Cabletron Systems SmartSwitch Network Router User Manual


  Open as PDF
of 338
 
SmartSwitch Router User Reference Manual 259
Chapter 17: Access Control List Configuration Guide
Although the implicit deny rule may seem obvious in the above example, this is not
always the case. For example, consider the following ACL rule:
If a packet comes in from a network other than 10.1.20.0/24, you might expect the packet
to go through because it doesn’t match the first rule. However, that is not the case because
of the implicit deny rule. With the implicit deny rule attached, the rule looks like this:
A packet coming from 10.1.20.0/24 would not match the first rule, but would match the
implicit deny rule. As a result, no packets would be allowed to go through. The first rule is
simply a subset of the second rule. To allow packets from subnets other than 10.1.20.0/24
to go through, you would have to explicitly define a rule to permit other packets to go
through.
To correct the above example and let packets from other subnets enter the SSR, you must
add a new rule to permit packets to go through:
The second rule forwards all packets that are not denied by the first rule.
Because of the implicit deny rule, an ACL works similarly to a firewall that is elected to
deny all traffic. You create ACL rules that punch “holes” into the firewall to permit
specific types of traffic; for example, traffic from a specific subnet or traffic from a specific
application.
Allowing External Responses to Established TCP Connections
Typically organizations that are connected to the outside world implement ACLs to deny
access to the internal network. If an internal user wishes to connect to the outside world,
the request is sent; however any incoming replies may be denied because ACLs prevent
them from going through. To allow external responses to internally generated requests,
you would have to create an ACL to allow responses from each specific outside host. If the
number of outside hosts that internal users need to access is large or changes frequently,
this can be difficult to maintain.
To address this problem, the SSR can be configured to accept outside TCP responses into
the internal network, provided that the TCP connection was initiated internally.
acl 102 deny ip 10.1.20.0/24 any any any
acl 102 deny ip 10.1.20.0/24 any any any
acl 102 deny any any any any any
acl 101 deny ip 10.1.20.0/24 any any any
acl 101 permit ip
acl 101 deny any any any any any
 previous next