A detailed description of each Object Type in the model is presented in this section.
AccessList
Description: Represents an Access Control List on the Device. The model represents AccessLists in two distinct flavors, each with a different type of rule. Cisco-style access lists have rules of type AclExtendedRule (which allow only one source and destination address per rule); Juniper, PIX, Linux, and some other devices have access lists that use rules of type AclGroupedRule (which allow multiple source or destination addresses per rule).
Parent Object Type(s): Device
Child Object Type(s): AclExtendedRule, AclGroupedRule
Ordered By: AclName
Sample configuration text:
r2621(config)#access-list 100 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
AclDstNetworkGroup
Description: A NetworkGroup used for Access List destination addresses
Parent Object Type(s): AclGroupedRule
Child Object Type(s): NetworkGroupEntry
Ordered By: GroupName
See NetworkGroup for a list of attributes.
AclDstPortGroup
Description: A PortGroup used for Access List destination ports
Parent Object Type(s): AclGroupedRule
Child Object Type(s): PortGroupEntry
Ordered By: GroupName
See PortGroup for a list of attributes.
AclExtendedRule
Description: A Cisco-style Access List rule within an AccessList. This can be a Standard or Extended rule. The extended rule captures the full set of extended attributes and may be sparsely populated, with only the attributes needed to describe the rule filled in.
Parent Object Type(s): AccessList
Child Object Type(s): none
Ordered By: RuleNumber
Sample configuration text:
r2621(config)#access-list 100 permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
r2621(config)#access-list 100 permit ip
% Incomplete command.
r2621(config)#access-list 100 permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
r2621(config)#access-list 100 permit ip host 1.1.1.0 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
r2621(config)#access-list 100 permit ip host 1.1.1.0 any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>
AclGroupedRule
Description: A Juniper-style Access List rule within an AccessList. The ACL Grouped Rule extends the basic rule settings by allowing lists of attribute values and groups of IP addresses, subnets, and ports. It is supported only by certain classes of equipment that allow lists and dynamically created attributes to be assigned to rules. The rule is usually associated with one or more Network Groups or Port Groups that specify the network IP addresses, network masks, and ports.
Parent Object Type(s): AccessList
Child Object Type(s): AclOption, DstNetworkGroup, DstPortGroup, SrcNetworkGroup, SrcPortGroup
Ordered By: RuleNumber, SrcIpAddress, DstIpAddress, SrcPortList, DstPortList (in that order). Note that if a Device does not supply rule numbers, the Device driver generates them automatically to keep the rules in proper order.
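The relationship between the two rule flavors, shown as an added example that is not part of the original documentation or the product's code: grouped rules that arrive without rule numbers are numbered in configuration order, then flattened into one-source, one-destination extended rules so ACLs from different device types can be compared line by line in an audit. The object type names and RuleNumber, SrcIpAddress and DstIpAddress come from this page; Action, DstPort, the list-valued group fields, the function names and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional

@dataclass(frozen=True)
class AclExtendedRule:            # one source and one destination per rule
    RuleNumber: int
    Action: str                   # hypothetical attribute name
    SrcIpAddress: str
    DstIpAddress: str
    DstPort: Optional[int]        # hypothetical attribute name; None = any port

@dataclass
class AclGroupedRule:             # groups simplified to plain lists (assumption)
    RuleNumber: Optional[int]     # None when the device supplies no number
    Action: str
    SrcNetworkGroup: List[str]
    DstNetworkGroup: List[str]
    DstPortGroup: List[int]

def number_rules(rules, step=10):
    """Fill in missing RuleNumbers so that configuration order is preserved."""
    last = 0
    for rule in rules:
        if rule.RuleNumber is None:
            rule.RuleNumber = last + step
        elif rule.RuleNumber <= last:
            raise ValueError(f"RuleNumber {rule.RuleNumber} breaks rule order")
        last = rule.RuleNumber
    return rules

def expand(rules):
    """Flatten grouped rules into extended rules, keeping evaluation order."""
    flat = []
    for rule in sorted(number_rules(rules), key=lambda r: r.RuleNumber):
        ports = rule.DstPortGroup or [None]
        for src, dst, port in product(rule.SrcNetworkGroup, rule.DstNetworkGroup, ports):
            flat.append(AclExtendedRule(len(flat) + 1, rule.Action, src, dst, port))
    return flat

def sample_rules():
    """Constructed sample: two grouped rules from a device without rule numbers."""
    return [
        AclGroupedRule(None, "permit", ["10.0.0.0/24", "10.0.1.0/24"], ["192.0.2.10"], [80, 443]),
        AclGroupedRule(None, "deny", ["any"], ["any"], []),
    ]

if __name__ == "__main__":
    for r in expand(sample_rules()):
        print(r)
```

A grouped rule expands to the product of its source, destination and port entries, so a short grouped ACL can become a long extended one; the flattened list is renumbered from 1 to keep every expanded entry in its original relative position.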
Attributes supported in AclGroupedRule: