33 configuring acl – CANOGA PERKINS 9175 Configuration Guide User Manual

Page 230

Advertising
background image

CanogaOS Configuration Guide

33-1

33 Configuring ACL

33.1 Overview

Access control lists (ACLs) classify traffic with the same characteristics. The ACL can
have multiple access control entries (ACEs), which are commands that match fields
against the contents of the packet. ACLs can filter packets received on interface by many
fields such as ip address, mac address and deny or permit the packets.

33.2 Terminology

Following is a brief description of terms and concepts used to describe the PIM-SM
protocol:

Access control entry (ACE)
Each ACE includes an action element (permit or deny) and a filter element based on
criteria such as source address, destination address, protocol, and protocol-specific
parameters.
MAC ACL
MAC ACL can filter packet by mac-sa and mac-da, and the mac-address can be masked,
or configured as host id, or configured as any to filter all MAC addresses. MAC ACL can
also filter other L2 fields such as COS, VLAN-ID, L2 type, L3 type.
IPv4 ACL
IPv4 ACL can filter packet by ip-sa and ip-da, and ip-address can be masked, or
configured as host id, or configured as any to filter all IPv4 address. IPv4 ACL can also
filter other L3 fields such as DSCP , L4 protocol and L4 fields such as TCP port, UDP
port, and so on.
IPv6 ACL
IPv6 ACL can filter packet by ipv6-sa and ipv6-da, and ipv6 address can be masked, or
configured as host id, or configured as any to filter all IPv6 address. IPv6 ACL can also
filter other L3 fields such as DSCP , L4 protocol and L4 fields such as TCP port, UDP
port, and so on.
Time Range
Time range can define a period of time only between which the ACE can be valid if the
ACE is associated to the time range.

33.3 Configuration

In this example, use MAC ACL on interface eth-0-1, to permit packets with source mac
1111.1111.1111 and deny any other packets. Use IPv4 ACL on interface eth-0-2, to
permit packets with source ip 1.1.1.1/24 and deny any other packets. Use IPv6 ACL on
interface eth-0-3, to permit UPD packets and deny any other packets.

Advertising
Popular Brands
Popular manuals