Chapter 5 Configuring Access Lists and Filtering GSS Traffic
Filtering GSS Traffic Using Access Lists
5-2
Cisco Global Site Selector Administration Guide
OL-10410-01
Access List Overview
The packet filtering tools on the GSS instruct each device to permit or drop
specific packets based on a combination of criteria that includes the following:
• Destination port of the packets
• Requesting (source) host
• Protocol used (TCP, UDP, or ICMP)
You create packet-filtering tools, called access lists, from the GSS CLI. Access
lists are collections of filtering rules that you create using the access-list CLI
command. Each access list is a sequential collection of permit and deny
conditions, keyed on the source network IP address (and optionally the protocol
and destination port), that controls whether the GSS accepts or drops inbound
packets. The GSS examines each packet to determine whether to accept or drop it
based on the criteria specified within the access lists.
You can create any number of access lists on each GSS device. After creating an
access list, you can append rules to the list at any time. Apply access lists to
one or both of the GSS Ethernet interfaces using the access-group command.
The GSS appends each additional criteria statement to the end of the access list.
Be aware that you cannot delete individual statements after creating them; you
can only delete an entire access list.
The order of access list statements is very important. When the GSS decides
whether to accept or drop a packet, it tests the packet against each criteria
statement in the order that the statements were created. The first matching
statement determines the action; the GSS does not check any additional criteria
statements after a match is found.
If you create a criteria statement that explicitly permits all traffic, every
statement added after it is shadowed: the GSS never evaluates those statements
and permits all traffic. Because individual statements cannot be deleted, if you
need additional statements in that position, delete the access list and retype it
with the entries in the intended order.
To ensure your GSS functions properly with access lists, identify the ports and
protocols normally used by each GSS device. Table 5-1 lists the types of expected
inbound traffic received by the GSS.
Note
Outbound traffic is not affected by access lists. However, the return inbound
traffic must be explicitly permitted because GSS access lists are not stateful:
a reply to a request that the GSS itself initiated is matched against the access
list like any other inbound packet, and if no statement permits it, the reply is
dropped.
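The first-match ordering and permit-all pitfall described above, together with the stateless return-traffic caveat in the Note, can be exercised with the following Python model. This is an added example, not Cisco's code and not the GSS CLI syntax; the rule fields, the implicit drop for an unmatched packet, the sample addresses and the NTP reply packet are all assumptions made for illustration.

```python
"""Model of GSS-style stateless, first-match access lists (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    protocol: str                    # "tcp", "udp" or "icmp"
    source: str                      # source IP address of the inbound packet
    dest_port: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str = "any"            # "tcp", "udp", "icmp" or "any"
    source: str = "any"              # CIDR prefix or "any"
    dest_port: Optional[int] = None  # None matches every destination port

    @property
    def source_net(self):
        return ANY_NET if self.source == "any" else ip_network(self.source, strict=False)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.source) not in self.source_net:
            return False
        return self.dest_port is None or self.dest_port == pkt.dest_port

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        proto_ok = self.protocol == "any" or self.protocol == other.protocol
        net_ok = self.source_net.supernet_of(other.source_net)
        port_ok = self.dest_port is None or self.dest_port == other.dest_port
        return proto_ok and net_ok and port_ok


class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:
        # Statements can only be appended to the end; there is no insert or
        # per-statement delete, matching the behaviour the guide describes.
        self.rules.append(rule)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:          # sequential, first match wins
            if rule.matches(pkt):
                return rule.action
        return "deny"                    # ASSUMPTION: unmatched packets are dropped

    def shadowed(self) -> List[int]:
        """Indexes of statements that can never match because an earlier one covers them."""
        return [i for i, later in enumerate(self.rules)
                if any(earlier.covers(later) for earlier in self.rules[:i])]


def sample_packets() -> dict:
    # Constructed sample packets; the addresses are documentation ranges, not real hosts.
    return {
        "dns_query": Packet("udp", "198.51.100.7", 53),      # DNS request to the GSS
        "ssh_untrusted": Packet("tcp", "203.0.113.9", 22),   # SSH from a network we want blocked
        "ntp_reply": Packet("udp", "192.0.2.123", 40000),    # reply to an NTP query the GSS sent
    }


def build_lists():
    wrong = AccessList("acl-wrong")
    wrong.append(Rule("permit"))                             # permit-all first: everything after is dead
    wrong.append(Rule("deny", "tcp", "203.0.113.0/24", 22))  # never evaluated

    right = AccessList("acl-right")
    right.append(Rule("deny", "tcp", "203.0.113.0/24", 22))  # specific deny before the permits
    right.append(Rule("permit", "udp", "any", 53))           # expected inbound DNS
    right.append(Rule("permit", "udp", "192.0.2.123/32"))    # ASSUMED NTP server; its replies land on
                                                             # an ephemeral port, so the port is left open
    return wrong, right


if __name__ == "__main__":
    wrong, right = build_lists()
    for name, pkt in sample_packets().items():
        print(f"{name:14s} wrong={wrong.evaluate(pkt):6s} right={right.evaluate(pkt)}")
    print("shadowed in acl-wrong:", wrong.shadowed())
```

The `shadowed()` check is the one worth running before applying a list with `access-group`: any index it reports is a statement the GSS will never reach, and since statements cannot be deleted individually, the only fix is to delete the list and re-enter it in the right order.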