
4. To remove an ACL from an interface:

a. Select Delete for the appropriate interface in the Selected Interfaces table.

b. Click Apply.

The interface disappears from the Selected Interfaces section.

5.To make your changes permanent, click Save.

Configuring ACL Rules

An Access Control List (ACL) is a container for a set of rules, and traffic is separated into packet streams by the ACL. The content and ordering of the rules are critical. As packets are passed to an ACL, the packet headers are compared against the data in each rule in a top-down fashion. When a match is found, the action associated with that rule is taken, and no further scanning is done for that packet.

The following actions can be associated with a rule that is configured to perform packet filtering:

• Accept

• Drop

• Reject

The following additional actions can also be associated with a rule:

• Skip—skip this rule and proceed to the next rule

• Prioritize—give this traffic stream preferential scheduling on output

• Shape—coerce this traffic’s throughput according to the set of parameters given by an aggregation class

You can configure an access list to control the traffic from one or more interfaces, and each access list can be associated with incoming or outgoing traffic from each interface. However, the prioritize action is executed only on outgoing traffic.

Rules can be set up to match any of these properties:

• IP source address

• IP destination address

• IP protocol

• UDP/TCP source port

• UDP/TCP destination port

• TCP establishment flags—When selected, traffic matches this rule when it is part of the initial TCP handshake.

• Type of Service (TOS) for IPv4; Traffic Class for IPv6
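
The following added example (not part of the Nokia guide and not IPSO code) models the top-down, first-match evaluation described above and flags rules that can never fire because an earlier rule already covers them. The `Rule` fields, function names, and sample addresses are constructed for illustration; it handles IPv4 only, and because this section does not say what happens to a packet that matches no rule, that case returns `None`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                        # hypothetical model of one ACL rule
    name: str
    action: str                    # "accept", "drop", "reject" or "skip"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any IP protocol
    dport: Optional[int] = None    # None matches any destination port

def _net(cidr):
    return ipaddress.ip_network(cidr)

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt["src"]) in _net(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in _net(rule.dst)
            and rule.proto in (None, pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))

def evaluate(acl, pkt):
    """Top-down scan: the first matching rule decides; 'skip' rules are passed over."""
    for rule in acl:
        if rule.action != "skip" and matches(rule, pkt):
            return rule.name, rule.action
    return None, None   # no match; default handling is not covered in this section

def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in (None, b.proto)
            and a.dport in (None, b.dport))

def shadowed(acl):
    """(later rule, earlier rule) pairs where the later rule can never fire."""
    active = [r for r in acl if r.action != "skip"]
    return [(later.name, earlier.name)
            for i, later in enumerate(active)
            for earlier in active[:i] if covers(earlier, later)]

# Constructed sample: the broad accept is listed first, so the drop never fires.
PKT = {"src": "10.1.2.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 23}
BAD = [Rule("allow-lan", "accept", src="10.1.0.0/16"),
       Rule("block-telnet", "drop", src="10.1.2.0/24", proto="tcp", dport=23)]
```

Reversing the two rules in `BAD` makes the same packet hit `block-telnet` first, and `shadowed()` then returns an empty list.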

The following values can be used to mark traffic:

• DiffServ codepoint (DSfield)

• Queue Specifier (QueueSpec)


Nokia Network Voyager for IPSO 4.0 Reference Guide
