[rbak-nsp] Policy access-list

Анатолий Соломатин solomatin.av at gmail.com
Fri Jul 12 04:59:45 EDT 2019


Redback traffic is controlled by an ACL and/or a QoS policy.
Example:
1) ACL
 ip access-list CONTROL_DNS_NTP_USER
  seq 1000 deny udp any neq domain any eq domain
  seq 1001 deny udp any neq ntp any eq ntp
  seq 1100 permit ip any any
!
 subscriber default
   ip access-group  CONTROL_DNS_NTP_USER   out
!
2) QoS Policy (policing or metering)
context USER
 policy access-list REDBACK_IN
  seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit
  seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit
  seq 98 permit tcp any any eq 88 class Deny
 exit
exit
!
(config)#qos policy  REDBACK_IN  policing
 ip access-group REDBACK_IN USER
  class Permit
  class Deny
   drop
  exit
!
context USER
subscriber default
 qos policy policing REDBACK_IN

Fri, 12 Jul 2019 at 12:53, Bartek Mickiewicz <bmtych at gmail.com>:

> I've used your ACL but without effect, still can access port 88 from other
> IPs than x and y. Those three statements are my first three in the ACL.
>
> On Fri, 12 Jul 2019, 09:36 Анатолий Соломатин, <solomatin.av at gmail.com>
> wrote:
>
>> Hi,
>> seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>> seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>> seq 98 permit tcp any any eq 88 class Deny
>>
>> "
>> 1.1.2   IP ACL Statements (Rules)
>> <http://localhost:9032/alexserv?AC=LINK&ID=26857&FN=35_1543-CRA1191170_1-V1Uen.M.html&PA=access-list&ST=FULLTEXT#TOP>
>> In IP ACLs, each rule defines the action, either permit or deny, to be
>> taken for a packet if the packet satisfies the rule. A *permit*
>> statement causes any packet matching the criteria to be accepted. A
>> *deny* statement causes any packet matching the criteria to be dropped.
>> A packet that does not match the criteria of the first statement is
>> subjected to the criteria of the second statement, and so on, until the end
>> of the IP ACL is reached; at which point, the packet is dropped due to
>> an implicit *deny any any* statement at the end of every IP ACL."
>>
>> Fri, 12 Jul 2019 at 11:49, Bartek Mickiewicz <bmtych at gmail.com>:
>>
>>> Hi,
>>> I'm having a problem with policy access-list. I want to block all incoming
>>> connections to port 88 and allow two IP addresses to access that port.
>>> I've tried:
>>> seq 98 permit tcp any any eq 88 class Deny
>>> seq 103 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>>> seq 103 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>>> _______________________________________________
>>> redback-nsp mailing list
>>> redback-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>>
>>
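The whole thread turns on first-match evaluation: the first rule whose criteria a packet satisfies decides its class, so a catch-all `permit tcp any any eq 88 class Deny` placed ahead of the host-specific rules shadows them. The following is an added illustration, not Redback/SmartEdge code and not something from the list, that models just the rule syntax the thread uses (`seq`, `permit`/`deny`, `tcp`/`udp`/`ip`, `any` or `host A.B.C.D`, an optional numeric `eq PORT` on the destination, an optional `class NAME`) and walks both rule orders through it. The addresses are constructed placeholders standing in for xx.xx.xx.xx and yy.yy.yy.yy. Two caveats: the parser flags a sequence number used twice, as in the first attempt's two `seq 103` lines, because the thread does not say how the CLI treats that; and unmatched traffic is reported as `implicit-deny` following the quoted IP ACL documentation, whereas whether a QoS policing policy drops or merely leaves unclassified traffic that hits no class is not settled by the thread.

```python
"""First-match evaluator for Redback-style (policy) ACL rules.

Added example, not vendor code. Models only: 'seq N permit|deny PROTO SRC [eq|neq P] DST
[eq PORT] [class NAME]' where SRC/DST is 'any' or 'host A.B.C.D' and ports are numeric.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    seq: int
    action: str           # permit / deny
    proto: str            # tcp / udp / ip ('ip' matches any protocol)
    src: Optional[str]    # None means 'any'
    dst: Optional[str]    # None means 'any'
    dport: Optional[int]  # None means any destination port
    cls: Optional[str]    # QoS class name, if the rule carries one


def _parse_addr(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (address or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address syntax: {tokens[i]}")


def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "seq":
        raise ValueError(f"rule must start with 'seq': {line}")
    seq, action, proto = int(t[1]), t[2], t[3]
    src, i = _parse_addr(t, 4)
    if i < len(t) and t[i] in ("eq", "neq"):  # source-port qualifier: not modelled, skipped
        i += 2
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2
    cls = None
    if i < len(t) and t[i] == "class":
        cls, i = t[i + 1], i + 2
    return Rule(seq, action, proto, src, dst, dport, cls)


def parse_acl(lines: List[str]) -> Tuple[List[Rule], List[str]]:
    """Return rules in ascending seq order (stable) plus warnings for reused seq numbers."""
    rules = [parse_rule(l) for l in lines if l.strip()]
    warnings, seen = [], set()
    for r in rules:
        if r.seq in seen:
            warnings.append(f"seq {r.seq} is used more than once")
        seen.add(r.seq)
    return sorted(rules, key=lambda r: r.seq), warnings


def matches(r: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((r.proto == "ip" or r.proto == proto)
            and (r.src is None or r.src == src)
            and (r.dst is None or r.dst == dst)
            and (r.dport is None or r.dport == dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First match wins: return (class or action, seq); 'implicit-deny' with seq None if no rule matches."""
    for r in rules:
        if matches(r, proto, src, dst, dport):
            return (r.cls or r.action), r.seq
    return "implicit-deny", None


# Constructed placeholder addresses (documentation ranges), not values from the thread.
TRUSTED_A, TRUSTED_B, OTHER, SERVER = "192.0.2.10", "192.0.2.20", "203.0.113.5", "198.51.100.1"

FIRST_ATTEMPT = [  # order from the original question: catch-all class Deny first
    "seq 98 permit tcp any any eq 88 class Deny",
    f"seq 103 permit tcp host {TRUSTED_A} any eq 88 class Permit",
    f"seq 103 permit tcp host {TRUSTED_B} any eq 88 class Permit",
]
REORDERED = [  # order from the reply: specific Permit rules before the catch-all
    f"seq 96 permit tcp host {TRUSTED_A} any eq 88 class Permit",
    f"seq 97 permit tcp host {TRUSTED_B} any eq 88 class Permit",
    "seq 98 permit tcp any any eq 88 class Deny",
]


def classify(acl_lines: List[str], src: str, dport: int = 88) -> str:
    """Class assigned to a TCP packet from src to SERVER:dport under the given ACL text."""
    rules, _ = parse_acl(acl_lines)
    return evaluate(rules, "tcp", src, SERVER, dport)[0]


if __name__ == "__main__":
    for name, acl in (("first attempt", FIRST_ATTEMPT), ("reordered", REORDERED)):
        rules, warnings = parse_acl(acl)
        print(f"{name}: {warnings or 'no warnings'}")
        for src in (TRUSTED_A, TRUSTED_B, OTHER):
            print(f"  {src} -> :88  class {evaluate(rules, 'tcp', src, SERVER, 88)}")
        print(f"  {OTHER} -> :443 class {evaluate(rules, 'tcp', OTHER, SERVER, 443)}")
```

Running it shows the trusted hosts landing in class Deny under the first ordering because seq 98 matches them before seq 103 is ever consulted, and in class Permit once the host rules carry lower sequence numbers than the catch-all; a packet to another port matches nothing under either order.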