
ip access-list route

ip access-list route <accname>

<source> <dest> <service> <action> forward|route {ipsec-map <ipsec-map-name>}|{next-hop-list <next-hop-list-name>}|{tunnel <tunnel-id>}|{tunnel-group <tunnelgroupname>} [position <position>]

Description

This command configures an ACL (Access Control List) for PBR (Policy-based Routing). PBR provides a flexible mechanism for forwarding packets based on policies configured by a network administrator rather than on the routing table alone.

Syntax

Parameter

Description

route <accname>

Define a route access list, where <accname> is an access list name

<source>

The traffic source, which can be one of the following:

alias <name>: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)

any: match any traffic

host <ip-addr>: specify a single host IP address

localip: specify the local IP address to match traffic

network <ip-addr> <netmask>: specify the IP address and netmask

no: negate a command

user: represents the IP address of the user

<dest>

The traffic destination, which can be one of the following:

alias <name>: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)

any: match any traffic

host <ip-addr>: specify a single host IP address

localip: specify the local IP address to match traffic

network <ip-addr> <netmask>: specify the IP address and netmask

user: represents the IP address of the user

<service>

Network service to which the ACL is applied. The service can be one of the following:

any: match any traffic

app <string>: application name. (For a complete list of supported applications, issue the command show dpi application all.)

appcategory <string>: application category name. (For a complete list of supported applications, issue the command show dpi application all.)

icmp: Internet Control Message Protocol

tcp <0-65535>: specify the TCP destination port number (0-65535)

tcp source <0-65535>: TCP source port number

udp <0-65535>: UDP destination port number (0-65535)

udp source <0-65535>: UDP source port number

<0-255>: IP protocol number (0-255)

<string>: name of a network service (use the show netservice command to see configured services)

<action>

Action if rule is applied, which can be one of the following:

forward: Explicitly define an ACL with a forward action to skip PBR for traffic which would otherwise match another PBR rule.

route ipsec-map <ipsec-map-name>: Redirected over a VPN tunnel by specifying the ipsec-map name. For more information on IPsec maps, see crypto-local ipsec-map.

route next-hop-list <next-hop-list-name>: Packets can be routed to a nexthop router on a nexthop list by specifying the nexthop list name. For more information on nexthop lists, see ip nexthop-list.

route tunnel <tunnel-id>: Packets can be redirected over an L3 GRE tunnel.

route tunnel-group <tunnelgroupname>: Packets can be redirected over an L3 GRE tunnel group. For more information on tunnel groups, see tunnel-group.

[position <position>]: (Optional) Specify the position of the forwarding or routing rule. (1 is first, default is last)

Usage Guidelines

PBR is an optional feature that allows packets to be routed based on ACLs configured by the administrator. By default, when a managed device receives a packet for routing, it looks up the destination IP in the routing table and forwards the packet to the nexthop router. If PBR is configured, the nexthop device can be chosen based on a defined ACL.

In a typical deployment scenario with multiple uplinks, the default route only uses one of the uplink next-hops for forwarding packets. If a nexthop becomes unreachable, the packets will not reach their destination. If your deployment uses PBR based on a nexthop list, any of the uplink nexthops could be used for forwarding traffic. This requires a valid ARP entry (Route-cache) in the system for all the PBR nexthops.

Example

The following command configures a routing access list using an IPsec map.

(host) [mynode] (config) #ip access-list route pbr1

(host) [mynode] (config-submode) #any any udp 100 route ipsec-map VPN1
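To make the rule-evaluation semantics concrete, the following is an added Python model; it is not ArubaOS code and not part of this reference. It parses rule lines in the syntax documented above, orders them by position (1 is first, default is last), and returns the action that applies to a packet. It assumes, as ordinary ACL evaluation does, that rules are checked in position order and the first match wins, and that no match means the packet follows the normal routing table. The corp-net alias, the uplinks next-hop list, the netservice table and the packet addresses are constructed sample values; app and appcategory services need DPI classification and are not modelled.

```python
"""Added model of route-ACL (PBR) evaluation; not device code.
Rule syntax: <source> <dest> <service> forward|route <kind> <name> [position <n>]
Assumed: first match in position order wins; no match -> routing table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int          # IP protocol number: 1=icmp, 6=tcp, 17=udp
    src_port: int = 0
    dst_port: int = 0


def _parse_endpoint(tok, i):
    """Parse one <source>/<dest> spec; returns (spec, next token index)."""
    kw = tok[i]
    if kw in ("any", "localip", "user"):
        return (kw,), i + 1
    if kw == "host":
        return ("host", ipaddress.ip_address(tok[i + 1])), i + 2
    if kw == "network":  # network <ip-addr> <netmask>
        return ("network", ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False)), i + 3
    if kw == "alias":
        return ("alias", tok[i + 1]), i + 2
    raise ValueError(f"bad endpoint keyword {kw!r}")


def _parse_service(tok, i):
    """Parse one <service> spec; returns (spec, next token index)."""
    kw = tok[i]
    if kw in ("any", "icmp"):
        return (kw,), i + 1
    if kw in ("tcp", "udp"):
        if tok[i + 1] == "source":  # tcp|udp source <port>
            return (kw, "source", int(tok[i + 2])), i + 3
        return (kw, "dest", int(tok[i + 1])), i + 2
    if kw in ("app", "appcategory"):
        return (kw, tok[i + 1]), i + 2
    if kw.isdigit():  # raw IP protocol number 0-255
        return ("proto", int(kw)), i + 1
    return ("netservice", kw), i + 1  # name of a configured netservice


def parse_rule(line):
    """Returns ((src, dst, svc, action), position-or-None)."""
    tok = line.split()
    src, i = _parse_endpoint(tok, 0)
    dst, i = _parse_endpoint(tok, i)
    svc, i = _parse_service(tok, i)
    if tok[i] == "forward":
        action, i = ("forward",), i + 1
    elif tok[i] == "route":  # route ipsec-map|next-hop-list|tunnel|tunnel-group <name>
        action, i = ("route", tok[i + 1], tok[i + 2]), i + 3
    else:
        raise ValueError(f"bad action {tok[i]!r}")
    pos = int(tok[i + 1]) if i < len(tok) and tok[i] == "position" else None
    return (src, dst, svc, action), pos


class RouteAcl:
    def __init__(self, name, aliases=None, netservices=None, local_ips=(), user_ips=()):
        self.name, self.rules = name, []
        self.aliases = {k: [ipaddress.ip_network(n) for n in v] for k, v in (aliases or {}).items()}
        self.netservices = netservices or {}  # constructed: name -> service tokens, e.g. "tcp 443"
        self.local_ips = {ipaddress.ip_address(a) for a in local_ips}
        self.user_ips = {ipaddress.ip_address(a) for a in user_ips}

    def add(self, line):
        rule, pos = parse_rule(line)
        if pos is None:
            self.rules.append(rule)           # default position: last
        else:
            self.rules.insert(pos - 1, rule)  # position 1 is first

    def _ep(self, spec, ip):
        kind = spec[0]
        if kind == "any":
            return True
        if kind == "host":
            return ip == spec[1]
        if kind == "network":
            return ip in spec[1]
        if kind == "alias":
            return any(ip in n for n in self.aliases.get(spec[1], ()))
        return ip in (self.local_ips if kind == "localip" else self.user_ips)

    def _svc(self, spec, pkt):
        kind = spec[0]
        if kind == "any":
            return True
        if kind == "icmp":
            return pkt.proto == 1
        if kind in ("tcp", "udp"):
            if pkt.proto != (6 if kind == "tcp" else 17):
                return False
            return (pkt.src_port if spec[1] == "source" else pkt.dst_port) == spec[2]
        if kind == "proto":
            return pkt.proto == spec[1]
        if kind == "netservice":
            return self._svc(_parse_service(self.netservices[spec[1]].split(), 0)[0], pkt)
        return False  # app/appcategory: DPI classification not modelled

    def lookup(self, pkt):
        """Action of the first matching rule, or None (use the routing table)."""
        s, d = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
        for src, dst, svc, action in self.rules:
            if self._ep(src, s) and self._ep(dst, d) and self._svc(svc, pkt):
                return action
        return None


if __name__ == "__main__":
    acl = RouteAcl("pbr1", aliases={"corp-net": ["10.0.0.0/8"]})  # alias is constructed
    acl.add("any any udp 100 route ipsec-map VPN1")            # rule from the page's example
    acl.add("any alias corp-net any forward position 1")       # constructed: exempt internal traffic
    acl.add("any any tcp 443 route next-hop-list uplinks")     # constructed next-hop list
    print(acl.lookup(Packet("192.0.2.10", "203.0.113.5", 17, 5000, 100)))
```

The forward rule inserted at position 1 is what exempts traffic to the internal alias from every route rule behind it; with the default (last) position it would never be reached for UDP/100 traffic, which is why position matters when a forward exemption is combined with broad route rules.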

Related Commands

Command

Description

interface vlan

This command associates a routing ACL with a specific VLAN.

ip nexthop-list

Use this command to define a next-hop list for a routing policy

Command History

ArubaOS 8.0.0.0: Command introduced.

Command Information

Platforms: All platforms

License: Requires the PEFNG (Policy Enforcement Firewall) license.

Command Mode: Config mode on Mobility Master.
