ADTRAN AOS Version R10.1.0 Command Reference Manual page 1059

Adtran operating system (aos)

Command Reference Guide
Usage Examples
The following example creates an IPv4 ACP named PRIVATEv4:
(config)#ip policy-class PRIVATEv4
(config-policy-class)#
Technology Review
IPv4 ACPs and ACLs regulate traffic through the routed network. Creating IPv4 ACPs and ACLs to
regulate traffic through the routed network is a four-step process:
Step 1: Enable the IPv4 security features of AOS using the ip firewall command. Refer to the command
ip firewall on page 999 for more information.

Step 2: Create an IPv4 ACP that uses a configured ACL by issuing the ip policy-class command. AOS IPv4
ACPs are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each ACP
consists of an action (allow, discard, nat) and a selector (ACL). When packets are received on an
interface, the configured ACPs are applied to determine whether the data will be processed or discarded.

Step 3: Create an IPv4 ACL to permit or deny specified traffic by using either the ip access-list extended or ip
access-list standard command. Standard IPv4 ACLs match based on the source IP address of the
packet. Extended IPv4 ACLs match based on the source and destination of the packet. Refer to the
command ip access-list extended <ipv4 acl name> on page 982 or the command ip access-list standard
<ipv4 acl name> on page 984 for more information. Sources can be expressed in one of four ways:
1. Using the keyword any to match any IP address.
2. Using host <ip address> to specify a single host address.
3. Using the <ip address> <wildcard> format to match all IPv4 addresses in a range. Wildcard masks
work in reverse logic from subnet masks. When broken out into binary form, a 0 indicates which bits of
the IPv4 address to consider, a 1 indicates which bits are disregarded. For example, specifying 255 in
any octet of the wildcard mask equates to a "don't care" for that octet in the IP address. Additionally, a
30-bit mask would be represented with the wildcard string 0.0.0.3, a 28-bit mask with 0.0.0.15, a 24-bit
mask with 0.0.0.255, and so forth.
4. Using the keyword hostname to match based on a domain naming system (DNS) name. DNS servers
must be configured or host names must be locally defined for this function to work.

Step 4: Apply the created IPv4 ACP to an interface. To assign an IPv4 ACP to an interface, enter the interface
configuration mode for the desired interface and enter ip access-policy <acpv4 name>. The following
example assigns ACP UNTRUSTED to the Ethernet 0/1 interface:
(config)#interface ethernet 0/1
(config-eth 0/1)#ip access-policy UNTRUSTED

Global Configuration Mode Command Set
60000CRG0-35E    Copyright © 2012 ADTRAN, Inc.
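
The wildcard logic described in Step 3, as an added Python example (not ADTRAN code and not AOS output). The function names are hypothetical and the sample addresses are constructed; it goes slightly beyond the text by also flagging a subnet mask typed where a wildcard is expected.

```python
import ipaddress

def to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a prefix length: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """Match address against '<ip address> <wildcard>': 0 bits are compared, 1 bits ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)

def check_source(base: str, wildcard: str) -> list:
    """Return warnings for common mistakes in an '<ip address> <wildcard>' source."""
    warnings = []
    w = to_int(wildcard)
    inverse = ~w & 0xFFFFFFFF
    contiguous_wildcard = (w & (w + 1)) == 0            # 0...01...1, e.g. 0.0.0.255
    subnet_mask_shape = (inverse & (inverse + 1)) == 0  # 1...10...0, e.g. 255.255.255.0
    if subnet_mask_shape and not contiguous_wildcard:
        warnings.append("looks like a subnet mask; wildcard would be "
                        + str(ipaddress.IPv4Address(inverse)))
    if to_int(base) & w:
        warnings.append("address has bits set in ignored positions")
    return warnings

if __name__ == "__main__":
    # Constructed sample sources, not taken from any real configuration.
    for base, wc in [("192.168.1.0", "0.0.0.255"), ("192.168.1.0", "255.255.255.0"),
                     ("10.1.1.9", "0.0.0.3")]:
        print(base, wc, check_source(base, wc) or "ok")
```

With 255.255.255.0 entered as the wildcard, only the last octet is compared, so the entry matches any address ending in .0 and misses the hosts in 192.168.1.0/24 it was meant to cover.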
