Access Control Lists
This chapter describes system support for access control lists and explains how they are configured. The product administration guides provide examples and procedures for configuration of basic services on the system. You should select the configuration example that best meets your service model before using the procedures described below.
You do not require a license to configure ACLs. However, the number of ACLs configured may impact performance significantly.
Not all commands and keywords/variables may be available. Availability depends on the platform type.
This chapter contains the following sections: Overview, Understanding ACLs, Configuring ACLs on the System, and Applying IP ACLs.
Overview
IP access control lists (ACLs) can be applied to any of the following:
- An individual interface
- All traffic facilitated by a context (known as a policy ACL)
- An individual subscriber
- All subscriber sessions facilitated by a specific context
Separate ACLs may be created for IPv4 and IPv6 access routes.
Understanding ACLs
Refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference for the full command syntax.
Rule(s)
A single ACL consists of one or more ACL rules. Each rule is a filter configured to take a specific action when a packet matches specific criteria. Up to 256 rules can be configured per ACL.
A configured ACL that contains no rules implies a "deny any" rule. The deny action and the any criterion are discussed later in this section. This is the default behavior for an empty ACL.
Each rule specifies the action to take when a packet matches the specified criteria. This section discusses the rule actions and criteria supported by the system.
Actions
- Permit: The packet is accepted and processed.
- Deny: The packet is rejected.
- Redirect: The packet is forwarded to the specified next-hop address through a specific system interface, or to the specified context for processing.
Important: Redirect rules are ignored for ACLs applied to specific subscribers, to all subscribers facilitated by a specific context, or to an APN for UMTS subscribers.
Criteria
Each ACL consists of one or more rules specifying the criteria that packets will be compared against:
- Any: Filters all packets
- Host: Filters packets based on the source host IP address
- ICMP: Filters Internet Control Message Protocol (ICMP) packets
- IP: Filters Internet Protocol (IP) packets
- Source IP Address: Filters packets based on one or more source IP addresses
- TCP: Filters Transmission Control Protocol (TCP) packets
- UDP: Filters User Datagram Protocol (UDP) packets
Each of the above criteria is described in detail in the sections that follow.
The following sections contain basic ACL rule syntax information. Refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference for the full command syntax.
- Any: The rule applies to all packets.
- Host: The rule applies to a specific host as determined by its IP address.
- ICMP: The rule applies to specific Internet Control Message Protocol (ICMP) packets, Types, or Codes. ICMP type and code definitions can be found at www.iana.org (RFC 3232).
- IP: The rule applies to specific Internet Protocol (IP) packets or fragments.
- IP Packet Size Identification Algorithm: The rule applies to the identification of Internet Protocol (IP) packets for fragmentation during forwarding.
  This configuration is related to the "IP Identification field" assignment algorithm used by the system when subscriber packets are being encapsulated (such as Mobile IP and other tunneling encapsulation). Within the system, subscriber packet encapsulation is done in a distributed way: the 16-bit IP identification space is divided and distributed to each entity that performs encapsulation, so that a unique IP identification value can be assigned to IP headers during encapsulation.
  Since this distributed IP Identification space is small, a non-zero unique identification is assigned only to those packets that may potentially be fragmented during forwarding (the IP identification field is only used for reassembly of fragmented packets). The total size of the IP packet is used to determine whether that packet may be fragmented.
- Source IP Address: The rule applies to packets originating from a specific source address or a group of source addresses.
- TCP: The rule applies to any Transmission Control Protocol (TCP) traffic and can be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers. TCP port number definitions can be found at www.iana.org.
- UDP: The rule applies to any User Datagram Protocol (UDP) traffic and can be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers. UDP port number definitions can be found at www.iana.org.
Rule Order
A single ACL can consist of multiple rules. Each packet is compared against each of the ACL rules, in the order in which they were entered, until a match is found. Once a match is identified, all subsequent rules are ignored.
Because the first matching rule decides, a new rule can be positioned relative to an existing rule using the before and after keywords:
    [ before | after ] { existing_rule }
Configuring ACLs on the System
This section describes how to configure ACLs.
This section provides the minimum instruction set for configuring an access control list on the system. For more information on commands that configure additional parameters and options, refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference.
To configure the system to provide an access control list facility to subscribers:
Step 1: Create the access control list by following the example configuration in Creating ACLs.
Step 2: Specify the rules and criteria for action in the ACL by following the example configuration in Configuring Action and Criteria for Subscriber Traffic.
Step 3: Optional. The system provides an "undefined" ACL that acts as a default filter for all packets into the context. The default action is to "permit all". Modify the default configuration for "unidentified" ACLs by following the example configuration in Configuring an Undefined ACL.
Step 4: Verify your ACL configuration by following the steps in Verifying the ACL Configuration.
Step 5: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information, refer to the Verifying and Saving Your Configuration chapter.
Creating ACLs
To create an ACL, enter the following command sequence from the Exec mode of the system CLI:
    configure
        context acl_ctxt_name [ -noconfirm ]
            { ip | ipv6 } access-list acl_list_name
                end
The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task. Typically, the maximum is less than 200.
Configuring Action and Criteria for Subscriber Traffic
To create rules that deny or permit subscriber traffic, and to position a rule after or before an existing rule, enter the following command sequence from the Exec mode of the system CLI:
    configure
        context acl_ctxt_name [ -noconfirm ]
            { ip | ipv6 } access-list acl_list_name
                deny { ip_address | any | host | icmp | ip | log | tcp | udp }
                permit { ip_address | any | host | icmp | ip | log | tcp | udp }
                after { deny | permit | readdress | redirect }
                before { deny | permit | readdress | redirect }
                end
Notes:
- Caution: The system does not apply a "deny any" rule unless it is specified in the ACL. This behavior can be changed by adding a "deny any" rule at the end of the ACL.
- The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules chapter.
- Use the information provided in the Actions and Criteria sections to configure the rules that comprise the ACL. For more information, refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference.
Configuring an Undefined ACL
As discussed previously, the system uses an "undefined" ACL mechanism for filtering packets in the event that an applied ACL is not present. This scenario is likely the result of a misconfiguration, such as the ACL name being mistyped during the configuration process.
For these scenarios, the system provides an "undefined" ACL that acts as a default filter for all packets into the context. The default action is to "permit all".
To modify the default behavior for unidentified ACLs, use the following configuration:
    configure
        context acl_ctxt_name [ -noconfirm ]
            access-list undefined { deny-all | permit-all }
                end
Verifying the ACL Configuration
To verify the ACL configuration, enter the Exec mode show { ip | ipv6 } access-list command.
The following is sample output of this command. In this example, an ACL named acl_1 was configured.
    ip access list acl_1
      deny host 10.2.3.4
      deny ip any host 10.2.3.4
      permit any 10.2.4.4
    1 ip access-lists are configured.
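Added example (not from this guide and not StarOS code): a small Python model of the first-match semantics described under Rule Order, the before/after insertion keywords, the "deny any" behavior of an ACL with no rules, and the permit-all default of the "undefined" ACL, using rules modelled on the acl_1 output above. The parser accepts only a constructed subset of the rule grammar, and the test shows why order matters: a "permit any" entered ahead of a "deny host" silently shadows it.

```python
"""Toy model of the ACL semantics described in this chapter (constructed example):
first matching rule wins, a rule-less ACL implies "deny any", and an ACL applied
under a name that was never configured falls through to the context's
"undefined" ACL policy, which defaults to permit-all."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: str = "any"     # "any", "host A.B.C.D" or a CIDR prefix
    dst: str = "any"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _match(self.src, src_ip) and _match(self.dst, dst_ip)


def _match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the rule forms seen in the acl_1 sample output (a constructed subset):
    '<action> host X' matches source host X, '<action> ip any host X' matches
    destination host X, '<action> any' / '<action> ip any any' match everything."""
    tok = line.split()
    action, rest = tok[0], tok[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if rest in (["any"], ["ip", "any", "any"]):
        return Rule(action)
    if len(rest) == 2 and rest[0] == "host":
        return Rule(action, src=f"host {rest[1]}")
    if len(rest) == 4 and rest[:3] == ["ip", "any", "host"]:
        return Rule(action, dst=f"host {rest[3]}")
    raise ValueError(f"unsupported rule form {line!r}")


class Acl:
    def __init__(self, name: str, lines: List[str] = ()):
        self.name = name
        self.rules = [parse_rule(l) for l in lines]

    def insert(self, new_line: str, existing_line: str, where: str = "after") -> None:
        """Model of the before/after keywords: place new_line relative to existing_line."""
        idx = self.rules.index(parse_rule(existing_line))
        self.rules.insert(idx + (1 if where == "after" else 0), parse_rule(new_line))

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """Rules are checked in entry order; the first match decides. No match
        (including an ACL with no rules at all) is treated as 'deny any'."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule.action
        return "deny"


class Context:
    def __init__(self, undefined_policy: str = "permit-all"):
        self.acls: Dict[str, Acl] = {}
        self.undefined_policy = undefined_policy   # access-list undefined { deny-all | permit-all }

    def filter(self, acl_name: str, src_ip: str, dst_ip: str) -> str:
        acl = self.acls.get(acl_name)
        if acl is None:   # e.g. a mistyped access-group name -> "undefined" ACL
            return "permit" if self.undefined_policy == "permit-all" else "deny"
        return acl.evaluate(src_ip, dst_ip)


# Constructed sample modelled on the acl_1 output shown above.
ACL_1_RULES = ["deny host 10.2.3.4", "deny ip any host 10.2.3.4", "permit any"]


def build_context(undefined_policy: str = "permit-all") -> Context:
    ctx = Context(undefined_policy)
    ctx.acls["acl_1"] = Acl("acl_1", ACL_1_RULES)
    return ctx
```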
Applying IP ACLs
Once an ACL is configured, it must be applied to take effect.
All ACLs should be configured and verified according to the instructions in Configuring ACLs on the System prior to beginning these procedures. The procedures described below also assume that the subscribers have been previously configured.
As discussed earlier, you can apply an ACL to any of the following:
- Applying an ACL to an Individual Interface
- Applying an ACL to All Traffic Within a Context (known as a policy ACL)
- Applying an ACL to an Individual Subscriber
- Applying a Single ACL to Multiple Subscribers
- Applying a Single ACL to Multiple Subscribers (for 3GPP subscribers only)
ACLs must be configured in the same context as the subscribers and/or interfaces to which they are to be applied. Similarly, ACLs to be applied to a context must be configured in that context.
Packet coming from the mobile node to the packet data network (left to right)

Order | Description
---|---
1 | An inbound ACL configured for the receiving interface in the Source Context is applied to the tunneled data (such as the outer IP header). The packet is then forwarded to the Destination Context.
2 | An inbound ACL configured for the subscriber (either the specific subscriber or for any subscriber facilitated by the context) is applied.
3 | A context ACL (policy ACL) configured in the Destination Context is applied prior to forwarding.
4 | An outbound ACL configured on the interface in the Destination Context through which the packet is being forwarded is applied.

Packet coming from the packet data network to the mobile node (right to left)

Order | Description
---|---
1 | An inbound ACL configured for the receiving interface in the Destination Context is applied.
2 | An outbound ACL configured for the subscriber (either the specific subscriber or for any subscriber facilitated by the context) is applied. The packet is then forwarded to the Source Context.
3 | A context ACL (policy ACL) configured in the Source Context is applied prior to forwarding.
4 | An outbound ACL configured on the interface in the Source Context through which the packet is being forwarded is applied to the tunneled data (such as the outer IP header).
In the event that an IP ACL is applied that has not been configured (for example, the name of the applied ACL was configured incorrectly), the system uses an "undefined" ACL mechanism for filtering the packet(s).
This section provides information and instructions for applying ACLs and for configuring an "undefined" ACL.
- Applying the ACL to an Interface
- Applying the ACL to a Context
- Applying an ACL to a RADIUS-based Subscriber
- Applying an ACL to an Individual Subscriber
- Applying an ACL to the Subscriber Named default
- Applying an ACL to Service-specified Default Subscriber
- Applying a Single ACL to Multiple Subscribers
Applying the ACL to an Interface
To apply the ACL to an interface, use the following configuration:
    configure
        context acl_ctxt_name [ -noconfirm ]
            interface interface_name
                { ip | ipv6 } access-group acl_list_name { in | out } [ preference ]
                    end
The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
The ACL to be applied must be configured in the context specified by this command.
Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.
Applying an ACL to an Individual Interface
This section provides information and instructions for applying one or more ACLs to an individual interface configured on the system.
This section provides the minimum instruction set for applying the ACL list to an interface on the system. For more information on commands that configure additional parameters and options, refer to the Ethernet Interface Configuration Mode Commands chapter in the Command Line Interface Reference.
To configure the system to provide an ACL facility to subscribers:
Step 1: Apply the configured access control list by following the example configuration in Applying the ACL to an Interface.
Step 2: Verify that the ACL is applied properly on the interface by following the steps in Verifying the ACL Configuration on an Interface.
Step 3: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information, refer to the Verifying and Saving Your Configuration chapter.
Verifying the ACL Configuration on an Interface
This section describes how to verify the ACL configuration.
Applying the ACL to a Context
To apply the ACLs to a context, use the following configuration:
    configure
        context acl_ctxt_name [ -noconfirm ]
            { ip | ipv6 } access-group acl_list_name [ in | out ] [ preference ]
                end
Notes:
- The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
- The context-level ACL is applied to outgoing packets. It also applies to incoming packets that fail the flow match criteria and are forwarded again. The in and out keywords are deprecated and are only present for backward compatibility.
- The context ACL is applied in the following cases:
  - Outgoing packets to an external source.
  - Incoming packets that fail flow match and are forwarded again. In this case, the context ACL applies first, and packets are forwarded only if it passes.
  During forwarding, if an ACL rule is added with a destination address that is a loopback address, the context ACL is also applied, because StarOS handles packets destined to the kernel by passing them through a forwarding lookup. To apply ACL rules to incoming packets, use the interface ACL instead of the context ACL.
- The ACL to be applied must be configured in the context specified by this command.
- Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256-rule limit for the interface.
Applying an ACL to All Traffic Within a Context
This section provides information and instructions for applying one or more ACLs to a context configured on the system. The applied ACLs, known as policy ACLs, contain rules that apply to all traffic facilitated by the context.
This section provides the minimum instruction set for applying the ACL to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference.
To configure the system to provide an access control list facility to subscribers:
Step 1: Apply the configured ACL as described in Applying the ACL to a Context.
Step 2: Verify that the ACL is applied properly as described in Verifying the ACL Configuration in a Context.
Step 3: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information, refer to the Verifying and Saving Your Configuration chapter.
Verifying the ACL Configuration in a Context
To verify the ACL configuration:
Applying an ACL to a RADIUS-based Subscriber
IP ACLs are applied to subscribers via attributes in their profile. The subscriber profile could be configured locally on the system or remotely on a RADIUS server.
To apply an ACL to a RADIUS-based subscriber, use the Filter-Id attribute.
For more details on this attribute, if you are using StarOS 12.3 or an earlier release, refer to the AAA and GTPP Interface Administration and Reference. If you are using StarOS 14.0 or a later release, refer to the AAA Interface Administration and Reference.
Applying an ACL to an Individual Subscriber
This section provides information and instructions for applying an ACL to an individual subscriber whose profile is configured locally on the system.
This section provides the minimum instruction set for applying the ACL to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
To configure the system to provide an access control list facility to subscribers:
Step 1: Apply the configured access control list by following the example configuration in Applying an ACL to an Individual Subscriber.
Step 2: Verify that the ACL is applied properly by following the steps in Verifying the ACL Configuration to an Individual Subscriber.
Step 3: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information, refer to the Verifying and Saving Your Configuration chapter.
Applying an ACL to an Individual Subscriber
To apply the ACL to an individual subscriber, use the following configuration:
    configure
        context acl_ctxt_name [ -noconfirm ]
            subscriber name subs_name
                { ip | ipv6 } access-group acl_list_name [ in | out ]
                    end
Notes:
- The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
- If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
- The ACL to be applied must be configured in the context specified by this command.
- Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.
Verifying the ACL Configuration to an Individual Subscriber
These instructions are used to verify the ACL configuration.
Applying an ACL to the Subscriber Named default
This section provides information and instructions for applying an ACL to the subscriber named default.
This section provides the minimum instruction set for applying the ACL to all traffic within a context. For more information on commands that configure additional parameters and options, refer to Subscriber Configuration Mode Commands in the Command Line Interface Reference.
To configure the system to provide an access control list facility to subscribers:
Step 1: Apply the configured access control list by following the example configuration in Applying an ACL to the Subscriber Named default.
Step 2: Verify that the ACL is applied properly by following the steps in Verifying the ACL Configuration to the Subscriber Named default.
Step 3: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information, refer to the Verifying and Saving Your Configuration chapter.
Applying an ACL to the Subscriber Named default
To apply the ACL to the subscriber named default, use the following configuration:
    configure
        context acl_ctxt_name [ -noconfirm ]
            subscriber name subs_name
                { ip | ipv6 } access-group acl_list_name [ in | out ]
                    end
Notes:
- The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
- If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
- The ACL to be applied must be configured in the context specified by this command.
- Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256-rule limit for the interface.
Verifying the ACL Configuration to the Subscriber Named default
These instructions are used to verify the ACL configuration.
Applying an ACL to Service-specified Default Subscriber
This section provides information and instructions for applying an ACL to the subscriber to be used as the "default" profile by various system services.
This section provides the minimum instruction set for applying the ACL to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
To configure the system to provide an access control list facility to subscribers:
Step 1: Apply the configured access control list by following the example configuration in Applying an ACL to the Subscriber Named default.
Step 2: Verify that the ACL is applied properly by following the steps in Verifying the ACL Configuration to Service-specified Default Subscriber.
Step 3: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information, refer to the Verifying and Saving Your Configuration chapter.
Applying an ACL to Service-specified Default Subscriber
To apply the ACL to a service-specified default subscriber, use the following configuration:
    configure
        context acl_ctxt_name [ -noconfirm ]
            { pdsn-service | fa-service | ha-service } service_name
                default subscriber svc_default_subs_name
                exit
            subscriber name svc_default_subs_name
                { ip | ipv6 } access-group acl_list_name [ in | out ]
                    end
Notes:
- The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
- If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
- The ACL to be applied must be configured in the context specified by this command.
- Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.
Verifying the ACL Configuration to Service-specified Default Subscriber
To verify the ACL configuration:
Applying a Single ACL to Multiple Subscribers
As mentioned in the previous section, IP ACLs are applied to subscribers via attributes in their profile. The subscriber profile could be configured locally on the system or remotely on a RADIUS server.

Function | Description
---|---
Subscriber named default | Within each context, the system creates a subscriber called default. The profile for the subscriber named default provides a configuration template of attribute values for subscribers authenticated in that context. Any subscriber attribute that is not included in a RADIUS-based subscriber profile is configured according to the value for that attribute as defined for the subscriber named default. NOTE: The profile for the subscriber named default is not used to provide missing information for subscribers configured locally.
default subscriber | This command allows multiple services to draw "default" subscriber information from multiple profiles.

Using these mechanisms, a single ACL can be applied to:
- All subscribers facilitated within a specific context, by applying the ACL to the profile of the subscriber named default.
- All subscribers facilitated by specific services, by applying the ACL to a subscriber profile and then using the default subscriber command to configure the service to use that subscriber as the "default" profile.
Applying an ACL to Multiple Subscribers via APNs
To apply the ACL to multiple subscribers via an APN, use the following configuration:
    configure
        context dest_context_name [ -noconfirm ]
            apn apn_name
                { ip | ipv6 } access-group acl_list_name [ in | out ]
                    end
Notes:
- The ACL to be applied must be in the destination context of the APN (which can be different from the context where the APN is configured).
- If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
- This command supports only one ACL. However, the ACL can have up to 256 rules.
- Four access-groups can be applied for each APN, for example:
    ip access-group acl_list_name_1 in
    ip access-group acl_list_name_2 out
    ipv6 access-group acl_list_name_3 in
    ipv6 access-group acl_list_name_4 out
Applying an ACL to Multiple Subscribers via APNs
IP ACLs are applied to subscribers via attributes in their profile. The subscriber profile could be configured locally on the system or remotely on a RADIUS server.
To reduce configuration time, ACLs can alternatively be applied to APN templates for GGSN subscribers. When configured, any subscriber packets facilitated by the APN template have the associated ACL applied.
This section provides information and instructions for applying an ACL to an APN template.
This section provides the minimum instruction set for applying the ACL to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
To configure the system to provide an access control list facility to subscribers:
Step 1: Apply the configured access control list by following the example configuration in Applying an ACL to Multiple Subscribers via APNs.
Step 2: Verify that the ACL is applied properly by following the steps in Verifying the ACL Configuration to APNs.
Step 3: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information, refer to the Verifying and Saving Your Configuration chapter.
Verifying the ACL Configuration to APNs
To verify the ACL configuration: