Cabletron Systems 9032578-02 Router User Manual


 
SmartSwitch Router User Reference Manual 173
Chapter 10: Security Configuration Guide
If a packet comes in and doesn't match the first two rules, the packet will be dropped. This
is because the third rule (implicit deny) will match all packets.
Although the implicit deny rule seems obvious in the above example, this is not always
the case. For example, consider the following ACL rule:

    acl 102 deny ip 10.1.20.0/24 any any any

If a packet comes in from a network other than 10.1.20.0/24, one might expect the packet
to go through because it doesn't match the first rule. However, that is not the case because
of the implicit deny rule. With the implicit deny rule attached, the ACL looks like this:

    acl 102 deny ip 10.1.20.0/24 any any any
    acl 102 deny any any any any any

A packet coming from a network other than 10.1.20.0/24 will not match the first rule, but
will match the implicit deny rule. As a result, no packets will be allowed to go through.
Rule 1 is simply a subset of Rule 2. To allow packets from subnets other than 10.1.20.0/24
to go through, the administrator must explicitly define a rule to permit other packets to go
through.
To fix the above example and let packets from other subnets enter the router, one must
add a new rule to permit packets to go through:

    acl 101 deny ip 10.1.20.0/24 any any any
    acl 101 permit ip
    acl 101 deny any any any any any

The second rule will forward all packets that are not denied by the first rule.
Due to the nature of the implicit deny rule, when creating an ACL, one should take the
approach where a firewall is elected to deny all traffic. "Holes" are then punched into the
firewall to permit specific types of traffic, for example, traffic from a specific subnet or
traffic from a specific application.
Applying ACLs to Interfaces
Defining an ACL specifies what sort of traffic to permit or deny. However, an ACL has no
effect unless it is applied to an interface. An ACL can be applied to examine either
inbound or outbound traffic. Inbound traffic is traffic coming into the router. Outbound
traffic is traffic going out of the router. For each interface, only one ACL can be applied for
the same protocol in the same direction. For example, you cannot apply two or more IP
ACLs to the same interface in the inbound direction. You can apply two ACLs to the same
interface if one is for inbound traffic and one is for outbound traffic, but not in the same
direction. However, this restriction does not prevent you from specifying many rules in an
ACL. You just have to put all of these rules into one ACL and apply it to an interface.
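The following is an added example, not code from the manual or from Cabletron: a small Python simulator of the first-match evaluation described above, with the implicit "deny any" rule the router appends to every ACL, plus the one-ACL-per-protocol-per-direction restriction from "Applying ACLs to Interfaces". The rule syntax it parses (acl <id> permit|deny <proto> <src> <dst> <sport> <dport>), the sample packets, the treatment of "ip" as matching every IP transport, and the `Interface` class are all assumptions of this example; the permit rule in sample ACL 101 is written out with explicit "any" fields so that it parses.

```python
"""Added example: first-match ACL evaluation with an implicit deny, and the
one-ACL-per-(protocol, direction) binding rule. Not the router's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    protocol: str  # "ip", "tcp", "udp" or "any"
    src: str       # CIDR prefix or "any"
    dst: str       # CIDR prefix or "any"
    sport: str     # port number or "any"
    dport: str     # port number or "any"


# The rule the router silently appends to every ACL ("deny any any any any any").
IMPLICIT_DENY = Rule("deny", "any", "any", "any", "any", "any")

# Constructed sample ACLs in the manual's syntax. ACL 102 denies one subnet and nothing
# else, so everything falls through to the implicit deny; ACL 101 adds an explicit permit.
SAMPLE_ACLS = """
acl 102 deny ip 10.1.20.0/24 any any any
acl 101 deny ip 10.1.20.0/24 any any any
acl 101 permit ip any any any any
"""


def parse_acls(text: str) -> Dict[str, List[Rule]]:
    """Group rule lines by ACL id, keeping the order written (first match wins)."""
    acls: Dict[str, List[Rule]] = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "acl" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised rule line: {line!r}")
        _, acl_id, action, proto, src, dst, sport, dport = parts
        acls.setdefault(acl_id, []).append(Rule(action, proto, src, dst, sport, dport))
    return acls


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


def _proto_matches(pattern: str, proto: str) -> bool:
    # Modelling assumption: "ip" covers every IP transport; "any" covers everything.
    return pattern in ("any", "ip") or pattern == proto


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """A rule matches only when every one of its fields matches the packet."""
    return (_proto_matches(rule.protocol, pkt["proto"])
            and _addr_matches(rule.src, pkt["src"])
            and _addr_matches(rule.dst, pkt["dst"])
            and _port_matches(rule.sport, pkt["sport"])
            and _port_matches(rule.dport, pkt["dport"]))


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, int]:
    """First-match evaluation. Returns (action, index of the matching rule); an index
    equal to len(rules) means the packet fell through to the implicit deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return IMPLICIT_DENY.action, len(rules)


class Interface:
    """Hypothetical binding table: one ACL per (protocol, direction) per interface."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.bindings: Dict[Tuple[str, str], str] = {}

    def apply_acl(self, acl_id: str, protocol: str, direction: str) -> None:
        if direction not in ("inbound", "outbound"):
            raise ValueError(f"direction must be inbound or outbound, got {direction!r}")
        key = (protocol, direction)
        if key in self.bindings:
            raise ValueError(f"{self.name}: {protocol} {direction} already has ACL "
                             f"{self.bindings[key]}; merge the rules into one ACL")
        self.bindings[key] = acl_id


def demo() -> Dict[str, Tuple[str, int]]:
    """Run both sample ACLs against a packet from inside and outside 10.1.20.0/24."""
    acls = parse_acls(SAMPLE_ACLS)
    inside = {"proto": "tcp", "src": "10.1.20.7", "dst": "192.0.2.10", "sport": 40000, "dport": 80}
    outside = {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10", "sport": 40000, "dport": 80}
    return {
        "102/inside": evaluate(acls["102"], inside),    # explicit deny, rule 0
        "102/outside": evaluate(acls["102"], outside),  # falls through to implicit deny
        "101/inside": evaluate(acls["101"], inside),    # explicit deny, rule 0
        "101/outside": evaluate(acls["101"], outside),  # hits the explicit permit, rule 1
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the block shows that ACL 102 denies the outside packet at index 1 (the implicit deny, since the ACL has only one written rule), while ACL 101 permits it at index 1 (the explicit permit). The `Interface` class rejects a second IP ACL in the same direction, which is the situation the manual says to resolve by putting all rules into one ACL.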