Enterasys ssr-glx19-02 User Guide

CoreWatch User’s Manual
Chapter 13: Configuring Security on the SSR
administrator to know ahead of time that a packet should be dropped at the inbound 
interface. Nonetheless, for performance reasons, whenever possible, one should create 
and apply an ACL to the inbound interface.
When a packet comes into a router at an interface where an inbound ACL is applied, the 
router compares the packet with the rules specified by that ACL. If it is permitted, the 
packet is allowed into the router. If not, the packet is dropped. If that packet is to be 
forwarded out of another interface (that is, the packet is to be routed), then a second 
ACL check is possible. At the output interface, if an outbound ACL is applied, the packet 
will be compared with the rules specified in this outbound ACL. Consequently, it is 
possible for a packet to go through two separate checks, once at the inbound interface and 
once more at the outbound interface.
Note: When you apply an ACL to an interface, the SSR appends an implicit deny rule to 
that ACL. The implicit deny rule denies all traffic. If you intend to allow all traffic 
that does not match your specified ACL rules to go through, you must explicitly 
define a rule to permit all traffic. To do so, make sure the last rule of the ACL 
permits all traffic.
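The two-stage check and the implicit deny described above, modeled in Python as an added example (not code from the manual or from the SSR). It assumes rules are evaluated in order with the first match deciding; the names Rule, Interface, evaluate, route and demo, and all addresses, are illustrative.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source prefix; "any" matches every address
    dst: str = "any"       # destination prefix

    def matches(self, src_ip, dst_ip):
        def hit(prefix, ip):
            return prefix == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)
        return hit(self.src, src_ip) and hit(self.dst, dst_ip)

@dataclass
class Interface:
    name: str
    inbound: list = None   # at most one inbound ACL per interface
    outbound: list = None  # at most one outbound ACL per interface

def evaluate(acl, src_ip, dst_ip):
    """Verdict of one applied ACL; an interface with no ACL passes traffic."""
    if acl is None:
        return "permit"
    for rule in acl:       # assumption: first matching rule decides
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "deny"          # the implicit deny appended when the ACL is applied

def route(in_if, out_if, src_ip, dst_ip):
    """Run the inbound check, then the outbound check, for a routed packet."""
    if evaluate(in_if.inbound, src_ip, dst_ip) == "deny":
        return ("dropped", f"{in_if.name} inbound")
    if evaluate(out_if.outbound, src_ip, dst_ip) == "deny":
        return ("dropped", f"{out_if.name} outbound")
    return ("forwarded", None)

def demo():
    # Constructed ACLs and addresses, not taken from the manual.
    strict = [Rule("deny", "10.1.1.0/24")]             # no final permit rule
    fixed = strict + [Rule("permit", "any")]           # last rule permits all
    wan = Interface("wan", outbound=[Rule("deny", "any", "192.0.2.0/24"),
                                     Rule("permit", "any")])
    return [route(Interface("lan", inbound=strict), wan, "10.2.2.5", "198.51.100.1"),
            route(Interface("lan", inbound=fixed), wan, "10.2.2.5", "198.51.100.1"),
            route(Interface("lan", inbound=fixed), wan, "10.2.2.5", "192.0.2.9")]

if __name__ == "__main__":
    print(demo())
```

The first packet matches no rule in the inbound ACL and is dropped by the implicit deny alone; adding the final permit-all rule lets it through, and the third packet then passes the inbound check but is dropped by the outbound ACL.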
You can apply previously defined IP ACLs only to IP interfaces and previously defined 
IPX, IPX RIP, or IPX SAP ACLs only to IPX interfaces. 
Caution: You can apply up to two IP ACLs to an IP interface, and you can apply two of 
each of the different IPX ACLs (IPX, IPX RIP, and IPX SAP) to an IPX interface. When 
applying multiple ACLs to an IP interface, one ACL must govern inbound traffic and the 
other ACL must govern outbound traffic. When applying multiple ACLs of the same type 
to an IPX interface, one ACL must govern inbound traffic and the other must govern 
outbound traffic.
You may apply an ACL to an interface either when you create the interface or afterwards. 
For details on applying an IP ACL while creating an IP interface, see 
. For details on applying an IPX, IPX RIP, or IPX SAP ACL while 
creating an IPX interface, see 
You apply an IP, IPX, IPX RIP, or IPX SAP ACL to an interface after the interface is 
created either by copying the ACL or by editing the interface’s definition. Separate 
discussions on each task follow.
Copying an ACL to Apply It to an Interface
You can copy an ACL to apply it to an interface by either dragging it or using the Copy 
and Paste buttons. To apply an ACL by copying it to an interface:
1. Start Configuration Expert if you have not already done so. 
2. Open the configuration file you want to modify and then double-click that file’s 
Routing Configuration object.
3. Expand the configuration tree until you locate the interface to which you want to 
apply the ACL. Double-click that interface’s object.