
CanogaOS Configuration Guide

Proprietary & Confidential Canoga Perkins Metro Ethernet Switches

Page 289 of 350

32 Configuring ACL

32.1 ACL

Access control lists (ACLs) classify traffic that shares the same characteristics. An ACL can
contain multiple access control entries (ACEs), each of which matches specified fields against
the contents of a packet. ACLs can filter packets received on an interface by many fields, such as
IP address or MAC address, and then deny or permit those packets.

32.1.1 Terminology
Following is a brief description of the terms and concepts used to describe the ACL feature:

Access control entry (ACE)

Each ACE includes an action element (permit or deny) and a filter element based on criteria such
as source address, destination address, protocol, and protocol-specific parameters.

MAC ACL

A MAC ACL filters packets by source MAC address (mac-sa) and destination MAC address (mac-da).
Each MAC address can be masked, configured as a host address, or configured as any to match all
MAC addresses. A MAC ACL can also filter on other L2 fields such as COS, VLAN-ID, L2 type and
L3 type.

IPv4 ACL

An IPv4 ACL filters packets by source IP address (ip-sa) and destination IP address (ip-da).
Each IP address can be masked, configured as a host address, or configured as any to match all
IPv4 addresses. An IPv4 ACL can also filter on other L3 fields such as DSCP and L4 protocol, and
on L4 fields such as TCP port and UDP port.

IPv6 ACL

An IPv6 ACL filters packets by source IPv6 address (ipv6-sa) and destination IPv6 address
(ipv6-da). Each IPv6 address can be masked, configured as a host address, or configured as any
to match all IPv6 addresses. An IPv6 ACL can also filter on other L3 fields such as DSCP and L4
protocol, and on L4 fields such as TCP port and UDP port.

Time Range

A time range defines a period of time. An ACE that is associated with a time range is valid only
within that period.

32.2 Configuration

In this example, a MAC ACL is applied on interface eth-0-1 to permit packets with source MAC
1111.1111.1111 and deny any other packets. An IPv4 ACL is applied on interface eth-0-2 to permit
packets with source IP 1.1.1.1/24 and deny any other packets. An IPv6 ACL is applied on interface
eth-0-3 to permit UDP packets and deny any other packets.
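The following Python model is an added example, not CanogaOS code or CLI: it implements the ACL semantics described in 32.1.1 (ordered ACEs, each with a permit/deny action and a filter element; MAC and IP addresses given as masked, host, or any; L4 protocol matching; an optional time range) and then expresses the three ACLs of the 32.2 scenario in that model. The mask convention (a set mask bit means the bit is compared), the first-match evaluation order and the implicit deny at the end of each ACL are assumptions made for the model; the packets are constructed sample data.

```python
# Added example (not CanogaOS code): a small classifier that models the ACL semantics this
# chapter describes - ordered ACEs with an action and a filter element, MAC/IP addresses given
# as masked, host or any, L4 protocol matching, optional time range, and implicit deny.
from dataclasses import dataclass
from datetime import time as clocktime
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional, Tuple, Union


def parse_mac(text: str) -> int:
    """Accept the manual's dotted form (1111.1111.1111) or colon/dash separated form."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {text!r}")
    return int(digits, 16)


def at(hour: int, minute: int = 0) -> clocktime:
    """Time-of-day helper used for time-range checks."""
    return clocktime(hour, minute)


@dataclass(frozen=True)
class MacMatch:
    """Value/mask pair. Assumed convention: a 1 bit in mask means that bit is compared."""
    value: int
    mask: int

    @staticmethod
    def host(mac: str) -> "MacMatch":      # exact address: every mask bit set
        return MacMatch(parse_mac(mac), 0xFFFFFFFFFFFF)

    @staticmethod
    def wildcard() -> "MacMatch":          # the manual's "any": no bit is compared
        return MacMatch(0, 0)

    @staticmethod
    def masked(mac: str, mask: str) -> "MacMatch":
        return MacMatch(parse_mac(mac), parse_mac(mask))

    def matches(self, mac: str) -> bool:
        return (parse_mac(mac) & self.mask) == (self.value & self.mask)


@dataclass
class Packet:
    """Constructed frame summary; only the fields the ACEs below inspect."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None        # None for a non-IP frame
    dst_ip: Optional[str] = None
    l4_proto: Optional[str] = None      # "tcp", "udp", "icmp", ...


@dataclass
class Ace:
    action: str                                     # "permit" or "deny"
    src_mac: Optional[MacMatch] = None              # None = field not checked
    src_net: Optional[Union[IPv4Network, IPv6Network]] = None
    l4_proto: Optional[str] = None
    time_range: Optional[Tuple[clocktime, clocktime]] = None  # ACE valid only inside it

    def active(self, now: clocktime) -> bool:
        if self.time_range is None:
            return True
        start, end = self.time_range
        return start <= now <= end

    def matches(self, pkt: Packet, now: clocktime) -> bool:
        if not self.active(now):
            return False
        if self.src_mac is not None and not self.src_mac.matches(pkt.src_mac):
            return False
        if self.src_net is not None:
            if pkt.src_ip is None:                  # a non-IP frame cannot match an IP ACE
                return False
            addr = ip_address(pkt.src_ip)
            if addr.version != self.src_net.version or addr not in self.src_net:
                return False
        if self.l4_proto is not None and pkt.l4_proto != self.l4_proto:
            return False
        return True


class Acl:
    def __init__(self, name: str, aces):
        self.name, self.aces = name, list(aces)

    def evaluate(self, pkt: Packet, now: clocktime = at(12)) -> Tuple[str, Optional[int]]:
        """First matching ACE wins; returns (action, ACE index), or the implicit deny."""
        for idx, ace in enumerate(self.aces):
            if ace.matches(pkt, now):
                return ace.action, idx
        return "deny", None


# The 32.2 scenario in this model. ip_network(strict=False) applies the prefix as a mask,
# so "1.1.1.1/24" becomes the 1.1.1.0/24 network.
ACL_ETH_0_1 = Acl("eth-0-1 MAC ACL", [Ace("permit", src_mac=MacMatch.host("1111.1111.1111")),
                                      Ace("deny", src_mac=MacMatch.wildcard())])
ACL_ETH_0_2 = Acl("eth-0-2 IPv4 ACL", [Ace("permit", src_net=ip_network("1.1.1.1/24", strict=False)),
                                       Ace("deny")])
ACL_ETH_0_3 = Acl("eth-0-3 IPv6 ACL", [Ace("permit", src_net=ip_network("::/0"), l4_proto="udp"),
                                       Ace("deny")])

if __name__ == "__main__":
    for acl, pkt in [(ACL_ETH_0_1, Packet("1111.1111.1111", "ffff.ffff.ffff")),
                     (ACL_ETH_0_1, Packet("1111.1111.2222", "ffff.ffff.ffff")),
                     (ACL_ETH_0_2, Packet("0000.0000.0001", "0000.0000.0002", "1.1.1.200", "9.9.9.9", "tcp")),
                     (ACL_ETH_0_3, Packet("0000.0000.0001", "0000.0000.0002", "2001:db8::1", "2001:db8::2", "udp"))]:
        print(acl.name, pkt.src_mac, pkt.src_ip, pkt.l4_proto, "->", acl.evaluate(pkt))
```

Two points the model makes visible that the prose only implies: a frame that carries no IP header can never match an IP ACE, so on eth-0-2 it falls through to the deny entry, and an ACE whose time range has expired is skipped entirely, so a permit that is out of its window leaves the packet to the implicit deny.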