Command Reference Guide Global Configuration Mode Command Set
61200510L1-35E Copyright © 2005 ADTRAN 415
Technology Review
Concepts:
Access control using the AOS firewall has two fundamental parts: Access Control Lists (ACLs) and Access Policy Classes (ACPs). ACLs are used as packet selectors by other AOS systems; by themselves they do nothing. ACPs consist of a selector (ACL) and an action (allow, discard, NAT). ACPs integrate both allow and discard policies with NAT. ACPs have no effect until they are assigned to a network interface.
Both ACLs and ACPs are order dependent. When a packet is evaluated, the matching engine begins with the first entry in the list and progresses through the entries until it finds a match. The first entry that matches is executed.
Packet Flow:

Case 1: Packets from interfaces with a configured policy class to any other interface

ACPs are applied when packets are received on an interface. If an interface has not been assigned a policy class, by default it will allow all received traffic to pass through. If an interface has been assigned a policy class but the firewall has not been enabled with the ip firewall command, traffic will flow normally from this interface with no firewall processing.

Case 2: Packets that travel in and out a single interface with a configured policy class

These packets are processed through the ACPs as if they are destined for another interface (identical to Case 1).

Case 3: Packets from interfaces without a configured policy class to interfaces with one

These packets are routed normally and are not processed by the firewall. The ip firewall command has no effect on this traffic.
[Figure: Packet flow. Packet In -> Interface Association List -> Access Control Policies (permit, deny, NAT) -> Route Lookup -> Packet Out. A bypass path around the Access Control Policies step is labelled "If session hit, or no ACP configured".]
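As an added illustration of the first-match evaluation and the three packet-flow cases above (example code written for this page, not ADTRAN's), the following Python model looks up the policy class assigned to the receiving interface, walks its entries in order and returns the action; the ACL names, addresses, the "deny de-selects" ACL semantics and the implicit discard at the end of a policy class are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the evaluation order described above; it is not AOS code.
# ACL = ordered (verdict, src_net, dst_net) entries: the first entry matching the
# packet decides, "permit" selects it, "deny" explicitly de-selects it (assumed).
ACLS = {
    "SELF": [("permit", "0.0.0.0/0", "10.0.0.1/32")],             # traffic to the router
    "PRIVATE": [("deny", "192.168.1.50/32", "0.0.0.0/0"),          # one host excluded
                ("permit", "192.168.1.0/24", "0.0.0.0/0")],
}
# ACP = ordered (action, acl_name) entries with action allow / discard / nat.
ACPS = {"PRIVATE": [("allow", "SELF"), ("nat", "PRIVATE")]}
# Interface association: only eth 0/1 carries a policy class; ppp 1 has none.
IFACE_ACP = {"eth 0/1": "PRIVATE"}


def acl_selects(acl, pkt):
    """First matching ACL entry decides whether the packet is selected."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    for verdict, s, d in acl:
        if src in ip_network(s) and dst in ip_network(d):
            return verdict == "permit"
    return False            # no entry matched: the ACL does not select the packet


def evaluate(in_iface, pkt, acps=ACPS, ip_firewall_enabled=True):
    """Return the action applied to a packet received on in_iface."""
    acp_name = IFACE_ACP.get(in_iface)
    if acp_name is None:            # Case 3: no policy class, routed normally
        return "allow"
    if not ip_firewall_enabled:     # policy class assigned but 'ip firewall' not issued
        return "allow"
    for action, acl_name in acps[acp_name]:   # Cases 1 and 2: first match is executed
        if acl_selects(ACLS[acl_name], pkt):
            return action
    return "discard"                # assumed: implicit discard at the end of the ACP


if __name__ == "__main__":
    lan = {"src": "192.168.1.10", "dst": "10.0.0.1"}
    print(evaluate("eth 0/1", lan))                                   # allow (hits SELF)
    print(evaluate("eth 0/1", {"src": "192.168.1.10", "dst": "198.51.100.7"}))  # nat
    print(evaluate("eth 0/1", {"src": "192.168.1.50", "dst": "198.51.100.7"}))  # discard
    swapped = {"PRIVATE": [("nat", "PRIVATE"), ("allow", "SELF")]}
    print(evaluate("eth 0/1", lan, acps=swapped))                     # nat: order matters
```

Swapping the two ACP entries shows why order matters: traffic addressed to the router itself is then caught by the NAT entry before the allow entry is ever reached.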