Product Documentation

Simple ACLs and Simple ACL6s

May 21, 2015

A simple ACL or simple ACL6 uses few parameters and can be configured only to drop IP packets. Packets can be dropped on the basis of their source IP address and, optionally, their protocol, destination port, or traffic domain.

When creating a simple ACL or simple ACL6, you can specify a time to live (TTL), in seconds, after which the ACL expires. ACLs with TTLs are not saved when you save the configuration. You can display simple ACLs and simple ACL6s to verify their configuration, and you can display their statistics.

Configuring Simple ACLs and Simple ACL6s

Configuring a simple ACL or simple ACL6 on a NetScaler ADC can include the following tasks.
  • Create simple ACLs or simple ACL6s to drop (deny) packets on the basis of their source IP address and, optionally, their protocol, destination port, or traffic domain.
  • Remove simple ACLs or simple ACL6s. These ACLs cannot be modified once created. If you need to modify a simple ACL or simple ACL6, you must remove it and create a new one.

To create a simple ACL by using the command line interface

At the command prompt, type the following commands to add an ACL and verify the configuration:

  • add ns simpleacl <aclname> DENY -srcIP <ip_addr> [-destPort <port> -protocol ( TCP | UDP )] [-TTL <positive_integer>]
  • show ns simpleacl [<aclname>]

Example

> add ns simpleacl rule1 DENY -srcIP 10.102.29.5 -TTL 600
Done

To create a simple ACL6 by using the command line interface

At the command prompt, type the following commands to add a simple ACL6 and verify the configuration:

  • add ns simpleacl6 <aclname> DENY -srcIPv6 <ipv6_addr|null> [-destPort <port> -protocol ( TCP | UDP )] [-TTL <positive_integer>]
  • show ns simpleacl6 [<aclname>]

Example

> add ns simpleacl6 rule1 DENY -srcIPv6 3ffe:192:168:215::82 -destPort 80 -protocol TCP -TTL 9000
Done

To remove a single simple ACL by using the command line interface

At the command prompt, type:

  • rm ns simpleacl <aclname>
  • show ns simpleacl

To remove a single simple ACL6 by using the command line interface

At the command prompt, type:

  • rm ns simpleacl6 <aclname>
  • show ns simpleacl6

To remove all simple ACLs by using the command line interface

At the command prompt, type:

  • clear ns simpleacl
  • show ns simpleacl

To remove all simple ACL6s by using the command line interface

At the command prompt, type:

  • clear ns simpleacl6
  • show ns simpleacl6

To create a simple ACL by using the configuration utility

Navigate to System > Network > ACLs and, on the Simple ACLs tab, add a new simple ACL.

To create a simple ACL6 by using the configuration utility

Navigate to System > Network > ACLs and, on the Simple ACL6s tab, add a new simple ACL6.

To remove a single simple ACL by using the configuration utility

Navigate to System > Network > ACLs and, on the Simple ACLs tab, delete the simple ACL.

To remove a single simple ACL6 by using the configuration utility

Navigate to System > Network > ACLs and, on the Simple ACL6s tab, delete the simple ACL6.

To remove all simple ACLs by using the configuration utility

  1. Navigate to System > Network > ACLs.
  2. On the Simple ACLs tab, in the Action list, click Clear.

To remove all simple ACL6s by using the configuration utility

  1. Navigate to System > Network > ACLs.
  2. On the Simple ACL6s tab, in the Action list, click Clear.

Displaying Simple ACL and Simple ACL6 Statistics

You can display the simple ACL (or simple ACL6) statistics, which include the number of hits, the number of misses, and the number of simple ACLs configured.

The following table describes statistics you can display for simple ACLs and simple ACL6s.

Statistic     Indicates
ACL hits      Packets matching an ACL
ACL misses    Packets not matching any ACL
ACL count     Number of ACLs configured

To display simple ACL statistics by using the command line interface

At the command prompt, type:

stat ns simpleacl

Example

> stat ns simpleacl 
 
SimpleACL Statistics 
 
                                          Rate (/s)                Total 
SimpleACL hits                                     0                    0 
SimpleACL misses                                   0                51872 
SimpleACLs count                                  --                    2 
Done
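The counters above are the quickest way to confirm that a newly created simple ACL is actually dropping packets: hits should start climbing once matching traffic arrives, while a hit count that stays at zero alongside a non-zero ACL count means the rule is not matching what you expected. The following POSIX shell functions are an added example, not part of the NetScaler documentation: they read the Total column of `stat ns simpleacl` output from standard input (the row layout shown in the example above; `stat ns simpleacl6` is assumed to print the same layout) and compare two samples taken some time apart. The two embedded outputs are constructed samples in that layout.

```shell
#!/bin/sh
# Added example (not from the NetScaler documentation): read the Total column
# of `stat ns simpleacl` output from stdin and print "hits misses count".
# Assumes `stat ns simpleacl6` prints the same row layout.
parse_simpleacl_stat() {
    awk '
        # Data rows look like:
        #   SimpleACL hits        <rate>   <total>
        #   SimpleACLs count        --     <total>
        $1 ~ /^SimpleACLs?$/ && $2 == "hits"   { hits   = $NF }
        $1 ~ /^SimpleACLs?$/ && $2 == "misses" { misses = $NF }
        $1 ~ /^SimpleACLs?$/ && $2 == "count"  { count  = $NF }
        END {
            # Fail loudly if a row is missing, so callers never act on "".
            if (hits == "" || misses == "" || count == "") exit 1
            print hits, misses, count
        }'
}

# Compare two parsed samples ("hits misses count") taken some time apart.
# Exit status: 0 = ACLs configured and the hit counter advanced (ACLs are
# dropping traffic), 1 = ACLs configured but nothing matched between the
# samples, 2 = no simple ACLs configured, 3 = counters went backwards
# (counters cleared or the appliance restarted; take a fresh baseline).
check_simpleacl_effect() {
    set -- $1 $2          # -> hits0 misses0 count0 hits1 misses1 count1
    [ "$6" -gt 0 ] || return 2
    [ "$4" -ge "$1" ] || return 3
    [ "$4" -gt "$1" ] || return 1
    return 0
}

# Constructed samples in the layout shown by the page's stat example.
SAMPLE_BEFORE='SimpleACL Statistics

                                          Rate (/s)                Total
SimpleACL hits                                     0                    0
SimpleACL misses                                   0                51872
SimpleACLs count                                  --                    2
Done'

SAMPLE_AFTER='SimpleACL Statistics

                                          Rate (/s)                Total
SimpleACL hits                                     3                  143
SimpleACL misses                                   1                52010
SimpleACLs count                                  --                    2
Done'

# Stand-alone run: parse both samples and report what changed.
before=$(printf '%s\n' "$SAMPLE_BEFORE" | parse_simpleacl_stat)
after=$(printf '%s\n' "$SAMPLE_AFTER" | parse_simpleacl_stat)
echo "before: $before"
echo "after:  $after"
rc=0
check_simpleacl_effect "$before" "$after" || rc=$?
case $rc in
    0) echo "simple ACLs are matching traffic" ;;
    1) echo "warning: ACLs configured but no packets matched between samples" ;;
    2) echo "warning: no simple ACLs configured" ;;
    3) echo "warning: counters reset between samples; take a fresh baseline" ;;
esac
```

In practice you would capture the real command output (for example by saving the CLI session output to a file) and pipe it through parse_simpleacl_stat once before and once after the traffic you expect to be blocked; status 1 is the interesting case, since it usually means the source address, port or protocol in the ACL does not match the actual traffic.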

To display simple ACL6 statistics by using the command line interface

At the command prompt, type:

stat ns simpleacl6

To display simple ACL statistics by using the configuration utility

Navigate to System > Network > ACLs and, on the Simple ACLs tab, select the ACL and click Statistics.

To display simple ACL6 statistics by using the configuration utility

Navigate to System > Network > ACLs and, on the Simple ACL6s tab, select the simple ACL6 and click Statistics.

Terminating Established Connections

For a simple ACL or simple ACL6, the NetScaler ADC blocks any new connections that match the conditions specified in the ACL. Packets related to existing connections that were established before the ACL was created are not blocked. To terminate previously established connections that match an existing ACL, you can run a flush operation from the command line interface or the configuration utility.

Flush can be useful in the following cases:
  • You receive a list of blacklisted IP addresses and want to completely block those IP addresses from accessing the NetScaler ADC. In this case, you create simple ACLs or simple ACL6s to block any new connections from these IP addresses, and then flush any existing connections associated with those addresses.
  • You want to terminate a large number of connections from a particular network without taking the time to terminate them one by one.

When you run flush, the NetScaler ADC searches through all of its established connections and terminates those that match conditions specified in any of the simple ACLs configured on the ADC.

Note: If you plan to create more than one simple ACL and flush existing connections that match any of them, you can minimize the effect on performance by first creating all of the simple ACLs and then running flush only once.
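The first flush use case above (block a list of source addresses, then terminate their existing connections) combined with the create-ACL syntax given earlier on this page is easy to script so that every ACL is created before a single flush is issued. The following POSIX shell script is an added example and is not part of the Citrix documentation: it reads one source address per line, validates each entry, emits `add ns simpleacl` / `add ns simpleacl6` commands for review, and appends one flush per address family only after all ACLs. The ACL naming scheme (blk_v4_N, blk_v6_N), the TTL value and the input list are constructed; the IPv6 check is syntactic only, so the ADC's own parser remains the final validation of each address.

```shell
#!/bin/sh
# Added example (not from the NetScaler documentation): turn a list of source
# addresses into simple ACL / simple ACL6 commands plus one flush per family.

# is_ipv4 <addr>: four dot-separated decimal octets, each 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6_like <addr>: loose syntactic check (hex digits and at least two
# colons). The ADC rejects anything malformed, so this only filters out
# obvious garbage before commands are generated.
is_ipv6_like() {
    case $1 in
        *:*:*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!0-9a-fA-F:]*) return 1 ;;
    esac
    return 0
}

# gen_simpleacl_batch <ttl_seconds>: reads one address per line on stdin
# (blank lines and '#' comments ignored), prints NetScaler CLI commands on
# stdout and skipped entries on stderr. Returns 1 if anything was skipped.
# Because a TTL is given, these ACLs expire on their own and are not written
# to the saved configuration (see the TTL note at the top of the page).
gen_simpleacl_batch() {
    ttl=$1
    n4=0; n6=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        addr=${line%%#*}                                  # drop trailing comment
        addr=$(printf '%s' "$addr" | tr -d '[:space:]')   # drop whitespace
        [ -n "$addr" ] || continue
        if is_ipv4 "$addr"; then
            n4=$((n4 + 1))
            printf 'add ns simpleacl blk_v4_%d DENY -srcIP %s -TTL %s\n' "$n4" "$addr" "$ttl"
        elif is_ipv6_like "$addr"; then
            n6=$((n6 + 1))
            printf 'add ns simpleacl6 blk_v6_%d DENY -srcIPv6 %s -TTL %s\n' "$n6" "$addr" "$ttl"
        else
            bad=$((bad + 1))
            printf 'skipped (not an IP address): %s\n' "$addr" >&2
        fi
    done
    # One flush per family, issued only after every ACL exists, as the note
    # above recommends; the show command lets the operator verify the result.
    if [ "$n4" -gt 0 ]; then
        printf 'flush simpleacl -estSessions\nshow ns simpleacl\n'
    fi
    if [ "$n6" -gt 0 ]; then
        printf 'flush simpleacl6 -estSessions\nshow ns simpleacl6\n'
    fi
    [ "$bad" -eq 0 ]
}

# Constructed block list; the two valid addresses are the page's own examples.
BLOCK_LIST='# source addresses to block for 10 minutes
10.102.29.5
3ffe:192:168:215::82   # also appears in the simple ACL6 example
10.102.29.256          # invalid octet, will be skipped
'

printf '%s' "$BLOCK_LIST" | gen_simpleacl_batch 600 \
    || echo 'some entries were skipped; review stderr before applying' >&2
```

The generated commands go to standard output so they can be reviewed (and diffed against a previous run) before being pasted or piped into the NetScaler CLI; a non-zero exit status means at least one line of the input was not an address and should be checked by hand rather than silently dropped.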

To terminate all established IPv4 connections that match any of your configured simple ACLs by using the command line interface

At the command prompt, type:

flush simpleacl -estSessions

To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the command line interface

At the command prompt, type:

flush simpleacl6 -estSessions

To terminate all established IPv4 connections that match any of your configured simple ACLs by using the configuration utility

  1. Navigate to System > Network > ACLs.
  2. On the Simple ACLs tab, in the Action list, click Flush.

To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the configuration utility

  1. Navigate to System > Network > ACLs.
  2. On the Simple ACL6s tab, in the Action list, click Flush.