Support User Manuals

Cabletron Systems 9032578-05 Network Router User Manual

Open as PDF

of 398

SmartSwitch Router User Reference Manual 263

Chapter 19: Access Control List Configuration Guide

With the implicit deny rule, this ACL actually has three rules:

If a packet comes in and doesn't match the first two rules, the packet is dropped. This is

because the third rule (the implicit deny rule) matches all packets.

Although the implicit deny rule may seem obvious in the above example, this is not

always the case. For example, consider the following ACL rule:

If a packet comes in from a network other than 10.1.20.0/24, you might expect the packet

to go through because it doesn’t match the first rule. However, that is not the case because

of the implicit deny rule. With the implicit deny rule attached, the rule looks like this:

A packet coming from 10.1.20.0/24 would not match the first rule, but would match the

implicit deny rule. As a result, no packets would be allowed to go through. The first rule is

simply a subset of the second rule. To allow packets from subnets other than 10.1.20.0/24

to go through, you would have to explicitly define a rule to permit other packets to go

through.

To correct the above example and let packets from other subnets enter the SSR, you must

add a new rule to permit packets to go through:

The second rule forwards all packets that are not denied by the first rule.

Because of the implicit deny rule, an ACL works similarly to a firewall that is elected to

deny all traffic. You create ACL rules that punch “holes” into the firewall to permit

specific types of traffic; for example, traffic from a specific subnet or traffic from a specific

application.

Allowing External Responses to Established TCP Connections

Typically organizations that are connected to the outside world implement ACLs to deny

access to the internal network. If an internal user wishes to connect to the outside world,

the request is sent; however any incoming replies may be denied because ACLs prevent

them from going through. To allow external responses to internally generated requests,

acl 101 permit ip 1.2.3.4/24 any any any

acl 101 permit ip 4.3.2.1/24 any nntp any

acl 101 deny any any any any any

acl 102 deny ip 10.1.20.0/24 any any any

acl 102 deny ip 10.1.20.0/24 any any any

acl 102 deny any any any any any

acl 101 deny ip 10.1.20.0/24 any any any

acl 101 permit ip

acl 101 deny any any any any any

previous next