diff options
Diffstat (limited to 'docs/configuration/policy/access-list.rst')
| -rw-r--r-- | docs/configuration/policy/access-list.rst | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/docs/configuration/policy/access-list.rst b/docs/configuration/policy/access-list.rst new file mode 100644 index 00000000..41c35986 --- /dev/null +++ b/docs/configuration/policy/access-list.rst @@ -0,0 +1,77 @@ +################## +Access List Policy +################## + +Filtering is used for both input and output of the routing information. Once +filtering is defined, it can be applied in any direction. VyOS makes filtering +possible using acls and prefix lists. + +Basic filtering can be done using access-list and access-list6. + +************* +Configuration +************* + +Access Lists +============ + +.. cfgcmd:: set policy access-list <acl_number> + + This command creates the new access list policy, where <acl_number> must be + a number from 1 to 2699. + +.. cfgcmd:: set policy access-list <acl_number> description <text> + + Set description for the access list. + +.. cfgcmd:: set policy access-list <acl_number> rule <1-65535> action + <permit|deny> + + This command creates a new rule in the access list and defines an action. + +.. cfgcmd:: set policy access-list <acl_number> rule <1-65535> + <destination|source> <any|host|inverse-mask|network> + + This command defines matching parameters for access list rule. Matching + criteria could be applied to destinarion or source parameters: + + * any: any IP address to match. + * host: single host IP address to match. + * inverse-match: network/netmask to match (requires network be defined). + * network: network/netmask to match (requires inverse-match be defined). + +IPv6 Access List +================ + +Basic filtering could also be applied to IPv6 traffic. + +.. cfgcmd:: set policy access-list6 <text> + + This command creates the new IPv6 access list, identified by <text> + +.. cfgcmd:: set policy access-list6 <text> description <text> + + Set description for the IPv6 access list. + +.. cfgcmd:: set policy access-list6 <text> rule <1-65535> action <permit|deny> + + This command creates a new rule in the IPv6 access list and defines an + action. + +.. cfgcmd:: set policy access-list6 <text> rule <1-65535> source + <any|exact-match|network> + + This command defines matching parameters for IPv6 access list rule. Matching + criteria could be applied to source parameters: + + * any: any IPv6 address to match. + * exact-match: exact match of the network prefixes. + * network: network/netmask to match (requires inverse-match be defined) BUG, + NO invert-match option in access-list6 + + +******** +Examples +******** + +Examples would be uploaded soon.
\ No newline at end of file |