Access Control Lists

This chapter describes system support for access control lists and explains how they are configured. The product administration guides provide examples and procedures for configuration of basic services on the system. You should select the configuration example that best meets your service model before using the procedures described below.


Important

You do not require a license to configure ACLs. However, the number of ACLs configured may impact performance significantly.



Important

Not all commands and keywords/variables may be available. Availability depends on the platform type.


This chapter contains the following sections:

Overview

IP access lists, commonly known as access control lists (ACLs), control the flow of packets into and out of the system. They are configured on a per-context basis and consist of "rules" (ACL rules) or filters that control the action taken on packets that match the filter criteria. Once configured, an ACL can be applied to any of the following:
  • An individual interface

  • All traffic facilitated by a context (known as a policy ACL)

  • An individual subscriber

  • All subscriber sessions facilitated by a specific context

Separate ACLs may be created for IPv4 and IPv6 access routes.

Understanding ACLs

This section discusses the two main aspects to ACLs on the system:

Important

Refer to ACL Configuration Mode Commands and the IPv6 ACL Configuration Mode Commands chapter in the Command Line Interface Reference for the full command syntax.


Rule(s)

A single ACL consists of one or more ACL rules. Each rule is a filter configured to take a specific action when packets matching specific criteria. Up to 256 rules can be configured per ACL.


Important

Configured ACLs consisting of no rules imply a "deny any" rule. The deny action and any criteria are discussed later in this section. This is the default behavior for an empty ACL.


Each rule specifies the action to take when a packet matches the specifies criteria. This section discusses the rule actions and criteria supported by the system.

Actions

ACLs specify that one of the following actions can be taken on a packet that matches the specified criteria:
  • Permit: The packet is accepted and processed.

  • Deny: The packet is rejected.

  • Redirect: The packet is forwarded to the specified next-hop address through a specific system interface or to the specified context for processing.


    Important

    Redirect rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context, or APN for UMTS subscribers.


Criteria

Each ACL consists of one or more rules specifying the criteria that packets will be compared against.

The following criteria are supported:
  • Any: Filters all packets

  • Host: Filters packets based on the source host IP address

  • ICMP: Filters Internet Control Message Protocol (ICMP) packets

  • IP: Filters Internet Protocol (IP) packets

  • Source IP Address: Filter packets based on one or more source IP addresses

  • TCP: Filters Transport Control Protocol (TCP) packets

  • UDP: Filters User Datagram Protocol (UDP) packets

Each of the above criteria are described in detail in the sections that follow.


Important

The following sections contain basic ACL rule syntax information. Refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference for the full command syntax.


  • Any: The rule applies to all packets.

  • Host: The rule applies to a specific host as determined by its IP address.

  • ICMP: The rule applies to specific Internet Control Message Protocol (ICMP) packets, Types, or Codes. ICMP type and code definitions can be found at www.iana.org (RFC 3232).

  • IP: The rule applies to specific Internet Protocol (IP) packets or fragments.

  • IP Packet Size Identification Algorithm: The rule applies to specific Internet Protocol (IP) packets identification for fragmentation during forwarding.

    This configuration is related to the "IP Identification field" assignment algorithm used by the system, when subscriber packets are being encapsulated (such as Mobile IP and other tunneling encapsulation). Within the system, subscriber packet encapsulation is done in a distributed way and a 16-bit IP identification space is divided and distributed to each entity which does the encapsulation, so that unique IP identification value can be assigned for IP headers during encapsulation.

    Since this distributed IP Identification space is small, a non-zero unique identification will be assigned only for those packets which may potentially be fragmented during forwarding (since the IP identification field is only used for reassembly of the fragmented packet). The total size of the IP packet is used to determine the possibility of that packet getting fragmented.

  • Source IP Address: The rule applies to specific packets originating from a specific source address or a group of source addresses.

  • TCP: The rule applies to any Transport Control Protocol (TCP) traffic and could be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers. TCP port numbers definitions can be found at www.iana.org

  • UDP: The rule applies to any User Datagram Protocol (UDP) traffic and could be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers. UDP port numbers definitions can be found at www.iana.org.

Rule Order

A single ACL can consist of multiple rules. Each packet is compared against each of the ACL rules, in the order in which they were entered, until a match is found. Once a match is identified, all subsequent rules are ignored.

Additional rules can be added to an existing ACL and properly ordered using either of the following options:
  • Before

  • After

Using these placement options requires the specification of an existing rule in the ACL and the configuration of the new rule as demonstrated by the following flow:
[ before | after ] {  existing_rule }  

Configuring ACLs on the System

This section describes how to configure ACLs.


