Installation and Operation Manual
Chapter 6 Management and Security

Access Control List (ACL)

[Figure: PC #1 (IP: 192.168.1.250) sends UDP packets to VB-101, interface ETH1 (IP: 192.168.1.101)]

ACGs on VB-101:
  ACG 1050 priority 10
  ACG 1010 priority 20

ACLs:
  ACL 1050
    Rule 1: permit icmp priority 80
    Rule 2: deny tcp priority 50
  ACL 1010 priority 20
    Rule 1: permit udp priority 80
    Rule 2: deny icmp priority 30

Figure 6-1. VB-101 ACL Functionality

PC 1 sends UDP packets to the eth1 interface. The ACGs receive and verify the incoming packets in the following sequence:

• The ACG with priority 10 verifies the packet with the ACL 1050 rules:
    - Rule 2 with priority 50 verifies the packet first. Since the rule is addressed to TCP packets, it does not take effect.
    - The packet is then verified with Rule 1, which is addressed to ICMP and is irrelevant to the UDP packet.
• The packet is verified with ACL 1010, Rule 2 (priority 30). Since the rule is addressed to ICMP, it does not take effect.
• The packet is verified with the next rule, Rule 1 (priority 80). This rule enables forwarding of UDP packets, and the packet is permitted.

The examples below show different ACL configuration methods.

Example 1

VB-101# ip access-list extended create acl-num 1010
VB-101# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip any dst-ip any
VB-101# ip access-group apply acl-num 1010 interface eth1 direction in priority 10

Example 2

VB-101# ip access-list extended create acl-num 1010
VB-101# ip access-list extended permit icmp acl-num 1010 priority 10 src-ip 192.168.1.250 dst-ip 192.168.1.101
VB-101# ip access-list extended deny icmp acl-num 1010 priority 20 src-ip 192.168.1.250 dst-ip 192.168.2.101
VB-101# ip access-list extended permit tcp acl-num 1010 priority 40 src-ip any dst-ip 192.168.2.101
VB-101# ip access-list extended deny tcp acl-num 1010 priority 30 src-ip any dst-ip 192.168.1.101
VB-101# ip access-group apply acl-num 1010 interface eth1 direction in priority 1
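
The evaluation order walked through for Figure 6-1 can be modeled offline to check which rule decides a given packet before applying a configuration. This is an added Python example, not VB-101 code; the class and function names are hypothetical, and returning None when no rule matches is an assumption, since this page does not state the behaviour in that case.

```python
# Added illustration: models the evaluation order described for Figure 6-1.
# Not VB-101 firmware code; names and the no-match result are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str          # "permit" or "deny"
    proto: str           # "icmp", "tcp" or "udp"
    src: str = "any"
    dst: str = "any"

    def matches(self, proto, src, dst):
        return (self.proto == proto
                and self.src in ("any", src)
                and self.dst in ("any", dst))

# ACL contents as shown in Figure 6-1
ACLS = {
    1050: [Rule(80, "permit", "icmp"), Rule(50, "deny", "tcp")],
    1010: [Rule(80, "permit", "udp"), Rule(30, "deny", "icmp")],
}
# ACGs applied to eth1, direction in: (ACG priority, ACL number)
ACGS_ETH1_IN = [(20, 1010), (10, 1050)]

def evaluate(proto, src, dst, acgs=ACGS_ETH1_IN, acls=ACLS):
    """Return (verdict, trace). Lower priority values are checked first,
    both for ACGs and for the rules inside each ACL; the first match decides."""
    trace = []
    for _, acl_num in sorted(acgs):
        for rule in sorted(acls[acl_num], key=lambda r: r.priority):
            hit = rule.matches(proto, src, dst)
            trace.append((acl_num, rule.priority, rule.proto, hit))
            if hit:
                return rule.action, trace
    # Assumption: the page does not say what happens when nothing matches.
    return None, trace

if __name__ == "__main__":
    verdict, trace = evaluate("udp", "192.168.1.250", "192.168.1.101")
    for acl_num, prio, proto, hit in trace:
        print(f"ACL {acl_num} rule priority {prio} ({proto}): "
              f"{'match' if hit else 'no match'}")
    print("verdict:", verdict)
```

Under this model an ICMP packet is permitted by ACL 1050 Rule 1 before the deny icmp rule in ACL 1010 is ever reached, which is the kind of shadowing worth checking for when ACGs are stacked on one interface.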