Policies and Filters
December 2000 C - 9
IP Access Policies
IP access policies are rules that determine whether the device forwards or drops IP packets. You create an IP
access policy by defining an IP filter, then applying it to an interface. The filter consists of source and destination
IP information and the action to take when a packet matches the values in the filter. You can configure an IP filter
to permit (forward) or deny (drop) the packet.
You also can configure Layer 4 information in an IP filter. If you configure Layer 4 information, you are configuring
a Layer 4 policy. See “TCP/UDP Access Policies” on page C-20.
You can apply an IP filter to inbound or outbound packets. When you apply the filter to an interface, you specify
whether the filter applies to inbound packets or outbound packets. Thus, you can use the same filter on multiple
interfaces and specify the filter direction independently on each interface.
Figure C.1 shows an example of an inbound IP access policy group applied to port 1 on slot 1 of a BigIron Layer 3
Switch. In this example, packets enter the port from left to right. The first three packets have entered the port and
have been permitted or denied. The two packets on the left have not yet entered the port. When they do, they will
be permitted. Since the last policy in the group is a “permit any” policy, all packets that do not match another
policy are permitted. The “permit any” policy changes the default action to permit.
Figure C.1 IP access policies in inbound policy group for a port
Actions
IP access policies either forward or drop IP packets based on the IP source and IP destination addresses. You
also can configure the policy to forward or drop a packet based on TCP/UDP port information. In this case, you
are configuring a TCP/UDP access policy. See “TCP/UDP Access Policies” on page C-20.
Inbound IP Access Policy Group for Port 1/1
PolicyID Action Source Destination
--------------------------------------------------------------------------------
3 Deny 209.157.22.26/32 any
17 Deny 209.157.22.14/32 any
34 Deny 209.157.22.69/32 201.21.2.7/32
1024 Permit any any
Permitted
Source:
209.157.22.69/24
Dest:
211.44.29.67/24
Source:
209.157.22.26/24
Dest:
201.21.2.7/24
Source:
209.157.22.128/24
Dest:
209.184.66.128/24
Source:
209.157.22.69/24
Dest:
209.211.44.128/24
Source:
209.157.22.11/24
Dest:
209.241.12.66/24
Permitted
Bit
Bucket
Denied
To Next Page
Loading...
Need help?
General