Important

This section provides the minimum instruction set for configuring access control list on the system. For more information on commands that configure additional parameters and options, refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference.


To configure the system to provide an access control list facility to subscribers:

Procedure


Step 1

Create the access control list by following the example configuration in Creating ACLs

Step 2

Specify the rules and criteria for action in the ACL list by following the example configuration in Configuring Action and Criteria for Subscriber Traffic

Step 3

Optional. The system provides an "undefined" ACL that acts as a default filter for all packets into the context. The default action is to "permit all". Modify the default configuration for "unidentified" ACLs for by following the example configuration in Configuring an Undefined ACL

Step 4

Verify your ACL configuration by following the steps in Verifying the ACL Configuration

Step 5

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter.


Creating ACLs

To create an ACL, enter the following command sequence from the Exec mode of the system CLI:

configure  
   context  acl_ctxt_name [ -noconfirm ]  
      { ip | ipv6 } access-list  acl_list_name 
      end  
Notes:
  • The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task. Typically, the maximum is less than 200.

Configuring Action and Criteria for Subscriber Traffic

To create rules to deny/permit the subscriber traffic and apply the rules after or before action, enter the following command sequence from the Exec mode of the system CLI:

configure  
   context  acl_ctxt_name [ -noconfirm ]  
      { ip | ipv6 } access-list  acl_list_name 
         deny {  ip_address | any | host | icmp | ip | log | tcp | udp }  
         permit {  ip_address | any | host | icmp | ip | log | tcp | udp }  
         after { deny | permit | readdress | redirect }  
         before { deny | permit | readdress | redirect }  
         end  

Notes:


Caution

The system does not apply a "deny any" rule, unless it is specified in the ACL. This behavior can be changed by adding a "deny any" rule at the end of the ACL.


  • The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules chapter.

  • Use the information provided in the Actions and Criteria to configure the rules that comprise the ACL. For more information, refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference.

Configuring an Undefined ACL

As discussed previously the system uses an "undefined" ACL mechanism for filtering the packet(s) in the event that an ACL that has been applied is not present. This scenario is likely the result of a mis-configuration such as the ACL name being mis-typed during the configuration process.

For these scenarios, the system provides an "undefined" ACL that acts as a default filter for all packets into the context. The default action is to "permit all".

To modify the default behavior for unidentified ACLs, use the following configuration:

configure  
   context  acl_ctxt_name [-noconfirm]  
      access-list undefined { deny-all | permit-all }  
      end  
Notes:
  • Context name is the name of the context containing the "undefined" ACL to be modified. For more information, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference.

Verifying the ACL Configuration

To verify the ACL configuration, enter the Exec mode show { ip | ipv6 } access-list command.

The following is a sample output of this command. In this example, an ACL named acl_1 was configured.

ip access list acl_1 
   deny host 10.2.3.4 
   deny ip any host 10.2.3.4 
   permit any 10.2.4.4 
1 ip access-lists are configured. 

Applying IP ACLs

Once an ACL is configured, it must be applied to take effect.


Important

All ACLs should be configured and verified according to the instructions in the Configuring ACLs on the System prior to beginning these procedures. The procedures described below also assume that the subscribers have been previously configured.


As discussed earlier, you can apply an ACL to any of the following:


Important

ACLs must be configured in the same context in which the subscribers and/or interfaces to which they are to be applied. Similarly, ACLs to be applied to a context must be configured in that context.


If ACLs are applied at multiple levels within a single context (such as an ACL is applied to an interface within the context and another ACL is applied to the entire context), they will be processed as shown in the following figure and table.
Figure 1. ACL Processing Order


Table 1. ACL Processing Order Descriptions

Packet coming from the mobile node to the packet data network (left to right)

Order

Description

1

An inbound ACL configured for the receiving interface in the Source Context is applied to the tunneled data (such as the outer IP header). The packet is then forwarded to the Destination Context.

2

An inbound ACL configured for the subscriber (either the specific subscriber or for any subscriber facilitated by the context) is applied.

3

A context ACL (policy ACL) configured in the Destination Context is applied prior to forwarding.

4

An outbound ACL configured on the interface in the Destination Context through which the packet is being forwarded, is applied.

Packet coming from the packet data network to the mobile node (right to left)

Order

Description

1

An inbound ACL configured for the receiving interface configured in the Destination Context is applied.

2

An outbound ACL configured for the subscriber (either the specific subscriber or for any subscriber facilitated by the context) is applied. The packet is then forwarded to the Source Context.

