Access lists configured through localized data policy are called explicit ACLs. Explicit ACLs can be applied to any interface in any VPN on the device and can be used to filter, classify and mark traffic.
Class definitions (sdwan.localized_policies)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipv4_access_control_lists | List [ipv4_access_control_lists] | | No | |
ipv4_access_control_lists (sdwan.localized_policies.definitions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[A-Za-z0-9-_]{1,128}$` | Yes | |
| description | String | | Yes | |
| default_action | Choice | accept, drop | Yes | |
| sequences | List [sequences] | | No | |
sequences (sdwan.localized_policies.definitions.ipv4_access_control_lists)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| id | Integer | min: 1, max: 65534 | Yes | |
| name | String | | No | |
| base_action | Choice | accept, drop | Yes | |
| match_criterias | Class [match_criterias] | | No | |
| actions | Class [actions] | | No | |
match_criterias (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| class | String | Regex: `^[A-Za-z0-9-_]{1,128}$` | No | |
| destination_data_prefix_list | String | Regex: `^[A-Za-z0-9-_]{1,128}$` | No | |
| destination_ip_prefix | IP | | No | |
| destination_ports | List Integer | min: 0, max: 65535 | No | |
| destination_port_ranges | List [destination_port_ranges] | | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| packet_length | Integer | min: 0, max: 65535 | No | |
| priority | Choice | high, low | No | |
| protocols | List Integer | min: 0, max: 255 | No | |
| source_data_prefix_list | String | Regex: `^[A-Za-z0-9-_]{1,128}$` | No | |
| source_ip_prefix | IP | | No | |
| source_ports | List Integer | min: 0, max: 65535 | No | |
| source_port_ranges | List [source_port_ranges] | | No | |
| tcp | Choice | syn | No | |
actions (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| counter_name | String | min: 1, max: 20 | No | |
| class | String | Regex: `^[A-Za-z0-9-_]{1,128}$` | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| log | Boolean | true, false | No | |
| mirror_list | String | Regex: `^[A-Za-z0-9-_]{1,128}$` | No | |
| next_hop | IP | | No | |
| policer | String | Regex: `^[A-Za-z0-9-_]{1,128}$` | No | |
destination_port_ranges (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences.match_criterias)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| from | Integer | min: 0, max: 65535 | Yes | |
| to | Integer | min: 0, max: 65535 | Yes | |
source_port_ranges (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences.match_criterias)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| from | Integer | min: 0, max: 65535 | Yes | |
| to | Integer | min: 0, max: 65535 | Yes | |
Examples

Example-1: This example shows how to classify traffic based on DSCP marking.

```yaml
sdwan:
  localized_policies:
    definitions:
      ipv4_access_control_lists:
        # Only the keys carried by this excerpt are shown; the mandatory name,
        # default_action, sequence id and base_action fields, and the dscp
        # match criteria, are not present in it.
        - description: "Set traffic class based on DSCP"
          sequences:
            - actions:
                counter_name: 10-CLASS-REALTIME
            - actions:
                counter_name: 20-CLASS-VIDEO
            - name: Transactional traffic
              actions:
                class: CLASS-TRANSACTIONAL
                counter_name: 30-CLASS-TRANSACTIONAL
            - actions:
                counter_name: 40-CLASS-BULK
```
Example-2: This example shows how to secure an interface on which traffic from guest users is received.

```yaml
sdwan:
  localized_policies:
    definitions:
      ipv4_access_control_lists:
        # Only the keys carried by this excerpt are shown; the mandatory name,
        # default_action, sequence id and base_action fields are not present in it.
        - description: "Secure interface towards Guest users"
          sequences:
            - match_criterias:
                destination_data_prefix_list: DPL-ISE-GUEST
              actions:
                counter_name: 20-GUEST-PORTAL
            - name: To Enterprise Traffic
              match_criterias:
                destination_data_prefix_list: DPL-RFC1918
              actions:
                counter_name: 40-ENTERPRISE
```
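A pre-deployment check for ACL definitions written against the schema above, as an added example that is not part of this page or of the project's own tooling: it enforces the name regex, the accept/drop choices, the sequence id range and uniqueness, the port-range ordering and the dscp and counter_name bounds from the tables, and runs over a constructed guest-interface ACL (sample values such as `ACL-GUEST-IN` and the second sequence's drop action are assumptions, not taken from the page).

```python
import re
# Constraints taken from the ipv4_access_control_lists schema tables on this page.
NAME_RE = re.compile(r"^[A-Za-z0-9-_]{1,128}$")
ACTIONS = ("accept", "drop")

def _in(v, lo, hi):
    return isinstance(v, int) and lo <= v <= hi

def validate_acl(acl):
    # Returns the list of schema violations for one ipv4_access_control_lists entry.
    errors = []
    if not NAME_RE.match(str(acl.get("name", ""))):
        errors.append("name: must match ^[A-Za-z0-9-_]{1,128}$")
    if acl.get("default_action") not in ACTIONS:
        errors.append("default_action: must be accept or drop")
    seen = set()
    for seq in acl.get("sequences", []):
        sid, tag = seq.get("id"), f"sequence {seq.get('id')!r}"
        if not _in(sid, 1, 65534):
            errors.append(f"{tag}: id must be 1..65534")
        elif sid in seen:
            errors.append(f"{tag}: duplicate id")
        seen.add(sid)
        if seq.get("base_action") not in ACTIONS:
            errors.append(f"{tag}: base_action must be accept or drop")
        m, a = seq.get("match_criterias", {}), seq.get("actions", {})
        for key in ("destination_port_ranges", "source_port_ranges"):
            for r in m.get(key, []):
                if not (_in(r.get("from"), 0, 65535) and _in(r.get("to"), 0, 65535)
                        and r["from"] <= r["to"]):
                    errors.append(f"{tag}: {key} needs 0 <= from <= to <= 65535")
        if "dscp" in m and not _in(m["dscp"], 0, 63):
            errors.append(f"{tag}: match dscp must be 0..63")
        if "counter_name" in a and not 1 <= len(a["counter_name"]) <= 20:
            errors.append(f"{tag}: counter_name length must be 1..20")
    return errors

# Constructed sample (not from the page) in the style of Example-2: explicit default drop,
# a counted guest-portal allow, and a logged drop of guest traffic towards RFC1918 space.
GUEST_ACL = {
    "name": "ACL-GUEST-IN", "description": "Secure interface towards Guest users",
    "default_action": "drop",
    "sequences": [
        {"id": 10, "base_action": "accept",
         "match_criterias": {"destination_data_prefix_list": "DPL-ISE-GUEST",
                             "destination_port_ranges": [{"from": 8443, "to": 8443}]},
         "actions": {"counter_name": "20-GUEST-PORTAL"}},
        {"id": 20, "base_action": "drop",
         "match_criterias": {"destination_data_prefix_list": "DPL-RFC1918"},
         "actions": {"counter_name": "40-ENTERPRISE", "log": True}},
    ],
}
```

Running `validate_acl(GUEST_ACL)` on a definition loaded from the YAML inventory (for example with PyYAML) before a push catches an inverted port range or a missing `default_action` in review rather than on the device.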