Product Documentation

ns acl

Sep 12, 2016

The following operations can be performed on "ns acl":

add ns acl

Adds an extended ACL rule to the NetScaler appliance. To commit this operation, you must apply the extended ACLs. Extended ACL rules filter data packets on the basis of various parameters, such as IP address, source port, action, and protocol.

Synopsys

add ns acl <aclname> <aclaction> [-td <positive_integer>] [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-TTL <positive_integer>] [-srcMac <mac_addr> [-srcMacMask <string>]] [(-protocol <protocol> [-established]) | -protocolNumber <positive_integer>] [-vlan <positive_integer> | -vxlan <positive_integer>] [-interface <interface_name>] [-icmpType <positive_integer> [-icmpCode <positive_integer>]] [-priority <positive_integer>] [-state ( ENABLED | DISABLED )] [-logstate ( ENABLED | DISABLED ) [-ratelimit <positive_integer>]]

Arguments

aclname

Name for the extended ACL rule. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the extended ACL rule is created.

aclaction

Action to perform on incoming IPv4 packets that match the extended ACL rule.

Available settings function as follows:

* ALLOW - The NetScaler appliance processes the packet.

* BRIDGE - The NetScaler appliance bridges the packet to the destination without processing it.

* DENY - The NetScaler appliance drops the packet.

Possible values: BRIDGE, DENY, ALLOW

td

Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.

Minimum value: 0

Maximum value: 4094

srcIP

IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

operator

Either the equals (=) or does not equal (!=) logical operator.

Possible values: =, !=, EQ, NEQ

srcIPVal

IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

srcPort

Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

srcPortVal

Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

Maximum value: 65535

destIP

IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

destIPVal

IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

destPort

Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

Note: The destination port can be specified only for TCP and UDP protocols.

destPortVal

Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

Note: The destination port can be specified only for TCP and UDP protocols.

Maximum value: 65535

TTL

Number of seconds, in multiples of four, after which the extended ACL rule expires. If you do not want the extended ACL rule to expire, do not specify a TTL value.

Minimum value: 1

Maximum value: 2147483647

srcMac

MAC address to match against the source MAC address of an incoming IPv4 packet.

srcMacMask

Used to define range of Source MAC address. It takes string of 0 and 1, 0s are for exact match and 1s for wildcard. For matching first 3 bytes of MAC address, srcMacMask value "000000111111".

Default value: "000000000000"

protocol

Protocol to match against the protocol of an incoming IPv4 packet.

Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS

protocolNumber

Protocol to match against the protocol of an incoming IPv4 packet.

Minimum value: 1

Maximum value: 255

vlan

ID of the VLAN. The NetScaler appliance applies the ACL rule only to the incoming packets of the specified VLAN. If you do not specify a VLAN ID, the appliance applies the ACL rule to the incoming packets on all VLANs.

Minimum value: 1

Maximum value: 4094

vxlan

ID of the VXLAN. The NetScaler appliance applies the ACL rule only to the incoming packets of the specified VXLAN. If you do not specify a VXLAN ID, the appliance applies the ACL rule to the incoming packets on all VXLANs.

Minimum value: 1

Maximum value: 16777215

interface

ID of an interface. The NetScaler appliance applies the ACL rule only to the incoming packets from the specified interface. If you do not specify any value, the appliance applies the ACL rule to the incoming packets of all interfaces.

established

Allow only incoming TCP packets that have the ACK or RST bit set, if the action set for the ACL rule is ALLOW and these packets match the other conditions in the ACL rule.

icmpType

ICMP Message type to match against the message type of an incoming ICMP packet. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type.

Note: This parameter can be specified only for the ICMP protocol.

Minimum value: 0

Maximum value: 65536

icmpCode

Code of a particular ICMP message type to match against the ICMP code of an incoming ICMP packet. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code.

If you set this parameter, you must set the ICMP Type parameter.

Minimum value: 0

Maximum value: 65536

priority

Priority for the extended ACL rule that determines the order in which it is evaluated relative to the other extended ACL rules. If you do not specify priorities while creating extended ACL rules, the ACL rules are evaluated in the order in which they are created.

Minimum value: 1

Maximum value: 100000

state

Enable or disable the extended ACL rule. After you apply the extended ACL rules, the NetScaler appliance compares incoming packets against the enabled extended ACL rules.

Possible values: ENABLED, DISABLED

Default value: ENABLED

logstate

Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server.

Possible values: ENABLED, DISABLED

Default value: DISABLED

ratelimit

Maximum number of log messages to be generated per second. If you set this parameter, you must enable the Log State parameter.

Default value: 100

Minimum value: 1

Maximum value: 10000

Example

add ns acl restrict DENY -srcport 45-1024 -destIP 192.168.1.1 -protocol TCP

rm ns acl

Removes an extended ACL rule from the NetScaler appliance. To commit this operation, you must apply the extended ACLs.

Synopsys

rm ns acl <aclname> ...

Arguments

aclname

Name of the extended ACL rule that you want to remove.

Example

rm ns acl restrict

set ns acl

Modifies the parameters of an ACL rule. To commit this operation, you must apply the extended ACLs.

