PREV NEXT INDEX

Avici Systems Inc.


ip default-access-group


Applies a default access list filter to packets on any interface not explicitly configured.

Syntax: [no] ip default-access-group access-list-name {control-in | control-out | in | out | mpls-in}

access-list-name

Name of an access-list.

control-in

Filters inbound packets destined for the server.

control-out

Filters outbound packets sourced by the server.

in

Filters inbound packets forwarded across the fabric.

out

Filters outbound packets forwarded across the fabric

mpls-in

Filters inbound IP encapsulated MPLS packets.

Description: There are many instances when you need to control the sending and receiving of route updates and/or specific types of packets. Access lists are filters that enable you to control which packets are permitted or denied.

Access lists select packets for filtering based on a eight tuple criteria. Access-groups apply access lists to the interface in order to control the type of packet permitted or denied on that interface.

Use the ip default-access-group command in configuration mode to apply the specified access list to traffic on any interface that is not explicitly configured using the ip access-group for the specified keyword control-in, control-out, in, out, or mpls-in.

Use the control-in keyword to filter inbound packets destined for the server.

Use the control-out keyword to filter outbound packets sourced by the server. If no keyword is used, outbound packets are filtered.

Use the in keyword to filter inbound packets forwarded across the fabric. Filtering is configured and applied at the ingress interface.

Use the out keyword to filter outbound packets forwarded across the fabric. Filtering is configured and applied at the egress interface.

Use the mpls-in keyword to filter inbound IP encapsulated MPLS packets. Filtering is configured and applied at the tunnel ingress interface.

NOTE When configuring access lists, all access lists have an implicit deny-all as a last rule. With the exception of egress filtering, if an uncreated or empty access list is applied to an interface, it will drop traffic until rules are applied to the list. To insure that the list operates as desired, first create the access list and add the appropriate rules before applying the access list to the interface. In the case of egress filtering (out), IPriori behaves as though no filter was applied, if the access-list is uncreated or empty; it forwards all traffic.

Any changes to the specified access list are immediately applied to the access group. Build your access list first and then use the ip access-group command to apply the access list to the interface.

Factory Default: No default access group defined. The default direction for filtering packets is outbound.

Command Mode: Configuration.

Example 1: In the following example:

router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

router(config)#interface pos 1/14/1

router(config-if)#mirror pos 1/13/1

router(config-if)#exit

router(config)#sample src-100-d 100

router(config)#sample src-100-p 100

router(config)#ip access-list extended src_filter

router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d

router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p

router(config-ext-nacl)#permit ip any any

router(config-ext-nacl)#exit

router(config)#interface pos 1/14/1

router(config-if)#ip access-group src_filter in

router(config-if)#exit

router(config)#ip access-group extended forme

router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet

router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255

router(config-ext-nacl)#exit

router(config)#ip default-access-group forme control-in

router(config)#end

router#

Example 2: In the following example, an access list named SRV4access is created to prevent all telnet and FTP access to the server via the ethernet port, except from one specified source.

router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq telnet

router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq ftp

router(config)#access-list SRV4access permit tcp host 145.10.10.0 any eq ftp-data

router(config)#access-list SRV4access deny tcp any any eq telnet

router(config)#access-list SRV4access deny tcp any any eq ftp

router(config)#access-list SRV4access deny tcp any any eq ftp-data

router(config)#interface ethernet 0

router(config-if)#ip access-group SRV4access control-in

router(config-if)#exit

Example 3: In the following example:

router(config)#access-list noSNMP deny udp any any eq snmp

router(config)#access-list noSNMP permit ip any any

router(config)#access-list SNMP permit udp any any eq snmp

router(config)#ip default-access-group noSNMP control-in

router(config)#ip default-access-group noSNMP control-out

router(config-if)#exit

router(config)#interface pos 1/1/1

router(config-if)#ip access-group SNMP control-in

router(config-if)#exit

Related Commands: interface
access-list
deny
ip access-group
ip access-list
permit
show access-lists
show ip access-lists


PREV NEXT INDEX

Copyright © 2004 Avici Systems Inc.
Avici® and TSR® is a registered trademark of Avici Systems Inc.
IPriori™, Composite Links™, SSR™, QSR, and NSR® are trademarks of Avici Systems Inc.

   Source File Name: Routing_Pol.fm
    HTML File Name: Routing_Pol11.html
    Last Updated: 05/10/04 at 16:38:37

Please email suggestions and comments to: doc@avici.com