Network Router User Manual
Table Of Contents
- Notices
- Contents
- About This Manual
- Introduction
- Hot Swapping Line Cards and Control Modules
- Bridging Configuration Guide
- Bridging Overview
- VLAN Overview
- Configuring SSR Bridging Functions
- Monitoring Bridging
- Configuration Examples
- SmartTRUNK Configuration Guide
- ATM Configuration Guide
- Packet-over-SONET Configuration Guide
- DHCP Configuration Guide
- IP Routing Configuration Guide
- IP Routing Protocols
- Configuring IP Interfaces and Parameters
- Configuring IP Interfaces to Ports
- Configuring IP Interfaces for a VLAN
- Specifying Ethernet Encapsulation Method
- Configuring Jumbo Frames
- Configuring Address Resolution Protocol (ARP)
- Configuring Reverse Address Resolution Protocol (RARP)
- Configuring DNS Parameters
- Configuring IP Services (ICMP)
- Configuring IP Helper
- Configuring Direct Broadcast
- Configuring Denial of Service (DOS)
- Monitoring IP Parameters
- Configuring Router Discovery
- Configuration Examples
- VRRP Configuration Guide
- RIP Configuration Guide
- OSPF Configuration Guide
- BGP Configuration Guide
- Routing Policy Configuration Guide
- Route Import and Export Policy Overview
- Configuring Simple Routing Policies
- Configuring Advanced Routing Policies
- Multicast Routing Configuration Guide
- IP Policy-Based Forwarding Configuration Guide
- Network Address Translation Configuration Guide
- Web Hosting Configuration Guide
- Overview
- Load Balancing
- Web Caching
- IPX Routing Configuration Guide
- Access Control List Configuration Guide
- Security Configuration Guide
- QoS Configuration Guide
- Performance Monitoring Guide
- RMON Configuration Guide
- LFAP Configuration Guide
- WAN Configuration Guide
- WAN Overview
- Frame Relay Overview
- Configuring Frame Relay Interfaces for the SSR
- Monitoring Frame Relay WAN Ports
- Frame Relay Port Configuration
- Point-to-Point Protocol (PPP) Overview
- Configuring PPP Interfaces
- Monitoring PPP WAN Ports
- PPP Port Configuration
- WAN Configuration Examples
- New Features Supported on Line Cards
SmartSwitch Router User Reference Manual 267
Chapter 19: Access Control List Configuration Guide
application). Note that for an external agent to modify or remove an applied ACL from an
interface, the acl-policy enable external command must be in the configuration.
In general, you should try to apply ACLs at the inbound interfaces instead of the
outbound interfaces. If a packet is to be denied, you want to drop the packet as early as
possible, at the inbound interface. Otherwise, the SSR will have to process the packet,
determine where the packet should go only to find out that the packet should be dropped
at the outbound interface. In some cases, however, it may not be simple or possible for the
administrator to know ahead of time that a packet should be dropped at the inbound
interface. Nonetheless, for performance reasons, whenever possible, you should create
and apply an ACL to the inbound interface.
To apply an ACL to an interface, enter the following command in Configure mode:
Applying ACLs to Services
ACLs can also be created to permit or deny access to system services provided by the SSR;
for example, HTTP or Telnet servers. This type of ACL is known as a Service ACL. By
definition, a Service ACL is for controlling inbound packets to a service on the router. For
example, you can grant Telnet server access from a few specific hosts or deny Web server
access from a particular subnet. It is true that you can do the same thing with ordinary
ACLs and apply them to all interfaces. However, the Service ACL is created specifically to
control access to some of the services on the SSR. As a result, only inbound traffic to the
SSR is checked. Destination address and port information is ignored; therefore if you are
defining a Service ACL, you do not need to specify destination information.
Note:
If a service does not have an ACL applied, that service is accessible to everyone.
To control access to a service, an ACL must be used.
To apply an ACL to a service, enter the following command in Configure mode:
Applying ACLs to Layer-4 Bridging Ports
ACLs can also be created to permit or deny access to one or more ports operating in Layer-
4 bridging mode. Traffic that is switched at Layer 2 through the SSR can have ACLs
applied on the Layer 3/4 information contained in the packet. The ACLs that are applied
to Layer-4 Bridging ports are only used with bridged traffic. The ACLs that are applied to
the interface are still used for routed traffic.
Apply ACL to an interface.
acl <name> apply interface <interface name>
input|output [logging on|off|deny-
only|permit-only][policy local|external]
Apply ACL to a service. acl <name> apply service <service name>
[logging [on|off]]