Synopsys

set ns acl <aclname> [-aclaction <aclaction>] [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-srcMac <mac_addr> [-srcMacMask <string>]] [-protocol <protocol> | -protocolNumber <positive_integer>] [-icmpType <positive_integer> [-icmpCode <positive_integer>]] [-vlan <positive_integer> | -vxlan <positive_integer>] [-interface <interface_name>] [-priority <positive_integer>] [-logstate ( ENABLED | DISABLED )] [-ratelimit <positive_integer>] [-established]

Arguments

aclname

Name of the ACL rule whose parameters you want to modify.

aclaction

Action to perform on incoming IPv4 packets that match the extended ACL rule.

Available settings function as follows:

* ALLOW - The NetScaler appliance processes the packet.

* BRIDGE - The NetScaler appliance bridges the packet to the destination without processing it.

* DENY - The NetScaler appliance drops the packet.

Possible values: BRIDGE, DENY, ALLOW

srcIP

IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

operator

Either the equals (=) or does not equal (!=) logical operator.

Possible values: =, !=, EQ, NEQ

srcIPVal

IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

srcPort

Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

srcPortVal

Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

Maximum value: 65535

destIP

IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

destIPVal

IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

destPort

Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

Note: The destination port can be specified only for TCP and UDP protocols.

destPortVal

Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

Note: The destination port can be specified only for TCP and UDP protocols.

Maximum value: 65535

srcMac

MAC address to match against the source MAC address of an incoming IPv4 packet.

srcMacMask

Used to define range of Source MAC address. It takes string of 0 and 1, 0s are for exact match and 1s for wildcard. For matching first 3 bytes of MAC address, srcMacMask value "000000111111".

Default value: "000000000000"

protocol

Protocol to match against the protocol of an incoming IPv4 packet.

Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS

protocolNumber

Protocol to match against the protocol of an incoming IPv4 packet.

Minimum value: 1

Maximum value: 255

icmpType

ICMP Message type to match against the message type of an incoming ICMP packet. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type.

Note: This parameter can be specified only for the ICMP protocol.

Minimum value: 0

Maximum value: 65536

icmpCode

Code of a particular ICMP message type to match against the ICMP code of an incoming ICMP packet. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code.

If you set this parameter, you must set the ICMP Type parameter.

Minimum value: 0

Maximum value: 65536

vlan

ID of the VLAN. The NetScaler appliance applies the ACL rule only to the incoming packets of the specified VLAN. If you do not specify a VLAN ID, the appliance applies the ACL rule to the incoming packets on all VLANs.

Minimum value: 1

Maximum value: 4094

vxlan

ID of the VXLAN. The NetScaler appliance applies the ACL rule only to the incoming packets of the specified VXLAN. If you do not specify a VXLAN ID, the appliance applies the ACL rule to the incoming packets on all VXLANs.

Minimum value: 1

Maximum value: 16777215

interface

ID of an interface. The NetScaler appliance applies the ACL rule only to the incoming packets from the specified interface. If you do not specify any value, the appliance applies the ACL rule to the incoming packets of all interfaces.

priority

Priority for the extended ACL rule that determines the order in which it is evaluated relative to the other extended ACL rules. If you do not specify priorities while creating extended ACL rules, the ACL rules are evaluated in the order in which they are created.

Minimum value: 1

Maximum value: 100000

logstate

Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server.

Possible values: ENABLED, DISABLED

Default value: DISABLED

ratelimit

Maximum number of log messages to be generated per second. If you set this parameter, you must enable the Log State parameter.

Default value: 100

Minimum value: 1

Maximum value: 10000

established

Allow only incoming TCP packets that have the ACK or RST bit set, if the action set for the ACL rule is ALLOW and these packets match the other conditions in the ACL rule.

Example

set ns acl restrict -srcPort 50

unset ns acl

Resets the attributes of the specified extended ACL rule. Attributes for which a default value is available revert to their default values. Refer to the set ns acl command for a description of the parameters..Refer to the set ns acl command for meanings of the arguments.

Synopsys

unset ns acl <aclname> [-srcIP] [-srcPort] [-destIP] [-destPort] [-srcMac] [-srcMacMask] [-protocol] [-icmpType] [-icmpCode] [-vlan] [-vxlan] [-interface] [-logstate] [-ratelimit] [-established]

Example

unset ns acl rule1 -srcPort 

enable ns acl

Enables an extended ACL rule. To commit this operation, you must apply the extended ACLs. After you apply the extended ACL rules, the NetScaler appliance compares incoming packets against the enabled extended ACL rules.

Synopsys

enable ns acl <aclname> ...

Arguments

aclname

Name of the extended ACL rule that you want to enable.

Example

enable ns acl foo

disable ns acl

Disables an extended ACL rule. To commit this operation, you must apply the extended ACLs. After you apply the ACL rules, the NetScaler appliance does not compare incoming packets against the disabled extended ACL rules.

Synopsys

disable ns acl <aclname> ...

Arguments

aclname

Name of the extended ACL rule that you want to disable.

