Chapter 10: Security Configuration Guide
170 SmartSwitch Router User Reference Manual

Destination secure port: To block access to all file servers on all ports from port et.1.1, use the following command:

    filters add secure-port name engineers direction dest vlan 1 in-port-list et.1.1

To allow all engineers access to the engineering servers, you must "punch" a hole through the secure-port wall. A "dest static-entry" overrides a "dest secure port".

    filters add static-entry name eng-server dest-mac 080060:abcdef vlan 1 in-port-list et.1.1 out-port-list et.1.2 restriction allow

Layer-3 Access Control Lists (ACLs)

Layer-3 & Layer-4 Traffic Filters (Access Control List)

Access Control Lists (ACLs) allow you to restrict Layer-3/4 traffic going through the router. Each ACL (each list) consists of one or more rules describing a particular type of IP or IPX traffic. An ACL can be simple, consisting of only one rule, or complicated, with many rules. Each rule tells the router to either permit or deny the packet that matches the rule's packet description.

Anatomy of an ACL Rule

Each ACL is identified by a name. The name can be a meaningful string, such as denyftp or noweb, or it can be a number, such as 100 or 101.

Each rule has an action, that is, to permit or to deny the packet if a packet satisfies the criterion defined by the rule.

A criterion describes one or more characteristics of a packet. In an ACL rule, these characteristics are described as fields of the rule. Not all characteristics (fields) of a packet (rule) need to be specified. If a particular field is not specified, it is treated as a wildcard or "don't care" condition. However, if a field is specified, that particular field will be matched against the packet. Each protocol has a number of different fields that can be matched. For example, TCP can use socket port numbers, while IPX can use a network node address to define a rule.

For IP, TCP and UDP ACLs, the following fields can be specified:
• Source IP address
• Destination IP address
• Source port number
• Destination port number
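As an added illustration, not code from the manual or from the SmartSwitch Router itself, the following Python models the rule anatomy just described: a named list of rules, each with a permit/deny action and the four optional IP/TCP/UDP fields, where a field left unspecified is a wildcard. The sample addresses and ports are constructed, and the evaluation order (first matching rule decides, unmatched packets denied) is an assumption the text above does not state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One ACL rule: an action plus the IP/TCP/UDP fields listed above.
    A field left as None is unspecified and therefore a wildcard."""
    action: str                     # "permit" or "deny"
    src_ip: Optional[str] = None    # address or CIDR block (constructed values)
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        """True when every specified field agrees with the packet; unspecified fields are ignored."""
        checks = [
            (self.src_ip, lambda v: ip_address(pkt["src_ip"]) in ip_network(v, strict=False)),
            (self.dst_ip, lambda v: ip_address(pkt["dst_ip"]) in ip_network(v, strict=False)),
            (self.src_port, lambda v: pkt["src_port"] == v),
            (self.dst_port, lambda v: pkt["dst_port"] == v),
        ]
        return all(test(v) for v, test in checks if v is not None)

@dataclass
class ACL:
    """A named list of rules; the name may be a string such as 'denyftp' or a number such as 100."""
    name: str
    rules: List[Rule]

    def evaluate(self, pkt: dict) -> str:
        # ASSUMPTION (not stated in the manual text above): rules are tried in
        # order, the first match decides, and a packet matching no rule is denied.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"

# Constructed sample list named like the manual's "denyftp": deny FTP control
# connections (TCP port 21) to a constructed server subnet, permit everything else.
denyftp = ACL("denyftp", [
    Rule("deny", dst_ip="10.1.1.0/24", dst_port=21),
    Rule("permit"),   # every field unspecified: matches any packet
])

def decide(acl: ACL, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> str:
    """Build a packet header description and run it through the ACL."""
    pkt = {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port}
    return acl.evaluate(pkt)
```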