OcNOS-SP : System Management Guide : System Management Configuration Guide : Access Control Lists Configurations : IPv4 ACL Configuration
IPv4 ACL Configuration
 
#configure terminal
Enter configure mode.
(config)#ip access-list T1
Create an IP access list named T1.
(config-ip-acl)#deny any host 1.1.1.1 any
Create an access rule to deny IP packets with source address 1.1.1.1.
(config-ip-acl)#permit any host 1.1.1.2 any
Create an access rule to permit IP packets with source address 1.1.1.2.
(config-ip-acl)#exit
Exit access list mode.
(config)#hardware-profile filter ingress-ipv4 enable
Enable hardware profile for the ACL.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#interface xe10
Enter interface mode.
(config-if)#no switchport
Configure the interface as Layer 3.
(config-if)#ip address 1.1.1.3/24
Assign an IP address.
(config-if)#ip access-group T1 in
Apply access group T1 for inbound traffic to the interface.
(config-if)#commit
Commit the candidate configuration to the running configuration.
(config-if)#end
Exit interface and configure mode.
Validation
Use the commands below to verify the match counts. When inbound IP packets with source address 1.1.1.1 reach interface xe10, the match count for access rule 10 increases by the number of packets sent.
#show ip access-lists T1
IP access list T1
10 deny any host 1.1.1.1 any [match=200]
20 permit any 1.1.1.2 any
default deny-all
When inbound IP packets with source address 1.1.1.2 reach interface xe10, the match count for access rule 20 increases by the number of packets sent.
#show ip access-lists T1
IP access list T1
10 deny any host 1.1.1.1 any
20 permit any 1.1.1.2 any [match=2000]
default deny-all
Note: Use the command clear ip access-list counters to clear the statistics of all ACLs, or clear ip access-list <access-list name> counters to clear the statistics of a particular ACL.
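The validation above is done by eye: run show ip access-lists twice and compare the [match=N] counters. The following Python script is an added example, not part of the OcNOS guide or of the OcNOS software, that automates that comparison. It parses the show output format seen above (ACL header line, numbered permit/deny rules with an optional [match=N] suffix, and the default line), computes the per-rule counter increase between two snapshots, and lists the deny rules whose counters grew, which is the signal that traffic the policy rejects is actually arriving on the interface. The two snapshots embedded in the script are constructed sample text modelled on the guide's output, not captures from a device, and the function names are the author's own.

```python
"""Parse OcNOS `show ip access-lists` output and report per-rule match-counter growth.

Added example, not from the OcNOS guide. Only the input format is taken from the
guide's sample output; the snapshots below and all function names are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed snapshots modelled on the guide's output: one taken before and one
# after 250 packets from 1.1.1.1 and 2000 packets from 1.1.1.2 arrived on xe10.
SNAPSHOT_BEFORE = """\
IP access list T1
10 deny any host 1.1.1.1 any [match=200]
20 permit any host 1.1.1.2 any
default deny-all
"""

SNAPSHOT_AFTER = """\
IP access list T1
10 deny any host 1.1.1.1 any [match=450]
20 permit any host 1.1.1.2 any [match=2000]
default deny-all
"""

LIST_RE = re.compile(r"^IP access list (?P<name>\S+)$")
# Sequence number, action, free-text match criteria, optional "[match=N]" counter.
# The counter suffix is absent for a rule that has not matched any packet yet.
RULE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<match>.+?)"
    r"(?:\s+\[match=(?P<count>\d+)\])?$"
)


def parse_access_lists(text: str) -> Dict[str, dict]:
    """Return {acl_name: {"rules": [{"seq", "action", "match", "count"}, ...], "default": str}}."""
    acls: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LIST_RE.match(line)
        if m:
            current = {"rules": [], "default": None}
            acls[m.group("name")] = current
            continue
        if current is None:  # text before the first ACL header
            continue
        if line.startswith("default "):
            current["default"] = line.split(None, 1)[1]
            continue
        m = RULE_RE.match(line)
        if m:
            current["rules"].append({
                "seq": int(m.group("seq")),
                "action": m.group("action"),
                "match": m.group("match"),
                "count": int(m.group("count") or 0),  # no suffix means zero hits
            })
    return acls


def counter_deltas(before: str, after: str) -> Dict[str, Dict[int, int]]:
    """Per-ACL, per-sequence increase of the match counter between two snapshots.

    A rule with no counter in the earlier snapshot starts at 0. If the counters were
    cleared between the snapshots (clear ip access-list counters), the delta goes
    negative; treat that as a reset rather than as traffic.
    """
    old = parse_access_lists(before)
    new = parse_access_lists(after)
    deltas: Dict[str, Dict[int, int]] = {}
    for name, acl in new.items():
        prev = {r["seq"]: r["count"] for r in old.get(name, {"rules": []})["rules"]}
        deltas[name] = {r["seq"]: r["count"] - prev.get(r["seq"], 0) for r in acl["rules"]}
    return deltas


def deny_rules_with_new_hits(before: str, after: str) -> List[Tuple[str, int, str, int]]:
    """(acl, seq, match text, delta) for every deny rule whose counter grew."""
    new = parse_access_lists(after)
    deltas = counter_deltas(before, after)
    hits = []
    for name, acl in new.items():
        for r in acl["rules"]:
            d = deltas[name][r["seq"]]
            if r["action"] == "deny" and d > 0:
                hits.append((name, r["seq"], r["match"], d))
    return hits


if __name__ == "__main__":
    for acl, seq, match, delta in deny_rules_with_new_hits(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{acl} rule {seq} ({match}) dropped {delta} more packets")
```

On a real device the two snapshots would be the text returned by show ip access-lists T1 before and after sending the test traffic. Because the match criteria are parsed as free text, a rule line printed as "permit any host 1.1.1.2 any" and one printed as "permit any 1.1.1.2 any" are both accepted; only the sequence number, action and the trailing [match=N] counter are interpreted.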
Last modified date: 10/19/2023