The IP Access Control List can store up to 256 filters definitions.
This section describes the commands for the management of the IP Access Control List.
These are the commands:
- d ipacl: shows the current content of the IP access list;
- a ipacl: adds a new filter to the list;
- c ipacl: deletes a filter from the list;
- s ipacl: sets the values of an existing filter;
- m ipacl: changes the priority of a filter;
- f ipacl: verifies how a given IP datagram is handled by the current list.
Every filter is identified by a priority index, which is used to add, modify and delete IPACL entries.
Every time a filter is added or deleted, the priority indexes are automatically kept in sequential order.
Changes to the IPACL are immediately active, so there is no need to restart Abilis CPX.
The d ipacl command shows the current content of the IP access list. If the priority is omitted, the command shows all the filters currently in the table.
Type d ipacl ? to display the syntax of the command.
[15:45:59] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
Tot-IPACL-Number:0
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
*** NO IP ACCESS LISTS DEFINED ***

Meaning of the parameters:

PR: The priority index sets the order in which the filters are checked. The check is executed on each datagram: it starts from the filter with priority 0 and continues until a matching filter is found or the list ends. If the IP datagram doesn't match any filter, it is routed; if the IP class of service functionality is activated, the router assigns the datagram the default priority set in the COSDFT parameter of the IPRTR port.

TYPE: This parameter sets whether a datagram matching the filter has to be routed (value PERMIT) or discarded (value DENY).

IPCOS: This parameter is displayed and configurable only for PERMIT filters. It is considered only if the IP class of service is activated (COS:ENABLED). Values: [DFT (default); HIGH; NORMAL; LOW].
SA: It sets the IP address (or interval of addresses) which the datagram's source address has to match (or be contained in). It may be expressed as:
  - a single value, using the Dotted Decimal Notation (E.g.: 150.200.192.192);
  - an interval, by separating the two IP addresses with the : (colon) character (E.g.: 192.168.0.0:192.168.0.100);
  - the name of an Elements List of type IP, IR, RU or MR, written between primes (E.g.: 'My_List');
  - the * (asterisk) string, which stands for “any IP address”.

DA: It sets the IP address (or interval of addresses) which the datagram's destination address has to match (or be contained in). It may be expressed as:
  - a single value, using the Dotted Decimal Notation (E.g.: 150.200.192.192);
  - an interval, by separating the two IP addresses with the : (colon) character (E.g.: 192.168.0.0:192.168.0.100);
  - the name of an Elements List of type IP, IR, RU or MR, written between primes (E.g.: 'My_List');
  - the * (asterisk) string, which stands for “any IP address”.

PROT: It sets the Internet protocol the filter applies to. It may be expressed as:
  - the mnemonic or numeric identifier [1 - 254] of an Internet protocol (E.g.: tcp or 6);
  - the name of an Elements List of type IPT, RU or MR, written between primes (E.g.: 'My_List');
  - the tcpudp string, which stands for “tcp and/or udp protocols”;
  - the * (asterisk) string, which stands for “any Internet protocol”.
SPO: This parameter is used only for the TCP and UDP protocols. It sets the source port (or interval of ports) that the datagram's source port has to match (or be contained in). It may be expressed as:
  - the mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23);
  - an interval, by separating the two TCP/UDP port values with the : (colon) character (E.g.: 23:161 or telnet:snmp);
  - the name of an Elements List of type TUP, RU or MR, written between primes (E.g.: 'My_List');
  - the * (asterisk) string, which stands for “any TCP/UDP port”.

DPO: This parameter is used only for the TCP and UDP protocols. It sets the destination port (or interval of ports) that the datagram's destination port has to match (or be contained in). It may be expressed as:
  - the mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23);
  - an interval, by separating the two TCP/UDP port values with the : (colon) character (E.g.: 23:161 or telnet:snmp);
  - the name of an Elements List of type TUP, RU or MR, written between primes (E.g.: 'My_List');
  - the * (asterisk) string, which stands for “any TCP/UDP port”.

PO: This parameter is used only for the TCP and UDP protocols, as an alternative to the SPO and DPO parameters. It sets the port value (or interval of values) which the datagram's source or destination port has to match (or be contained in). It may be expressed as:
  - the mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23);
  - an interval, by separating the two TCP/UDP port values with the : (colon) character (E.g.: 23:161 or telnet:snmp);
  - the name of an Elements List of type TUP, RU or MR, written between primes (E.g.: 'My_List');
  - the * (asterisk) string, which stands for “any TCP/UDP port”.
TOS-IN: Input Type of Service octet or Differentiated Services field. It may be expressed as:
  - * or *-*, meaning “don't change”;
  - p-t, PRECEDENCE and TOS values, where p can be [0..7, *] and t can be [a combination of N: None; D: Minimize Delay; T: Maximize Throughput; R: Maximize Reliability; C: Minimize Monetary Cost; *];
  - bbbbbb, DS value bit by bit, where b can be [0, 1, x] and x means “don't care”.

TOS-OUT: Output Type of Service octet or Differentiated Services field. It may be expressed as:
  - * or *-*, meaning “don't change”;
  - p-t, PRECEDENCE and TOS values, where p can be [0..7, *] and t can be [a combination of N: None; D: Minimize Delay; T: Maximize Throughput; R: Maximize Reliability; C: Minimize Monetary Cost; *];
  - bbbbbb, DS value bit by bit, where b can be [0, 1, x] and x means “don't care”.
SIP: It sets the IP port from which the datagrams have to come in to match the filter [* (any IP port): datagrams from any IP resource are accepted; INT (internal IP resource): datagrams coming from any internal IP resource are accepted].

DIP: It sets the IP port to which the datagrams have to be routed to match the filter [* (any IP port): datagrams routed to any IP resource are accepted; INT (internal IP resource): datagrams routed to any internal IP resource are accepted].

CRDIR: It specifies whether the datagrams matching the filter have to be routed transparently (value NONE), encrypted (value ENCRYPT) or decrypted (value DECRYPT).

CRKEY: It defines the cryptographic key to be used for the datagrams matching the filter.

TI: Time interval; this parameter allows a time band to be specified, during which the IPACL filter is in use. The time band must be indicated in the following form:
ggg-hh1:mm1-hh2:mm2
where:
  - ggg is the indication of the day(s) of the week in which the routing can be used, and can assume the following values:
      a single day: [MO, TU, WE, TH, FR, SA, SU];
      a set of days (E.g.: MO+TH or TU+TH+SU);
      an interval (E.g.: MO-WE or TH-SU, or ALL).
  - hh1:mm1 is the indication of the beginning of the hourly interval of validity of the routing.
  - hh2:mm2 is the indication of the end of the hourly interval of validity of the routing.
Use * to have the time interval ignored.
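The TI time band above has a small grammar of its own (day names, '+' sets, '-' intervals, ALL, and two hh:mm bounds separated by hyphens, with '*' disabling the check). The following Python is an added example, not code from the Abilis manual: it parses that form and decides whether a given date and time falls inside the band, which is the check an operator needs when auditing why a time-limited filter did or did not apply. Two points the manual does not state are this example's own assumptions: a day interval that runs past SU (e.g. SA-MO) wraps around, and a band whose end time is earlier than its start (e.g. 22:00-06:00) is read as an overnight band whose early-morning part belongs to the listed day. The end bound is treated as exclusive.

```python
from datetime import datetime

# Added example, not Abilis code. Weekday tokens from the manual, in the
# same order as datetime.weekday() (0 = Monday).
DAYS = ["MO", "TU", "WE", "TH", "FR", "SA", "SU"]


def parse_days(ggg):
    """Return the set of weekday indexes (0 = MO .. 6 = SU) named by ggg."""
    ggg = ggg.upper()
    if ggg == "ALL":
        return set(range(7))
    if "+" in ggg:                       # a set of days: MO+TH, TU+TH+SU
        return {DAYS.index(d) for d in ggg.split("+")}
    if "-" in ggg:                       # an interval: MO-WE, TH-SU
        first, last = (DAYS.index(d) for d in ggg.split("-"))
        if first <= last:
            return set(range(first, last + 1))
        # Interval running past SU wraps around (assumption, e.g. SA-MO).
        return set(range(first, 7)) | set(range(0, last + 1))
    return {DAYS.index(ggg)}             # a single day


def parse_hhmm(tok):
    """'hh:mm' -> minutes since midnight, with range validation."""
    h, m = (int(x) for x in tok.split(":"))
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time of day {tok!r}")
    return h * 60 + m


def parse_ti(ti):
    """Parse 'ggg-hh1:mm1-hh2:mm2'; returns None for '*' (interval ignored)."""
    if ti == "*":
        return None
    parts = ti.split("-")
    if len(parts) < 3:
        raise ValueError(f"malformed time interval {ti!r}")
    # The day part may itself contain '-' (MO-WE), so take the two time
    # bounds from the right and re-join whatever is left as ggg.
    return parse_days("-".join(parts[:-2])), parse_hhmm(parts[-2]), parse_hhmm(parts[-1])


def in_time_band(ti, when):
    """True if datetime `when` falls inside the TI band (end bound exclusive)."""
    band = parse_ti(ti)
    if band is None:
        return True                      # '*': the filter applies at any time
    days, start, end = band
    minute = when.hour * 60 + when.minute
    if start <= end:                     # ordinary same-day band
        return when.weekday() in days and start <= minute < end
    # Overnight band (assumption): after `start` it belongs to today,
    # before `end` it belongs to the previous listed day.
    if minute >= start:
        return when.weekday() in days
    return (when.weekday() - 1) % 7 in days and minute < end


if __name__ == "__main__":
    # Constructed sample checks, not taken from a live system.
    for ti, when in [("MO-FR-08:00-18:00", datetime(2024, 1, 10, 9, 30)),
                     ("MO-FR-08:00-18:00", datetime(2024, 1, 13, 9, 30)),
                     ("FR-22:00-06:00", datetime(2024, 1, 13, 3, 0)),
                     ("*", datetime(2024, 1, 13, 3, 0))]:
        print(f"{ti:<20} {when:%a %Y-%m-%d %H:%M} -> {in_time_band(ti, when)}")
```

Used with `in_time_band(filter_ti, datetime.now())` the function tells you whether a filter with that TI is currently in force, which is worth checking before concluding that a DENY entry is protecting something outside its time band.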
The a ipacl command adds a new filter to the IP access list, with priority “PR:xxx”, and sets the requested parameters to the specified values.
The syntax of the command is:
a ipacl pr:xxx TYPE:val SA:val DA:val PROT:val [SPO:val DPO:val] [par:val]
[11:56:37] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 PERMIT 192.168.000.001:192.168.000.010 * DFT * * * * 2 5 NONE
-------------------------------------------------------------------------------
1 DENY * * * * * * 2 5 NONE
-------------------------------------------------------------------------------
[11:56:38] ABILIS_CPX:a ipacl pr:1 type:permit sa:192.168.0.50:192.168.0.60 da:* prot:tcp spo:* dpo:80 sip:2 dip:5
COMMAND EXECUTED
[11:58:02] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:3
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 PERMIT 192.168.000.001:192.168.000.010 * DFT * * * * 2 5 NONE
-------------------------------------------------------------------------------
1 PERMIT 192.168.000.050:192.168.000.060 * DFT tcp * http(80) * * 2 5 NONE
-------------------------------------------------------------------------------
2 DENY * * * * * * 2 5 NONE
-------------------------------------------------------------------------------
The c ipacl command deletes the specified definition, if present in the IP access list. The priority of the filters whose “PR:xxx” is higher than the deleted one is decremented by one, to keep the table contiguous.
The syntax of the command is:
c ipacl pr:xx
[11:58:02] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
Tot-IPACL-Number:3
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 PERMIT 192.168.000.001:192.168.000.010 * DFT * * * * 2 5 NONE
-------------------------------------------------------------------------------
1 PERMIT 192.168.000.050:192.168.000.060 * DFT tcp * http(80) * * 2 5 NONE
-------------------------------------------------------------------------------
2 DENY * * * * * * 2 5 NONE
-------------------------------------------------------------------------------
[11:58:04] ABILIS_CPX:c ipacl pr:1
COMMAND EXECUTED
[11:58:57] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 PERMIT 192.168.000.001:192.168.000.010 * DFT * * * * 2 5 NONE
-------------------------------------------------------------------------------
1 DENY * * * * * * 2 5 NONE
-------------------------------------------------------------------------------
The s ipacl command sets the values of the specified filter. The syntax of the command is:
s ipacl pr:xxx par:val [par:val]
[11:58:57] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 PERMIT 192.168.000.001:192.168.000.010 * DFT * * * * 2 5 NONE
-------------------------------------------------------------------------------
1 DENY * * * * * * 2 5 NONE
-------------------------------------------------------------------------------
[11:58:58] ABILIS_CPX:s ipacl pr:0 prot:tcp
COMMAND EXECUTED
[12:00:46] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 PERMIT 192.168.000.001:192.168.000.010 * DFT tcp * * * 2 5 NONE
-------------------------------------------------------------------------------
1 DENY * * * * * * 2 5 NONE
-------------------------------------------------------------------------------
The m ipacl command changes the priority of a filter from “PR:xxx” to “PR:yyy”.
The syntax of the command is:
m ipacl pr:xxx pr:yyy
[12:01:38] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 DENY * * * * * * 2 5 NONE
-------------------------------------------------------------------------------
1 PERMIT 192.168.000.001:192.168.000.010 * DFT * * * * 2 5 NONE
-------------------------------------------------------------------------------
[12:01:39] ABILIS_CPX:m ipacl pr:0 pr:1
COMMAND EXECUTED
[12:01:43] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 PERMIT 192.168.000.001:192.168.000.010 * DFT * * * * 2 5 NONE
-------------------------------------------------------------------------------
1 DENY * * * * * * 2 5 NONE
-------------------------------------------------------------------------------
The f ipacl command verifies how the IP datagram specified in the command will be handled, depending on the current content of the IP access list.
The command has two different ways of searching the IP access list:
- Standard searching mode: the search verifies the source and destination IP address fields, the Type Of Service and the source IP port value; optionally it can also verify the destination IP port.
- Extended searching mode: the search verifies the source and destination IP addresses, the Type Of Service, the Internet protocol and the source and destination ports (required only for the TCP and UDP protocols); optionally it can also verify the destination IP port.
This is the syntax of the two forms of the command:
f ipacl [STD] SrcAddr DstAddr TOS SrcIp [DstIp] [Time]
f ipacl EXT SrcAddr DstAddr TOS Protocol SrcPort DstPort SrcIp [DstIp] [Time]
[12:43:54] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:EXT ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: DA:
IPCOS: PROT: SPO:/PO: DPO:
TOS-IN: TOS-OUT: SIP: DIP: CRDIR: CRKEY:
TI:
-------------------------------------------------------------------------------
0 PERMIT * * LOW * * * * INT * NONE
-------------------------------------------------------------------------------
1 DENY * * * * * * 1 * NONE
-------------------------------------------------------------------------------
[12:44:08] ABILIS_CPX:f ipacl EXT 1.1.1.1 2.2.2.2 C tcp 1024 2000 1
EXTENDED SEARCH RESULT:
IP FORWARDING IS NOT PERMITTED
[12:44:12] ABILIS_CPX:f ipacl EXT 1.1.1.1 2.2.2.2 C tcp 1024 2000 INT
EXTENDED SEARCH RESULT:
MATCH FOUND WITH IPACL PR:0
IP FORWARDING IS PERMITTED:
- OUTPUT TOS/DS: 0-TR/000011 (00001100 [0C])
- IP CLASS OF SERVICE: LOW
- ENCRYPTION/DECRYTPTION DIRECTION: NONE
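The behaviour described throughout this section (the PR first-match order starting at priority 0, the a/c/m commands keeping priorities contiguous, the SA/DA/SPO/DPO/PO value syntax, and the f ipacl EXT lookup) can be reproduced offline in a few dozen lines, which is useful for reasoning about a table before typing it into a live unit. The Python below is an added example, not Abilis code: it models the table with only TYPE, SA, DA, PROT, SPO, DPO, PO and SIP (IPCOS, TOS, DIP, CRDIR/CRKEY, TI and Elements Lists are left out), uses a constructed subset of protocol and port mnemonics, and treats SIP as a plain string compared for equality. It keeps the manual's stated default of routing a datagram that matches no filter, so `find()` on a table without a final DENY entry returns a permit for anything the table does not name, which is exactly why every session on this page ends with a DENY * * filter.

```python
import ipaddress

# Added example, not Abilis code. Mnemonic tables are a constructed subset.
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}
PORTS = {"telnet": 23, "snmp": 161, "http": 80}
MAX_FILTERS = 256                      # table size stated by the manual


def _addr(tok):
    return int(ipaddress.IPv4Address(tok))


def _proto(tok):
    tok = str(tok).lower()
    return PROTOCOLS[tok] if tok in PROTOCOLS else int(tok)


def _port(tok):
    tok = str(tok).lower()
    return PORTS[tok] if tok in PORTS else int(tok)


def _in_range(spec, value, conv):
    """'*' matches anything; 'a' one value; 'a:b' an inclusive interval."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition(":")
    lo = conv(lo)
    hi = conv(hi) if hi else lo
    return lo <= value <= hi


def match_proto(spec, proto):
    """PROT: '*', 'tcpudp', or a mnemonic/numeric identifier."""
    if spec == "*":
        return True
    if spec.lower() == "tcpudp":
        return _proto(proto) in (6, 17)
    return _proto(spec) == _proto(proto)


class IpAcl:
    """Ordered filter table; the list index is the PR priority index."""

    DEFAULTS = {"type": "PERMIT", "sa": "*", "da": "*", "prot": "*",
                "spo": "*", "dpo": "*", "sip": "*"}

    def __init__(self):
        self.filters = []

    def add(self, pr, **params):           # a ipacl pr:xxx par:val ...
        if len(self.filters) >= MAX_FILTERS:
            raise ValueError("IPACL table full (256 filters)")
        if not 0 <= pr <= len(self.filters):
            raise ValueError("PR must keep the table contiguous")
        f = dict(self.DEFAULTS, **{k.lower(): str(v) for k, v in params.items()})
        self.filters.insert(pr, f)         # filters from pr upwards shift by one

    def delete(self, pr):                  # c ipacl pr:xx
        del self.filters[pr]               # higher priorities are decremented

    def set(self, pr, **params):           # s ipacl pr:xxx par:val
        self.filters[pr].update({k.lower(): str(v) for k, v in params.items()})

    def move(self, src, dst):              # m ipacl pr:xxx pr:yyy
        self.filters.insert(dst, self.filters.pop(src))

    def types(self):
        return [f["type"] for f in self.filters]

    def find(self, sa, da, prot, spo, dpo, sip):   # f ipacl EXT ... SrcIp
        """(matching PR, TYPE); (None, 'PERMIT') when no filter matches."""
        for pr, f in enumerate(self.filters):      # first match wins, from PR 0
            if not (_in_range(f["sa"], _addr(sa), _addr)
                    and _in_range(f["da"], _addr(da), _addr)
                    and match_proto(f["prot"], prot)
                    and f["sip"] in ("*", str(sip))):
                continue
            if _proto(prot) in (6, 17):            # ports matter only for TCP/UDP
                if "po" in f:                      # PO: either port in the interval
                    ok = _in_range(f["po"], spo, _port) or _in_range(f["po"], dpo, _port)
                else:
                    ok = _in_range(f["spo"], spo, _port) and _in_range(f["dpo"], dpo, _port)
                if not ok:
                    continue
            return pr, f["type"]
        return None, "PERMIT"                      # manual: unmatched datagrams are routed


if __name__ == "__main__":
    # The page's f ipacl EXT session: PR 0 PERMIT SIP:INT, PR 1 DENY SIP:1.
    acl = IpAcl()
    acl.add(0, type="PERMIT", sip="INT")
    acl.add(1, type="DENY", sip="1")
    print(acl.find("1.1.1.1", "2.2.2.2", "tcp", 1024, 2000, "1"))     # (1, 'DENY')
    print(acl.find("1.1.1.1", "2.2.2.2", "tcp", 1024, 2000, "INT"))   # (0, 'PERMIT')
```

Run the module and then replay your own intended a/c/s/m sequence against an `IpAcl` instance; comparing `types()` after each step with the d ipacl output expected on the unit catches off-by-one priority mistakes (the insert shifting an existing entry, a delete renumbering the entries after it) before the change is made live.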