Riverstone Networks WICT1-12 User Manual

24-12 Riverstone Networks RS Switch Router User Guide Release 8.0

Using ACLs

Access Control List Configuration

The following command creates a rate limit definition that causes flows matching Profile ACL prof2's selection
criteria (that is, traffic from 1.2.2.2) to be restricted to 10 Mbps per flow. Packets that exceed this rate
are dropped.

When the rate limit definition is applied to an interface (with the rate-limit apply interface command),
packets in flows originating from source address 1.2.2.2 are dropped once that flow's bandwidth usage exceeds
10 Mbps. Because the limit is enforced for each flow rather than on the aggregate, a source at 1.2.2.2 that
opens several flows can still send more than 10 Mbps in total through the interface.

rs(config)# rate-limit client1 input acl prof2 rate-limit 10000000 exceed-action drop-packets

Using Profile ACLs with Dynamic NAT

Network Address Translation (NAT) allows you to map an IP address used within one network to a different IP address
used within another network. NAT is often used to map addresses used in a private, local intranet to one or more
addresses used in the public, global Internet.

The RS supports two kinds of NAT: static NAT and dynamic NAT. With dynamic NAT, an IP address within a range
of local IP addresses is mapped to an IP address within a range of global IP addresses. For example, you can configure
IP addresses on network 10.1.1.0/24 to use an IP address in the range of IP addresses in network 192.50.20.0/24. You
can use a Profile ACL to define the range of local IP addresses.

The following command creates a Profile ACL called local. The local profile specifies as its selection criteria the range
of IP addresses in network 10.1.1.0/24.

rs(config)# acl local permit ip 10.1.1.0/24

Note

When a Profile ACL is defined for dynamic NAT, only the source IP address field in the acl statement is evaluated.
All other fields in the acl statement are ignored. Any destination address, port or other criteria written into such an
acl statement therefore do not restrict which traffic is translated; only the source address decides.

Once you have defined a Profile ACL, you can use the nat create dynamic command to bind the range of IP
addresses defined in the local profile to a range in network 192.50.20.0/24.

rs(config)# nat create dynamic local-acl-pool local global-pool 192.50.20.10/24

See Chapter 21, "Network Address Translation Configuration" for more information on using dynamic NAT.
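The Note above has a practical consequence that is easy to miss: constraints other than the source address in a Profile ACL used for dynamic NAT silently do nothing. The following Python model, added here as an example and not code from the RS or from Riverstone, evaluates a profile the way the Note describes (source field only), allocates global addresses from a pool and shows what happens when the pool runs out. The Acl record's dst and dport fields, the first-match rule, the implicit deny for unmatched sources, the drop on pool exhaustion and the /29 pool are all assumptions of this model, not documented RS behaviour.

```python
"""Dynamic NAT driven by a Profile ACL, modelling the behaviour described above.
Added example for this page, not the RS implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Acl:
    """One acl statement as this model records it. The dst and dport fields are the
    model's own additions, present only to show that profile-mode NAT ignores them."""
    name: str
    action: str                  # "permit" or "deny"
    src: str                     # source network, e.g. "10.1.1.0/24"
    dst: Optional[str] = None    # ignored when the ACL is used as a NAT profile
    dport: Optional[int] = None  # ignored when the ACL is used as a NAT profile


def profile_selects(profile: List[Acl], src: str) -> bool:
    """NAT-profile evaluation: only the source address is consulted. First matching
    entry decides and unmatched sources are not selected (both assumed here)."""
    addr = ipaddress.ip_address(src)
    for entry in profile:
        if addr in ipaddress.ip_network(entry.src):
            return entry.action == "permit"
    return False


class DynamicNat:
    """Binds each selected local address to a free address from the global pool."""

    def __init__(self, profile: List[Acl], global_pool: str) -> None:
        self.profile = profile
        self.free = [str(a) for a in ipaddress.ip_network(global_pool).hosts()]
        self.bindings: Dict[str, str] = {}    # local address -> global address

    def translate(self, src: str, dst: str, dport: int) -> Tuple[str, Optional[str]]:
        """Return (status, translated source). dst and dport are accepted only to make
        the point: they play no part in the decision."""
        if not profile_selects(self.profile, src):
            return "not_selected", None          # leaves the router untranslated
        if src not in self.bindings:
            if not self.free:
                return "pool_exhausted", None    # assumed behaviour: packet is dropped
            self.bindings[src] = self.free.pop(0)
        return "translated", self.bindings[src]


def demo() -> dict:
    """Constructed scenario: an operator writes the profile ACL with a destination and
    port, expecting only HTTPS to 192.0.2.10 to be translated; a /29 pool stands in
    for the page's 192.50.20.0/24 so that exhaustion is reached quickly."""
    profile = [Acl("local", "permit", "10.1.1.0/24", dst="192.0.2.10/32", dport=443)]
    nat = DynamicNat(profile, "192.50.20.0/29")   # six usable addresses
    out = {}
    out["https_to_intended_dst"] = nat.translate("10.1.1.5", "192.0.2.10", 443)
    out["ssh_to_other_dst"] = nat.translate("10.1.1.5", "198.51.100.7", 22)  # translated anyway
    out["outside_profile"] = nat.translate("10.1.2.5", "192.0.2.10", 443)
    for host in range(6, 11):                      # 10.1.1.6 .. 10.1.1.10 use up the pool
        nat.translate(f"10.1.1.{host}", "192.0.2.10", 443)
    out["seventh_host"] = nat.translate("10.1.1.11", "192.0.2.10", 443)
    out["bindings"] = dict(nat.bindings)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The SSH flow to an unrelated destination is translated with the same binding as the intended HTTPS flow, so the only reliable way to keep a host out of dynamic NAT is to exclude its address in the profile's source field, not to narrow the destination or port. Size the global pool for the number of distinct local sources the profile can select, since a host that cannot get a binding gets no translation at all.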

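Returning to the rate limit definition at the top of this page, the following Python model is added here as an example, not code from the RS or from Riverstone, to show what "10 Mbps for each flow" with exceed-action drop-packets means for offered traffic. It applies a token-bucket policer per flow only to flows the profile selects (source 1.2.2.2), drops what does not conform, and goes one step beyond the page by showing that several flows from the same source together pass far more than 10 Mbps. The burst allowance, the 4-tuple flow key and the constructed traffic pattern are assumptions of the model.

```python
"""Per-flow policer with exceed-action drop, modelling the rate-limit definition
above. Added example for this page, not Riverstone code."""
import ipaddress
from dataclasses import dataclass, field

RATE_BPS = 10_000_000       # 10 Mbps, the value in the page's rate-limit definition
BURST_BYTES = 15_000        # assumed burst allowance (ten 1500-byte packets); the page states none
PROFILE_SRC = "1.2.2.2/32"  # selection criteria of Profile ACL prof2: traffic from 1.2.2.2


@dataclass
class TokenBucket:
    """Token bucket in bytes, refilled at rate_bps / 8 bytes per second."""
    rate_bps: float
    burst_bytes: int
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # start full
        self.last = 0.0

    def conform(self, now: float, size: int) -> bool:
        """Spend `size` tokens if available; False means the packet exceeds the rate."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.rate_bps / 8)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class ProfileRateLimiter:
    """One bucket per flow, applied only to flows the profile selects."""

    def __init__(self, profile_src: str, rate_bps: float, burst_bytes: int) -> None:
        self.profile_src = ipaddress.ip_network(profile_src)
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.buckets = {}                       # flow key -> TokenBucket
        self.stats = {"forwarded": 0, "dropped": 0, "not_selected": 0}

    def handle(self, now: float, src: str, dst: str, sport: int, dport: int, size: int) -> str:
        if ipaddress.ip_address(src) not in self.profile_src:
            self.stats["not_selected"] += 1     # profile does not match: no policing at all
            return "forward"
        key = (src, dst, sport, dport)          # flow identity (assumed 4-tuple)
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate_bps, self.burst_bytes))
        if bucket.conform(now, size):
            self.stats["forwarded"] += 1
            return "forward"
        self.stats["dropped"] += 1              # exceed-action drop-packets
        return "drop"


def simulate(flows: int = 1, pkt_size: int = 1500,
             offered_bps: float = 20_000_000, duration: float = 1.0) -> dict:
    """Constructed traffic: `flows` flows from 1.2.2.2, each offered at offered_bps, plus
    one flow from 10.0.0.5 at the same rate that the profile does not select."""
    limiter = ProfileRateLimiter(PROFILE_SRC, RATE_BPS, BURST_BYTES)
    interval = pkt_size * 8 / offered_bps       # seconds between packets of one flow
    n = int(duration / interval)
    for i in range(n):
        t = i * interval
        for f in range(flows):
            limiter.handle(t, "1.2.2.2", "10.9.9.9", 40000 + f, 80, pkt_size)
        limiter.handle(t, "10.0.0.5", "10.9.9.9", 40000, 80, pkt_size)
    fwd_bps = limiter.stats["forwarded"] * pkt_size * 8 / duration
    return {**limiter.stats, "selected_forwarded_bps": fwd_bps}


if __name__ == "__main__":
    print(simulate())           # about half of a single 20 Mbps flow is dropped
    print(simulate(flows=4))    # four flows together pass about 40 Mbps: the limit is per flow
```

The unselected flow from 10.0.0.5 is never policed, which is the intended effect of binding the limit to a Profile ACL. If the goal is to cap what a source can send in total, a per-flow limit alone does not achieve it; the second simulation shows the same source passing roughly four times the limit by spreading traffic over four flows.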