Acl Basics; Chapter 13: Access Control List Configuration Guide; Defining Selection Criteria In Acl Rules - Cabletron Systems IA1100 User's Reference Manual

Chapter 13: Access Control List Configuration Guide

ACL Basics

An ACL consists of one or more rules describing a particular type of IP traffic. ACLs can
be simple, consisting of only one rule, or complicated with many rules. Each rule tells the
IA to either permit or deny packets that match selection criteria specified in the rule.
Each ACL is identified by a name. The name can be a meaningful string, such as
"denyftp" or "noweb," or it can be a number such as 100 or 101.
For example, the following ACL has a rule that permits all IP packets from subnet
10.2.0.0/16 to go through the IA:
acl 101 permit ip 10.2.0.0/16

Defining Selection Criteria in ACL Rules

Selection criteria in the rule describe characteristics about a packet. In the example above,
the selection criteria are IP packets from 10.2.0.0/16.
The selection criteria you can specify in an ACL rule depend on the type of ACL you are
creating. For IP, TCP, and UDP ACLs, the following selection criteria can be specified:
Source IP address
Destination IP address
Source port number
Destination port number
Type of Service (TOS)
These selection criteria are specified as fields of an ACL rule. The following syntax
description shows the fields of an IP ACL rule:
acl <name> permit|deny ip <SrcAddr/Mask> <DstAddr/Mask> <SrcPort> <DstPort> <tos>
Note:
The acl permit|deny ip command restricts traffic for all IP-based protocols, such
as TCP, UDP, and ICMP. Variants of the acl permit|deny ip command exist that
allow you to restrict traffic for a specific IP-based protocol; for example, the acl
permit|deny tcp command lets you restrict only TCP traffic. These variants have
the same syntax and fields as the acl permit|deny ip command.
Each field in an ACL rule is position sensitive. For example, in a rule for TCP traffic, the
source address must be followed by the destination address, followed by the source socket
and the destination socket, and so on.
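The following Python script is an added example, not code from the manual or from the IA product: it parses rules written in the positional syntax described above (acl <name> permit|deny ip|tcp|udp <SrcAddr/Mask> <DstAddr/Mask> <SrcPort> <DstPort> <tos>) and evaluates a packet against one named ACL, so you can check how a rule set will classify traffic before loading it on a device. It assumes that trailing fields omitted from a rule match anything (the page's own example gives only a source address), that an ACL's rules are consulted in order and the first match wins, and that a packet matching no rule has no decision (the page does not state the device's default action, so the evaluator returns None rather than guessing). The sample configuration is constructed for the example; only the "acl 101" rule is taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIONS = ("permit", "deny")
PROTOS = ("ip", "tcp", "udp")  # the rule variants named on this page


@dataclass
class AclRule:
    """One positional ACL rule; a None field means 'not specified, matches anything' (assumption)."""
    name: str
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    tos: Optional[int] = None


@dataclass
class Packet:
    """Minimal packet summary used for matching (constructed for this example)."""
    proto: str  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    tos: int = 0


def parse_rule(line: str) -> AclRule:
    """Parse 'acl <name> permit|deny <proto> [<SrcAddr/Mask> [<DstAddr/Mask> [<SrcPort> [<DstPort> [<tos>]]]]]'.

    Fields are position sensitive, exactly as the manual says: a destination port can only
    be given after a source address, destination address and source port.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "acl":
        raise ValueError(f"not an ACL rule: {line!r}")
    name, action, proto = tokens[1:4]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {line!r}")
    if proto not in PROTOS:
        raise ValueError(f"unsupported protocol {proto!r} in {line!r}")
    fields = tokens[4:]
    if len(fields) > 5:
        raise ValueError(f"too many fields in {line!r}")

    def net(i: int) -> Optional[ipaddress.IPv4Network]:
        # strict=False masks off host bits, so 10.2.1.0/16 is treated as 10.2.0.0/16
        return ipaddress.ip_network(fields[i], strict=False) if i < len(fields) else None

    def num(i: int) -> Optional[int]:
        return int(fields[i]) if i < len(fields) else None

    return AclRule(name, action, proto, net(0), net(1), num(2), num(3), num(4))


def parse_acls(lines: List[str]) -> Dict[str, List[AclRule]]:
    """Group rules by ACL name, preserving the order in which they were written."""
    acls: Dict[str, List[AclRule]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        acls.setdefault(rule.name, []).append(rule)
    return acls


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    """An 'ip' rule covers every IP-based protocol; 'tcp'/'udp' rules cover only that protocol."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.tos is not None and rule.tos != pkt.tos:
        return False
    return True


def evaluate(rules: List[AclRule], pkt: Packet) -> Optional[str]:
    """Return the action of the first matching rule (assumed first-match order), or None if nothing matched."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# Constructed sample configuration; the first rule is the page's own example.
SAMPLE_CONFIG = """
acl 101 permit ip 10.2.0.0/16
acl noweb deny tcp 10.3.0.0/16 192.168.1.0/24 1024 80
acl noweb permit ip 10.3.0.0/16
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG.splitlines())
    for name, rules in acls.items():
        print(name, [(r.action, r.proto) for r in rules])
    print(evaluate(acls["noweb"], Packet("tcp", "10.3.1.1", "192.168.1.10", 1024, 80)))
```

Because the rule fields are positional, the "noweb" deny rule only hits TCP from 10.3.0.0/16 whose source port is exactly 1024; a UDP packet or a TCP packet with a different source port falls through to the permit rule, which is the kind of gap a dry run against representative packets makes visible before the ACL is applied.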