3

A context ACL (policy ACL) configured in the Source Context is applied prior to forwarding.

4

An outbound ACL configured on the interface in the Source Context through which the packet is being forwarded, is applied to the tunneled data (such as the outer IP header).

In the event that an IP ACL is applied that has not been configured (for example, the name of the applied ACL was configured incorrectly), the system uses an "undefined" ACL mechanism for filtering the packet(s).

This section provides information and instructions for applying ACLs and for configuring an "undefined" ACL.

Applying the ACL to an Interface

To apply the ACL to an interface, use the following configuration:

configure  
   context  acl_ctxt_name [ -noconfirm ]  
      interface  interface_name 
         { ip | ipv6 } access-group  acl_list_name { in | out } [  preference ]  
         end  
Notes:
  • The context name is the name of the ACL context containing the interface to which the ACL is to be applied.

  • The ACL to be applied must be configured in the context specified by this command.

  • Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.

Applying an ACL to an Individual Interface

This section provides information and instructions for applying one or more ACLs to an individual interface configured on the system.


Important

This section provides the minimum instruction set for applying the ACL list to an interface on the system. For more information on commands that configure additional parameters and options, refer to the Ethernet Interface Configuration Mode Commands chapter in the Command Line Interface Reference.


To configure the system to provide ACL facility to subscribers:

Procedure

Step 1

Apply the configured access control list by following the example configuration in Applying the ACL to an Interface

Step 2

Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration on an Interface

Step 3

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter.


Verifying the ACL Configuration on an Interface

This section describes how to verify the ACL configuration.

Procedure

In the Exec Mode, enter the following command:

[local]host_name# show configuration context  context_name 

context_name is the name of the context containing the interface to which the ACL(s) was/were applied.

The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure.

configure 
   context context_name 
      ip access-list acl_name 
         deny host ip_address 
         deny ip any host ip_address 
         exit 
      ip access-group access_group_name 
      service-redundancy-protocol 
      exit 
      interface interface_name 
         ip address ip_address/mask 
         exit 
      subscriber default 
      exit 
      aaa group default 
      exit 
      gtpp group default 
      end  

Applying the ACL to a Context

To apply the ACLs to a context, use the following configuration:

configure  
   context  acl_ctxt_name [ -noconfirm ]  
      { ip | ipv6 } access-group  acl_list_name [ in | out ] [  preference ]  
      end  

Notes:

  • The context name is the name of the ACL context containing the interface to which the ACL is to be applied.

  • The context-level ACL is applied to outgoing packets. This applies to incoming packets also if the flow match criteria fails and forwarded again.

    The in and out keywords are deprecated and are only present for backward compatibility.

    Context ACL will be applied in the following cases:

    • Outgoing packets to an external source.

    • Incoming packets that fail flow match and are forwarded again. In this case, the context ACL applies first and only if it passes are packets forwarded.

      During forwarding, if an ACL rule is added with a destination address as a loopback address, the context ACL is also applied. This is because StarOS handles packets destined to the kernel by going through a forwarding lookup for them. To apply ACL rules to incoming packets, the interface ACL must be used instead of the context ACL.

  • The ACL to be applied must be configured in the context specified by this command.

  • Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256-rule limit for the interface.

Applying an ACL to All Traffic Within a Context

This section provides information and instructions for applying one or more ACLs to a context configured within a specific context on the system. The applied ACLs, known as policy ACLs, contain rules that apply to all traffic facilitated by the context.


Important

This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference.


To configure the system to provide access control list facility to subscribers:

Procedure

Step 1

Apply the configured ACL as described in Applying the ACL to a Context

Step 2

Verify that ACL is applied properly on interface as described in Verifying the ACL Configuration in a Context

Step 3

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter.


Verifying the ACL Configuration in a Context

To verify the ACL configuration:

Procedure

Verify that your ACL lists were applied properly by entering the following command in Exec Mode:

[local]host_name# show configuration context  context_name 

context_name is the name of the context to which the ACL(s) was/were applied.

The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure.

configure 
   context context_name 
      ip access-list acl_name 
         deny host ip_address 
         deny ip any host ip_address 
         exit 
      ip access-group access_group_name 
      service-redundancy-protocol 
      exit 
      interface interface_name 
         ip address ip_address/mask 
         exit 
      subscriber default 
      exit 
      aaa group default 
      exit 
      gtpp group default 
               end 

Applying an ACL to a RADIUS-based Subscriber

IP ACLs are applied to subscribers via attributes in their profile. The subscriber profile could be configured locally on the system or remotely on a RADIUS server.

