Cabletron Systems 9032578-02 Router User Manual
Chapter 10: Security Configuration Guide
174 SmartSwitch Router User Reference Manual
When a packet arrives at an interface where an inbound ACL is applied, the router
compares the packet with the rules of that ACL. If the packet is permitted, it is allowed
into the router; if not, it is dropped. If the packet is then to be routed out of another
interface, a second ACL check is possible: if an outbound ACL is applied at the output
interface, the packet is compared with the rules of that outbound ACL as well.
Consequently, a routed packet can go through two separate checks, once at the inbound
interface and once more at the outbound interface.
In general, apply ACLs at inbound interfaces rather than outbound interfaces. If a packet
is to be denied, you want to drop it as early as possible, at the inbound interface.
Otherwise the router must process the packet and perform a route lookup to determine
where it should go, only to drop it at the outbound interface. In some cases it may not be
simple, or even possible, for the administrator to know ahead of time that a packet should
be dropped at the inbound interface. Nonetheless, for performance reasons, whenever
possible create and apply an ACL at the inbound interface.
Applying ACLs to Services
ACLs can also be created to permit or deny access to system services provided by the
router itself, for example the HTTP server or the Telnet server. This type of ACL is known
as a Service ACL. By definition, a Service ACL controls inbound packets destined for a
service on the router. For example, you can grant Telnet server access to a few specific
hosts, or deny Web server access from a particular subnet. The same effect can be achieved
with ordinary ACLs applied to every interface, but a Service ACL is created specifically to
control access to the router's own services, so its syntax is much simpler than that of an
ordinary ACL.
Note:
If a service has no ACL applied, that service is accessible to everyone who can
reach the router. To restrict access to a service, an ACL must be applied to it.
ACL Logging
To see whether incoming packets are permitted or denied by an ACL, enable ACL
Logging when applying the ACL. With ACL Logging turned on, the router prints a
message on the console stating whether each packet matched by the ACL is forwarded or
dropped. If a Syslog server is configured for the SSR, the same information is also sent to
the Syslog server.
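The three behaviours described above, interface ACLs checked twice on a routed packet, Service ACLs that default to open when none is applied, and the per-packet logging hook, are easy to misjudge without seeing them side by side. The following is an added Python model written for this page; it is not SSR code and does not reproduce the SSR CLI syntax. The interface names (et.1.1, et.1.2), addresses, routing table, rule fields and the implicit deny at the end of an ACL are all constructed assumptions for the illustration. The model counts route lookups so the cost of placing a deny on the outbound side rather than the inbound side is visible.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"                   # "ip" means any IP protocol
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0/0"              # CIDR prefixes; defaults match anything
    dst: str = "0.0.0.0/0"
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))

@dataclass
class ACL:
    name: str
    rules: List[Rule]

    def evaluate(self, p: Packet) -> str:
        for r in self.rules:            # first matching rule wins
            if r.matches(p):
                return r.action
        return "deny"                   # assumption: implicit deny when no rule matches

@dataclass
class Router:
    routes: Dict[str, str]                                   # prefix -> egress interface (constructed)
    inbound: Dict[str, ACL] = field(default_factory=dict)    # interface -> inbound ACL
    outbound: Dict[str, ACL] = field(default_factory=dict)   # interface -> outbound ACL
    services: Dict[str, ACL] = field(default_factory=dict)   # "telnet"/"http" -> Service ACL
    logging: bool = False
    log: List[str] = field(default_factory=list)             # stands in for console/syslog output
    route_lookups: int = 0                                   # routing work done before a verdict

    def _check(self, acl: ACL, p: Packet, where: str) -> str:
        verdict = acl.evaluate(p)
        if self.logging:                # ACL Logging: message is produced before the packet moves on
            self.log.append(f"ACL {acl.name} {where} {p.src}->{p.dst} {verdict}")
        return verdict

    def _route(self, dst: str) -> Optional[str]:
        self.route_lookups += 1
        hits = [(ip_network(pfx).prefixlen, ifn) for pfx, ifn in self.routes.items()
                if ip_address(dst) in ip_network(pfx)]
        return max(hits)[1] if hits else None   # longest prefix wins

    def forward(self, p: Packet, in_if: str) -> str:
        acl = self.inbound.get(in_if)
        if acl and self._check(acl, p, f"in {in_if}") == "deny":
            return "dropped at inbound"          # first check, before any routing work
        out_if = self._route(p.dst)
        if out_if is None:
            return "no route"
        acl = self.outbound.get(out_if)
        if acl and self._check(acl, p, f"out {out_if}") == "deny":
            return "dropped at outbound"         # second check, after the route lookup
        return f"forwarded {out_if}"

    def service_access(self, p: Packet, service: str) -> str:
        acl = self.services.get(service)
        if acl is None:
            return "permit"                      # no Service ACL applied: open to everyone
        return self._check(acl, p, f"service {service}")


def build_router(logging: bool = False) -> Router:
    # Constructed topology: et.1.1 faces 10.1.0.0/16 (inside), et.1.2 faces 192.0.2.0/24 (outside).
    r = Router({"10.1.0.0/16": "et.1.1", "192.0.2.0/24": "et.1.2"}, logging=logging)
    r.outbound["et.1.2"] = ACL("no-telnet", [      # deny inside->outside Telnet, permit the rest
        Rule("deny", "10.1.0.0/16", "192.0.2.0/24", "tcp", 23), Rule("permit")])
    r.services["telnet"] = ACL("mgmt-only", [Rule("permit", "10.1.0.5/32")])  # HTTP gets no ACL
    return r

def demo() -> dict:
    telnet = Packet("10.1.0.7", "192.0.2.10", "tcp", 23)
    out = build_router()                                 # deny applied on the outbound side
    inb = build_router(logging=True)
    inb.inbound["et.1.1"] = inb.outbound.pop("et.1.2")   # same ACL moved to the ingress interface
    return {
        "outbound": (out.forward(telnet, "et.1.1"), out.route_lookups),
        "inbound": (inb.forward(telnet, "et.1.1"), inb.route_lookups),
        "telnet_mgmt": inb.service_access(Packet("10.1.0.5", "10.1.0.1", "tcp", 23), "telnet"),
        "telnet_other": inb.service_access(Packet("10.1.0.7", "10.1.0.1", "tcp", 23), "telnet"),
        "http_anyone": inb.service_access(Packet("192.0.2.10", "10.1.0.1", "tcp", 80), "http"),
        "log": inb.log,
    }
```

Running demo() shows the outbound placement spending a route lookup before dropping the Telnet packet, while the inbound placement drops it with none; Telnet is reachable only from 10.1.0.5 and the unprotected HTTP service answers any source, which is the condition the Note above warns about. The log list holds one entry per ACL check, whether the verdict was permit or deny, so it grows with every matched packet, not only with denials.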
Before enabling ACL Logging, consider its impact on performance. With ACL Logging
enabled, the router prints a message on the console before the packet is actually
forwarded or dropped, so the delay applies to permitted packets as well as denied ones.
Even with the console connected at a high baud rate, the delay caused by the console
message is significant, and it gets worse at a low baud rate such as 1200 baud. Furthermore, if a
Syslog server is configured then a Syslog packet must also be sent to the Syslog server,