Cisco ASR 5000 Command Line Interface Reference, StarOS Release 18
ACS Rulebase Configuration Mode Commands
firewall no-ruledef-matches
Optionally specify:
bypass-nat: Specifies to bypass Network Address Translation (NAT).
nat-realm nat_realm_name: Specifies a NAT realm to be used for performing NAT on subscriber packets.
nat_realm_name must be the name of a NAT realm, and must be an alphanumeric string of 1 through 31 characters.
Important: If neither bypass-nat nor nat-realm is configured, NAT is performed if the nat policy nat-required CLI command is configured with the default-nat-realm option.
deny [ charging-action charging_action_name ]: Denies specified packets.
Optionally, a charging action can be specified.
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through 63 characters.
Usage
Use this command to configure the default action to be taken on packets with no Stateful Firewall ruledef
matches.
If, for deny action, the optional charging action is configured, the action taken depends on what is configured
in the charging action. For the Stateful Firewall rule, the “flow action”, “billing action”, and “content ID” of
the charging action will be used to take action. If flow exists, flow statistics are updated.
Allowing/dropping of packets is determined in the following sequence:
1. Check is done to see if the packet matches any pinholes. If yes, no rule matching is done and the packet is allowed.
2. Stateful Firewall ruledef matching is done. If a rule matches, the packet is allowed or dropped as per the firewall priority configuration.
3. If no Stateful Firewall ruledef matches, the packet is allowed or dropped as per the no-ruledef-matches configuration.
For a packet dropped due to Stateful Firewall ruledef match or no match (first packet of a flow), the charging action applied is the one configured in the firewall priority or the firewall no-ruledef-matches command respectively.
In StarOS 8.1, in the case of Policy-based Stateful Firewall, the charging action applied is the one configured in the access-rule priority or the access-rule no-ruledef-matches command respectively.
For action on packets dropped due to any error condition after data session is created, the charging action must be configured in the flow any-error charging-action command.
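The allow/drop sequence described in this Usage section, modeled in Python as an added example (not Cisco code and not StarOS output). It shows which stage decides a packet and which charging action a drop carries. The "uplink" direction, the lower-number-first priority order, the charging action names and the addresses are assumptions made for illustration; NAT and flow state are not modeled.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "uplink" or "downlink" (assumed direction names)
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:          # stands in for one "firewall priority" entry
    priority: int    # assumption: lower value is matched first
    match: Callable[[Packet], bool]
    permit: bool
    charging_action: Optional[str] = None

@dataclass(frozen=True)
class Verdict:
    permit: bool
    decided_by: str  # "pinhole", "ruledef" or "no-ruledef-matches"
    charging_action: Optional[str] = None

def evaluate(pkt, pinholes, rules, defaults):
    """Apply the three-step sequence from the Usage text to one packet."""
    # 1. A pinhole match allows the packet and skips rule matching entirely.
    if (pkt.src, pkt.dst, pkt.dport) in pinholes:
        return Verdict(True, "pinhole")
    # 2. The first matching ruledef, in priority order, decides.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.match(pkt):
            return Verdict(rule.permit, "ruledef",
                           None if rule.permit else rule.charging_action)
    # 3. Nothing matched: the per-direction default action decides.
    permit, charging = defaults[pkt.direction]
    return Verdict(permit, "no-ruledef-matches", None if permit else charging)

# Constructed sample policy (names and addresses are illustrative only).
PINHOLES = {("198.51.100.7", "10.0.0.5", 40000)}
RULES = [
    Rule(10, lambda p: p.direction == "downlink" and p.dport >= 1024,
         False, "ca-highport-drop"),
    Rule(20, lambda p: p.direction == "uplink" and p.dport == 443, True),
]
DEFAULTS = {"uplink": (True, None), "downlink": (False, "ca-default-drop")}

def check(direction, src, dst, dport):
    return evaluate(Packet(direction, src, dst, dport), PINHOLES, RULES, DEFAULTS)

if __name__ == "__main__":
    print(check("downlink", "198.51.100.7", "10.0.0.5", 40000))  # pinhole wins over rule 10
    print(check("downlink", "203.0.113.9", "10.0.0.5", 80))      # falls to the default action
```

The first call shows why pinholes deserve review when auditing a policy: a pinhole match is allowed before any deny ruledef is consulted.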
Example
The following command configures Stateful Firewall to permit downlink packets with no ruledef matches:
firewall no-ruledef-matches downlink action permit