Applying ACLs to Services

Chapter 10: Security Configuration Guide

When a packet comes into a router at an interface where an inbound ACL is applied, the router compares the packet with the rules specified by that ACL. If it is permitted, the packet is allowed into the router. If not, the packet is dropped. If that packet is to be forwarded to go out of another interface (that is, the packet is to be routed) then a second ACL check is possible. At the output interface, if an outbound ACL is applied, the packet will be compared with the rules specified in this outbound ACL. Consequently, it is possible for a packet to go through two separate checks, once at the inbound interface and once more at the outbound interface.

In general, you should try to apply ACLs at the inbound interfaces instead of the outbound interfaces. If a packet is to be denied, you want to drop the packet as early as possible, at the inbound interface. Otherwise, the router will have to process the packet, determine where the packet should go only to find out that the packet should be dropped at the outbound interface. In some cases, however, it may not be simple or possible for the administrator to know ahead of time that a packet should be dropped at the inbound interface. Nonetheless, for performance reason, whenever possible, one should create and apply an ACL to the inbound interface.

ACLs can also be created to permit or deny access to system services provided by the router; for example, HTTP server or Telnet server. This type of ACL is known as a Service ACL. By definition, a Service ACL is for controlling inbound packets to a service on the router. For example, you can grant Telnet server access from a few specific hosts or deny Web server access from a particular subnet. It is true that one can do the same thing with ordinary ACLs and apply them to all interfaces. However, the Service ACL is created specifically to control access to some of the services on the router. As a result, the syntax of a Service ACL is much simpler than that of the ordinary ACL.

Note: If a service does not have an ACL applied then that service is accessible to everyone. To control access to a service, an ACL must be used.

ACL Logging

To see whether incoming packets are permitted or denied because of an ACL, one can enable ACL Logging when applying the ACL. When ACL Logging is turned on, the router prints out a message on the console about whether a packet is forwarded or dropped. If you have a Syslog server configured for the SSR then the same information will also be sent to the Syslog server.

Before enabling ACL Logging, one should consider its impact on performance. With ACL Logging enabled, the router prints out a message at the console before the packet is actually forwarded or dropped. Even if the console is connected to the router at a high baud rate, the delay caused by the console message is still significant. This can get worse if the console is connected at a low baud rate, for example, 1200 baud. Furthermore, if a Syslog server is configured then a Syslog packet must also be sent to the Syslog server,

174	SmartSwitch Router User Reference Manual

9032578-02 specifications

Cabletron Systems 9032578-02 is a notable component in the realm of networking equipment, especially recognized for its robust performance and reliability. As part of Cabletron’s commitment to delivering high-quality networking solutions, this device has become integral for many organizations seeking efficient data management.

One of the standout features of the 9032578-02 is its advanced switching capabilities. With the ability to manage multiple data streams seamlessly, it ensures that data packets are routed efficiently, minimizing latency and maximizing throughput. This is particularly crucial in environments where high-volume data transfer is the norm, such as in data centers or enterprises with extensive digital infrastructures.

The device is equipped with various connectivity options that enhance its versatility. These include support for multiple types of network interfaces, allowing for easy integration into existing systems. Whether it's Ethernet connections or fiber optics, the 9032578-02 accommodates diverse network requirements, making it suitable for various applications across different industries.

In terms of technology, the Cabletron Systems 9032578-02 employs cutting-edge networking protocols that ensure secure and reliable communication. This includes support for both IPv4 and IPv6 protocols, which future-proofs the device as organizations transition to newer standards. The incorporation of Quality of Service (QoS) features further enhances its capability to prioritize critical network traffic, ensuring that bandwidth-intensive applications receive the necessary resources for optimal performance.

Another critical characteristic of the 9032578-02 is its scalability. Organizations can expand their network infrastructure without the need for complete system overhauls. This modularity allows businesses to grow and adapt to changing demands while maintaining investment in their existing technology.

Additionally, Cabletron integrates advanced monitoring and management tools within the 9032578-02. Network administrators can easily track performance metrics, analyze traffic patterns, and troubleshoot issues in real-time. This level of visibility is essential for maintaining a stable network environment, particularly in dynamic organizational settings.

In summary, Cabletron Systems 9032578-02 is synonymous with high performance, scalability, and advanced technology. Its comprehensive features make it an excellent choice for organizations requiring reliable networking solutions that can adapt to evolving demands and ensure efficient data communication across their systems.

Cabletron Systems 9032578-02 manual Applying ACLs to Services, ACL Logging

Models: 9032578-02