Chapter 4. Access Control List Configuration Mode; Allow - IBM WebSphere XS40 Command Reference Manual

Chapter 4. Access Control List configuration mode

This chapter provides an alphabetic listing of commands that are available in
Access Control List (ACL) configuration mode.
To enter this configuration mode, use the Global acl command. While in this mode,
create an ACL. An ACL consists of a sequence of allow and deny clauses. Each
clause identifies an IP address or range of addresses that allow or that deny access
to a service.
An ACL is associated with a specific DataPower service. An ACL grants access to
the service only to addresses that are matched by an allow clause. All other
addresses are denied access.
Candidate addresses are evaluated sequentially against each allow and deny clause
in the ACL. A candidate address is denied or granted access in accordance with the
first clause that matches. Consequently, the order of allow and deny clauses in the
ACL is vital.
For example, the following ACL fails its intended purpose. The address range that
is specified by the deny clause (192.168.14.224 through 192.168.14.255) is granted
access before the allow clause.
allow 192.168.14.0/24
deny 192.168.14.0/27
However, as shown in the following example, reversing the sequence of the clauses
achieves the desired effect.
deny 192.168.14.0/27
allow 192.168.14.0/24
An ACL that contains only deny clauses effectively disables a service by denying
access to all addresses. To complete an ACL, include the allow any clause. This
clause ensures that addresses that are not explicitly denied access are granted
access.
The following example denies access to two ranges of addresses and allows access
to all other addresses.
deny 10.10.10.0/24
deny 172.16.0.0/16
allow any
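The first-match evaluation described above, worked through in code. This is an added illustration, not code from the manual or from the DataPower product; it assumes the clause syntax shown in the examples (one clause per line, allow or deny followed by a CIDR range or the keyword any) and models the implicit deny that applies when no clause matches.

```python
import ipaddress


def parse_acl(text):
    """Parse ACL clauses of the form 'allow <cidr>', 'deny <cidr>' or 'allow any'.

    Returns a list of (action, network) pairs in source order; the network is
    None for the 'any' keyword so that it matches every candidate address.
    """
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown clause action: {action!r}")
        target = target.strip()
        network = None if target == "any" else ipaddress.ip_network(target, strict=False)
        clauses.append((action, network))
    return clauses


def evaluate(clauses, address):
    """Return 'allow' or 'deny' for a candidate address.

    Clauses are checked in order and the first match decides, exactly as the
    manual describes. An address that matches no clause at all is denied,
    which is why an ACL made only of deny clauses disables the service.
    """
    addr = ipaddress.ip_address(address)
    for action, network in clauses:
        if network is None or addr in network:
            return action
    return "deny"


# The manual's two orderings of the same clauses (constructed from its examples).
BROKEN_ORDER = "allow 192.168.14.0/24\ndeny 192.168.14.0/27"
CORRECT_ORDER = "deny 192.168.14.0/27\nallow 192.168.14.0/24"

# Deny-only ACL versus the same ACL completed with 'allow any'.
DENY_ONLY = "deny 10.10.10.0/24\ndeny 172.16.0.0/16"
COMPLETE = DENY_ONLY + "\nallow any"

if __name__ == "__main__":
    # 192.168.14.10 lies inside the /27, so only the corrected order denies it.
    for label, acl in (("broken", BROKEN_ORDER), ("correct", CORRECT_ORDER)):
        print(label, evaluate(parse_acl(acl), "192.168.14.10"))
    for label, acl in (("deny-only", DENY_ONLY), ("complete", COMPLETE)):
        print(label, evaluate(parse_acl(acl), "8.8.8.8"))
```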
All of the commands that are listed in "Common commands" on page 2 and most,
but not all, of the commands that are listed in Chapter 114, "Monitoring
commands," on page 949 are also available in ACL configuration mode.
allow
Identifies IP addresses to grant access.
© Copyright IBM Corp. 1999, 2008