DIGITAL GIGAswitch/Router User Reference Manual
243
Using ACLs
restriction does not prevent you from specifying many rules in an ACL. You just have to
put all of these rules into one ACL and apply it to an interface.
When a packet comes into the GSR at an interface where an inbound ACL is applied, the
GSR compares the packet to the rules specified by that ACL. If it is permitted, the packet is
allowed into the GSR. If not, the packet is dropped. If that packet is to be forwarded to go
out of another interface (that is, the packet is to be routed) then a second ACL check is
possible. At the output interface, if an outbound ACL is applied, the packet will be
compared to the rules specified in this outbound ACL. Consequently, it is possible for a
packet to go through two separate checks, once at the inbound interface and once more at
the outbound interface.
When you apply an ACL to an interface, you can also specify whether the ACL can be
modified or removed from the interface by an external agent (such as the Policy Manager
application). Note that for an external agent to modify or remove an applied ACL from an
interface, the acl-policy enable external command must be in the configuration.
In general, you should try to apply ACLs at the inbound interfaces instead of the
outbound interfaces. If a packet is to be denied, you want to drop the packet as early as
possible, at the inbound interface. Otherwise, the GSR will have to process the packet,
determine where the packet should go only to find out that the packet should be dropped
at the outbound interface. In some cases, however, it may not be simple or possible for the
administrator to know ahead of time that a packet should be dropped at the inbound
interface. Nonetheless, for performance reasons, whenever possible, you should create
and apply an ACL to the inbound interface.
To apply an ACL to an interface, enter the following command in Configure mode:
Apply ACL to an interface.
acl <name> apply interface <interface name> input|output [logging on|off|deny-only|permit-only] [policy local|external]
Applying ACLs to Services
ACLs can also be created to permit or deny access to system services provided by the
GSR; for example, HTTP or Telnet servers. This type of ACL is known as a Service ACL. By
definition, a Service ACL is for controlling inbound packets to a service on the router. For
example, you can grant Telnet server access from a few specific hosts or deny Web server
access from a particular subnet. It is true that you can do the same thing with ordinary
ACLs and apply them to all interfaces. However, the Service ACL is created specifically to
control access to some of the services on the GSR. As a result, only inbound traffic to the
GSR is checked. Destination address and port information is ignored; therefore if you are
defining a Service ACL, you do not need to specify destination information.
Note:
If a service does not have an ACL applied, that service is accessible to everyone.
To control access to a service, an ACL must be used.
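The following is an added example, not part of the manual and not GSR code: a small Python model of the checks described above, showing the two possible checks on a routed packet (inbound, then outbound), the Service ACL ignoring destination address and port, and the fail-open behaviour of a service with no ACL applied. Rule layout, first-match evaluation and the implicit deny at the end of an ACL are simplifying assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR, or "any"
    dst: str = "any"            # destination CIDR, or "any"
    dport: Optional[int] = None # None means any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def _cidr_match(cidr: str, addr: str) -> bool:
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def acl_permits(rules: List[Rule], pkt: Packet, service: bool = False) -> bool:
    """First matching rule decides; no matching rule denies (assumed implicit deny).
    A Service ACL matches on source only: destination address and port are ignored."""
    for r in rules:
        if not _cidr_match(r.src, pkt.src):
            continue
        if not service:
            if not _cidr_match(r.dst, pkt.dst):
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
        return r.action == "permit"
    return False

def forward(pkt: Packet, inbound: Optional[List[Rule]], outbound: Optional[List[Rule]]) -> str:
    """A routed packet can be checked twice: at the inbound and at the outbound interface.
    Dropping at the inbound interface saves the routing lookup, which is why the manual
    recommends applying ACLs inbound where possible."""
    if inbound is not None and not acl_permits(inbound, pkt):
        return "dropped-inbound"
    if outbound is not None and not acl_permits(outbound, pkt):
        return "dropped-outbound"
    return "forwarded"

def service_allows(pkt: Packet, service_acl: Optional[List[Rule]]) -> bool:
    """A service with no ACL applied is reachable by everyone (see the Note above)."""
    if service_acl is None:
        return True
    return acl_permits(service_acl, pkt, service=True)
```

The constructed ACLs in the test below deny one subnet inbound, permit only HTTP to 10.2.0.0/16 outbound, and restrict Telnet to 10.1.1.0/24.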