
24-8 Riverstone Networks RS Switch Router User Guide Release 8.0

Using ACLs

Access Control List Configuration

24.3 USING ACLS

It is important to understand that an ACL is simply a definition of packet characteristics specified in a set of rules. An
ACL must be enabled in one of the following ways:

Applying an ACL to an interface, which permits or denies traffic to or from the RS. ACLs used in
this way are known as interface ACLs.

Applying an ACL to a service, which permits or denies access to system services provided by the
RS. ACLs used in this way are known as service ACLs.

Applying an ACL to ports operating in Layer-4 bridging mode, which permits or denies bridged
traffic. ACLs used in this way are known as layer-4 Bridging ACLs.

Associating an ACL with ip-policy, nat, port mirroring, rate-limit, or web-cache
commands, which specifies the criteria that packets, addresses, or flows must meet in order to be
relevant to these RS features. ACLs used in this way are known as profile ACLs.

These uses of ACLs are described in the following sections.

24.3.1 Applying ACLs to Interfaces

An ACL can be applied to an interface to examine either inbound or outbound traffic. Inbound traffic is traffic coming
into the RS. Outbound traffic is traffic going out of the RS. For each interface, only one ACL can be applied for the
same protocol in the same direction. For example, you cannot apply two or more IP ACLs to the same interface in the
inbound direction. You can apply two ACLs to the same interface if one is for inbound traffic and one is for outbound
traffic, but not in the same direction. However, this restriction does not prevent you from specifying many rules in an
ACL. You just have to put all of these rules into one ACL and apply it to an interface.

When a packet comes into the RS at an interface where an inbound ACL is applied, the RS compares the packet to the
rules specified by that ACL. If it is permitted, the packet is allowed into the RS. If not, the packet is dropped. If that
packet is to be forwarded to go out of another interface (that is, the packet is to be routed) then a second ACL check
is possible. At the output interface, if an outbound ACL is applied, the packet will be compared to the rules specified
in this outbound ACL. Consequently, it is possible for a packet to go through two separate checks, once at the inbound
interface and once more at the outbound interface.

When you apply an ACL to an interface, you can also specify whether the ACL can be modified or removed from the
interface by an external agent (such as the Policy Manager application). Note that for an external agent to modify or
remove an applied ACL from an interface, the acl-policy enable external command must be in the
configuration.

In general, you should try to apply ACLs at the inbound interfaces instead of the outbound interfaces. If a packet is to
be denied, you want to drop the packet as early as possible, at the inbound interface. Otherwise, the RS has to
process the packet and determine where it should go, only to find out that the packet should be dropped at the
outbound interface. In some cases, however, it may not be simple or possible for the administrator to know ahead of
time that a packet should be dropped at the inbound interface. Nonetheless, for performance reasons, whenever
possible, you should create and apply an ACL to the inbound interface.
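The behaviour described above (one ACL per protocol per direction on an interface, an inbound check at the ingress interface, a possible second check at the egress interface, and the early drop that makes inbound placement cheaper) can be modelled in a few dozen lines. The following is an added illustration, not Riverstone code and not the RS CLI: the rule format (source and destination prefixes, first match wins), the implicit deny when no rule matches, the interface names and the addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"  # protocol family the ACL is checked against (assumed)


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src_net: str  # CIDR prefix or "any" (constructed rule format, not RS syntax)
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        return _in_net(pkt.src, self.src_net) and _in_net(pkt.dst, self.dst_net)


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


@dataclass
class ACL:
    name: str
    proto: str = "ip"
    rules: List[Rule] = field(default_factory=list)

    def permits(self, pkt: Packet) -> bool:
        # First matching rule decides; no match is a deny (assumed implicit deny).
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False


class Router:
    def __init__(self) -> None:
        self.applied: Dict[Tuple[str, str, str], ACL] = {}  # (iface, proto, dir) -> ACL
        self.routes: Dict[str, str] = {}                    # prefix -> egress interface
        self.dropped_at: List[Tuple[str, str]] = []         # where each drop happened

    def apply_acl(self, acl: ACL, iface: str, direction: str) -> None:
        if direction not in ("input", "output"):
            raise ValueError("direction must be input or output")
        key = (iface, acl.proto, direction)
        if key in self.applied:
            # Only one ACL per protocol per direction on an interface: the manual's
            # advice is to put all the rules into one ACL instead.
            raise ValueError(f"{iface} already has {direction} {acl.proto} ACL "
                             f"{self.applied[key].name}; merge rules into one ACL")
        self.applied[key] = acl

    def forward(self, pkt: Packet, ingress: str) -> Optional[str]:
        """Return the egress interface, or None if the packet is dropped."""
        inbound = self.applied.get((ingress, pkt.proto, "input"))
        if inbound is not None and not inbound.permits(pkt):
            self.dropped_at.append((ingress, "input"))   # dropped before routing
            return None
        egress = self._route(pkt.dst)
        if egress is None:
            return None
        outbound = self.applied.get((egress, pkt.proto, "output"))
        if outbound is not None and not outbound.permits(pkt):
            self.dropped_at.append((egress, "output"))   # dropped after routing work
            return None
        return egress

    def _route(self, dst: str) -> Optional[str]:
        best = None  # longest-prefix match
        for prefix, iface in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def build_demo() -> Router:
    """Constructed topology: traffic enters on 'inside' and leaves on 'dmz' or 'wan'."""
    rs = Router()
    rs.routes = {"10.2.0.0/16": "dmz", "10.3.0.0/16": "wan"}
    inbound = ACL("in-filter", rules=[Rule("deny", "10.1.1.0/24", "10.3.0.0/16"),
                                      Rule("permit", "any", "any")])
    outbound = ACL("out-filter", rules=[Rule("deny", "any", "10.2.9.0/24"),
                                        Rule("permit", "any", "any")])
    rs.apply_acl(inbound, "inside", "input")
    rs.apply_acl(outbound, "dmz", "output")
    return rs


if __name__ == "__main__":
    rs = build_demo()
    for dst in ("10.3.0.7", "10.2.9.1", "10.2.1.1"):
        out = rs.forward(Packet("10.1.1.5", dst), "inside")
        print(dst, "->", out if out else f"dropped at {rs.dropped_at[-1]}")
```

Running the demo shows the three cases the text describes: the packet to 10.3.0.7 is dropped at the inbound interface before any routing work, the packet to 10.2.9.1 passes the inbound check, is routed to dmz and is then dropped by the outbound ACL, and the packet to 10.2.1.1 passes both checks. Applying a second input ACL to inside raises an error, mirroring the one-ACL-per-protocol-per-direction rule.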

To apply an ACL to an interface, enter the following command in Configure mode:

Apply ACL to an interface.

    acl <name> apply interface <interface name> input|output [logging on|off|deny-only|permit-only] [policy local|external]
