Applying Acls To Interfaces - Cabletron Systems SmartSwitch 8-slot User's Reference Manual

Chapter 9: Security Configuration Guide
Although the implicit deny rule seems obvious in the above example, this is not always
the case. For example, consider the following ACL rule:
acl 102 deny ip 10.1.20.0/24 any any any
If a packet comes in from a network other than 10.1.20.0/24, one might expect the
packet to go through because it doesn't match the first rule. However, that is not the
case because of the implicit deny rule. With the implicit deny rule attached, the rule
looks like this:
acl 102 deny ip 10.1.20.0/24 any any any
acl 102 deny any any any any any
A packet coming from a network other than 10.1.20.0/24 will not match the first rule, but
will match the implicit deny rule. As a result, no packets will be allowed to go through.
Rule 1 is simply a subset of Rule 2. To allow packets from subnets other than 10.1.20.0/24
to go through, the administrator must explicitly define a rule that permits those
packets.
To fix the above example and let packets from other subnets enter the router, one must
add a new rule to permit packets to go through:
acl 101 deny ip 10.1.20.0/24 any any any
acl 101 permit ip
acl 101 deny any any any any any
The second rule will forward all packets that are not denied by the first rule.
Due to the nature of the implicit deny rule, when creating an ACL, one should take the
approach where a firewall is erected to deny all traffic. "Holes" are then punched into
the firewall to permit specific types of traffic, for example, traffic from a specific
subnet or traffic from a specific application.
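The two ACLs above, evaluated with the SSR's first-match-then-implicit-deny semantics. This is an added Python simulation, not code from the manual; it assumes the rule layout "acl <name> <permit|deny> <proto> <src> <dst> <sport> <dport>", that a protocol of "ip" matches any IP packet, and that omitted trailing fields (as in "acl 101 permit ip") mean "any".

```python
import ipaddress

# Rules as written on the page (constructed input for this example).
ACL_102 = ["acl 102 deny ip 10.1.20.0/24 any any any"]
ACL_101 = ["acl 101 deny ip 10.1.20.0/24 any any any",
           "acl 101 permit ip"]

IMPLICIT_DENY = "acl {} deny any any any any any"

FIELDS = ("proto", "src", "dst", "sport", "dport")


def parse_rule(line):
    """Split one ACL line into a dict; missing trailing fields become 'any'."""
    tok = line.split()
    acl, action, rest = tok[1], tok[2], tok[3:]
    rest = rest + ["any"] * (len(FIELDS) - len(rest))
    return {"acl": acl, "action": action, **dict(zip(FIELDS, rest))}


def with_implicit_deny(acl_lines):
    """Show the ACL as the router actually evaluates it (implicit deny appended)."""
    name = acl_lines[0].split()[1]
    return list(acl_lines) + [IMPLICIT_DENY.format(name)]


def field_matches(key, pattern, value):
    if pattern == "any" or (key == "proto" and pattern == "ip"):
        return True
    if key in ("src", "dst"):  # CIDR or host address comparison
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return str(pattern) == str(value)


def evaluate(acl_lines, proto, src, dst, sport, dport):
    """First matching rule wins; the appended implicit deny catches the rest."""
    pkt = dict(zip(FIELDS, (proto, src, dst, sport, dport)))
    for rule in map(parse_rule, with_implicit_deny(acl_lines)):
        if all(field_matches(k, rule[k], pkt[k]) for k in FIELDS):
            return rule["action"]
    raise AssertionError("unreachable: implicit deny always matches")


if __name__ == "__main__":
    for acl in (ACL_102, ACL_101):
        for src in ("10.1.20.5", "10.1.30.5"):
            print(acl[0].split()[1], src, "->", evaluate(acl, "tcp", src, "192.0.2.1", 1024, 80))
```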

Applying ACLs to Interfaces

Defining an ACL specifies what sort of traffic to permit or deny. However, an ACL has
no effect unless it is applied to an interface. An ACL can be applied to examine either
inbound or outbound traffic. Inbound traffic is traffic coming into the router. Outbound
traffic is traffic going out of the router. For each interface, only one ACL can be applied
for the same protocol in the same direction. For example, you cannot apply two or
more IP ACLs to the same interface in the inbound direction. You can apply two ACLs
to the same interface if one is for inbound traffic and one is for outbound traffic, but not
in the same direction. However, this restriction does not prevent you from specifying
9 - 12
SSR User Reference Manual
