Cisco 10000 Series Router Software Configuration Guide
OL-2226-23

Chapter 22

Configuring Template ACLs

When user profiles are configured using RADIUS Attribute 242, similar per-user access control lists
(ACLs) may be replaced by a single Template ACL. That is, one ACL represents many similar ACLs. In
Cisco IOS Release 12.2(28)SB, by using Template ACLs, you can increase the total number of ACLs
used in the Cisco 10000 series routers but minimize the memory and CPU consumption in processing
the ACLs.

The Template ACL feature is useful for customers in a broadband environment with tens of thousands
of subscribers. Network implementations that use a unique ACL for each subscriber can easily exceed
the maximum available resources on the Cisco 10000 series routers. In networks where each subscriber
has its own ACL, it is common for the ACL to be the same for each user except for the user’s IP address.
Template ACLs alleviate this problem by grouping ACLs with many common access control elements
(ACEs) into a single ACL that compiles faster and saves system resources. By using the Template ACL
feature, service providers can provision unique ACLs for up to 60,000 subscribers using RADIUS
Attribute 242. Configuration of ACLs remains the same as in previous Cisco IOS versions.

For example, the following two ACLs can be sent using Attribute 242, one for each of two separate
users:

ip access-list extended Virtual-Access1.1#1
 permit igmp any host 1.1.1.1
 permit icmp host 1.1.1.1 any
 deny ip host 44.33.66.36 host 1.1.1.1
 deny tcp host 1.1.1.1 host 44.33.66.36
 permit udp any host 1.1.1.1
 permit udp host 1.1.1.1 any
 permit udp any host 192.168.2.1
 permit udp any host 192.170.2.1
 permit icmp host 42.55.15.4 host 192.168.2.1
 permit udp 11.22.11.0 0.0.0.255 host 192.177.2.1
 permit tcp any host 192.170.2.1
 permit ip host 42.55.15.4 host 192.168.2.1
 permit tcp 11.22.11.0 0.0.0.255 host 192.177.2.1

ip access-list extended Virtual-Access1.1#2
 permit igmp any host 13.1.1.2
 permit icmp host 13.1.1.2 any
 deny ip host 44.33.66.36 host 13.1.1.2
 deny tcp host 13.1.1.2 host 44.33.66.36
 permit udp any host 13.1.1.2
 permit udp host 13.1.1.2 any
 permit udp any host 192.168.2.1
 permit udp any host 192.170.2.1
 permit icmp host 42.55.15.4 host 192.168.2.1
 permit udp 11.22.11.0 0.0.0.255 host 192.177.2.1
 permit tcp any host 192.170.2.1
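The two per-user ACLs above differ only in the subscriber's own address, which is exactly the condition under which the router can fold them into one Template ACL. The following Python script is an added illustration of that folding logic and is not Cisco code: it parses IOS-style named extended ACLs, substitutes a placeholder for the subscriber's address, and groups ACLs whose remaining ACEs are identical (same entries, same order) into one template, then reports how many ACL bodies and ACEs the router would have to hold before and after. The sample configuration is constructed here (four subscribers modelled on the page's ACLs, one of them carrying an extra ACE so it cannot share the template); the subscriber address is inferred by frequency only for this offline demo, since on the router it is known from the session itself.

```python
"""Fold per-subscriber IOS extended ACLs that differ only in the subscriber's
address into shared templates (added example, not Cisco's implementation)."""
import re
from collections import Counter, defaultdict

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)$")
HOST_IP = re.compile(r"\bhost (\d{1,3}(?:\.\d{1,3}){3})\b")
PLACEHOLDER = "host <SUBSCRIBER>"


def user_acl(name, subscriber_ip, extra=()):
    """Build one per-subscriber ACL in the style of the chapter's examples.
    Constructed sample data; the ACE set is modelled on the page's ACLs."""
    ip = subscriber_ip
    aces = [
        f"permit igmp any host {ip}",
        f"permit icmp host {ip} any",
        f"deny ip host 44.33.66.36 host {ip}",
        f"deny tcp host {ip} host 44.33.66.36",
        f"permit udp any host {ip}",
        f"permit udp host {ip} any",
        "permit udp any host 192.168.2.1",
        "permit tcp any host 192.170.2.1",
    ] + list(extra)
    return f"ip access-list extended {name}\n" + "".join(f" {a}\n" for a in aces)


# Constructed sample: three subscribers share the same ACE shape, the fourth
# carries one extra deny entry and therefore needs its own template.
SAMPLE_CONFIG = (
    user_acl("Virtual-Access1.1#1", "1.1.1.1")
    + user_acl("Virtual-Access1.1#2", "13.1.1.2")
    + user_acl("Virtual-Access1.1#3", "10.20.30.40")
    + user_acl("Virtual-Access1.1#4", "13.1.1.9",
               extra=["deny ip any host 172.16.0.5"])
)


def parse_acls(config_text):
    """Return {acl_name: [ace, ...]} from named extended ACL text."""
    acls = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif current is not None:
            acls[current].append(line)
    return acls


def infer_subscriber_ip(aces):
    """Pick the most frequent 'host A.B.C.D' address as the subscriber's own.
    Demo heuristic only: the router knows this address from the session."""
    counts = Counter(ip for ace in aces for ip in HOST_IP.findall(ace))
    return counts.most_common(1)[0][0] if counts else None


def templatize(aces, subscriber_ip):
    """Replace the subscriber's address with a placeholder so ACLs that differ
    only in that address compare equal; the tuple preserves ACE order."""
    if subscriber_ip is None:
        return tuple(aces)
    return tuple(ace.replace(f"host {subscriber_ip}", PLACEHOLDER) for ace in aces)


def group_templates(acls, subscriber_ips=None):
    """Return {template: [(acl_name, subscriber_ip), ...]}.
    subscriber_ips may map ACL name -> address when it is known explicitly."""
    groups = defaultdict(list)
    for name, aces in acls.items():
        ip = (subscriber_ips or {}).get(name) or infer_subscriber_ip(aces)
        groups[templatize(aces, ip)].append((name, ip))
    return dict(groups)


def summarize(acls, subscriber_ips=None):
    """Return (user ACLs, templates, ACEs before folding, ACEs after folding)."""
    groups = group_templates(acls, subscriber_ips)
    before = sum(len(aces) for aces in acls.values())
    after = sum(len(template) for template in groups)
    return (len(acls), len(groups), before, after)


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    users, templates, before, after = summarize(acls)
    print(f"{users} per-user ACLs -> {templates} templates; "
          f"{before} ACEs -> {after} ACEs")
    for template, members in group_templates(acls).items():
        print("template shared by", [name for name, _ in members])
        for ace in template:
            print("  ", ace)
```

Run as-is it reports 4 per-user ACLs folding into 2 templates (33 ACEs down to 17). The point worth keeping in mind from the page is that the saving comes only from ACLs that are identical apart from the subscriber address: any subscriber whose ACL has an extra or reordered ACE, as the fourth one here, falls out of the shared template and costs a full ACL of its own.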
