SmartSwitch Router User Reference Manual 285
Chapter 20: Security Configuration Guide

Note: If the consultant’s MAC is detected on a different port, all of its traffic will be blocked.

Example 2: Secure Ports

Source secure port: To block all engineers on port 1 from accessing all other ports, enter the following command:

    filters add secure-port name engineers direction source vlan 1 in-port-list et.1.1

To allow ONLY the engineering manager access to the engineering servers, you must "punch" a hole through the secure-port wall. A "source static-entry" overrides a "source secure port".

    filters add static-entry name eng-mgr source-mac 080060:123456 vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

Destination secure port: To block access to all file servers on all ports from port et.1.1, use the following command:

    filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1

To allow all engineers access to the engineering servers, you must "punch" a hole through the secure-port wall. A "dest static-entry" overrides a "dest secure port".

    filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

Layer-3 Access Control Lists (ACLs)

Access Control Lists (ACLs) allow you to restrict Layer-3/4 traffic going through the SSR. Each ACL consists of one or more rules describing a particular type of IP or IPX traffic. An ACL can be simple, consisting of only one rule, or complicated with many rules. Each rule tells the router to either permit or deny the packet that matches the rule's packet description.

For information about defining and using ACLs on the SSR, see “Access Control List Configuration Guide” on page 259.
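
The following Python audit script is an added example, not part of the manual: it parses the "filters add" commands from the Secure Ports examples above and lists, for each secure port, the static entries that punch a hole through it. It assumes a static entry applies to a secure port when the direction, VLAN and in-port-list string match exactly; that matching rule and the function names are this example's assumptions, not documented SSR behaviour.

```python
# The four commands from the Secure Ports examples in this section.
SAMPLE_CONFIG = """\
filters add secure-port name engineers direction source vlan 1 in-port-list et.1.1
filters add static-entry name eng-mgr source-mac 080060:123456 vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow
filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1
filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow
"""


def parse_filters(text):
    """Turn each 'filters add <type> key value ...' line into a dict."""
    filters = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["filters", "add"] or len(tok) < 3:
            continue  # not a filter definition
        opts = dict(zip(tok[3::2], tok[4::2]))  # key/value pairs after the type
        opts["type"] = tok[2]
        filters.append(opts)
    return filters


def audit_holes(text):
    """Map each secure port to the 'allow' static entries that override it.

    Assumption (this example's, not the manual's): an entry overrides a
    secure port when direction, vlan and in-port-list match exactly.
    """
    filters = parse_filters(text)
    report = {}
    for sp in (f for f in filters if f["type"] == "secure-port"):
        direction = sp.get("direction")
        key = (direction, sp.get("vlan"), sp.get("in-port-list"))
        mac_key = f"{direction}-mac"  # source-mac or dest-mac
        report[key] = [
            (se.get("name"), se[mac_key], se.get("out-port-list"))
            for se in filters
            if se["type"] == "static-entry"
            and se.get("restriction") == "allow"
            and mac_key in se
            and se.get("vlan") == key[1]
            and se.get("in-port-list") == key[2]
        ]
    return report


if __name__ == "__main__":
    for wall, holes in audit_holes(SAMPLE_CONFIG).items():
        print(wall, "->", holes or "no exceptions")
```

A secure port that reports no exceptions is a solid wall; each listed entry is a MAC address that bypasses it and should be reviewed against who is meant to have that access.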