Filtering GSS Traffic Using Access Lists
Displaying Access Lists
Cisco Global Site Selector Administration Guide
5-10
For example, remote management services such as Telnet, SSH, and FTP listen on all active interfaces. To force these remote management services to listen on only the second GSS Ethernet interface, enter:
gss1.example.com# config
gss1.example.com(config)# access-list alist1 permit tcp any destination-port ftp
gss1.example.com(config)# access-list alist1 permit tcp any destination-port ssh
gss1.example.com(config)# access-list alist1 permit tcp any destination-port telnet
gss1.example.com(config)# access-group alist1 interface eth1
The commands listed above limit the second Ethernet interface (eth1) to the specified traffic; all other traffic to that interface is refused.
To deny the same traffic on the first Ethernet interface (eth0), enter:
gss1.example.com(config)# access-list alist1 deny tcp any destination-port ftp
gss1.example.com(config)# access-list alist1 deny tcp any destination-port ssh
gss1.example.com(config)# access-list alist1 deny tcp any destination-port telnet
gss1.example.com(config)# access-group alist1 interface eth0
You can use the show access-list command to display all configured access lists.
gss1.example.com(config)# show access-list
access-list: alist1
access-list alist1 permit tcp any destination-port range 20 23
access-list alist1 permit tcp any eq 20
access-list alist1 permit tcp any eq 21
access-list alist1 permit tcp any eq 23
access-list alist1 permit tcp any eq 49
access-list alist1 permit tcp any destination-port eq 53
access-list alist1 permit udp any destination-port eq 53
access-list alist1 permit udp any eq 53
access-list alist1 permit udp any eq 123 destination-port eq 123
access-list alist1 permit udp any destination-port eq 161
access-list alist1 permit tcp any destination-port eq 443
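The following is an added example, not code from the Cisco guide: a small Python audit script that parses access-list and access-group lines in the syntax shown on this page (both config-mode transcript lines with their prompts and the body of show access-list output) and reports which remote-management services each Ethernet interface still accepts. Two points are assumptions rather than statements from the page: entries are evaluated in order with the first match deciding, and a bound list ends in an implicit deny (the page only says all other traffic is refused). A bare "eq N" directly after the source is read as a source-port match and "destination-port ..." as a destination-port match; the service-name table (ftp, ssh, telnet) and the sample configuration, which adds a hypothetical DNS-only list for eth0 alongside the page's eth1 list, are constructed here.

```python
"""Audit which services a GSS access list exposes on each Ethernet interface.

Added example; not from the Cisco GSS guide. Parses the access-list /
access-group syntax shown on the page and evaluates it under two labelled
assumptions: first matching entry wins, and a bound list ends in an implicit
deny. An interface with no list bound is treated as open.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Service keywords used on the page, mapped to their TCP ports (constructed table).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23}
MGMT_SERVICES = SERVICE_PORTS          # the remote-management services the page restricts

_PROMPT = re.compile(r"^\S+\(config\)#\s*")   # strips 'gss1.example.com(config)# '


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp" or "udp"
    src_ports: Optional[tuple]    # (lo, hi) inclusive; None means any source port
    dst_ports: Optional[tuple]    # (lo, hi) inclusive; None means any destination port


def _to_port(tok: str) -> int:
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


def _port_spec(t: list, i: int):
    """Consume 'eq X', 'range A B' or a bare service/port at t[i]; return ((lo, hi), next_i)."""
    try:
        if t[i] == "eq":
            p = _to_port(t[i + 1])
            return (p, p), i + 2
        if t[i] == "range":
            return (int(t[i + 1]), int(t[i + 2])), i + 3
        p = _to_port(t[i])
        return (p, p), i + 1
    except (IndexError, ValueError) as exc:
        raise ValueError(f"bad port specification near token {i}: {' '.join(t)!r}") from exc


def parse_entry(line: str):
    """Parse one 'access-list NAME permit|deny tcp|udp SOURCE [ports]' line.
    Assumption: a bare 'eq N' after the source matches the source port;
    'destination-port ...' matches the destination port."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] not in ("tcp", "udp"):
        raise ValueError(f"not an access-list entry: {line!r}")
    i = 6 if t[4] == "host" else 5         # 'host A.B.C.D' occupies two tokens, 'any' one
    src_ports = dst_ports = None
    while i < len(t):
        if t[i] == "destination-port":
            dst_ports, i = _port_spec(t, i + 1)
        else:
            src_ports, i = _port_spec(t, i)
    return t[1], Entry(t[2], t[3], src_ports, dst_ports)


def parse_config(text: str):
    """Return ({list_name: [Entry, ...]}, {interface: list_name}).
    Accepts config-mode transcript lines (prompts stripped) and the body of
    'show access-list' output ('access-list: NAME' header lines are skipped)."""
    lists, bindings = {}, {}
    for raw in text.splitlines():
        line = _PROMPT.sub("", raw.strip())
        if not line or line == "config" or line.endswith("# config") or line.startswith("access-list:"):
            continue
        if line.startswith("access-list "):
            name, entry = parse_entry(line)
            lists.setdefault(name, []).append(entry)
        elif line.startswith("access-group "):
            t = line.split()                  # access-group NAME interface ETHn
            if len(t) != 4 or t[2] != "interface":
                raise ValueError(f"malformed access-group line: {line!r}")
            bindings[t[3]] = t[1]
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return lists, bindings


def _matches(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def allowed(lists, bindings, iface, proto, dst_port, src_port=40000):
    """Is a proto packet to dst_port accepted on iface? First match decides; a bound
    list ends in an implicit deny (assumption). src_port defaults to an ephemeral
    client port, so a source-port-only entry such as 'eq 20' does not match it."""
    name = bindings.get(iface)
    if name is None:
        return True                           # no list bound: interface is open
    for e in lists.get(name, []):
        if e.proto == proto and _matches(e.src_ports, src_port) and _matches(e.dst_ports, dst_port):
            return e.action == "permit"
    return False


def exposure_report(lists, bindings, interfaces=("eth0", "eth1")):
    """Which remote-management services (over TCP) are reachable on each interface."""
    return {iface: sorted(s for s, p in MGMT_SERVICES.items() if allowed(lists, bindings, iface, "tcp", p))
            for iface in interfaces}


# Constructed transcript: the page's eth1 example plus a hypothetical DNS-only list on eth0.
SAMPLE_CONFIG = """\
gss1.example.com# config
gss1.example.com(config)# access-list alist1 permit tcp any destination-port ftp
gss1.example.com(config)# access-list alist1 permit tcp any destination-port ssh
gss1.example.com(config)# access-list alist1 permit tcp any destination-port telnet
gss1.example.com(config)# access-group alist1 interface eth1
gss1.example.com(config)# access-list dnsonly permit udp any destination-port eq 53
gss1.example.com(config)# access-list dnsonly permit tcp any destination-port eq 53
gss1.example.com(config)# access-group dnsonly interface eth0
"""

if __name__ == "__main__":
    acl_lists, acl_bindings = parse_config(SAMPLE_CONFIG)
    for iface, services in exposure_report(acl_lists, acl_bindings).items():
        print(f"{iface}: management services reachable = {services or 'none'}")
```

Running the script on the sample shows eth1 accepting ftp, ssh and telnet and eth0 accepting none of them; querying UDP 53 on eth1 returns False, which is the side effect worth checking whenever a list is bound to an interface that also serves DNS.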
Chapter 5
Configuring Access Lists and Filtering GSS Traffic
OL-10410-01