Downstream Access Control List-Outacl; Upstream Access Control List-Inacl; Restrictions For Packet Filtering - Cisco OL-4387-02 Configuration Manual

Router service selection gateway configuration guide

Packet Filtering
Downstream Access Control List—outacl
Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going
to the user.
Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"
Upstream Access Control List—inacl
Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming
from the user.
Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"

Restrictions for Packet Filtering

Packet filtering for SSG has the following restrictions:

• SSG accepts only the permit and deny actions for a per-user ACL. You can place ACLs on user traffic for both the input and output directions that are similar to existing Cisco IOS ACLs; however, the log option is not accepted.
• SSG supports mini-ACLs with eight or fewer access control entries (ACEs). The ACEs can be extended ACEs.
• SSG does not support turbo ACLs applied to SSG users. Turbo ACLs have more than eight ACEs defined.
• To support some SSG features, SSG prepends ACEs on user ACLs. Because the number of ACEs is restricted to a maximum of eight, the number of ACEs that you can define is therefore reduced in some cases. For example, for the Port-Bundle Host Key feature, an ACE is required on both the host input and output ACL. This leaves seven ACEs that you can define.
• SSG does not support the ability to apply per-service (connection level) ACLs. ACLs for QoS classification are not applicable to SSG host interfaces.
• SSG ACLs take precedence over Cisco IOS ACLs. If you configure a Cisco IOS ACL on an SSG interface by using the ip access-group command, the router applies the ACL as long as an SSG ACL is not applied to the interface in the same direction. If an SSG ACL is applied to the interface in the same direction, the router applies the SSG ACL.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide, Chapter 11: Miscellaneous SSG Features, OL-4387-02
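A pre-provisioning check for the restrictions listed above, as an added example that is not part of the Cisco guide. It assumes each Cisco-AVpair value carries one ACE in the form ip:inacl#number=ACE; the function name, the prepended_aces parameter and the sample values are constructed for illustration.

```python
import re

MAX_ACES = 8  # mini-ACL limit per direction, as stated in the restrictions
AVPAIR_RE = re.compile(r"^ip:(inacl|outacl)(?:#(\d+))?=(.+)$")

# Constructed sample profile: the second inacl entry uses the log option.
SAMPLE = [
    "ip:inacl#10=permit tcp any any eq 80",
    "ip:inacl#20=deny ip any any log",
    "ip:outacl#10=permit ip any any",
]


def check_user_acls(avpairs, prepended_aces=0):
    """Return a list of problems in one user's inacl/outacl AV pairs.

    prepended_aces is the number of ACEs SSG adds itself in each direction
    (1 when Port-Bundle Host Key is used), which shrinks the usable budget.
    """
    problems = []
    counts = {"inacl": 0, "outacl": 0}
    for value in avpairs:
        match = AVPAIR_RE.match(value.strip())
        if not match:
            problems.append(f"not an inacl/outacl AV pair: {value!r}")
            continue
        direction, _number, ace = match.groups()
        tokens = ace.split()
        counts[direction] += 1
        # Only permit and deny are accepted as actions for a per-user ACL.
        if tokens[0] not in ("permit", "deny"):
            problems.append(f"{direction}: action {tokens[0]!r} is not permit or deny")
        # The log option is rejected by SSG.
        if "log" in tokens[1:]:
            problems.append(f"{direction}: log option is not accepted: {ace!r}")
    budget = MAX_ACES - prepended_aces
    for direction, used in counts.items():
        if used > budget:
            problems.append(f"{direction}: {used} ACEs exceed the budget of {budget}")
    return problems


if __name__ == "__main__":
    for problem in check_user_acls(SAMPLE, prepended_aces=1):
        print(problem)
```

Running the check against a RADIUS user profile before it is deployed catches entries that SSG would not accept, and the per-direction count shows when a prepended ACE has pushed an ACL past the limit.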
