- Simple ACLs and Simple ACL6s
- Extended ACLs and Extended ACL6s
- MAC Address Wildcard Mask for ACLs
- Blocking Traffic on Internal Ports
Extended ACLs and extended ACL6s provide parameters and actions not available with simple ACLs. You can filter data on the basis of parameters such as source IP address, source port, action, and protocol. You can specify tasks to allow a packet, deny a packet, or bridge a packet.
Extended ACLs and ACL6s can be modified after they are created, and you can renumber their priorities to specify the order in which they are evaluated.
The following actions can be performed on extended ACLs and ACL6s: Modify, Apply, Disable, Enable, Remove, and Renumber (the priority). You can display extended ACLs and ACL6s to verify their configuration, and you can display their statistics.
You can configure the NetScaler ADC to log details for packets that match an extended ACL. However, you cannot log details of packets that match an ext
Applying Extended ACLs and Extended ACL6s
Unlike simple ACLs and ACL6s, extended ACLs and ACL6s created on the NetScaler ADC do not work until they are applied. Also, if you make any modifications to an extended ACL or ACL6, such as disabling the ACLs, changing a priority, or deleting the ACLs, you must reapply the extended ACLs or ACL6s. You must also reapply them after enabling logging. The procedure to apply extended ACLs or ACL6s reapplies all of them. For example, if you have applied extended ACL rules 1 through 10, and you then create and apply rule 11, the first 10 rules are applied afresh.
If a session has a DENY ACL related to it, that session is terminated when you apply the ACLs.
Extended ACLs and ACL6s are enabled by default. When they are applied, the NetScaler ADC starts comparing incoming packets against them. However, if you disable them, they are not used until you reenable them, even if they are reapplied.
Renumbering the priorities of Extended ACLs and Extended ACL6s
Priority numbers determine the order in which extended ACLs or ACL6s are matched against a packet. An ACL with a lower priority number has a higher priority. It is evaluated before ACLs with higher priority numbers (lower priorities), and the first ACL to match the packet determines the action applied to the packet.
When you create an extended ACL or ACL6, the NetScaler ADC automatically assigns it a priority number that is a multiple of 10, unless you specify otherwise. For example, if two extended ACLs have priorities of 20 and 30, respectively, and you want a third ACL to have a value between those numbers, you might assign it a value of 25. If you later want to retain the order in which the ACLs are evaluated but restore their numbering to multiples of 10, you can use the renumber procedure.
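The evaluation semantics described above (lower priority number is checked first, the first matching rule decides, nothing is used until applied, and renumbering restores multiples of 10 while keeping the order) are easy to get wrong when reviewing a rule set by hand. The following Python model is an added example written for this page, not NetScaler code: the `AclTable`, `Acl` and `Packet` names, the auto-priority rule (next multiple of 10 above the highest existing priority) and the inclusive IP/port ranges are assumptions made for illustration.

```python
"""Simulation of extended ACL ordering and apply/renumber behaviour.
Hypothetical model for illustration; not NetScaler's implementation."""
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dest_ip: str
    protocol: str
    dest_port: int


def _ip_in(addr: str, rng: Tuple[str, str]) -> bool:
    """Inclusive address-range test (assumed range semantics)."""
    return ip_address(rng[0]) <= ip_address(addr) <= ip_address(rng[1])


@dataclass
class Acl:
    name: str
    action: str                              # ALLOW, DENY or BRIDGE
    priority: Optional[int] = None           # None = let the table assign one
    src_ip: Optional[Tuple[str, str]] = None
    dest_ip: Optional[Tuple[str, str]] = None
    protocol: Optional[str] = None
    dest_port: Optional[Tuple[int, int]] = None
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        # Every parameter that is set must match; unset parameters match anything.
        if self.src_ip and not _ip_in(pkt.src_ip, self.src_ip):
            return False
        if self.dest_ip and not _ip_in(pkt.dest_ip, self.dest_ip):
            return False
        if self.protocol and self.protocol.upper() != pkt.protocol.upper():
            return False
        if self.dest_port and not (self.dest_port[0] <= pkt.dest_port <= self.dest_port[1]):
            return False
        return True


class AclTable:
    def __init__(self) -> None:
        self.configured: List[Acl] = []   # what the administrator has defined
        self.applied: List[Acl] = []      # snapshot the data path actually evaluates

    def add(self, acl: Acl) -> Acl:
        if acl.priority is None:
            highest = max((a.priority for a in self.configured), default=0)
            acl.priority = (highest // 10 + 1) * 10   # assumed auto-assignment rule
        self.configured.append(acl)
        return acl

    def apply(self) -> None:
        # Like "apply ns acls": every configured rule is re-applied afresh.
        self.applied = [replace(a) for a in self.configured]

    def renumber(self) -> None:
        # Keep evaluation order, restore priorities to 10, 20, 30, ...
        for i, acl in enumerate(sorted(self.configured, key=lambda a: a.priority), start=1):
            acl.priority = i * 10

    def evaluate(self, pkt: Packet) -> str:
        for acl in sorted(self.applied, key=lambda a: a.priority):
            if acl.enabled and acl.matches(pkt):
                return acl.action          # first match wins
        return "MISS"                      # counted as an "ACL miss"


def demo() -> dict:
    """Build a small rule set and show the effect of apply and renumber."""
    table = AclTable()
    table.add(Acl("deny-client-net", "DENY", src_ip=("50.50.50.0", "50.50.50.255")))   # gets 10
    table.add(Acl("allow-http", "ALLOW", protocol="TCP", dest_port=(80, 80)))         # gets 20
    table.add(Acl("deny-telnet", "DENY", priority=15, protocol="TCP", dest_port=(23, 23)))
    web = Packet("40.40.40.1", "10.10.10.1", "TCP", 80)
    out = {"before_apply": table.evaluate(web)}          # nothing applied yet -> MISS
    table.apply()
    out["web"] = table.evaluate(web)
    out["bad_net"] = table.evaluate(Packet("50.50.50.7", "10.10.10.1", "TCP", 80))  # DENY beats ALLOW
    out["telnet"] = table.evaluate(Packet("40.40.40.1", "10.10.10.1", "TCP", 23))
    out["tftp"] = table.evaluate(Packet("40.40.40.1", "10.10.10.1", "UDP", 69))
    order = lambda: [(a.name, a.priority) for a in sorted(table.configured, key=lambda a: a.priority)]
    out["before_renumber"] = order()
    table.renumber()
    out["after_renumber"] = order()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that a DENY rule that matches an earlier-priority slot hides a later ALLOW for the same traffic, and that modifications made after `apply()` have no effect on evaluation until the table is applied again, which mirrors the reapply requirement described above.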
At the command prompt, type:

> add ns acl restrict DENY -srcport 45-1024 -destIP 192.168.1.1 -protocol TCP
Done
At the command prompt, type:

> add ns acl6 rule6 DENY -srcport 45-1024 -destIPv6 2001::45 -protocol TCP
Done
To modify an extended ACL, type the set ns acl command, the name of the extended ACL, and the parameters to be changed, with their new values.
To modify an extended ACL6, type the set ns acl6 command, the name of the extended ACL6, and the parameters to be changed, with their new values.
Navigate to System > Network > ACLs and, on the Extended ACLs tab, add a new extended ACL or edit an existing extended ACL. To enable or disable an existing extended ACL, select it, and then select Enable or Disable from the Action list.
Navigate to System > Network > ACLs and, on the Extended ACL6s tab, add a new extended ACL6 or edit an existing extended ACL6. To enable or disable an existing extended ACL6, select it, and then select Enable or Disable from the Action list.
Navigate to System > Network > ACLs and, on the Extended ACLs tab, in the Action list, click Apply.
Navigate to System > Network > ACLs and, on the Extended ACL6s tab, in the Action list, click Apply.
Navigate to System > Network > ACLs and, on the Extended ACLs tab, in the Action list, click Renumber Priority(s).
Navigate to System > Network > ACLs and, on the Extended ACL6s tab, in the Action list, click Renumber Priority(s).
You can configure the NetScaler ADC to log details for packets that match extended ACLs.
In addition to the ACL name, the logged details include packet-specific information such as the source and destination IP addresses. The information is stored either in the syslog file or in the nslog file, depending on the type of global logging (syslog or nslog) enabled.
Logging must be enabled at both the global level and the ACL level. The global setting takes precedence. For more information about enabling logging globally, see "."
To optimize logging, when multiple packets from the same flow match an ACL, only the first packet's details are logged, and the counter is incremented for every packet that belongs to the same flow. A flow is defined as a set of packets that have the same values for the source IP address, destination IP address, source port, destination port, and protocol parameters. To avoid flooding of log messages, the NetScaler ADC performs internal rate limiting so that packets belonging to the same flow are not repeatedly logged. The total number of different flows that can be logged at any given time is limited to 10,000.
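The flow-based logging behaviour just described (first packet of a flow logged, a per-flow counter for the rest, rate limiting, and a cap of 10,000 tracked flows) determines what an analyst will and will not see in syslog or nslog. The following Python model is an added example for this page, not NetScaler code: the `AclLogger` class, its per-second interpretation of the rate limit, and the choice to count both rate-limited and over-cap flows as "suppressed" are assumptions made for illustration.

```python
"""Model of flow-deduplicated ACL logging with a rate limit and a flow cap.
Hypothetical simulation for illustration; not NetScaler's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_LOGGED_FLOWS = 10_000          # cap stated in the documentation text

FlowKey = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    src_ip: str
    dest_ip: str
    src_port: int
    dest_port: int
    protocol: str

    def flow_key(self) -> FlowKey:
        # A flow = same source IP, destination IP, source port, destination port, protocol.
        return (self.src_ip, self.dest_ip, self.src_port, self.dest_port, self.protocol)


class AclLogger:
    def __init__(self, ratelimit: int, max_flows: int = MAX_LOGGED_FLOWS) -> None:
        self.ratelimit = ratelimit             # assumed: new-flow log lines per second
        self.max_flows = max_flows
        self.flows: Dict[FlowKey, int] = {}    # flow -> packets seen (the per-flow counter)
        self.lines: List[str] = []             # what would reach syslog/nslog
        self.suppressed = 0                    # new flows that could not be logged
        self._window: Optional[List[int]] = None   # [second, lines emitted in it]

    def hit(self, acl_name: str, pkt: Packet, now: float) -> bool:
        """Record an ACL match; return True only if a log line was emitted."""
        key = pkt.flow_key()
        if key in self.flows:                  # repeat packet of a known flow: count only
            self.flows[key] += 1
            return False
        if len(self.flows) >= self.max_flows:  # flow table full
            self.suppressed += 1
            return False
        second = int(now)
        if self._window is None or self._window[0] != second:
            self._window = [second, 0]
        if self._window[1] >= self.ratelimit:  # too many new-flow lines this second
            self.suppressed += 1
            return False
        self._window[1] += 1
        self.flows[key] = 1
        self.lines.append(
            f"ACL {acl_name} matched {pkt.protocol} "
            f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dest_ip}:{pkt.dest_port}"
        )
        return True


def demo() -> dict:
    """Constructed traffic: three packets of one flow, then several new flows."""
    log = AclLogger(ratelimit=2, max_flows=3)   # small limits so the effects are visible
    a = Packet("50.50.50.1", "10.10.10.1", 40000, 23, "TCP")
    b = Packet("50.50.50.1", "10.10.10.1", 40001, 23, "TCP")   # new source port = new flow
    c = Packet("50.50.50.2", "10.10.10.1", 40000, 23, "TCP")
    d = Packet("50.50.50.3", "10.10.10.1", 40000, 23, "TCP")
    events = [(a, 0.0), (a, 0.1), (a, 0.2), (b, 0.3), (c, 0.4), (c, 1.5), (d, 1.6)]
    emitted = [log.hit("deny-client-Telnet", p, t) for p, t in events]
    return {
        "emitted": emitted,
        "lines": len(log.lines),
        "flow_a_count": log.flows[a.flow_key()],
        "suppressed": log.suppressed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the demo the second and third packets of flow `a` only increment the counter, flow `c` is rate-limited in second 0 but logged when it reappears in second 1, and flow `d` is dropped because the flow table is full. When reading real ACL logs, remember that one logged line can stand for many packets.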
At the command prompt, type the following commands to configure logging and verify the configuration:

> set ns acl restrict -logstate ENABLED -ratelimit 120
Warning: ACL modified, apply ACLs to activate change
You can display statistics of extended ACLs and ACL6s.
The following table lists the statistics associated with extended ACLs and ACL6s, and their descriptions.
Statistic | Specifies
--- | ---
Allow ACL hits | Packets matching ACLs with processing mode set to ALLOW. The NetScaler ADC processes these packets.
NAT ACL hits | Packets matching a NAT ACL, resulting in a NAT session.
Deny ACL hits | Packets dropped because they match ACLs with processing mode set to DENY.
Bridge ACL hits | Packets matching a bridge ACL, which in transparent mode bypasses service processing.
ACL hits | Packets matching an ACL.
ACL misses | Packets not matching any ACL.
Navigate to System > Network > ACLs and, on the Extended ACLs tab, select the extended ACL, and click Statistics.
Navigate to System > Network > ACLs and, on the Extended ACL6s tab, select the extended ACL6, and click Statistics.
The following table shows examples of configuring extended ACL rules through the command line interface.
Action - ALLOW

Tasks | Steps
--- | ---
Create an extended ACL rule to allow a particular host to access the servers. | `add ns acl allow-client ALLOW -srcIP = 40.40.40.1`
Create an extended ACL rule to allow a particular network to access the servers. | `add ns acl allow-client-net ALLOW -srcIP = 40.40.40.0-40.40.40.255`
Create extended ACL rules to allow HTTP, TFTP, and ICMP traffic. | `add ns acl allow-http ALLOW -protocol TCP -destport 80`; `add ns acl allow-tftp ALLOW -protocol UDP -destport 69`; `add ns acl allow-icmp ALLOW -protocol ICMP`
Create an extended ACL rule to allow access to a particular destination/network. | `add ns acl allow-dest-access ALLOW -destIP 20.20.20.0-20.20.20.255`
Create an extended ACL rule to allow traffic coming from a particular VLAN. | `add ns acl allow-vlan ALLOW -vlan 3000`

Action - DENY

Tasks | Steps
--- | ---
Create an extended ACL rule to deny access to the servers by a particular host. | `add ns acl deny-client DENY -srcIP = 50.50.50.1`
Create an extended ACL rule to deny access to the servers from a particular network. | `add ns acl deny-client-net DENY -srcIP = 50.50.50.0-50.50.50.255`
Create extended ACL rules to deny Telnet and FTP traffic. | `add ns acl deny-client-Telnet DENY -protocol TCP -destPort 23`; `add ns acl deny-client-FTP DENY -protocol TCP -destPort 20-21`
Create an extended ACL rule to deny TCP traffic to port 80 from a particular host/network. | `add ns acl deny-client-TCP DENY -protocol TCP -destPort 80 -destIP 20.20.20.0-20.20.20.255`
Create an extended ACL rule to deny traffic from a particular VLAN. | `add ns acl deny-vlan DENY -vlan 2000`

Action - BRIDGE

Tasks | Steps
--- | ---
Create extended ACL rules to bridge FTP traffic (control channel on port 21, data channel on port 20). | `add ns acl bridge-ftp BRIDGE -protocol TCP -destport 21`; `add ns acl bridge-ftp-data BRIDGE -protocol TCP -destport 20`
Create an extended ACL rule to bridge all traffic from a particular VLAN. | `add ns acl bridge-client-vlan BRIDGE -vlan 1000`

MAC Address Filtering

Tasks | Steps
--- | ---
Create an extended ACL rule to allow traffic from a particular MAC address to a particular host. | `add ns acl allow-mac-host ALLOW -srcMAC 2a:c1:69:92:a0:7b -destIP 10.10.10.1`
Create an extended ACL rule to allow traffic from hosts with a specific MAC UUID. | `add ns acl allow-mac-uuid ALLOW -srcMAC 2a:c1:69:92:a0:7b -srcMacMask 000000111111`

ACL with RNAT (Typically, RNAT is used to allow servers configured with private non-routable IP addresses to initiate connections to the Internet.)

Tasks | Steps
--- | ---
Create an RNAT rule for a particular host. | `add ns acl rnat-acl-host ALLOW -srcIP 40.40.40.1`; `apply ns acls`; `set rnat rnat-acl-host`
Create an RNAT rule for a particular network. | `add ns acl rnat-acl-network ALLOW -srcIP 40.40.40.0-40.40.40.255`; `set rnat rnat-acl-network -NATIP 5.5.5.1`

ACL with Forwarding Session

Tasks | Steps
--- | ---
Create a forwarding session rule for a case in which a client request forwarded to a server results in a response that has to return by the same path. | `add ns acl forward-acl-host ALLOW -srcIP 20.20.20.1`; `add forwardingSession fs -aclname forward-acl-host`