ADTRAN AOS Version R10.1.0 Command Reference Manual page 3145

Command Reference Guide
When packets are received on an interface with an IPv4 ACP applied, the IPv4 ACP is used to determine
whether the data is processed or discarded. Both IPv4 ACLs and IPv4 ACPs are order dependent. When a
packet is evaluated, the matching engine begins with the first entry in the list and progresses through the
entries until it finds a match. The first entry that matches is executed. The IPv4 ACP has an implicit
discard at the end of the list. Typically, the most specific entries should be at the top and the most general
at the bottom.
IPv4 Access Control Lists (ACLs)
IPv4 ACLs are used as packet selectors by IPv4 ACPs. They must be assigned to an IPv4 ACP in order to
be active.
An IPv4 ACP must use an IPv4 ACL. You cannot apply an IPv4 ACL to an IPv6 ACP, or
vice versa. In addition, every IPv4 ACL and IPv4 ACP must have a name different from any
configured IPv6 ACL or IPv6 ACP.
IPv4 ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or
deny) and a packet pattern. A permit action is used to allow packets (meeting the specified pattern) to
enter the router system. A deny action is used to disregard packets (that do not match the pattern) and
proceed to the next entry on the IPv4 ACP. The IPv4 ACL has an implicit deny at the end of the list.
The AOS provides two types of IPv4 ACLs: standard and extended. A standard IPv4 ACL allows source
IPv4 address packet patterns only. An extended IPv4 ACL may specify patterns using most fields in the
IPv4 header and the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) header.
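The following is an added example, not code from the ADTRAN manual: a small Python model of the evaluation order described above. It treats an IPv4 ACL as an ordered permit/deny list with an implicit deny, a standard ACL as matching on source address only, an extended ACL as matching on source, destination, protocol and port, and an IPv4 ACP as an ordered list of (action, ACL) pairs evaluated first match wins with an implicit discard at the end. A deny entry in an ACL, or no match at all, means that ACL does not select the packet and the engine moves on to the next ACP entry. The ACL names (MGMT, WEB), the ACP name (PUBLIC) and all addresses are constructed for the example; the `build_policy` and `decide` helpers are mine and correspond to no AOS command.

```python
# Added example (not from the ADTRAN manual): a model of how an AOS-style IPv4 ACP
# evaluates packets against its IPv4 ACLs, first match wins, with the implicit deny
# at the end of each ACL and the implicit discard at the end of the ACP.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"  # stands in for the AOS keyword "any"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str = ANY
    dst: str = ANY               # checked only by extended ACLs
    proto: Optional[str] = None  # None = any protocol (extended ACLs only)
    dport: Optional[int] = None  # None = any destination port (extended ACLs only)

    def matches(self, pkt: Packet, extended: bool) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if not extended:
            return True  # standard ACL: the source address is the only selector
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class Acl:
    name: str
    extended: bool
    entries: List[AclEntry] = field(default_factory=list)

    def selects(self, pkt: Packet) -> bool:
        """True only if the first matching entry is a permit. A matching deny, or no
        match at all (the implicit deny), means this ACL does not select the packet."""
        for entry in self.entries:
            if entry.matches(pkt, self.extended):
                return entry.action == "permit"
        return False


@dataclass
class Acp:
    name: str
    entries: List[Tuple[str, Acl]] = field(default_factory=list)  # (action, ACL)

    def evaluate(self, pkt: Packet) -> str:
        """Return "allow", "discard" or "nat" from the first ACP entry whose ACL
        selects the packet; falling off the end is the implicit discard."""
        for action, acl in self.entries:
            if acl.selects(pkt):
                return action
        return "discard"


def build_policy(specific_first: bool = True) -> Acp:
    # Constructed sample policy; names and addresses are made up for the example.
    deny_host = AclEntry("deny", src="10.1.1.99/32")    # most specific entry
    permit_net = AclEntry("permit", src="10.1.1.0/24")  # more general entry
    mgmt = Acl("MGMT", extended=False,
               entries=[deny_host, permit_net] if specific_first
               else [permit_net, deny_host])
    web = Acl("WEB", extended=True,
              entries=[AclEntry("permit", src=ANY, dst="192.168.1.10/32",
                                proto="tcp", dport=443)])
    return Acp("PUBLIC", entries=[("allow", mgmt), ("allow", web)])


def decide(pkt: Packet, specific_first: bool = True) -> str:
    """Evaluate one packet against the sample ACP (hypothetical helper)."""
    return build_policy(specific_first).evaluate(pkt)


if __name__ == "__main__":
    samples = [
        Packet("10.1.1.5", "192.168.1.1", "tcp", 22),      # MGMT permits -> allow
        Packet("10.1.1.99", "192.168.1.1", "tcp", 22),     # MGMT denies, WEB no match -> discard
        Packet("10.1.1.99", "192.168.1.10", "tcp", 443),   # MGMT denies, WEB permits -> allow
        Packet("203.0.113.7", "192.168.1.10", "udp", 53),  # nothing selects -> implicit discard
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, p.dport, "=>", decide(p))
    # With the general permit ahead of the specific deny, the deny is never reached.
    print("misordered MGMT:", decide(samples[1], specific_first=False))
```

The third sample is the point the text makes about deny: a deny in the MGMT ACL does not drop the packet, it only stops that ACL from selecting it, and the WEB entry further down the ACP still allows it. The last line shows why the most specific entries belong at the top: once the general permit precedes the host-specific deny, the deny is dead and the blocked host is allowed.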
Creating and Assigning IPv4 ACLs and IPv4 ACPs
Creating IPv4 ACPs and IPv4 ACLs to regulate traffic through the routed network is a four-step process:
Step 1:
Enable the security features of AOS using the ip firewall command. Refer to the command
ip firewall on page 999 for more information.
Step 2:
Create an IPv4 ACP that uses a configured IPv4 ACL by issuing the ip policy-class command. AOS IPv4
ACPs are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each IPv4
ACP consists of an action (allow, discard, nat) and a selector (IPv4 ACL). When packets are received on
an interface, the configured IPv4 ACPs are applied to determine whether the data will be processed or
discarded.
Step 3:
Create an IPv4 ACL to permit or deny specified traffic by using either the ip access-list extended or ip
access-list standard command. Standard IPv4 ACLs match based on the source IPv4 address of the
packet. Extended IPv4 ACLs match based on the source and destination of the packet. Refer to the
command ip access-list extended <ipv4 acl name> on page 982 or the command
ip access-list standard <ipv4 acl name> on page 984 for more information. Sources can be expressed in
one of four ways:
1. Using the keyword any to match any IPv4 address.

60000CRG0-35E Copyright © 2012 ADTRAN, Inc. IPv4 Access Control Policy Command Set 3145