ADTRAN AOS Version R10.1.0 Command Reference Manual page 3141

Adtran operating system (aos)
Command Reference Guide
permit <source>
Use the permit command to configure the standard Internet Protocol version 4 (IPv4) access control list
(ACL) to permit specified packets entry into the routing system. Use the no form of this command to
remove the permit permission from the IPv4 ACL. Variations of this command include:
permit <source>
permit <source> log
permit <source> track <name>
Syntax Description
<source>
Specifies the source used for IPv4 packet matching. Sources can be expressed in one
of four ways:
1. Using the keyword any to match any IPv4 address.
2. Using host <ip address> to specify a single host address. IPv4 addresses should
be expressed in dotted decimal notation (for example, 10.10.10.1).
3. Using the <ip address> <wildcard mask> format to match all IPv4 addresses in a
range. The wildcard mask corresponds to a range of IPv4 addresses (network) or
a specific host. Wildcard masks are expressed in dotted decimal notation (for
example, 0.0.0.255).
4. Using the keyword hostname <hostname> to match based on a DNS name. The
unit must be configured with DNS servers for this function to work. Using vrf
<name> in conjunction with the hostname parameter associates a nondefault
VRF with the DNS host name for the source. The VRF is required if the router's
DNS server is on a nondefault VRF. This parameter can only be used with the
hostname source.
log
Optional. Enables logging of any packets that match the IPv4 ACL entry.
track <name>
Optional. Makes the IPv4 ACL entry dependent upon a track.
Default Values
By default, all AOS security features are disabled, and there are no configured IPv4 ACLs.
Command History
Release 2.1
Command was introduced.
Release 16.1
Command was expanded to include the log, track, and vrf parameters.
Functional Notes
IPv4 Access control lists (ACLs) are used as packet selectors by different AOS features (firewall, virtual
private network (VPN), quality of service (QoS)); by themselves they do nothing. IPv4 ACLs are composed
of an ordered list of entries with an implicit deny all at the end of each list. An IPv4 ACL entry contains two
parts: an action (permit or deny) and a packet pattern. A permit IPv4 ACL is used to match packets
(meeting the specified pattern) to enter the router system. A deny IPv4 ACL advances AOS to the next
access policy entry. AOS provides two types of IPv4 ACLs: standard and extended. Standard IPv4 ACLs
match based on the source of the packet. Extended IPv4 ACLs match based on the source and destination
of the packet.
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
IPv4 Access Control List Command Set
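The source-matching rules from the Syntax Description and Functional Notes can be checked offline with a small model. The following Python sketch is an added example, not ADTRAN code: it evaluates a standard IPv4 ACL entry by entry, assuming the first matching entry decides and that wildcard-mask bits set to 1 are ignored. The function names and sample ACL are constructed for illustration; hostname sources and the track keyword are not modelled.

```python
import ipaddress

def parse_source(tokens):
    """Turn a standard-ACL <source> into (address, wildcard) integers."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF                 # every bit is "don't care"
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0   # every bit must match
    if tokens[0] == "hostname":
        raise ValueError("hostname sources need DNS and are not modelled")
    addr, wildcard = tokens                  # <ip address> <wildcard mask>
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))

def parse_acl(text):
    """Parse 'permit|deny <source> [log]' lines, preserving their order."""
    entries = []
    for line in text.strip().splitlines():
        words = line.split()
        action, rest = words[0], words[1:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        addr, wild = parse_source(rest)
        entries.append((action, addr, wild, log))
    return entries

def evaluate(entries, src):
    """Return (action, entry index, log). Index None means the implicit deny."""
    ip = int(ipaddress.IPv4Address(src))
    for i, (action, addr, wild, log) in enumerate(entries):
        # Bits set in the wildcard are ignored; the rest must equal the entry.
        if ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action, i, log
    return "deny", None, False               # implicit deny all at end of list

# Constructed sample: exclude one host, select the rest of its /24 with logging.
SAMPLE = """
deny host 10.10.10.1
permit 10.10.10.0 0.0.0.255 log
"""
# Same entries in the opposite order: the broad permit shadows the host deny.
REVERSED = "\n".join(reversed(SAMPLE.strip().splitlines()))

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("REVERSED", REVERSED)):
        acl = parse_acl(text)
        for src in ("10.10.10.1", "10.10.10.77", "192.168.1.5"):
            print(name, src, evaluate(acl, src))
```

Running the model against a proposed ACL before deployment shows which entry each test address hits, which makes shadowed deny entries and overly broad wildcard masks visible.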