354 Configuring and Managing Security ACLs

Setting a Source IP ACL

You can create an ACE that filters packets based on the source IP address and optionally applies CoS packet handling. (For CoS details, see “Class of Service” on page 355.) You can also determine where the ACE is placed in the security ACL by using the before editbuffer-index or modify editbuffer-index variables with an index number. You can use the hits counter to track how many packets the ACL filters.

The simplest security ACL permits or denies packets from a source IP address:

set security acl ip acl-name {permit [cos cos] | deny} source-ip-addr mask [before editbuffer-index | modify editbuffer-index]

For example, to create ACL acl-1 that permits all packets from IP address 192.168.1.4, type the following command:

23x0# set security acl ip acl-1 permit 192.168.1.4 0.0.0.0

With the following basic security ACL command, you can specify any of the protocols supported by WSS Software:

set security acl ip acl-name {permit [cos cos] | deny} {protocol} {source-ip-addr mask destination-ip-addr mask} [precedence precedence] [tos tos] [before editbuffer-index | modify editbuffer-index]

The following sample security ACL permits all Generic Routing Encapsulation (GRE) packets from source IP address 192.168.1.11 to destination IP address 192.168.1.15, with a precedence level of 0 (routine), and a type-of-service (TOS) level of 0 (normal). (For more information about type-of-service and precedence levels, see the Nortel Mobility System Software Command Reference.) GRE is protocol number 47.

23x0# set security acl ip acl-2 permit cos 2 47 192.168.1.11 0.0.0.0 192.168.1.15 0.0.0.0 precedence 0 tos 0 hits

The security ACL acl-2 described above also applies the CoS level 2 (medium priority) to the permitted packets. (For CoS details, see “Class of Service” on page 355.) The keyword hits counts the number of times this ACL affects packet traffic.
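The matching behaviour behind these commands, as an added example that is not part of the Nortel manual: a small Python model of an ACE with the fields from the syntax above, the wildcard mask semantics used in the examples (0.0.0.0 matches the exact host), first-match evaluation in editbuffer order, the before editbuffer-index placement, and the hits counter. The implicit deny for unmatched traffic and the packet field names are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, pattern: str, mask: str) -> bool:
    """True if addr matches pattern under a wildcard mask (1 bits are don't-care)."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    keep = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (a & keep) == (p & keep)

@dataclass
class ACE:
    """One entry of a security ACL; field names follow the command syntax."""
    action: str                         # "permit" or "deny"
    src: str
    src_mask: str                       # wildcard mask: 0.0.0.0 = exact host
    protocol: Optional[int] = None      # IP protocol number (47 = GRE); None = any
    dst: str = "0.0.0.0"
    dst_mask: str = "255.255.255.255"   # default: any destination
    precedence: Optional[int] = None
    tos: Optional[int] = None
    cos: Optional[int] = None           # CoS level applied to permitted packets
    hits: int = 0                       # the "hits" counter

    def matches(self, pkt: dict) -> bool:
        for name in ("protocol", "precedence", "tos"):
            want = getattr(self, name)
            if want is not None and pkt[name] != want:
                return False
        return (wildcard_match(pkt["src"], self.src, self.src_mask)
                and wildcard_match(pkt["dst"], self.dst, self.dst_mask))

def add_ace(acl: list, ace: ACE, before: Optional[int] = None) -> list:
    """Append, or place the ACE ahead of editbuffer-index `before` (1-based)."""
    if before is None:
        acl.append(ace)
    else:
        acl.insert(before - 1, ace)
    return acl

def evaluate(acl: list, pkt: dict):
    """First matching ACE decides and its hits counter is incremented.
    Unmatched traffic is denied (assumed implicit deny at the end of the ACL)."""
    for ace in acl:
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action, (ace.cos if ace.action == "permit" else None)
    return "deny", None

# Constructed sample data: acl-1 and acl-2 as configured in the commands above.
ACL_1 = [ACE("permit", "192.168.1.4", "0.0.0.0")]
ACL_2 = [ACE("permit", "192.168.1.11", "0.0.0.0", protocol=47, dst="192.168.1.15",
             dst_mask="0.0.0.0", precedence=0, tos=0, cos=2)]
```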

Table 22 lists common IP protocol numbers. (For a complete list of IP protocol names and numbers, see http://www.iana.org/assignments/protocol-numbers.) For commands that set security ACLs for specific protocols, see the following information:

“Setting an ICMP ACL” on page 357

“Setting a TCP ACL” on page 359

“Setting a UDP ACL” on page 359

Table 22: Common IP Protocol Numbers

Number   IP Protocol
1        Internet Control Message Protocol (ICMP)
2        Internet Group Management Protocol (IGMP)
6        Transmission Control Protocol (TCP)
9        Any private interior gateway (used by Cisco for Interior Gateway Routing Protocol)

320657-A

Nortel Networks 2300 manual Setting a Source IP ACL, Common IP Protocol Numbers