User Manual

Applying ACLs
376 Enterasys X-Pedition User Reference Manual
Applying ACLs to Interfaces
An ACL can be applied to an interface to examine either inbound or outbound traffic. Inbound
traffic is traffic coming into the XP. Outbound traffic is traffic going out of the XP. For each
interface, only one ACL can be applied for the same protocol in the same direction. For example,
you cannot apply two or more IP ACLs to the same interface in the inbound direction. You can
apply two ACLs to the same interface only if one examines inbound traffic and the other examines
outbound traffic. This restriction does not limit the number of rules you can enforce on an
interface: put all of the rules you need into one ACL and apply that ACL to the interface.
Note: You may not apply ACLs to interface EN0 of the control module.
When a packet arrives at an interface where an inbound ACL is applied, the XP compares the
packet to the rules specified by that ACL. If a rule permits it, the packet is allowed into the XP;
otherwise the packet is dropped. If the packet is then forwarded out of another interface (that is,
the packet is routed), a second ACL check is possible: if an outbound ACL is applied at the output
interface, the packet is compared to the rules specified in that outbound ACL. Consequently, a
packet can go through two separate checks, once at the inbound interface and once more at the
outbound interface.
When you apply an ACL to an interface, you can also specify whether the ACL can be modified or
removed from the interface by an external agent (such as the Policy Manager application). Note
that for an external agent to modify or remove an applied ACL from an interface, the acl-policy
enable external command must be in the configuration.
In general, you should apply ACLs at inbound interfaces rather than at outbound interfaces. If a
packet is to be denied, you want to drop it as early as possible, at the inbound interface.
Otherwise, the XP has to process the packet and determine where it should go, only to find that it
must be dropped at the outbound interface. In some cases, however, the administrator may not be
able to know ahead of time that a packet should be dropped at the inbound interface. Nonetheless,
for performance reasons, create and apply an ACL to the inbound interface whenever possible.
To apply an ACL to an interface, enter the following command in Configure mode:

Note: The XP will display interface names up to 32 characters in length.

Apply ACL to an interface.
acl <name> apply interface <interface name> input|output [logging on|off|deny-only|permit-only] [policy local|external]
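The following Python model is an added example, not code from the manual or from the XP itself. It reproduces the behaviour described above so that the rules can be exercised on constructed traffic: one ACL per protocol family per direction on an interface, an inbound check when a packet enters, a second outbound check when it is routed out of another interface, the logging modes (on, off, deny-only, permit-only) and the policy local|external option of the apply command, and the requirement that acl-policy enable external be configured before an external agent may remove an applied ACL. The interface names (et.1.1, et.1.2), ACL names, addresses and ports are constructed sample values, and the implicit deny at the end of an ACL with no matching rule is an assumption made for the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model (not the XP's own code) of the ACL behaviour the manual describes: first-match
# rules, one ACL per family and direction per interface, an inbound check on entry, outbound on exit.

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" (any IP protocol), "tcp", "udp" or "icmp"
    src: str                        # CIDR prefix or "any"
    dst: str                        # CIDR prefix or "any"
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return self.dst_port is None or pkt.get("dst_port") == self.dst_port

@dataclass
class Acl:
    name: str
    family: str = "ip"              # protocol family the ACL filters (the XP also has IPX ACLs)
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:     # first matching rule decides
            if rule.matches(pkt):
                return rule.action
        return "deny"               # no rule matched: assumed implicit deny at the end of the ACL

class Interface:
    def __init__(self, name: str) -> None:
        self.name = name
        # (family, direction) -> (acl, logging mode, policy): one ACL per family per direction
        self.bindings: Dict[Tuple[str, str], Tuple[Acl, str, str]] = {}

    def apply(self, acl: Acl, direction: str, logging: str = "off", policy: str = "local") -> None:
        """Mirror 'acl <name> apply interface <if> input|output [logging ...] [policy ...]'."""
        if (acl.family, direction) in self.bindings:
            raise ValueError(f"{self.name} already has an {acl.family} ACL applied in direction {direction}")
        self.bindings[(acl.family, direction)] = (acl, logging, policy)

    def check(self, direction: str, pkt: dict, log: List[str]) -> str:
        if (pkt["family"], direction) not in self.bindings:
            return "permit"         # no ACL in this direction: the packet is not examined
        acl, mode, _ = self.bindings[(pkt["family"], direction)]
        verdict = acl.evaluate(pkt)
        if mode == "on" or mode == f"{verdict}-only":   # logging on, deny-only or permit-only
            log.append(f"{self.name} {direction} {acl.name}: {verdict} {pkt['src']}->{pkt['dst']}")
        return verdict

class Router:
    def __init__(self, interface_names: List[str]) -> None:
        self.interfaces = {name: Interface(name) for name in interface_names}
        self.acl_policy_external = False   # True once 'acl-policy enable external' is configured
        self.log: List[str] = []

    def forward(self, pkt: dict, in_if: str, out_if: str) -> str:
        """Inbound ACL at the entry interface first, then the outbound ACL at the exit interface."""
        if self.interfaces[in_if].check("input", pkt, self.log) == "deny":
            return "dropped-inbound"
        if self.interfaces[out_if].check("output", pkt, self.log) == "deny":
            return "dropped-outbound"
        return "forwarded"

    def external_agent_remove(self, if_name: str, family: str, direction: str) -> bool:
        """An external agent (such as Policy Manager) may remove the ACL only if it was applied
        with 'policy external' and 'acl-policy enable external' is in the configuration."""
        bindings = self.interfaces[if_name].bindings
        binding = bindings.get((family, direction))
        if binding is None or binding[2] != "external" or not self.acl_policy_external:
            return False
        del bindings[(family, direction)]
        return True

def demo() -> dict:
    """Two-interface XP with an inbound and an outbound ACL; the traffic is constructed sample data."""
    xp = Router(["et.1.1", "et.1.2"])
    edge_in = Acl("edge-in", rules=[Rule("deny", "tcp", "any", "any", 23),       # drop telnet at entry
                                    Rule("permit", "ip", "10.0.0.0/8", "any")])
    srv_out = Acl("server-out", rules=[Rule("permit", "tcp", "any", "192.168.1.0/24", 443)])
    xp.interfaces["et.1.1"].apply(edge_in, "input", logging="deny-only")
    xp.interfaces["et.1.2"].apply(srv_out, "output", logging="permit-only", policy="external")
    base = {"family": "ip", "protocol": "tcp", "src": "10.1.1.5", "dst": "192.168.1.10"}
    results = {name: xp.forward({**base, "dst_port": port}, "et.1.1", "et.1.2")
               for name, port in (("telnet", 23), ("https", 443), ("smtp", 25))}
    try:
        xp.interfaces["et.1.1"].apply(Acl("second"), "input")   # a second IP ACL, same direction
        results["second_apply"] = "accepted"
    except ValueError:
        results["second_apply"] = "rejected"
    results["agent_remove_without_enable"] = xp.external_agent_remove("et.1.2", "ip", "output")
    xp.acl_policy_external = True
    results["agent_remove_with_enable"] = xp.external_agent_remove("et.1.2", "ip", "output")
    results["log"] = xp.log
    return results
```

Running demo() shows the telnet packet dropped at the inbound interface (and logged, because the inbound ACL was applied with logging deny-only), the HTTPS packet passing both checks, the SMTP packet passing inbound but dropped by the outbound ACL, the second inbound IP ACL on et.1.1 rejected, and the external agent able to remove the outbound ACL only after acl-policy enable external is set. The SMTP case is the performance point the manual makes: the XP does the routing work before the outbound check discards the packet.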