ADTRAN AOS Version R10.1.0 Command Reference Manual page 3127

Command Reference Guide
IPv4 Access Control Policies (ACPs)
IPv4 ACPs are used to allow, discard, or manipulate (using network address translation (NAT)) data for
each physical interface. Each IPv4 ACP consists of an action (allow, discard, nat) and a selector (IPv4
ACL). In a sense, the IPv4 ACPs answer the question, "What should I do?" while the IPv4 ACLs answer
the question, "On which packets?"
When packets are received on an interface with an IPv4 ACP applied, the ACP is used to determine
whether the data is processed or discarded. Both IPv4 ACLs and IPv4 ACPs are order dependent. When a
packet is evaluated, the matching engine begins with the first entry in the list and progresses through the
entries until it finds a match. The first entry that matches is executed. The IPv4 ACP has an implicit
discard at the end of the list. Typically, the most specific entries should be at the top and the most general
at the bottom.
IPv4 Access Control Lists (ACLs)
IPv4 ACLs are used as packet selectors by IPv4 ACPs. They must be assigned to an IPv4 ACP in order to
be active.
An IPv4 ACP must use an IPv4 ACL. You cannot apply an IPv4 ACL to an IPv6 ACP, or
vice versa. In addition, every IPv4 ACL and IPv4 ACP must have a name different from any
configured IPv6 ACL or IPv6 ACP.
IPv4 ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or
deny) and a packet pattern. A permit action is used to allow packets (meeting the specified pattern) to
enter the router system. A deny action is used to disregard packets (that do not match the pattern) and
proceed to the next entry on the IPv4 ACP. The IPv4 ACL has an implicit deny at the end of the list.
The AOS provides two types of IPv4 ACLs: standard and extended. A standard IPv4 ACL allows source
IPv4 address packet patterns only. An extended IPv4 ACL may specify patterns using most fields in the
IPv4 header and the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) header.
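The first-match evaluation described above (a matching permit in the ACL selects the packet, a matching deny or the implicit deny passes evaluation to the next ACP entry, and the ACP ends in an implicit discard) as a small Python model. This is an added example, not AOS code or text from the manual; the ACL names and addresses are constructed, and only standard (source-address) ACL patterns are modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    source: str   # source prefix in CIDR form (standard ACL: source address only)


@dataclass
class AcpEntry:
    action: str   # "allow", "discard" or "nat"
    acl: list     # ordered IPv4 ACL entries acting as the selector


def acl_selects(acl, src_ip):
    """First match wins. Only a matching permit selects the packet; a matching
    deny, or the implicit deny at the end of the list, means this ACP entry is
    skipped and evaluation continues with the next ACP entry."""
    ip = ipaddress.ip_address(src_ip)
    for entry in acl:
        if ip in ipaddress.ip_network(entry.source, strict=False):
            return entry.action == "permit"
    return False  # implicit deny at the end of the ACL


def acp_decide(acp, src_ip):
    """The first ACP entry whose ACL selects the packet decides its fate."""
    for entry in acp:
        if acl_selects(entry.acl, src_ip):
            return entry.action
    return "discard"  # implicit discard at the end of the ACP


# Constructed sample policy (hypothetical names and addresses, not from the manual).
TRUSTED = [AclEntry("deny", "10.0.0.5/32"),     # one excluded host ...
           AclEntry("permit", "10.0.0.0/24")]   # ... inside a permitted subnet
LAN = [AclEntry("permit", "192.168.1.0/24")]
BLOCK_HOST = [AclEntry("permit", "192.168.1.7/32")]

# Most specific entry first (as the manual recommends) versus general entry first.
GOOD_ORDER = [AcpEntry("allow", TRUSTED), AcpEntry("discard", BLOCK_HOST), AcpEntry("nat", LAN)]
BAD_ORDER = [AcpEntry("allow", TRUSTED), AcpEntry("nat", LAN), AcpEntry("discard", BLOCK_HOST)]


def demo():
    return {
        "trusted_host": acp_decide(GOOD_ORDER, "10.0.0.9"),             # allow
        "acl_deny_falls_through": acp_decide(GOOD_ORDER, "10.0.0.5"),   # implicit discard
        "nat_lan": acp_decide(GOOD_ORDER, "192.168.1.20"),              # nat
        "specific_first": acp_decide(GOOD_ORDER, "192.168.1.7"),        # discard
        "general_first_shadows": acp_decide(BAD_ORDER, "192.168.1.7"),  # nat, discard never reached
        "unmatched": acp_decide(GOOD_ORDER, "172.16.0.1"),              # implicit discard
    }
```

The BAD_ORDER result shows why a specific discard placed below a general nat or allow entry is dead configuration: the general entry matches first and the discard is never evaluated.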
Creating and Assigning IPv4 ACLs and IPv4 ACPs
Creating IPv4 ACPs and IPv4 ACLs to regulate traffic through the routed network is a four-step process:
Step 1: Enable the security features of AOS using the ip firewall command. Refer to the command
ip firewall on page 999 for more information.
Step 2: Create an IPv4 ACP that uses a configured IPv4 ACL by issuing the ip policy-class command. AOS IPv4
ACPs are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each IPv4
ACP consists of an action (allow, discard, nat) and a selector (IPv4 ACL). When packets are received on
an interface, the configured IPv4 ACPs are applied to determine whether the data will be processed or
discarded.
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
IPv4 Access Control List Command Set
3127