[rbak-nsp] Policy access-list

Bartek Mickiewicz bmtych at gmail.com
Mon Jul 15 02:21:59 EDT 2019


Maybe my question was not clear enough.
My client uses PPPoE for Internet access; RADIUS assigns a forward policy
which uses ip access-group.

forward policy FP-DEFAULT
 ip access-group ACL-DEFAULT r01
  class Permit
  class Deny
   drop


 policy access-list ACL-DEFAULT
  seq 96 permit tcp host xxx.xxx.xxx.xxx any eq 8080 class Permit
  seq 97 permit tcp host yyy.yyy.yyy.yyy any eq 8080 class Permit
  seq 98 permit tcp any any eq 8080 class Deny

On Fri, 12 Jul 2019, 10:59 Анатолий Соломатин, <solomatin.av at gmail.com>
wrote:

> Redback traffic is controlled by an ACL and/or a QoS policy.
> Example:
> 1) ACL
>  ip access-list CONTROL_DNS_NTP_USER
>   seq 1000 deny udp any neq domain any eq domain
>   seq 1001 deny udp any neq ntp any eq ntp
>   seq 1100 permit ip any any
> !
>  subscriber default
>    ip access-group  CONTROL_DNS_NTP_USER   out
> !
> 2) QoS Policy (policing or metering)
> context USER
>  policy access-list REDBACK_IN
>   seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>   seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>   seq 98 permit tcp any any eq 88 class Deny
>  exit
> exit
> !
> (config)#qos policy  REDBACK_IN  policing
>  ip access-group REDBACK_IN USER
>   class Permit
>   class Deny
>    drop
>   exit
> !
> context USER
> subscriber default
>  qos policy policing REDBACK_IN
>
> Fri, 12 Jul 2019 at 12:53, Bartek Mickiewicz <bmtych at gmail.com>:
>
>> I've used your ACL but without effect; I can still access port 88 from
>> IPs other than x and y. Those three statements are the first three in my ACL.
>>
>> On Fri, 12 Jul 2019, 09:36 Анатолий Соломатин, <solomatin.av at gmail.com>
>> wrote:
>>
>>> Hi,
>>> seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>>> seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>>> seq 98 permit tcp any any eq 88 class Deny
>>>
>>> "
>>> 1.1.2   IP ACL Statements (Rules)
>>> <http://localhost:9032/alexserv?AC=LINK&ID=26857&FN=35_1543-CRA1191170_1-V1Uen.M.html&PA=access-list&ST=FULLTEXT#TOP>
>>> In IP ACLs, each rule defines the action, either permit or deny, to be
>>> taken for a packet if the packet satisfies the rule. A *permit*
>>> statement causes any packet matching the criteria to be accepted. A
>>> *deny* statement causes any packet matching the criteria to be dropped.
>>> A packet that does not match the criteria of the first statement is
>>> subjected to the criteria of the second statement, and so on, until the end
>>> of the IP ACL is reached; at which point, the packet is dropped due to
>>> an implicit *deny any any* statement at the end of every IP ACL."
>>>
>>> Fri, 12 Jul 2019 at 11:49, Bartek Mickiewicz <bmtych at gmail.com>:
>>>
>>>> Hi,
>>>> I'm having a problem with policy access-list. I want to block all
>>>> incoming connections to port 88 and allow two IP addresses to access that
>>>> port.
>>>> I've tried:
>>>> seq 98 permit tcp any any eq 88 class Deny
>>>> seq 103 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>>>> seq 103 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>>>> _______________________________________________
>>>> redback-nsp mailing list
>>>> redback-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>>>
>>>
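The rule-order point made in the thread above (the catch-all class Deny at seq 98 sitting ahead of the host-specific Permit rules in the original attempt, versus the reply's order with the Permit rules first), as an added Python example that is not from the thread or from the vendor. The addresses are constructed placeholders standing in for xx.xx.xx.xx and yy.yy.yy.yy, and the parser only handles the single rule shape shown in the thread:

```python
import re

# Added example, not from the thread or the vendor: a first-match evaluator for
# "policy access-list" rules of the shape shown in the thread, limited to
# "seq N permit tcp host A|any any eq P class C". Addresses are constructed
# placeholders standing in for xx.xx.xx.xx and yy.yy.yy.yy.
RULE_RE = re.compile(
    r"seq (?P<seq>\d+) permit tcp (?:host (?P<src>\S+)|any) any eq (?P<port>\d+) class (?P<cls>\S+)"
)

ALLOWED_A, ALLOWED_B, OTHER = "192.0.2.10", "192.0.2.20", "198.51.100.5"

# The order from the original question: the catch-all Deny sits at seq 98,
# ahead of the host-specific Permit rules (seq 103 twice, as posted).
ORIGINAL_ORDER = f"""
seq 98 permit tcp any any eq 88 class Deny
seq 103 permit tcp host {ALLOWED_A} any eq 88 class Permit
seq 103 permit tcp host {ALLOWED_B} any eq 88 class Permit
"""

# The order from the reply: host-specific Permit rules first, catch-all Deny last.
CORRECTED_ORDER = f"""
seq 96 permit tcp host {ALLOWED_A} any eq 88 class Permit
seq 97 permit tcp host {ALLOWED_B} any eq 88 class Permit
seq 98 permit tcp any any eq 88 class Deny
"""


def parse_policy_acl(text):
    """Parse rule lines into (seq, src_host_or_None, dst_port, class) tuples, in seq order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append((int(m["seq"]), m["src"], int(m["port"]), m["cls"]))
    return sorted(rules, key=lambda r: r[0])  # stable sort keeps duplicate seqs in posted order


def classify(rules, src_ip, dst_port):
    """Return the class of the first matching rule; no match means the implicit deny any any."""
    for _seq, src, port, cls in rules:
        if port == dst_port and (src is None or src == src_ip):
            return cls
    return "implicit-deny"


def compare_orders(src_ip, dst_port=88):
    """Classify one flow under both rule orders, e.g. {'original': 'Deny', 'corrected': 'Permit'}."""
    return {
        "original": classify(parse_policy_acl(ORIGINAL_ORDER), src_ip, dst_port),
        "corrected": classify(parse_policy_acl(CORRECTED_ORDER), src_ip, dst_port),
    }
```

Under the original order both allowed hosts land in class Deny because seq 98 matches first; under the corrected order they land in Permit while every other source on port 88 still lands in Deny.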