Chapter 19: Access Control List Configuration Guide

criteria (in this case, flows from source address 1.2.2.2). Then you use a rate-limit command to specify what happens to packets that match the selection criteria (in this example, drop them if their bandwidth usage exceeds 10 Mbps). The following commands illustrate this example.

This command creates a Profile ACL called prof2 that uses as its selection criteria all packets originating from source address 1.2.2.2:

ssr(config)# acl prof2 permit ip 1.2.2.2

The following command creates a rate limit definition that causes flows matching Profile ACL prof2’s selection criteria (that is, traffic from 1.2.2.2) to be restricted to 10 Mbps for each flow. If this rate limit is exceeded, the packets are dropped.

ssr(config)# rate-limit client1 input acl prof2 rate-limit 10000000 exceed-action drop-packets

When the rate limit definition is applied to an interface (with the rate-limit apply interface command), packets in flows originating from source address 1.2.2.2 are dropped if their bandwidth usage exceeds 10 Mbps.

See “Limiting Traffic Rate” on page 303 for more information on using the rate-limit command.

Using Profile ACLs with Dynamic NAT

Network Address Translation (NAT) allows you to map an IP address used within one network to a different IP address used within another network. NAT is often used to map addresses used in a private, local intranet to one or more addresses used in the public, global Internet.

The SSR supports two kinds of NAT: static NAT and dynamic NAT. With dynamic NAT, an IP address within a range of local IP addresses is mapped to an IP address within a range of global IP addresses. For example, you can configure IP addresses on network 10.1.1.0/24 to use an IP address in the range of IP addresses in network 192.50.20.0/24. You can use a Profile ACL to define the ranges of local IP addresses.

The following command creates a Profile ACL called local. The local profile specifies as its selection criteria the range of IP addresses in network 10.1.1.0/24.

ssr(config)# acl local permit ip 10.1.1.0/24

Note: When a Profile ACL is defined for dynamic NAT, only the source IP address field in the acl statement is evaluated. All other fields in the acl statement are ignored.
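The two uses of a Profile ACL described above (per-flow rate limiting with exceed-action drop-packets, and source-only matching for dynamic NAT) as a small Python model, added here as an illustration; it is not the SSR's own code. The packet record layout, the one-second window meter, and the one-global-address-per-local-host mapping are assumptions made for the model.

```python
import ipaddress
from collections import defaultdict

def pkt(src, dst, proto, length, t):
    # Constructed packet record: addresses, protocol, size in bytes, arrival time in seconds
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "len": length, "t": t}

class ProfileAcl:
    """acl <name> permit <proto> <src> [<dst>]: selection criteria, not a packet filter."""
    def __init__(self, name, src, dst="0.0.0.0/0", proto="ip"):
        self.name, self.proto = name, proto
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, p, source_only=False):
        if p["src"] not in self.src:
            return False
        if source_only:                     # dynamic NAT: every other field is ignored
            return True
        return p["dst"] in self.dst and self.proto in ("ip", p["proto"])

class RateLimit:
    """rate-limit ... input acl <acl> rate-limit <bps> exceed-action drop-packets,
    modelled (assumption) as a per-flow byte budget inside each one-second window."""
    def __init__(self, acl, bps):
        self.acl, self.budget = acl, bps // 8          # bytes per second per flow
        self.used = defaultdict(int)                   # (flow, second) -> bytes forwarded

    def forward(self, p):
        if not self.acl.matches(p):
            return True                                # not selected: forwarded untouched
        key = ((p["src"], p["dst"], p["proto"]), int(p["t"]))
        if self.used[key] + p["len"] > self.budget:
            return False                               # exceed-action drop-packets
        self.used[key] += p["len"]
        return True

def dynamic_nat(acl, pool, pkts):
    """Give each matching local source its own address from the global pool (assumption)."""
    free = iter(ipaddress.ip_network(pool).hosts())
    table, out = {}, []
    for p in pkts:
        if acl.matches(p, source_only=True):
            table.setdefault(p["src"], next(free))
            p = dict(p, src=table[p["src"]])
        out.append(p)
    return out
```

With prof2 defined as `ProfileAcl("prof2", "1.2.2.2")` and a 10000000 bps limit, a second 1 MB packet from 1.2.2.2 to the same destination within the same second is dropped while traffic from other sources passes unmetered.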

270

SmartSwitch Router User Reference Manual

Cabletron Systems 9032578-05 manual Using Profile ACLs with Dynamic NAT