Chapter 9: Security Configuration Guide
SSR User Reference Manual, page 9-9

    filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1

To allow all engineers access to the engineering servers, you must "punch" a hole through the secure-port wall. A "dest static-entry" overrides a "dest secure port".

    filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

L3 Access Control Lists (ACLs)

Traffic Filters at Layer-3 and 4 (Access Control List)

Access Control Lists (ACLs) allow you to restrict Layer-3/4 traffic going through the router. Each ACL (each list) consists of one or more rules, each describing a particular type of IP or IPX traffic. An ACL can be simple, consisting of only one rule, or complicated, with many rules. Each rule tells the router to either permit or deny a packet that matches the rule's packet description.

The Anatomy of an ACL Rule

Each ACL is identified by a name. The name can be a meaningful string, such as denyftp or noweb, or a number, such as 100 or 101.

Each rule has an action: permit or deny the packet if it satisfies the criterion defined by the rule.

A criterion describes one or more characteristics of a packet. In an ACL rule, these characteristics are described as fields of the rule. Not all characteristics (fields) of a packet (rule) need to be specified. If a particular field is not specified, it is treated as a wildcard ("don't care") condition; if a field is specified, that field is matched against the packet. Each protocol has a number of different fields to match. For example, TCP can use socket port numbers, while IPX can use a network node address to define a rule. For IP, TCP and UDP ACLs, the following fields can be specified:

• Source IP address
• Destination IP address
• Source port number
• Destination port number
• Type of Service (TOS)
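The rule semantics described above (action, per-field criteria, unspecified field = wildcard), modelled as an added Python example that is not from the manual and does not reproduce the SSR command syntax. It assumes first-match evaluation and a configurable default action, neither of which this excerpt states; the sample packets are constructed. It also shows the caveat that a rule with no fields specified matches every packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    tos: int = 0


@dataclass
class Rule:
    """One ACL rule: an action plus the five IP/TCP/UDP fields the manual lists.
    A field left as None is a wildcard ("don't care") and matches anything."""
    action: str                    # "permit" or "deny"
    src: Optional[str] = None      # source address or CIDR prefix
    dst: Optional[str] = None      # destination address or CIDR prefix
    sport: Optional[int] = None    # source port number
    dport: Optional[int] = None    # destination port number
    tos: Optional[int] = None      # Type of Service

    def matches(self, p: Packet) -> bool:
        # Every field that IS specified must match; unspecified fields are skipped.
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.tos is not None and self.tos != p.tos:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule (assumption: first match wins);
    `default` applies when no rule matches (assumption: not stated in this excerpt)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return default


# Constructed example ACL "denyftp": block TCP port 21, allow everything else.
DENYFTP = [Rule("deny", dport=21), Rule("permit")]
```

Note that `Rule("permit")` has every field unspecified, so it matches all packets; its position after the deny rule is what makes the list safe under first-match evaluation.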