<div dir="ltr">Redback traffic is controlled by the ACL and/or QoS policy.<br><div>Example</div><div>1) ACL</div><div> ip access-list CONTROL_DNS_NTP_USER<br> seq 1000 deny udp any neq domain any eq domain<br> seq 1001 deny udp any neq ntp any eq ntp<br> seq 1100 permit ip any any<br>!<br></div><div> subscriber default<br> ip access-group
CONTROL_DNS_NTP_USER out<br></div><div>!</div><div>2) QoS Policy (policing or metering)</div><div>context USER</div><div> policy access-list REDBACK_IN<br></div><div><span style="font-family:sans-serif;font-size:12.8px"> seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px"> seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit</span> <span class="gmail-im" style=""><br><div style="color:rgb(80,0,80)"><span style="font-family:sans-serif;font-size:12.8px"> seq 98 permit tcp any any eq 88 class Deny</span></div><div style="color:rgb(80,0,80)"><font face="sans-serif"><span style="font-size:12.8px"> exit</span></font></div><div style="color:rgb(80,0,80)"><font face="sans-serif"><span style="font-size:12.8px">exit</span></font></div><div style="color:rgb(80,0,80)">!</div><div style="color:rgb(80,0,80)">(config)#qos policy
<span style="color:rgb(34,34,34)">REDBACK_IN</span> policing <font face="sans-serif"><span style="font-size:12.8px"><br></span></font></div><div style="color:rgb(80,0,80)"> ip access-group <span style="color:rgb(34,34,34)">REDBACK_IN USER</span></div><div style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"> </span><span style="color:rgb(34,34,34)">class </span><span style="font-family:sans-serif;font-size:12.8px;color:rgb(34,34,34)">Permit</span></div><div style="color:rgb(80,0,80)"><span style="font-family:sans-serif;font-size:12.8px;color:rgb(34,34,34)"> class Deny</span></div><div style="color:rgb(80,0,80)"><span style="font-family:sans-serif;font-size:12.8px;color:rgb(34,34,34)"> drop</span></div><div style=""><font face="sans-serif"><span style="font-size:12.8px"> exit</span></font></div><div style=""><font face="sans-serif"><span style="font-size:12.8px">!</span></font></div><div style=""><font face="sans-serif"><span style="font-size:12.8px">context USER</span></font></div><div style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)">subscriber default</span> </div><div style="color:rgb(80,0,80)"> qos policy policing <span style="color:rgb(34,34,34)">REDBACK_IN</span><span style="font-family:sans-serif;font-size:12.8px;color:rgb(34,34,34)"><br></span></div></span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Fri, 12 Jul 2019 at 12:53, Bartek Mickiewicz <<a href="mailto:bmtych@gmail.com">bmtych@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">I've used your ACL but without effect; I can still access port 88 from other IPs than x and y. Those three statements are my first three in the ACL. 
</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 12 Jul 2019, 09:36 Анатолий Соломатин, <<a href="mailto:solomatin.av@gmail.com" target="_blank">solomatin.av@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><span style="font-family:sans-serif;font-size:12.8px">seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px">seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit</span> <br><div><span style="font-family:sans-serif;font-size:12.8px">seq 98 permit tcp any any eq 88 class Deny</span><br style="font-family:sans-serif;font-size:12.8px"><br></div><div>"</div><div class="gmail-m_-1111375434278736934m_1102287158426943113gmail-body-content" id="gmail-m_-1111375434278736934m_1102287158426943113gmail-content"><h3><span class="gmail-m_-1111375434278736934m_1102287158426943113gmail-CHAPNUMBER">1.1.2 </span><span class="gmail-m_-1111375434278736934m_1102287158426943113gmail-CHAPTITLE">IP ACL Statements (Rules)</span></h3></div><div>In <a title="Internet Protocol" class="gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer">IP</a> <a title="Access Control List" class="gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer">ACLs</a>, each rule defines the action, either permit or deny, to be taken for a packet if the packet satisfies the rule. A <tt class="gmail-m_-1111375434278736934m_1102287158426943113gmail-input"><b>permit</b></tt> statement causes any packet matching the criteria to be accepted. A <tt class="gmail-m_-1111375434278736934m_1102287158426943113gmail-input"><b>deny</b></tt> statement causes any packet matching the criteria to be dropped. A packet that does not match the criteria of the first statement is subjected to the criteria of the second statement, and so on, until the end of the <a title="Internet Protocol" class="gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer">IP</a> <a title="Access Control List" class="gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer">ACL</a> is reached, at which point the packet is dropped due to an implicit <tt class="gmail-m_-1111375434278736934m_1102287158426943113gmail-input"><b>deny any any</b></tt> statement at the end of every <a title="Internet Protocol" class="gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer">IP</a> <a title="Access Control List" class="gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer">ACL</a>."</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Fri, 12 Jul 2019 at 11:49, Bartek Mickiewicz <<a href="mailto:bmtych@gmail.com" rel="noreferrer" target="_blank">bmtych@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hi,<div dir="auto">I'm having a problem with a policy access-list. I want to block all incoming connections to port 88 and allow two IP addresses to access that port. 
</div><div dir="auto">I've tried:</div><div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">seq 98 permit tcp any any eq 88 class Deny</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px">seq 103 permit tcp host xx.xx.xx.xx any eq 88 class Permit</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px">seq 103 permit tcp host yy.yy.yy.yy any eq 88 class Permit</span><br></div></div>
_______________________________________________<br>
redback-nsp mailing list<br>
<a href="mailto:redback-nsp@puck.nether.net" rel="noreferrer" target="_blank">redback-nsp@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/redback-nsp" rel="noreferrer noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/redback-nsp</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
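A first-match model of the policy access-list discussed in this thread, as an added example (not code from the thread or from the Redback platform). It evaluates the original ordering (catch-all "class Deny" rule first) and the reordered version from the reply, then applies the qos policing policy from the last message; the host addresses are constructed stand-ins for xx.xx.xx.xx and yy.yy.yy.yy, and the handling of traffic that matches no rule is an assumption.

```python
# Added example, not code from the redback-nsp thread or the Redback platform: a
# first-match model of a policy access-list (rules tag traffic with a class) plus
# the qos policing policy that acts on those classes. Host addresses are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    seq: int
    proto: str            # "tcp", "udp" or "ip"
    src: str              # "any" or one host address
    dport: Optional[int]  # None means any destination port
    cls: str              # class tag set when the rule matches

def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    return (rule.proto in ("ip", proto)
            and rule.src in ("any", src)
            and rule.dport in (None, dport))

def classify(acl, proto, src, dport) -> Optional[str]:
    """Rules are evaluated in seq order; the first match wins and later rules are
    never consulted. A packet matching no rule gets no class tag here (assumption:
    the platform's own treatment of unclassified traffic is not modelled)."""
    for rule in sorted(acl, key=lambda r: r.seq):  # stable sort keeps config order on ties
        if matches(rule, proto, src, dport):
            return rule.cls
    return None

def enforce(acl, policing, proto, src, dport) -> str:
    """The ACL only classifies; whether a class is forwarded or dropped is decided
    by the qos policy bound to the subscriber. Classes with no action forward."""
    return policing.get(classify(acl, proto, src, dport), "forward")

XX, YY, OTHER = "192.0.2.10", "192.0.2.20", "198.51.100.7"  # constructed hosts

# Ordering from the first post: the catch-all "class Deny" rule comes first.
ORIGINAL = [Rule(98, "tcp", "any", 88, "Deny"),
            Rule(103, "tcp", XX, 88, "Permit"),
            Rule(103, "tcp", YY, 88, "Permit")]
# Ordering from the reply: the two host rules first, the catch-all last.
REORDERED = [Rule(96, "tcp", XX, 88, "Permit"),
             Rule(97, "tcp", YY, 88, "Permit"),
             Rule(98, "tcp", "any", 88, "Deny")]
# "qos policy REDBACK_IN policing" with "class Deny" / "drop", as in the last reply.
POLICING = {"Permit": "forward", "Deny": "drop"}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED)):
        for host in (XX, OTHER):
            print(name, host, classify(acl, "tcp", host, 88), enforce(acl, POLICING, "tcp", host, 88))
```

With no policing actions bound (an empty action map), even the reordered ACL forwards everything, which is the symptom reported in the second message.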