Riverstone Networks WICT1-12 User Manual


Riverstone Networks RS Switch Router User Guide Release 8.0 24-5

Access Control List Configuration

ACL Basics

If a packet comes in from a network other than 10.1.20.0/24, you might expect the packet to go through because it
doesn't match the first rule. However, that is not the case because of the implicit deny rule. With the implicit deny rule
attached, the ACL looks like this:

    acl 102 deny ip 10.1.20.0/24 any any any
    acl 102 deny any any any any any

A packet coming from a network other than 10.1.20.0/24 would not match the first rule, but would match the implicit
deny rule. As a result, no packets would be allowed to go through. The first rule is simply a subset of the second rule.
To allow packets from subnets other than 10.1.20.0/24 to go through, you would have to explicitly define a rule that
permits those packets.

To correct the above example and let packets from other subnets enter the RS, you must add a new rule to permit
packets to go through:

    acl 101 deny ip 10.1.20.0/24 any any any
    acl 101 permit ip
    acl 101 deny any any any any any

The second rule forwards all packets that are not denied by the first rule.

Because of the implicit deny rule, an ACL works similarly to a firewall that is configured to deny all traffic. You create
ACL rules that punch "holes" into the firewall to permit specific types of traffic; for example, traffic from a specific
subnet or traffic from a specific application.

24.1.4 Allowing External Responses to Established TCP Connections

Typically, organizations that are connected to the outside world implement ACLs to deny access to the internal
network. If an internal user wishes to connect to the outside world, the request is sent; however, any incoming replies
may be denied because the ACLs prevent them from going through. To allow external responses to internally generated
requests, you would have to create an ACL rule to allow responses from each specific outside host. If the number of
outside hosts that internal users need to access is large or changes frequently, this can be difficult to maintain.

To address this problem, the RS can be configured to accept outside TCP responses into the internal network, provided
that the TCP connection was initiated internally. Otherwise, the response is rejected. To do this, enter the following
command in Configure Mode:

    Allow TCP responses from external hosts, provided the connection was established internally:
        acl <name> permit tcp established
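The following Python model is an added illustration, not Riverstone's code, that walks through the behaviour described in both sections above: first-match evaluation of ACLs 102 and 101 with the implicit deny rule at the end, and the `permit tcp established` rule that admits only replies to connections an internal host opened. The rule fields mirror the manual's `acl <name> permit|deny <proto> <src> <dst> <srcport> <dstport>` lines; the connection table used to decide whether a packet is a reply to an internally initiated connection is an assumption about how that check could work, not a description of the RS implementation, and all addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str              # source IP address
    dst: str              # destination IP address
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str = "any"    # "ip" or "any" matches every protocol
    src: str = "any"      # "any" or a prefix such as 10.1.20.0/24
    dst: str = "any"
    sport: str = "any"
    dport: str = "any"
    established: bool = False   # match only replies to internally initiated TCP connections


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


class Acl:
    def __init__(self, name: str, rules):
        self.name = name
        self.rules = list(rules)
        # Hypothetical state table of internally initiated TCP flows, keyed by
        # (src, sport, dst, dport). The manual does not describe how the RS tracks this.
        self._initiated = set()

    def note_outbound(self, pkt: Packet) -> None:
        """Record a TCP connection opened from the inside."""
        if pkt.proto == "tcp":
            self._initiated.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def _is_reply(self, pkt: Packet) -> bool:
        # A response travels the reverse direction of the recorded flow.
        return pkt.proto == "tcp" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._initiated

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule wins; a packet that matches no rule hits the implicit deny."""
        for r in self.rules:
            if r.proto not in ("any", "ip") and r.proto != pkt.proto:
                continue
            if not (_addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)):
                continue
            if not (_port_matches(r.sport, pkt.sport) and _port_matches(r.dport, pkt.dport)):
                continue
            if r.established and not self._is_reply(pkt):
                continue
            return r.action
        return "deny"   # the implicit deny rule at the end of every ACL


# The manual's two ACLs: 102 holds only the deny rule, 101 adds "permit ip".
ACL_102 = Acl("102", [Rule("deny", "ip", "10.1.20.0/24")])
ACL_101 = Acl("101", [Rule("deny", "ip", "10.1.20.0/24"), Rule("permit", "ip")])
# An ACL built from "acl <name> permit tcp established".
ACL_INBOUND = Acl("inbound", [Rule("permit", "tcp", established=True)])


def demo() -> dict:
    """Walk through the manual's cases; addresses and ports are constructed sample values."""
    inside = Packet("tcp", "10.1.20.5", "192.0.2.10", 40000, 80)   # from 10.1.20.0/24
    other = Packet("tcp", "10.1.30.5", "192.0.2.10", 40000, 80)    # from another subnet
    results = {
        "102_from_10.1.20": ACL_102.evaluate(inside),   # explicit deny
        "102_from_other": ACL_102.evaluate(other),      # implicit deny
        "101_from_10.1.20": ACL_101.evaluate(inside),   # explicit deny
        "101_from_other": ACL_101.evaluate(other),      # permitted by the second rule
    }
    reply = Packet("tcp", "192.0.2.10", "10.1.30.5", 80, 40000)
    results["reply_before_request"] = ACL_INBOUND.evaluate(reply)   # unsolicited: deny
    ACL_INBOUND.note_outbound(other)                                 # internal host opens the connection
    results["reply_after_request"] = ACL_INBOUND.evaluate(reply)    # genuine response: permit
    stray = Packet("tcp", "192.0.2.99", "10.1.30.5", 80, 40000)
    results["unrelated_inbound"] = ACL_INBOUND.evaluate(stray)      # no matching flow: deny
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} {verdict}")
```

The point of the model is the ordering: the implicit deny is consulted only after every explicit rule has failed to match, so ACL 102 denies everything while ACL 101 lets the second rule catch the packets the first rule did not. The `established` rule is the only one that consults state, and it permits a packet only when the reverse flow was recorded as internally initiated.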
