Cabletron Systems SmartSwitch Enabling ACL Logging, Preventing Web Objects From Being Cached

Models: SmartSwitch


Chapter 17: Access Control List Configuration Guide

and a destination address of 1.2.3.4) from being redirected to a cache server. Packets that match the profile’s selection criteria are sent to the Internet instead.

ssr(config)# web-cache policy1 deny hosts profile prof4

When the Web caching policy is applied to an interface (with the web-cache apply interface command), HTTP traffic with a source address of 10.10.10.10 and a destination address of 1.2.3.4 goes to the Internet instead of to the cache servers.

Preventing Web Objects From Being Cached

You can also use a Profile ACL to prevent certain Web objects from being cached. For example, you can specify that information in packets originating from Internet site 1.2.3.4 and destined for local host 10.10.10.10 not be sent to the cache servers. The following commands illustrate this example.

This command creates a Profile ACL called prof5 that uses as its selection criteria all packets with a source address of 1.2.3.4 and a destination address of 10.10.10.10:

ssr(config)# acl prof5 permit ip 1.2.3.4 10.10.10.10

To have packets matching Profile ACL prof5’s selection criteria bypass the cache servers, use the following command:

ssr(config)# web-cache policy1 create bypass-list profile prof5

When the Web caching policy is applied to an interface, information in packets originating from source address 1.2.3.4 and destined for address 10.10.10.10 is not sent to the cache servers.

See “Web Caching” on page 240 for more information on using the web-cache command.

Enabling ACL Logging

To see whether incoming packets are permitted or denied because of an ACL, you can enable ACL Logging when applying the ACL. When ACL Logging is turned on, the router prints out a message on the console about whether a packet is forwarded or dropped. If you have a Syslog server configured for the SSR, the same information will also be sent to the Syslog server.

Before enabling ACL Logging, you should consider its impact on performance. With ACL Logging enabled, the router prints out a message at the console before the packet is actually forwarded or dropped. Even if the console is connected to the router at a high baud rate, the delay caused by the console message is still significant. This can get worse if the console is connected at a low baud rate, for example, 1200 baud. Furthermore, if a Syslog server is configured, then a Syslog packet must also be sent to the Syslog server,


SmartSwitch Router User Reference Manual