Example

disable ns acl foo

stat ns acl

Displays statistics related to the extended ACL rules. To display statistics of all the extended ACL rules, run the command without any parameters. To display statistics of a particular extended ACL rule, specify the name of the extended ACL rule.

Synopsys

stat ns acl [<aclname>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>] [-clearstats ( basic | full )]

Arguments

aclname

Name of the extended ACL rule whose statistics you want the NetScaler appliance to display.

detail

Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.

fullValues

Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated

ntimes

The number of times, in intervals of seven seconds, the statistics should be displayed.

Default value: 1

Minimum value: 0

logFile

The name of the log file to be used as input.

clearstats

Clear the statsistics / counters

Possible values: basic, full

Outputs

count

devno

stateflag

Outputs

Bridge ACL hits (ACLBdg)

Packets matching a bridge ACL, which is in transparent mode and bypasses service processing.

Deny ACL hits (ACLDeny)

Packets dropped because they match ACLs with processing mode set to DENY.

Allow ACL hits (ACLAllow)

Packets matching ACLs with processing mode set to ALLOW. NetScaler processes these packets.

NAT ACL hits (ACLNAT)

Packets matching a NAT ACL, resulting in a NAT session.

ACL hits (ACLHits)

Packets matching an ACL.

ACL misses (ACLMiss)

Packets not matching any ACL.

ACL Count (ACLCount)

Total number of ACL rules configured.

Hits for this ACL (Hits)

Number of times the acl was hit

Example

stat acl

rename ns acl

Renames an extended ACL rule.

Synopsys

rename ns acl <aclname> <newName>

Arguments

aclname

Name of the extended ACL rule that you want to rename.

newName

New name for the extended ACL rule. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.

Example

rename acl rule rule-new

show ns acl

Displays settings related to the extended ACL rules. To display settings of all the extended ACL rules, run the command without any parameters. To display settings of a particular extended ACL rule, specify the name of the extended ACL rule.

Synopsys

show ns acl [<aclname>]

Arguments

aclname

Name of the extended ACL rule whose details you want the NetScaler appliance to display.

Outputs

td

Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.

aclaction

Action to perform on incoming IPv4 packets that match the extended ACL rule.

Available settings function as follows:

* ALLOW - The NetScaler appliance processes the packet.

* BRIDGE - The NetScaler appliance bridges the packet to the destination without processing it.

* DENY - The NetScaler appliance drops the packet.

srcMac

MAC address to match against the source MAC address of an incoming IPv4 packet.

srcMacMask

Used to define range of Source MAC address. It takes string of 0 and 1, 0s are for exact match and 1s for wildcard. For matching first 3 bytes of MAC address, srcMacMask value "000000111111".

stateflag

ACL state flag.

protocol

The protocol number in IP header or name.

protocolNumber

The protocol number in IP header or name.

srcPortVal

Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

destPortVal

Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [40-90].

Note: The destination port can be specified only for TCP and UDP protocols.

srcIPVal

IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

destIPVal

IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen and enclose within brackets. For example: [10.102.29.30-10.102.29.189].

vlan

ID of the VLAN. The NetScaler appliance applies the ACL rule only to the incoming packets of the specified VLAN. If you do not specify a VLAN ID, the appliance applies the ACL rule to the incoming packets on all VLANs.

vxlan

ID of the VXLAN. The NetScaler appliance applies the ACL rule only to the incoming packets of the specified VXLAN. If you do not specify a VXLAN ID, the appliance applies the ACL rule to the incoming packets on all VXLANs.

state

Enable or disable the extended ACL rule. After you apply the extended ACL rules, the NetScaler appliance compares incoming packets against the enabled extended ACL rules.

TTL

Number of seconds, in multiples of four, after which the extended ACL rule expires. If you do not want the extended ACL rule to expire, do not specify a TTL value.

icmpType

ICMP Message type to match against the message type of an incoming ICMP packet. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type.

Note: This parameter can be specified only for the ICMP protocol.

icmpCode

Code of a particular ICMP message type to match against the ICMP code of an incoming ICMP packet. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code.

If you set this parameter, you must set the ICMP Type parameter.

interface

ID of an interface. The NetScaler appliance applies the ACL rule only to the incoming packets from the specified interface. If you do not specify any value, the appliance applies the ACL rule to the incoming packets of all interfaces.

hits

The hits of this ACL.

established

This flag indicates that the ACL should be used for TCP response traffic only.

priority

Priority for the extended ACL rule that determines the order in which it is evaluated relative to the other extended ACL rules. If you do not specify priorities while creating extended ACL rules, the ACL rules are evaluated in the order in which they are created.

operator

Either the equals (=) or does not equal (!=) logical operator.

kernelstate

The commit status of the ACL.

logstate

Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server.

ratelimit

Packet rate limit for acl logging

time

Time when this acl is applied.

aclassociate

ACL linked

devno

count

Example

sh acl foo     Name: foo                               Action: ALLOW    Hits: 0     srcIP = 10.102.1.150     destIP = 202.54.12.47     srcMac:                               srcMacMask:  Protocol: TCP     srcPort                                destPort = 110     Vlan:                                   Interface:     Active Status: ENABLED                   Applied Status: NOTAPPLIED     Priority: 1027