beautypg.com

Using profile acls with the ip policy facility – Cabletron Systems SMARTSWITCH ROUTER 9032578-05 User Manual

Page 295

background image

SmartSwitch Router User Reference Manual

269

Chapter 19: Access Control List Configuration Guide

Unlike with other kinds of ACLs, there is no implicit deny rule for Profile ACLs.

Only certain ACL rule parameters are relevant for each configuration command. For
example, the configuration command to create NAT address pools for dynamic
bindings (the nat create dynamic command) only looks at the source IP address in the
specified ACL rule. The destination IP address, ports, and TOS parameters, if specified,
are ignored.

Specific usage of Profile ACLs is described in more detail in the following sections.

Using Profile ACLs with the IP Policy Facility

The IP policy facility uses a Profile ACL to define criteria that determines which packets
should be forwarded according to an IP policy. Packets that meet the criteria defined in the
Profile ACL are forwarded according to the ip-policy command that references the Profile
ACL.

For example, you can define an IP policy that causes all telnet packets travelling from
source network 9.1.1.0/24 to destination network 15.1.1.0/24 to be forwarded to
destination address 10.10.10.10. You use a Profile ACL to define the selection criteria (in
this case, telnet packets travelling from source network 9.1.1.0/24 to destination network
15.1.1.0/24). Then you use an ip-policy command to specify what happens to packets that
match the selection criteria (in this example, forward them to address 10.10.10.10). The
following commands illustrate this example.

This command creates a Profile ACL called prof1 that uses as its selection criteria all telnet
packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24:

This Profile ACL is then used in conjunction with the ip-policy command to cause packets
matching prof1’s selection criteria (that is, telnet packets travelling from 9.1.1.0/24 to
15.1.1.0/24) to be forwarded to 10.10.10.10:

See

“IP Policy-Based Forwarding Configuration Guide” on page 207

for more information

on using the ip-policy command.

Using Profile ACLs with the Traffic Rate Limiting Facility

Traffic rate limiting is a mechanism that allows you to control bandwidth usage of
incoming traffic on a per-flow basis. A flow meeting certain criteria can have its packets
re-prioritized or dropped if its bandwidth usage exceeds a specified limit.

For example, you can cause packets in flows from source address 1.2.2.2 to be dropped if
their bandwidth usage exceeds 10 Mbps. You use a Profile ACL to define the selection

ssr(config)# acl prof1 permit ip 9.1.1.0/24 15.1.1.0/24 any any telnet 0

ssr(config)# ip-policy p5 permit profile prof1 next-hop-list 10.10.10.10

See also other documents in the category Cabletron Systems Hardware: