ADTRAN 5000 Series User Manual
Command Reference Guide
Global Configuration Mode Command Set
61200990L1-35E
Copyright © 2005 ADTRAN
Technology Review
Creating access policies and lists to regulate traffic through the routed network is a four-step process:
Step 1:
Enable the security features of the AOS using the ip firewall command.
Step 2:
Create an access list to permit or deny specified traffic. Standard access lists provide pattern matching for
source IP addresses only. (Use extended access lists for more flexible pattern matching.) IP addresses
can be expressed in one of three ways:
1. Using the keyword any to match any IP address. For example, entering deny any will effectively shut
down the interface that uses the access list because all traffic will match the any keyword.
2. Using the host keyword followed by a single IP address. For example, entering permit host
196.173.22.253 will allow all traffic from the host with an IP address of 196.173.22.253.
3. Using an IP address followed by a wildcard mask to match a range of addresses. Wildcard masks use
reverse logic from a subnet mask: a one in the wildcard mask equates to a “don’t care.” For
example, entering permit 192.168.0.0 0.0.0.255 will permit all traffic from the 192.168.0.0/24 network.
Step 3:
Create an access policy that uses a configured access list. AOS access policies are used to allow, discard,
or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector (access list)
and an action (allow, discard, NAT). When packets are received on an interface, the configured ACPs are
applied to determine whether the data will be processed or discarded. Possible actions performed by the
access policy are as follows:
allow list
All packets passed by the access list(s) entered will be allowed to enter the router system.
discard list
All packets passed by the access list(s) entered will be dropped from the router system.
allow list
All packets passed by the access list(s) entered and destined for the interface using the access policy
listed will be permitted to enter the router system. This allows for configurations to permit packets to a
single interface and not the entire system.
discard list
All packets passed by the access list(s) entered and destined for the interface using the access policy
listed will be blocked from the router system. This allows for configurations to deny packets on a specified
interface.
nat source list
All packets passed by the access list(s) and destined for the interface using the access policy listed will be
modified to replace the source IP address with the entered IP address. The overload keyword allows
multiple source IP addresses to be replaced with the single IP address entered. This hides private IP
addresses from outside the local network.
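The selector-and-action model described above, as an added Python illustration (not AOS code): wildcard matching in the reverse logic of a subnet mask, top-down first-match evaluation of a standard access list, and an access policy that pairs each list with an allow, discard or NAT action. The implicit deny at the end of a list, the implicit discard at the end of a policy and the sample addresses are assumptions of this model.

```python
# Added example: models how a standard access list (the selector) and an access
# policy (the action) decide what happens to a packet. Illustrative only, not AOS code.
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF

def parse_spec(spec: str) -> tuple[int, int]:
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into (address, wildcard) integers."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, MASK32                    # every bit is "don't care"
    if parts[0] == "host":
        return int(IPv4Address(parts[1])), 0   # every bit must match
    addr, wild = parts
    return int(IPv4Address(addr)), int(IPv4Address(wild))

def matches(src: str, spec: str) -> bool:
    """A 1 bit in the wildcard mask is ignored; only the 0 bits are compared."""
    addr, wild = parse_spec(spec)
    care = ~wild & MASK32
    return (int(IPv4Address(src)) & care) == (addr & care)

def acl_passes(acl: list[tuple[str, str]], src: str) -> bool:
    """Standard list: entries (action, spec) are checked top-down, first match wins.
    Assumption of the model: an implicit deny follows the last entry."""
    for action, spec in acl:
        if matches(src, spec):
            return action == "permit"
    return False

def acp_action(policy: list[tuple[str, list[tuple[str, str]]]], src: str) -> str:
    """Access policy: ordered (action, acl) pairs; the first list that passes the
    packet supplies the action. Assumption of the model: implicit discard at the end.
    Note that a 'permit' entry in a list selects the packet; the policy decides its fate."""
    for action, acl in policy:
        if acl_passes(acl, src):
            return action
    return "discard"

# Constructed sample: a policy that drops one host, then NATs the 192.168.0.0/24 LAN.
BLOCKED_HOST = [("permit", "host 196.173.22.253")]
LAN_TRUSTED = [("permit", "192.168.0.0 0.0.0.255")]
SAMPLE_POLICY = [("discard", BLOCKED_HOST),
                 ("nat source 203.0.113.1 overload", LAN_TRUSTED)]
```

Running acp_action(SAMPLE_POLICY, "192.168.0.50") yields the NAT action, while a "deny any" list passes nothing, which is why it shuts down the interface that uses it.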