 12: Click on the Add button to add the Bound SRC IP(s) and bit count to the Bound SRC IP(s): window
Step 13: Click on the Save button to save the rule profile
- Click on the Apply button to add the ACL profile to the Profile Name window list.
- After the Profile has been generated, the ACL status is displayed. Click on the Close button to complete the ACL profile.
CLI ACL Deny Specific Host Procedure
- Open a CLI session and create a Deny Specific Host ACL profile.
ESUx> profile acl create name=DenySpecificHost <enter>
success
ESUx> _
- From the ESUx> command line, input profile acl edit name=DenySpecificHost rule number=1 extended action=deny l2 et=ipv4 sa=any max-macs=1 l3 source-IP=192.168.122.55/32, and press Enter. Output similar to the following is displayed:
ESUx> profile acl edit name=DenySpecificHost rule number=1 extended action=deny l2 et=ipv4 sa=any max-macs=1 l3 source-IP=192.168.122.55 <enter>
success
ESUx> _
Verify the CLI entry
- From the ESUx> command line, input profile acl show name=DenySpecificHost, and press Enter. Output similar to the following is displayed:
ESUx> profile acl show name=DenySpecificHost
| Access Control List Profile |
|============================================================================|
| Profile Name : DenySpecificHost |
| |
| Rule #1 |
| Rule Identifier : Rule-1 |
| Type : extended |
| Action : deny |
| |
| Layer 2 |
| Ethertype : IPv4 (0x0800) |
| 802.1p Priority : n/a |
| |
| Source MAC(s) |
| MAX Source MACs : 1 |
| SA #1 : any |
| |
| Destination MAC(s) |
| |
| L2 Flags |
| DLF : n/a |
| |
| Layer 3 |
| IP TTL : n/a |
| IP DSCP : n/a |
| IP TOS : n/a |
| IP Protocol : n/a |
| |
| Source IP/Subnet(s) |
| |
| Bound to SA #1 |
| MAX Source IPs : 1 |
| SIP #1 : 192.168.122.55 |
| |
| Destination IP/Subnet(s) |
| |
| L3 Flags |
| DF : n/a |
| MF : n/a |
| |
| Layer 4 |
| |
| Source |
| Type : n/a |
| Port : n/a |
| Port End : n/a |
| |
| Destination |
| Type : n/a |
| Port : n/a |
| Port End : n/a |
| |
| L4 Flags |
| URG : n/a |
| ACK : n/a |
| PSH : n/a |
| RST : n/a |
| SYN : n/a |
| FIN : n/a |
| |
| Meters |
| |
|============================================================================|
ESUx>_
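A scripted form of the verification step above, added here as an example and not vendor code: it parses captured profile acl show output and reports every field that differs from the intended deny-host rule, including a bound source that is wider than a single host. The sample text is constructed from the output on this page with unused rows dropped, and the function names parse_show and audit_deny_host are hypothetical.

```python
from ipaddress import ip_interface

# Constructed sample: abridged from the show output on this page.
SAMPLE = """\
| Rule #1 |
| Type : extended |
| Action : deny |
| Layer 2 |
| Ethertype : IPv4 (0x0800) |
| Source MAC(s) |
| MAX Source MACs : 1 |
| Bound to SA #1 |
| MAX Source IPs : 1 |
| SIP #1 : 192.168.122.55 |
| Source |
| Type : n/a |
"""

def parse_show(text):
    """Map (section, field) -> value; a row without ' : ' starts a new section."""
    fields, section = {}, None
    for line in text.splitlines():
        row = line.strip().strip("|").strip()
        if not row or set(row) == {"="}:
            continue  # blank spacer row or ===== border
        if " : " in row:
            key, value = row.split(" : ", 1)
            fields[(section, key.strip())] = value.strip()
        else:
            section = row  # field names repeat (e.g. Type), so track the section
    return fields

def audit_deny_host(text, host):
    """Return a list of mismatches; an empty list means the rule matches intent."""
    f = parse_show(text)
    expected = {
        ("Rule #1", "Type"): "extended",
        ("Rule #1", "Action"): "deny",
        ("Layer 2", "Ethertype"): "IPv4 (0x0800)",
        ("Source MAC(s)", "MAX Source MACs"): "1",
        ("Bound to SA #1", "MAX Source IPs"): "1",
    }
    problems = [f"{k[1]}: expected {v!r}, got {f.get(k)!r}"
                for k, v in expected.items() if f.get(k) != v]
    sip = f.get(("Bound to SA #1", "SIP #1"), "")
    try:  # a bare address parses as /32, so a wider bound subnet is flagged
        ok = ip_interface(sip) == ip_interface(host)
    except ValueError:
        ok = False
    return problems if ok else problems + [f"SIP #1 {sip!r} is not host {host}"]
```

Calling audit_deny_host on the saved CLI output with the host address from Step 10 returns an empty list when the rule is as intended.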