Enhancements
Release M.10.02 Enhancements
For example, suppose you want to configure a
1. Permit inbound client traffic with a DA of 11.11.11.42.
2. Permit inbound Telnet traffic for DA 11.11.11.101.
3. Deny inbound Telnet traffic for all other IP addresses in the 11.11.11.0 network.
4. Permit inbound HTTP traffic for any IP address in the 11.11.11.0 network.
5. Deny all other inbound traffic.
The following ACL model, when invoked by a client authenticating with the credentials configured in the RADIUS server for this ACL, supports the above case:
1. Permit in ip from any to 11.11.11.42
2. Permit in tcp from any to 11.11.11.101 23
3. Deny in tcp from any to 11.11.11.0/24 23
4. Permit in tcp from any to 11.11.11.1/24 80
5. (implicit deny in ip any to any)
1. Permits inbound IP traffic from the authenticated client to the destination address 11.11.11.42. Packets matching this criterion are forwarded and are not compared to any later ACE in the list. Packets not matching this criterion will be compared to the next entry in the list.
2. Permits inbound Telnet traffic from the authenticated client to the destination address 11.11.11.101. Packets matching this criterion are forwarded and are not compared to any later ACE in the list. Packets not matching this criterion will be compared to the next entry in the list.
3. Denies inbound Telnet traffic from the authenticated client to any IP address in the 11.11.11.0 network. Since packets matching entry “2” will never reach this ACE, the Telnet traffic permitted by entry “2” will not be affected. Packets matching this criterion will be denied and will not be compared to any later criteria in the list. Packets not matching this criterion will be compared to the next entry in the list.
4. Permits inbound HTTP traffic from the authenticated client to any address in the 11.11.11.1 network. Packets matching this criterion are permitted and are not compared to any later criteria in the list. Packets not matching this criterion are compared to the next entry in the list.
5. This entry does not appear in an actual ACL, but is implicit as the last entry in every ACL. Any inbound traffic from the authenticated client that does not match any of the criteria in the ACL’s preceding ACE entries will be denied (dropped).
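The first-match evaluation described above, as an added example that is not part of the release notes and does not model the switch's actual implementation: the four configured ACEs from the ACL model are encoded as a constructed list, and a small evaluator walks them in order and falls through to the implicit deny. It shows why Telnet to 11.11.11.42 is still forwarded (entry 1 matches first) while Telnet to any other host in 11.11.11.0/24 is dropped by entry 3.

```python
import ipaddress

# Constructed ACE list mirroring the four configured entries in the ACL model.
# The implicit "deny in ip any to any" is not listed; evaluate() supplies it.
# Each ACE: (action, protocol, destination network, destination TCP port or None)
RADIUS_ACL = [
    ("permit", "ip",  "11.11.11.42/32",  None),
    ("permit", "tcp", "11.11.11.101/32", 23),
    ("deny",   "tcp", "11.11.11.0/24",   23),
    ("permit", "tcp", "11.11.11.1/24",   80),  # written as in the ACL model; host bits ignored
]

def _ace_matches(ace, proto, dst_ip, dst_port):
    """True if one ACE matches an inbound packet from the authenticated client."""
    _action, ace_proto, ace_net, ace_port = ace
    # "ip" matches any IP protocol; "tcp" matches only TCP packets
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(ace_net, strict=False):
        return False
    if ace_port is not None and ace_port != dst_port:
        return False
    return True

def evaluate(acl, proto, dst_ip, dst_port=None):
    """Return (action, ace_number) for the first matching ACE.

    Later ACEs are never consulted once an entry matches. A packet that matches
    no configured ACE hits the implicit deny, reported as ("deny", None).
    """
    for number, ace in enumerate(acl, start=1):
        if _ace_matches(ace, proto, dst_ip, dst_port):
            return ace[0], number
    return "deny", None

if __name__ == "__main__":
    # Constructed sample packets (protocol, destination address, destination port)
    samples = [
        ("tcp", "11.11.11.42", 23),   # Telnet to .42: permitted by ACE 1, ACE 3 never seen
        ("tcp", "11.11.11.101", 23),  # Telnet to .101: permitted by ACE 2
        ("tcp", "11.11.11.77", 23),   # Telnet elsewhere in the subnet: denied by ACE 3
        ("tcp", "11.11.11.77", 80),   # HTTP in the subnet: permitted by ACE 4
        ("udp", "11.11.11.77", 53),   # anything else: implicit deny
    ]
    for proto, ip, port in samples:
        print(f"{proto} -> {ip}:{port} => {evaluate(RADIUS_ACL, proto, ip, port)}")
```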
Figure 5. Example of How a
Overriding the Implicit “deny IP any any”.