Product Documentation

Blocking Traffic on Internal Ports

Jan 31, 2011

The NetScaler appliance does not block traffic that matches an ACL rule if the traffic is destined to the appliance’s NSIP address, or one of its SNIP addresses, and a port in the 3008-3011 range.

This behavior is now specified by the default setting of the new Implicit ACL Allow (implicitACLAllow) parameter (of the L3 param command). You can disable this parameter if you want to block traffic to ports in the 3008-3011 range. An appliance in a high availability configuration makes an exception for its partner (primary or secondary) node. It does not block traffic from that node.

To disable or enable this parameter by using the command line interface

At the command prompt, type:

set l3param -implicitACLAllow [ENABLED DISABLED]

Note: The parameter implicitACLAllow is enabled by default.

Example

> set l3param -implicitACLAllow DISABLED

Done