Riverstone Networks WICT1-12 Network Router User Manual


 
24-10 Riverstone Networks RS Switch Router User Guide Release 8.0
Using ACLs Access Control List Configuration
24.3.4 Using ACLs as Profiles
You can use the acl command to define a profile. A profile specifies the criteria that addresses, flows, hosts, or packets must meet to be relevant to certain RS features. Once you have defined an ACL profile, you can use the profile with the configuration command for that feature. For example, the Network Address Translation (NAT) feature on the RS allows you to create address pools for dynamic bindings. You use ACL profiles to represent the appropriate pools of IP addresses.
The following RS features use ACL profiles (see Table 24-1).

Note the following about using profile ACLs:

- Only IP ACLs can be used as Profile ACLs. ACLs for non-IP protocols cannot be used as Profile ACLs.
- The permit/deny keywords, while required in the ACL rule definition, are disregarded in the configuration commands for the above-mentioned features. In other words, the configuration commands will act upon a specified Profile ACL whether or not the Profile ACL rule contains the permit or deny keyword.
- Only certain ACL rule parameters are relevant for each configuration command. For example, the configuration command to create NAT address pools for dynamic bindings (the nat create dynamic command) only looks at the source IP address in the specified ACL rule. The destination IP address, ports, and TOS parameters, if specified, are ignored.
Specific usage of Profile ACLs is described in more detail in the following sections.

Using Profile ACLs with the IP Policy Facility

The IP policy facility uses a Profile ACL to define criteria that determine which packets should be forwarded according to an IP policy. Packets that meet the criteria defined in the Profile ACL are forwarded according to the ip-policy command that references the Profile ACL.
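The two notes above that matter most in practice are that a profile ACL's permit/deny keyword is disregarded, and that each feature reads only some of the rule's parameters (dynamic NAT reads only the source address, IP policy reads the flow criteria). The following Python model, added here as an example and not taken from the RS guide or from any Riverstone software, makes both behaviours concrete for the IP policy and dynamic NAT cases and adds a review check that flags rule content a feature will silently ignore. The rule and packet field names, the profile_warnings check and the rejection of an "any" source for a NAT pool are this model's own assumptions, not RS CLI keywords or documented RS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    """One IP ACL rule (model only; field names are not RS CLI keywords).
    The action keyword is required by the acl command syntax but, as the
    guide states, it is disregarded once the ACL is used as a profile."""
    action: str                  # "permit" or "deny"
    src: str                     # source prefix such as "10.1.1.0/24", or "any"
    dst: str = "any"             # destination prefix, or "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tos: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    tos: int = 0


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _field_matches(spec: Optional[int], value: int) -> bool:
    # An unspecified rule parameter matches any value.
    return spec is None or spec == value


def ip_policy_selects(profile: List[AclRule], pkt: Packet) -> bool:
    """IP policy usage: the packet is subject to the policy if any rule's
    flow criteria (addresses, ports, TOS) match. permit/deny plays no part,
    so a "deny" rule still selects traffic for the policy."""
    return any(
        _addr_matches(r.src, pkt.src)
        and _addr_matches(r.dst, pkt.dst)
        and _field_matches(r.src_port, pkt.src_port)
        and _field_matches(r.dst_port, pkt.dst_port)
        and _field_matches(r.tos, pkt.tos)
        for r in profile
    )


def nat_local_pool(profile: List[AclRule]) -> list:
    """Dynamic NAT usage: only each rule's source prefix contributes to the
    local address pool; destination, ports, TOS and the action are ignored.
    Rejecting an "any" source is this model's assumption: a pool needs a
    concrete address range."""
    pool = []
    for r in profile:
        if r.src == "any":
            raise ValueError("a profile rule with source 'any' cannot define a NAT pool")
        pool.append(ipaddress.ip_network(r.src, strict=False))
    return pool


def profile_warnings(profile: List[AclRule], feature: str) -> List[str]:
    """Review check (assumed helper): list rule content that the named
    feature ("ip-policy" or "nat") will disregard, so that nobody relies
    on it for enforcement."""
    warnings = []
    for i, r in enumerate(profile, 1):
        if r.action == "deny":
            warnings.append(f"rule {i}: 'deny' is disregarded; the rule still selects traffic")
        if feature == "nat" and (
            r.dst != "any" or r.src_port is not None
            or r.dst_port is not None or r.tos is not None
        ):
            warnings.append(f"rule {i}: destination, ports and TOS are ignored by nat create dynamic")
    return warnings


# Constructed sample profile. An operator might expect the "deny" rule to
# exclude 10.1.1.0/24; as a profile it does the opposite and includes it.
SAMPLE_PROFILE = [
    AclRule("deny", "10.1.1.0/24", "any", None, 80, None),
    AclRule("permit", "192.168.0.0/16"),
]

if __name__ == "__main__":
    pkt = Packet("10.1.1.5", "172.16.0.1", 40000, 80)
    print("ip-policy selects packet:", ip_policy_selects(SAMPLE_PROFILE, pkt))
    print("NAT local pool:", [str(n) for n in nat_local_pool(SAMPLE_PROFILE)])
    for w in profile_warnings(SAMPLE_PROFILE, "nat"):
        print("warning:", w)
```

Running the block shows the packet from 10.1.1.5 to port 80 being selected by the IP policy despite the "deny" keyword, the whole 10.1.1.0/24 prefix landing in the NAT pool, and two warnings for the first rule when the profile is reviewed for NAT use.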
Table 24-1  Features that use ACL profiles

RS Feature      ACL Profile Usage
IP policy       Specifies the packets that are subject to the IP routing policy.
Dynamic NAT     Defines local address pools for dynamic bindings.
Port mirroring  Defines traffic to be mirrored.
Rate limiting   Specifies the incoming traffic flow to which rate limiting is applied.
Web caching     Specifies which HTTP traffic should always (or never) be redirected to the
                cache servers. Specifies characteristics of Web objects that should not be cached.