Filter
Top Products
SmartSwitch Router User Reference Manual 267
Chapter 19: Access Control List Configuration Guide
application). Note that for an external agent to modify or remove an applied ACL from an
interface, the acl-policy enable external command must be in the configuration.
In general, you should try to apply ACLs at the inbound interfaces instead of the
outbound interfaces. If a packet is to be denied, you want to drop the packet as early as
possible, at the inbound interface. Otherwise, the SSR will have to process the packet,
determine where the packet should go only to find out that the packet should be dropped
at the outbound interface. In some cases, however, it may not be simple or possible for the
administrator to know ahead of time that a packet should be dropped at the inbound
interface. Nonetheless, for performance reasons, whenever possible, you should create
and apply an ACL to the inbound interface.
To apply an ACL to an interface, enter the following command in Configure mode:
Applying ACLs to Services
ACLs can also be created to permit or deny access to system services provided by the SSR;
for example, HTTP or Telnet servers. This type of ACL is known as a Service ACL. By
definition, a Service ACL is for controlling inbound packets to a service on the router. For
example, you can grant Telnet server access from a few specific hosts or deny Web server
access from a particular subnet. It is true that you can do the same thing with ordinary
ACLs and apply them to all interfaces. However, the Service ACL is created specifically to
control access to some of the services on the SSR. As a result, only inbound traffic to the
SSR is checked. Destination address and port information is ignored; therefore if you are
defining a Service ACL, you do not need to specify destination information.
Note:
If a service does not have an ACL applied, that service is accessible to everyone.
To control access to a service, an ACL must be used.
To apply an ACL to a service, enter the following command in Configure mode:
Applying ACLs to Layer-4 Bridging Ports
ACLs can also be created to permit or deny access to one or more ports operating in Layer-
4 bridging mode. Traffic that is switched at Layer 2 through the SSR can have ACLs
applied on the Layer 3/4 information contained in the packet. The ACLs that are applied
to Layer-4 Bridging ports are only used with bridged traffic. The ACLs that are applied to
the interface are still used for routed traffic.
Apply ACL to an interface.
acl <name> apply interface <interface name>
input|output [logging on|off|deny-
only|permit-only][policy local|external]
Apply ACL to a service. acl <name> apply service <service name>
[logging [on|off]]