SmartSwitch Router User Reference Manual 269
Chapter 19: Access Control List Configuration Guide

• Unlike other kinds of ACLs, a Profile ACL has no implicit deny rule. A Profile ACL only selects traffic for a feature; a packet that matches none of its rules is simply not selected, it is not dropped.
• Only certain ACL rule parameters are relevant for each configuration command. For example, the configuration command that creates NAT address pools for dynamic bindings (the nat create dynamic command) looks only at the source IP address in the specified ACL rule. The destination IP address, ports, and TOS parameters, if specified, are ignored.

Specific usage of Profile ACLs is described in more detail in the following sections.

Using Profile ACLs with the IP Policy Facility

The IP policy facility uses a Profile ACL to define the criteria that determine which packets should be forwarded according to an IP policy. Packets that meet the criteria defined in the Profile ACL are forwarded according to the ip-policy command that references the Profile ACL; packets that do not meet the criteria are forwarded normally.

For example, you can define an IP policy that causes all telnet packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24 to be forwarded to destination address 10.10.10.10. You use a Profile ACL to define the selection criteria (in this case, telnet packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24). Then you use an ip-policy command to specify what happens to packets that match the selection criteria (in this example, forward them to address 10.10.10.10).
The following commands illustrate this example.

This command creates a Profile ACL called prof1 that uses as its selection criteria all telnet packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24:

    ssr(config)# acl prof1 permit ip 9.1.1.0/24 15.1.1.0/24 any any telnet 0

This Profile ACL is then used in conjunction with the ip-policy command to cause packets matching prof1's selection criteria (that is, telnet packets travelling from 9.1.1.0/24 to 15.1.1.0/24) to be forwarded to 10.10.10.10:

    ssr(config)# ip-policy p5 permit profile prof1 next-hop-list 10.10.10.10

See "IP Policy-Based Forwarding Configuration Guide" on page 207 for more information on using the ip-policy command.

Using Profile ACLs with the Traffic Rate Limiting Facility

Traffic rate limiting is a mechanism that allows you to control bandwidth usage of incoming traffic on a per-flow basis. A flow meeting certain criteria can have its packets re-prioritized or dropped if its bandwidth usage exceeds a specified limit.

For example, you can cause packets in flows from source address 1.2.2.2 to be dropped if their bandwidth usage exceeds 10 Mbps. You use a Profile ACL to define the selection
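The selection semantics described in this section, modelled in Python as an added illustration: the two points at the top of the page (no implicit deny, and commands that read only some of a rule's fields), the prof1 / ip-policy example, and the per-flow rate-limiting example. This is not SSR code and is not part of the manual. The Rule and Packet field names, the mapping of "telnet" to TCP destination port 23, the treatment of an explicit deny rule as "matched but not selected", and the sample packets are this example's own assumptions; the point it demonstrates is that a Profile ACL that fails to match a packet leaves that packet alone, whereas an ordinary interface ACL drops it.

```python
# Added illustration of Profile ACL selection semantics. Not SSR code; field names,
# the telnet == TCP/23 mapping, deny handling and sample packets are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

ALL_FIELDS = ("src", "dst", "sport", "dport", "proto", "tos")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    tos: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "any"             # CIDR network, or "any"
    dst: str = "any"
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None
    proto: str = "any"
    tos: Optional[int] = None

    def matches(self, p: Packet, fields: Sequence[str] = ALL_FIELDS) -> bool:
        """True if the packet matches this rule on the listed fields only. A command
        that cares about fewer fields (nat create dynamic reads the source address
        alone) passes a shorter tuple and the remaining fields are ignored."""
        checks = {
            "src": lambda: self.src == "any" or ip_address(p.src) in ip_network(self.src),
            "dst": lambda: self.dst == "any" or ip_address(p.dst) in ip_network(self.dst),
            "sport": lambda: self.sport is None or self.sport == p.sport,
            "dport": lambda: self.dport is None or self.dport == p.dport,
            "proto": lambda: self.proto == "any" or self.proto == p.proto,
            "tos": lambda: self.tos is None or self.tos == p.tos,
        }
        return all(checks[f]() for f in fields)


def interface_acl_decision(rules: Sequence[Rule], p: Packet) -> str:
    """Ordinary ACL on an interface: the first matching rule decides, and a packet
    matching no rule falls through to the implicit deny and is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # implicit deny


def profile_selects(rules: Sequence[Rule], p: Packet,
                    fields: Sequence[str] = ALL_FIELDS) -> bool:
    """Profile ACL used as selection criteria: a packet is selected when the first
    rule it matches is a permit (an explicit deny excludes it: assumption). There is
    no implicit deny, so a packet matching no rule is not selected and the feature
    (ip-policy, rate limiting, NAT) leaves it alone instead of dropping it."""
    for r in rules:
        if r.matches(p, fields):
            return r.action == "permit"
    return False  # not selected, and not dropped


def ip_policy_next_hop(profile: Sequence[Rule], p: Packet,
                       policy_next_hop: str, normal_route: str) -> str:
    """ip-policy: selected packets go to the policy next hop; everything else
    follows the routing table."""
    return policy_next_hop if profile_selects(profile, p) else normal_route


def nat_dynamic_pool_selects(profile: Sequence[Rule], p: Packet) -> bool:
    """nat create dynamic reads only the source address of the ACL rule; the rule's
    destination, ports and TOS are ignored even if specified."""
    return profile_selects(profile, p, fields=("src",))


def rate_limit_action(profile: Sequence[Rule], p: Packet,
                      flow_rate_mbps: float, limit_mbps: float) -> str:
    """Per-flow rate limiting: only selected flows are policed. A selected flow over
    its limit is dropped; an unselected flow is forwarded whatever its rate."""
    if profile_selects(profile, p) and flow_rate_mbps > limit_mbps:
        return "drop"
    return "forward"


# prof1 from the text: telnet from 9.1.1.0/24 to 15.1.1.0/24, TOS 0
PROF1 = [Rule("permit", src="9.1.1.0/24", dst="15.1.1.0/24", proto="tcp", dport=23, tos=0)]
# profile for the rate-limiting example: flows from source address 1.2.2.2
PROF2 = [Rule("permit", src="1.2.2.2/32")]

# Constructed sample packets (not from the manual)
TELNET_PKT = Packet("9.1.1.5", "15.1.1.7", "tcp", sport=40000, dport=23)
HTTP_PKT = Packet("9.1.1.5", "15.1.1.7", "tcp", sport=40001, dport=80)
NAT_PKT = Packet("9.1.1.9", "203.0.113.4", "udp", sport=5000, dport=53)
LIMITED_PKT = Packet("1.2.2.2", "203.0.113.9", "udp", sport=6000, dport=5004)

if __name__ == "__main__":
    for pkt in (TELNET_PKT, HTTP_PKT):
        print("dport", pkt.dport, "->", ip_policy_next_hop(PROF1, pkt, "10.10.10.10", "routing-table"))
    print("interface ACL on HTTP packet:", interface_acl_decision(PROF1, HTTP_PKT))
    print("full profile on NAT packet:", profile_selects(PROF1, NAT_PKT))
    print("nat create dynamic on NAT packet:", nat_dynamic_pool_selects(PROF1, NAT_PKT))
    print("12 Mbps flow from 1.2.2.2:", rate_limit_action(PROF2, LIMITED_PKT, 12.0, 10.0))
```

Run as a script the block shows the HTTP packet taking the normal route under the profile but being dropped under the same rule applied as an interface ACL, and the NAT packet being selected by the source-only match even though its destination and ports do not match prof1.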