To apply an ACL to a RADIUS-based subscriber, use the Filter-Id attribute.

For more details on this attribute, if you are using StarOS 12.3 or an earlier release, refer to the AAA and GTPP Interface Administration and Reference. If you are using StarOS 14.0 or a later release, refer to the AAA Interface Administration and Reference.

This section provides information and instructions for applying an ACL to an individual subscriber whose profile is configured locally on the system.


Important

This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.


To configure the system to provide access control list facility to subscribers:

Procedure


Step 1

Apply the configured access control list by following the example configuration in Applying an ACL to an Individual Subscriber

Step 2

Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to an Individual Subscriber

Step 3

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter.


Applying an ACL to an Individual Subscriber

To apply the ACL to an individual subscriber, use the following configuration:

configure  
   context  acl_ctxt_name [ -noconfirm ]  
      subscriber name  subs_name 
         { ip | ipv6 } access-group  acl_list_name [ in | out ]  
         end 
Notes:
  • The context name is the name of the ACL context containing the interface to which the ACL is to be applied.

  • If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.

  • The ACL to be applied must be configured in the context specified by this command.

  • Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.

Verifying the ACL Configuration to an Individual Subscriber

These instructions are used to verify the ACL configuration.

Procedure

Verify that your ACL lists were applied properly by entering the following command in Exec Mode:

[local]host_name# show configuration context  context_name 

context_name is the name of the context containing the subscriber subs1 to which the ACL(s) was/were applied.

The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure.

configure 
   context context_name 
      ip access-list acl_name 
         deny host ip_address 
         deny ip any host ip_address 
         exit 
      ip access-group access_group_name 
      service-redundancy-protocol 
      exit 
      interface interface 
         ip address ip_address/mask 
         exit 
      subscriber default 
      exit 
      subscriber name subscriber_name 
         ip access-group access_group_name in 
         ip access-group access_group_name out 
         exit 
      aaa group default 
      exit 
      gtpp group default 
      exit 
      content-filtering server-group cfsg_name 
         response-timeout response_timeout 
         connection retry-timeout retry_timeout 
               end 

Applying an ACL to the Subscriber Named default

This section provides information and instructions for applying an ACL to the subscriber named default.


Important

This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to Subscriber Configuration Mode Commands in the Command Line Interface Reference.


To configure the system to provide access control list facility to subscribers:

Procedure


Step 1

Apply the configured access control list by following the example configuration in Applying an ACL to the Subscriber Named default

Step 2

Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to the Subscriber Named default

Step 3

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter.


Applying an ACL to the Subscriber Named default

To apply the ACL to the subscriber named default, use the following configuration:

configure  
   context  acl_ctxt_name [ -noconfirm ]  
      subscriber name  subs_name 
         { ip | ipv6 } access-group  acl_list_name [ in | out ]  
         end  

Notes:

  • The context name is the name of the ACL context containing the interface to which the ACL is to be applied.

  • If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.

  • The ACL to be applied must be configured in the context specified by this command.

  • Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256-rule limit for the interface.

Verifying the ACL Configuration to the Subscriber Named default

These instructions are used to verify the ACL configuration.

Procedure

Verify that your ACL lists were applied properly by entering the following command in Exec Mode:

[local]host_name# show configuration context  context_name 

context_name is the name of the context containing the subscriber default to which the ACL(s) was/were applied.

The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure.

configure 
   context context_name 
      ip access-list acl_name 
         deny host ip_address 
         deny ip any host ip_address 
         exit 
      ip access-group access_group_name 
      service-redundancy-protocol 
      exit 
      interface interface 
         ip address ip_address/mask 
         exit 
      subscriber name default 
         ip access-group access_group_name in 
         ip access-group access_group_name out 
         exit 
      aaa group default 
      exit 
      gtpp group default 
      exit 
      content-filtering server-group cfsg_name 
         response-timeout response_timeout 
         connection retry-timeout retry_timeout 
               end 

Applying an ACL to Service-specified Default Subscriber

This section provides information and instructions for applying an ACL to the subscriber to be used as the "default" profile by various system services.


Important

This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.


To configure the system to provide access control list facility to subscribers:

Procedure


Step 1

Apply the configured access control list by following the example configuration in Applying an ACL to the Subscriber Named default.

Step 2

Verify that the ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to Service-specified Default Subscriber.

Step 3

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter.


