ADTRAN 5000 Series Command Reference Manual page 367

Command Reference Guide
Global Configuration Mode Command Set
Technology Review
Concepts:
Access control using the AOS firewall has two fundamental parts: Access Control Lists (ACLs) and Access
Policy Classes (ACPs). ACLs are used as packet selectors by other AOS systems; by themselves they do
nothing. ACPs consist of a selector (ACL) and an action (allow, discard, NAT). ACPs integrate both allow
and discard policies with NAT. ACPs have no effect until they are assigned to a network interface.
Both ACLs and ACPs are order dependent. When a packet is evaluated, the matching engine begins with
the first entry in the list and progresses through the entries until it finds a match. The first entry that
matches is executed.
Packet Flow:
[Diagram in the original: Packet In -> Interface -> Association List (Access Control Policies: permit, deny, NAT) -> Route Lookup -> Packet Out. The ACP step is bypassed if there is a session hit or no ACP is configured on the interface.]
Case 1: Packets from interfaces with a configured policy class to any other interface
ACPs are applied when packets are received on an interface. If an interface has not been assigned a policy
class, by default it will allow all received traffic to pass through. If an interface has been assigned a policy class
but the firewall has not been enabled with the ip firewall command, traffic will flow normally from this interface
with no firewall processing.
Case 2: Packets that travel in and out a single interface with a configured policy class
These packets are processed through the ACPs as if they are destined for another interface (identical to
Case 1).
Case 3: Packets from interfaces without a configured policy class to interfaces with one
These packets are routed normally and are not processed by the firewall. The ip firewall command has no
effect on this traffic.
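The following is an added example that models the matching behaviour described above (first-match ACL selection inside a first-match ACP, and the three interface cases). It is a constructed Python model, not AOS code or AOS syntax; the class names, the interface labels and the assumption that an ACP with no matching entry discards the packet are illustrative choices.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of AOS-style ACL/ACP evaluation for illustration only.
# Names, structure and the default actions below are assumptions.

@dataclass
class AclEntry:
    permit: bool   # True = "permit" entry, False = "deny" entry
    src: str       # source prefix, e.g. "10.0.0.0/24"
    dst: str       # destination prefix

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

@dataclass
class Acl:
    entries: list

    def selects(self, src_ip: str, dst_ip: str) -> bool:
        # First matching entry decides; a "permit" selects the packet,
        # a "deny" excludes it. No match at all: not selected (assumed implicit deny).
        for entry in self.entries:
            if entry.matches(src_ip, dst_ip):
                return entry.permit
        return False

@dataclass
class AcpEntry:
    action: str    # "allow", "discard" or "nat"
    acl: Acl       # the selector

@dataclass
class Acp:
    entries: list

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        # First ACP entry whose ACL selects the packet is executed.
        for entry in self.entries:
            if entry.acl.selects(src_ip, dst_ip):
                return entry.action
        return "discard"   # assumption: nothing matched -> discard

class Firewall:
    def __init__(self, enabled: bool):
        self.enabled = enabled          # models the "ip firewall" command
        self.assignments: dict = {}     # interface name -> Acp

    def assign(self, interface: str, acp: Acp) -> None:
        self.assignments[interface] = acp

    def process(self, in_iface: str, src_ip: str, dst_ip: str) -> str:
        acp = self.assignments.get(in_iface)
        if acp is None:
            return "allow"   # no policy class on ingress interface: routed normally
        if not self.enabled:
            return "allow"   # policy class assigned but firewall not enabled
        return acp.evaluate(src_ip, dst_ip)

def build_demo_firewall(enabled: bool, reorder: bool = False) -> Firewall:
    # Constructed sample policy: allow the 10.0.0.0/24 admin hosts, discard everything else.
    admin_hosts = Acl([AclEntry(True, "10.0.0.0/24", "0.0.0.0/0")])
    everything = Acl([AclEntry(True, "0.0.0.0/0", "0.0.0.0/0")])
    entries = [AcpEntry("allow", admin_hosts), AcpEntry("discard", everything)]
    if reorder:
        entries.reverse()   # shows order dependence: discard-all now shadows the allow
    fw = Firewall(enabled)
    fw.assign("eth 0/1", Acp(entries))   # "eth 0/1" is an assumed interface label
    return fw

if __name__ == "__main__":
    fw = build_demo_firewall(enabled=True)
    print(fw.process("eth 0/1", "10.0.0.5", "192.0.2.1"))   # allow (admin host)
    print(fw.process("eth 0/1", "10.1.0.5", "192.0.2.1"))   # discard (catch-all)
    print(fw.process("eth 0/2", "10.1.0.5", "192.0.2.1"))   # allow (no ACP on eth 0/2)
    print(build_demo_firewall(enabled=True, reorder=True)
          .process("eth 0/1", "10.0.0.5", "192.0.2.1"))      # discard (order matters)
```

The reordered policy is the practical check: a catch-all entry placed before a more specific one shadows it, so a policy class should be read top to bottom when verifying what it actually enforces, and an interface without an assigned policy class passes everything regardless of what other interfaces are configured to do.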
61200990L1-35E Copyright © 2005 ADTRAN 367