
How Do I Use the AND Operator in Traffic Classifiers?

Publication Date: 2019-04-16
Issue Description

The requirements are as follows:

1. AR1 functions as a gateway to implement Internet access.

2. The specified source MAC address cannot access the specified destination IP address.

3. Terminals communicate with other devices properly.

Handling Process

1. ACL matching destination IP addresses that exist on the network (traffic to them can match)

acl number 3000

 rule 5 permit ip destination 1.1.1.1 0

 rule 10 permit ip destination 2.2.2.2 0

2. ACL matching a destination IP address that no traffic uses (this ACL can never be matched)

acl number 3001

 rule 5 permit ip destination 10.10.10.10 0

3. Defining a traffic behavior

traffic behavior deny

 deny

4. Configuring the AND operator for the traffic classifier rules (four scenarios)

Scenario 1:

Destination IP address: ACL 3000

Source MAC address: ACL 4000

1.1 Defining the ACL for the source MAC address

acl number 4000

 rule 5 permit source-mac 0819-a6b3-948f

1.2 Configuring the ACL in a traffic classifier

traffic classifier 2-acl operator and

 if-match acl 3000

 if-match acl 4000

1.3 Configuring and applying a traffic policy

traffic policy 2-acl

 classifier 2-acl behavior deny precedence 5

interface Ethernet0/0/1

 traffic-policy 2-acl inbound

1.4 Configuration result

1.5 Summary

In scenario 1, the specified source MAC address cannot access any IP address, including the gateway address. Both if-match rules in the classifier are ACL rules, and the classifier is matched as soon as any one of the ACL rules is matched. Every packet from the source MAC address matches ACL 4000, so the deny behavior in the traffic policy is executed for all of them, regardless of whether the destination IP address is the one in ACL 3000.

Scenario 2:

Destination IP address: ACL 3000

Source MAC address: matched in the traffic classifier

2.1 Configuring the ACL in a traffic classifier and matching the source MAC address

traffic classifier 1-acl:1-class operator and

 if-match acl 3000

 if-match source-mac 80fb-0638-ea75

2.2 Configuring and applying a traffic policy

traffic policy 1-acl:1-class

 classifier 1-acl:1-class behavior deny precedence 5

interface Ethernet0/0/1

 traffic-policy 1-acl:1-class inbound

2.3 Configuration result

2.4 Summary

The difference between scenario 1 and scenario 2 is how the source MAC address is matched. In scenario 1, an ACL is used; in scenario 2, the source MAC address is matched directly in the traffic classifier with if-match source-mac. In scenario 2, the specified source MAC address cannot access the specified IP addresses (those in ACL 3000) but can still reach other addresses. That is, the traffic classifier is matched only when both the ACL rule and the source MAC address rule are matched, and only then is the deny behavior executed.

Scenario 3:

Destination IP address: ACL 3000

Source MAC address: matched in the traffic classifier

ACL 3001: not configured

3.1 Configuring the ACL in a traffic classifier and matching the source MAC address

traffic classifier 2-acl:1-class operator and

 if-match acl 3000

 if-match acl 3001

 if-match source-mac 749d-8f8f-d540

3.2 Configuring and applying a traffic policy

traffic policy 2-acl:1-class

 classifier 2-acl:1-class behavior deny precedence 5

interface Ethernet0/0/2

 traffic-policy 2-acl:1-class inbound

3.3 Configuration result

3.4 Summary

The difference between scenario 2 and scenario 3 is that an ACL that can never be matched (ACL 3001) is added to the traffic classifier. The result is the same as in scenario 2. This indicates that a traffic classifier is matched as long as at least one of its ACL rules and all of its non-ACL rules are matched, even if another ACL rule in the classifier is not matched.

Scenario 4:

Source MAC address: matched in the traffic classifier

ACL 3001: not configured

4.1 Configuring the ACL in a traffic classifier and matching the source MAC address

traffic classifier 1-acl(none):1-class operator and

 if-match acl 3001

 if-match source-mac 0819-a6b3-94a6

4.2 Configuring and applying a traffic policy

traffic policy 1-acl(none):1-class

 classifier 1-acl(none):1-class behavior deny precedence 5

interface Ethernet0/0/2

 traffic-policy 1-acl(none):1-class inbound

4.3 Configuration result

4.4 Summary

The difference between scenario 2 and scenario 4 is whether the ACL in the classifier can be matched. The result is that the specified source MAC address can access the specified destination IP address and all other IP addresses. This indicates that a traffic classifier is not matched if its source MAC address rule is matched but none of its ACL rules can be matched.

Summary

Matched rule and ping result for each test source MAC address (column) against each destination IP address (row):

Destination IP | 0819-a6b3-948f (scenario 1) | 80fb-0638-ea75 (scenario 2)           | 749d-8f8f-d540 (scenario 3)           | 0819-a6b3-94a6 (scenario 4)
1.1.1.1        | ACL 3000 (The ping fails.)  | ACL 3000 (The ping fails.)            | ACL 3000 (The ping fails.)            | No matching (The ping is successful.)
192.168.10.1   | ACL 4000 (The ping fails.)  | No matching (The ping is successful.) | No matching (The ping is successful.) | No matching (The ping is successful.)
3.3.3.3        | ACL 4000 (The ping fails.)  | No matching (The ping is successful.) | No matching (The ping is successful.) | No matching (The ping is successful.)

When the AND operator is configured for a traffic classifier that contains one or more ACL rules, the classifier is matched when at least one ACL rule is matched and all of the non-ACL rules (such as if-match source-mac) are matched. In other words, the ACL rules are ORed with each other and that result is ANDed with the non-ACL rules. If no ACL rule is matched, the traffic classifier is not matched even if all the non-ACL rules are matched, and the deny behavior is not executed.
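The following is an added example, not part of the original page or the device's own software: a small Python model of the matching rule stated above (ACL rules ORed together, then ANDed with every non-ACL rule), run over the four scenarios to reproduce the ping results in the summary table. The ACL contents, MAC addresses and destination IPs are taken from the configurations above; the behaviour of a classifier with no ACL rules at all is an assumption, since the page only covers classifiers that contain at least one.

```python
# Added example (not from the original page): model of a Huawei traffic
# classifier configured with "operator and" that contains ACL rules and
# non-ACL rules, reproducing the four scenarios' ping results.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_ip: str


# ACLs from the page: 3000/3001 match destination IPs, 4000 matches a source MAC.
ACLS = {
    3000: {"dst_ip": {"1.1.1.1", "2.2.2.2"}},
    3001: {"dst_ip": {"10.10.10.10"}},  # no traffic on the network uses this address
    4000: {"src_mac": {"0819-a6b3-948f"}},
}


def acl_matches(acl_number, pkt):
    acl = ACLS[acl_number]
    if "dst_ip" in acl:
        return pkt.dst_ip in acl["dst_ip"]
    return pkt.src_mac in acl["src_mac"]


def classifier_matches(rules, pkt):
    """rules: list of ("acl", number) or ("source-mac", mac).
    Matched when at least one ACL rule matches AND every non-ACL rule matches.
    Assumption: with no ACL rules at all, only the non-ACL rules decide."""
    acl_rules = [n for kind, n in rules if kind == "acl"]
    mac_rules = [v for kind, v in rules if kind == "source-mac"]
    acl_ok = (not acl_rules) or any(acl_matches(n, pkt) for n in acl_rules)
    mac_ok = all(pkt.src_mac == mac for mac in mac_rules)
    return acl_ok and mac_ok


# The four classifiers from the page, and the test MAC used in each scenario.
SCENARIOS = {
    1: [("acl", 3000), ("acl", 4000)],
    2: [("acl", 3000), ("source-mac", "80fb-0638-ea75")],
    3: [("acl", 3000), ("acl", 3001), ("source-mac", "749d-8f8f-d540")],
    4: [("acl", 3001), ("source-mac", "0819-a6b3-94a6")],
}
MACS = {1: "0819-a6b3-948f", 2: "80fb-0638-ea75", 3: "749d-8f8f-d540", 4: "0819-a6b3-94a6"}


def ping_allowed(scenario, dst_ip):
    """True if a ping from the scenario's MAC to dst_ip is not dropped by the deny behavior."""
    return not classifier_matches(SCENARIOS[scenario], Packet(MACS[scenario], dst_ip))


if __name__ == "__main__":
    for s in SCENARIOS:
        print(s, {ip: ping_allowed(s, ip) for ip in ("1.1.1.1", "192.168.10.1", "3.3.3.3")})
```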
