Filter
Top Products
Chapter 17: Access Control List Configuration Guide
262 SmartSwitch Router User Reference Manual
Using ACLs
It is important to understand that an ACL is simply a definition of packet characteristics
specified in a set of rules. An ACL must be enabled in one of the following ways:
• Applying an ACL to an interface, which permits or denies traffic to or from the SSR.
ACLs used in this way are known as Interface ACLs.
• Applying an ACL to a service, which permits or denies access to system services
provided by the SSR. ACLs used in this way are known as Service ACLs.
• Associating an ACL with ip-policy, nat, port mirroring, rate-limit, or web-cache
commands, which specifies the criteria that packets, addresses, or flows must meet in
order to be relevant to these SSR features. ACLs used in this way are known as Profile
ACLs.
These uses of ACLs are described in the following sections.
Applying ACLs to Interfaces
An ACL can be applied to an interface to examine either inbound or outbound traffic.
Inbound traffic is traffic coming into the SSR. Outbound traffic is traffic going out of the
SSR. For each interface, only one ACL can be applied for the same protocol in the same
direction. For example, you cannot apply two or more IP ACLs to the same interface in the
inbound direction. You can apply two ACLs to the same interface if one is for inbound
traffic and one is for outbound trafic, but not in the same direction. However, this
restriction does not prevent you from specifying many rules in an ACL. You just have to
put all of these rules into one ACL and apply it to an interface.
When a packet comes into the SSR at an interface where an inbound ACL is applied, the
SSR compares the packet to the rules specified by that ACL. If it is permitted, the packet is
allowed into the SSR. If not, the packet is dropped. If that packet is to be forwarded to go
out of another interface (that is, the packet is to be routed) then a second ACL check is
possible. At the output interface, if an outbound ACL is applied, the packet will be
compared to the rules specified in this outbound ACL. Consequently, it is possible for a
packet to go through two separate checks, once at the inbound interface and once more at
the outbound interface.
When you apply an ACL to an interface, you can also specify whether the ACL can be
modified or removed from the interface by an external agent (such as the Policy Manager
application). Note that for an external agent to modify or remove an applied ACL from an
interface, the acl-policy enable external command must be in the configuration.
In general, you should try to apply ACLs at the inbound interfaces instead of the
outbound interfaces. If a packet is to be denied, you want to drop the packet as early as
possible, at the inbound interface. Otherwise, the SSR will have to process the packet,
determine where the packet should go only to find out that the packet should be dropped
at the outbound interface. In some cases, however, it may not be simple or possible for the
administrator to know ahead of time that a packet should be dropped at the inbound