Applying an ACL to Service-specified Default Subscriber

To apply the ACL to a service-specified Default subscriber, use the following configuration:

configure  
   context  acl_ctxt_name [ -noconfirm ]  
      { pdsn-service | fa-service | ha-service }  service_name 
         default subscriber  svc_default_subs_name 
         exit  
      subscriber name  svc_default_subs_name 
         { ip | ipv6 } access-group  acl_list_name [ in | out ]  
         end  
Notes:
  • The context name is the name of the ACL context containing the interface to which the ACL is to be applied.

  • If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.

  • The ACL to be applied must be configured in the context specified by this command.

  • Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.

Verifying the ACL Configuration to Service-specified Default Subscriber

To verify the ACL configuration.

Procedure

Verify that your ACL lists were applied properly by entering the following command in Exec Mode:

[local]host_name# show configuration context  context_name 

context_name is the name of the context containing the service with the default subscriber to which the ACL(s) was/were applied.

The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure.

configure 
   context context_name 
      ip access-list acl_name 
         deny host ip_address 
         deny ip any host ip_address 
         exit 
      ip access-group access_group_name 
      interface interface 
         ip address ip_address/mask 
         exit 
      subscriber default 
      exit 
      subscriber name subscriber_name 
         ip access-group access_group_name in 
         ip access-group access_group_name out 
         exit 
      pdsn-service service_name 
         default subscriber subscriber_name 
               end 

Applying a Single ACL to Multiple Subscribers

As mentioned in the previous section, IP ACLs are applied to subscribers via attributes in their profile. The subscriber profile could be configured locally on the system or remotely on a RADIUS server.

The system provides for the configuration of subscriber functions that serve as default values when specific attributes are not contained in the individual subscriber's profile. The following table describes these functions.
Table 2. Functions Used to Provide "Default" Subscriber Attributes
Function Description

Subscriber named default

Within each context, the system creates a subscriber called default. The profile for the subscriber named default provides a configuration template of attribute values for subscribers authenticated in that context.

Any subscriber attributes that are not included in a RADIUS-based subscriber profile is configured according to the values for those attributes as defined for the subscriber named default.

NOTE: The profile for the subscriber named default is not used to provide missing information for subscribers configured locally.

default subscriber

This command allows multiple services to draw "default" subscriber information from multiple profiles.

When configured properly, the functions described in the table above could be used to apply an ACL to:
  • All subscribers facilitated within a specific context by applying the ACL to the profile of the subscriber named default.

  • All subscribers facilitated by specific services by applying the ACL to a subscriber profile and then using the default subscriber command to configure the service to use that subscriber as the "default" profile.

Applying an ACL to Multiple Subscriber via APNs

To apply the ACL to multiple subscribers via APN, use the following configuration:

configure  
   context  dest_context_name [-noconfirm]  
      apn  apn_name 
         { ip | ipv6 } access-group  acl_list_name [ in | out ]  
         end  

Notes:

  • The ACL to be applied must be in the destination context of the APN (which can be different from the context where the APN is configured).

  • If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.

  • This command supports only one ACL. However, the ACL can have up to 256 rules.

  • Four access-groups can be applied for each APN, for example:

    ip access-group acl_list_name_1 in

    ip access-group acl_list_name_2 out

    ipv6 access-group acl_list_name_3 in

    ipv6 access-group acl_list_name_4 out

Applying an ACL to Multiple Subscriber via APNs

If IP ACLs are applied to subscribers via attributes in their profile, the subscriber profile could be configured locally on the system or remotely on a RADIUS server.

To reduce configuration time, ACLs can alternatively be applied to APN templates for GGSN subscribers. When configured, any subscriber packets facilitated by the APN template would then have the associated ACL applied.

This section provides information and instructions for applying an ACL to an APN template.


Important

This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.


To configure the system to provide access control list facility to subscribers:

Procedure

Step 1

Apply the configured access control list by following the example configuration in Applying an ACL to Multiple Subscriber via APNs.

Step 2

Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to APNs.

Step 3

Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter.


Verifying the ACL Configuration to APNs

To verify the ACL configuration:

Procedure

Verify that your ACL lists were applied properly by entering the following command in Exec Mode:

show configuration context  context_name 

context_name is the name of the context containing the APN apn1 having default subscriber to which the ACL(s) was/were applied.

The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure.

configure 
   context context_name 
      ip access-list acl_name 
         deny host ip_address 
         deny ip any host ip_address 
         exit 
      ip access-group access_group_name 
      interface interface 
         ip address ip_address/mask 
         exit 
      subscriber default 
      exit 
      apn apn_name 
         ip access-group access_group_name in 
         ip access-group access_group_name out 
               end