Cisco Packet Data Interworking Function (PDIF)
Access Control Lists
Applying IP ACLs
ASR 5500 System Administration Guide, StarOS Release 16
Applying the ACL to a Context
To apply the ACLs to a context, use the following configuration:
configure
context <acl_ctxt_name> [ -noconfirm ]
{ ip | ipv6 } access-group <acl_list_name> [ in | out ] [ <preference> ]
end
Notes:
The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
The context-level ACL is applied to outgoing packets. It is also applied to incoming packets that fail the flow match and are forwarded again.
The in and out keywords are deprecated and are present only for backward compatibility.
The context ACL is applied in the following cases:
Outgoing packets to an external destination.
Incoming packets that fail the flow match and are forwarded again. In this case the context ACL is applied first, and the packets are forwarded only if they pass it.
During forwarding, if an ACL rule specifies a loopback address as its destination, the context ACL is also applied, because StarOS sends packets destined to the kernel through a forwarding lookup. To apply ACL rules to incoming packets in general, use the interface ACL instead of the context ACL.
The ACL to be applied must be configured in the context specified by this command.
Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does
not exceed the 128-rule limit for the interface.
Verifying the ACL Configuration in a Context
To verify the ACL configuration:
Step 1
Verify that your ACL lists were applied properly by entering the following command in Exec Mode:
show configuration context context_name
context_name is the name of the context to which the ACL(s) was/were applied.
The output of this command displays the configuration of the entire context. Examine the output for the commands
pertaining to interface configuration. The commands display the ACL(s) applied using this procedure.
configure
  context context_name
    ip access-list acl_name
      deny host ip_address
      deny ip any host ip_address
      exit
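The following script is an added example, not part of this guide or of StarOS. It automates the checks that the notes above leave to the operator when reading show configuration context output: every ACL applied with access-group must be configured in the same context, no more than eight ACLs may be applied to a group, the rules in those ACLs may not exceed the 128-rule limit, and the in and out keywords are deprecated. The configuration text embedded in it is constructed for illustration; the parser assumes the indented block layout of show configuration output and that rule lines inside an access-list begin with permit, deny or redirect.

```python
# Added example (not Cisco code): audit the ACLs a StarOS context applies, from saved
# "show configuration context" output. Assumes that output's indented block layout,
# rule lines starting with permit/deny/redirect, and the limits stated in the guide.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ACLS_PER_GROUP = 8      # "Up to eight ACLs can be applied to a group"
MAX_RULES_PER_GROUP = 128   # "the 128-rule limit for the interface"
RULE_KEYWORDS = ("permit", "deny", "redirect")
CONTEXT_RE = re.compile(r"^context\s+(\S+)")
ACL_RE = re.compile(r"^(ip|ipv6)\s+access-list\s+(\S+)$")
IFACE_RE = re.compile(r"^interface\s+(\S+)")
GROUP_RE = re.compile(r"^(ip|ipv6)\s+access-group\s+(\S+)(?:\s+(in|out))?(?:\s+(\d+))?$")

@dataclass
class Binding:
    family: str               # "ip" or "ipv6"
    acl: str
    direction: Optional[str]  # deprecated in/out keyword, if present
    preference: Optional[int]
    scope: str                # "context" or "interface <name>"

@dataclass
class Context:
    name: str
    acls: Dict[str, int] = field(default_factory=dict)   # ACL name -> rule count
    bindings: List[Binding] = field(default_factory=list)

def parse_contexts(config_text: str) -> Dict[str, Context]:
    """Collect ACL definitions and access-group bindings per context.
    Nesting is tracked by indentation: a stack of (indent, kind, value) holds the open
    context/access-list/interface blocks, and a line with equal or smaller indent
    closes everything above it, so exit/#exit lines add nothing and are skipped."""
    contexts: Dict[str, Context] = {}
    stack = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line in ("configure", "end", "exit", "#exit"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        ctx = next((v for _, k, v in stack if k == "context"), None)
        if m := CONTEXT_RE.match(line):
            ctx = contexts.setdefault(m.group(1), Context(m.group(1)))
            stack.append((indent, "context", ctx))
        elif ctx is None:                      # commands outside any context
            continue
        elif m := ACL_RE.match(line):
            ctx.acls.setdefault(m.group(2), 0)
            stack.append((indent, "acl", m.group(2)))
        elif m := IFACE_RE.match(line):
            stack.append((indent, "interface", m.group(1)))
        elif stack[-1][1] == "acl" and line.split()[0] in RULE_KEYWORDS:
            ctx.acls[stack[-1][2]] += 1        # one more rule in the open access-list
        elif m := GROUP_RE.match(line):
            scope = f"interface {stack[-1][2]}" if stack[-1][1] == "interface" else "context"
            pref = int(m.group(4)) if m.group(4) else None
            ctx.bindings.append(Binding(m.group(1), m.group(2), m.group(3), pref, scope))
    return contexts

def audit_context(ctx: Context) -> List[str]:
    """Apply the guide's conditions to one context; returns the violations found."""
    findings = []
    for b in ctx.bindings:
        if b.acl not in ctx.acls:
            findings.append(f"{ctx.name}: {b.scope} applies {b.family} ACL '{b.acl}', "
                            "which is not configured in this context")
        if b.direction:
            findings.append(f"{ctx.name}: {b.scope} uses deprecated '{b.direction}' "
                            f"keyword on ACL '{b.acl}'")
    groups: Dict[str, List[Binding]] = {}
    for b in ctx.bindings:                     # one group per context or interface
        groups.setdefault(b.scope, []).append(b)
    for scope, members in groups.items():
        rules = sum(ctx.acls.get(b.acl, 0) for b in members)
        if len(members) > MAX_ACLS_PER_GROUP:
            findings.append(f"{ctx.name}: {scope} applies {len(members)} ACLs, "
                            f"limit is {MAX_ACLS_PER_GROUP}")
        if rules > MAX_RULES_PER_GROUP:
            findings.append(f"{ctx.name}: {scope} applies {rules} rules across "
                            f"{len(members)} ACL(s), limit is {MAX_RULES_PER_GROUP}")
    return findings

def audit(config_text: str) -> List[str]:
    return [f for c in parse_contexts(config_text).values() for f in audit_context(c)]

# Constructed sample shaped like "show configuration context ingress" output: BULK-BLOCK
# gets 129 rules so the context-level total passes 128, and OLD-LIST is never defined.
SAMPLE_CONFIG = (
    "configure\n  context ingress\n"
    "    ip access-list DROP-SCANNERS\n"
    "      deny host 192.0.2.10\n      deny ip any host 198.51.100.7\n      permit any\n"
    "    #exit\n    ip access-list BULK-BLOCK\n"
    + "".join(f"      deny host 203.0.113.{i + 1}\n" for i in range(129))
    + "    #exit\n    ip access-group DROP-SCANNERS 1\n    ip access-group BULK-BLOCK 2\n"
    "    ip access-group OLD-LIST out\n"
    "    interface ingress1\n      ip address 192.0.2.1 255.255.255.0\n"
    "      ip access-group DROP-SCANNERS\n    #exit\n  #exit\nend\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the unmodified capture of show configuration context context_name; an empty findings list means every access-group in the context resolves to an ACL configured there and the group limits stated above are respected. Because block scope is inferred from indentation, paste the output exactly as the system prints it.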