Cisco Packet Data Interworking Function (PDIF)
Access Control Lists
▀ Configuring ACLs on the System
▄ ASR 5000 System Administration Guide, StarOS Release 18
Configuring Action and Criteria for Subscriber Traffic
To create rules that deny or permit subscriber traffic, and to insert a rule after or before an existing rule in the list, enter the following
command sequence from the Exec mode of the system CLI:
configure
context acl_ctxt_name [ -noconfirm ]
{ ip | ipv6 } access-list acl_list_name
deny { ip_address | any | host | icmp | ip | log | tcp | udp }
permit { ip_address | any | host | icmp | ip | log | tcp | udp }
after { deny | permit | readdress | redirect }
before { deny | permit | readdress | redirect }
end
Notes:
Caution: The system does not apply an implicit “deny any” rule; only the rules specified in the ACL are evaluated, so an ACL
without an explicit catch-all deny does not block traffic that matches none of its rules. To make the ACL fail closed, add a
“deny any” rule as the last rule in the ACL.
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used.
For more information, refer to the Engineering Rules chapter.
Use the information provided in the
For more information, refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode
Commands chapters in the Command Line Interface Reference.
Configuring an Undefined ACL
As discussed previously, the system uses an “undefined” ACL mechanism to filter packets when an ACL that has been applied
does not exist. This scenario is usually the result of a mis-configuration, such as the ACL name being mis-typed when the ACL
was applied.
For these scenarios, the system provides an “undefined” ACL that acts as a default filter for all packets into the context.
The default action is “permit all”, which means the mis-configuration fails open: a mis-typed ACL name results in no filtering
at all rather than in blocked traffic. Setting the undefined ACL to deny-all makes such a mistake fail closed, so it is noticed
and corrected instead of silently passing traffic.
To modify the default behavior for undefined ACLs, use the following configuration:
configure
context acl_ctxt_name [ -noconfirm ]
access-list undefined { deny-all | permit-all }
end
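The two fail-open conditions this chapter warns about (an ACL with no trailing “deny any”, and an undefined ACL left at permit-all) are easy to miss in a large configuration. The following audit script is an added example, not Cisco tooling or part of this guide: it walks a configuration dump in the layout of the command sequences above and reports ACLs whose last rule is not a catch-all deny, contexts whose undefined ACL is not deny-all, and ACL names that are referenced but never defined in their context (the mis-typed-name case). The sample dump is constructed, the `ip access-group NAME in` reference form and the treatment of `deny ip any any` as equivalent to `deny any` are assumptions, and the script only interprets the commands shown in this chapter.

```python
"""Audit a StarOS-style configuration dump for fail-open ACL defaults.

Added example (not Cisco code). Reports: ACLs whose last rule is not a
catch-all deny, contexts whose undefined ACL is not "deny-all", and
access-group references to ACL names the context never defines.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of a configuration dump; not a real capture.
# The "mgmt-inn" reference in context ingress is a deliberate typo.
SAMPLE_CONFIG = """\
config
  context ingress
    ip access-list subscriber-in
      permit tcp any host 10.10.10.5
      deny ip any host 10.10.10.5
    #exit
    ip access-list mgmt-in
      permit tcp host 192.0.2.10 any
      deny any
    #exit
    access-list undefined permit-all
    interface gi1
      ip access-group subscriber-in in
      ip access-group mgmt-inn in
    #exit
  #exit
  context egress
    ip access-list out-filter
      permit udp any any
      deny any
    #exit
    access-list undefined deny-all
  #exit
end
"""

Rule = List[str]
Finding = Tuple[str, str, str]   # (context, check, detail)


@dataclass
class ContextInfo:
    name: str
    acls: Dict[str, List[Rule]] = field(default_factory=dict)
    undefined_policy: Optional[str] = None      # "deny-all", "permit-all", None if unset
    references: List[str] = field(default_factory=list)   # names used by access-group


def is_catch_all_deny(rule: Rule) -> bool:
    """True for "deny [log] any"; "deny ip any any" is also accepted as a
    catch-all, which is an assumption about equivalent forms."""
    if not rule or rule[0] != "deny":
        return False
    body = tuple(t for t in rule[1:] if t != "log")
    return body in (("any",), ("ip", "any", "any"))


def parse_config(text: str) -> Dict[str, ContextInfo]:
    """Track the current context and ACL; unrelated lines are skipped."""
    contexts: Dict[str, ContextInfo] = {}
    ctx: Optional[ContextInfo] = None
    acl: Optional[List[Rule]] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "#exit":            # leaves the innermost block
            acl = None
            continue
        if tok[0] == "context" and len(tok) >= 2:
            ctx = contexts.setdefault(tok[1], ContextInfo(tok[1]))
            acl = None
            continue
        if ctx is None:                  # "config", "end", etc.
            continue
        if tok[0] in ("ip", "ipv6") and len(tok) >= 3 and tok[1] == "access-list":
            acl = ctx.acls.setdefault(tok[2], [])
        elif tok[:2] == ["access-list", "undefined"] and len(tok) == 3:
            ctx.undefined_policy = tok[2]
        elif tok[0] in ("ip", "ipv6") and len(tok) >= 3 and tok[1] == "access-group":
            ctx.references.append(tok[2])   # assumed "ip access-group NAME in|out"
        elif acl is not None and tok[0] in ("permit", "deny"):
            acl.append(tok)
    return contexts


def audit(contexts: Dict[str, ContextInfo]) -> List[Finding]:
    findings: List[Finding] = []
    for ctx in contexts.values():
        for name, rules in ctx.acls.items():
            if not rules or not is_catch_all_deny(rules[-1]):
                findings.append((ctx.name, "no-trailing-deny-any", name))
        if ctx.undefined_policy != "deny-all":
            findings.append((ctx.name, "undefined-acl-not-deny-all",
                             ctx.undefined_policy or "unset"))
        for ref in ctx.references:
            if ref not in ctx.acls:
                findings.append((ctx.name, "reference-to-undefined-acl", ref))
    return sorted(findings)


def audit_text(text: str) -> List[Finding]:
    return audit(parse_config(text))


if __name__ == "__main__":
    for context, check, detail in audit_text(SAMPLE_CONFIG):
        print(f"{context}: {check}: {detail}")
```

Run against the sample, the script flags context ingress three times: subscriber-in ends in a specific deny rather than a catch-all, the undefined ACL is permit-all, and mgmt-inn is referenced but never defined. Context egress, which ends its ACL with deny any and sets access-list undefined deny-all, produces no findings.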