Chapter 11 Miscellaneous SSG Features

Packet Filtering

Downstream Access Control List—outacl

Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the user.

Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"

Upstream Access Control List—inacl

Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the user.

Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"

Restrictions for Packet Filtering

Packet filtering for SSG has the following restrictions:

SSG accepts only the permit and deny actions for a per-user ACL. You can place ACLs on user traffic for both the input and output directions that are similar to existing Cisco IOS ACLs; however, the log option is not accepted.

SSG supports mini-ACLs with eight or fewer access control entries (ACEs). The ACEs can be extended ACEs.

SSG does not support turbo ACLs applied to SSG users. Turbo ACLs have more than eight ACEs defined.

To support some SSG features, SSG prepends ACEs to user ACLs. Because the number of ACEs is limited to a maximum of eight, the number of ACEs that you can define yourself is reduced in those cases. For example, the Port-Bundle Host Key feature requires one ACE on both the host input ACL and the host output ACL, which leaves seven ACEs that you can define.

SSG does not support the ability to apply per-service (connection level) ACLs. ACLs for QoS classification are not applicable to SSG host interfaces.

SSG ACLs take precedence over Cisco IOS ACLs. If you configure a Cisco IOS ACL on an SSG interface by using the ip access-group command, the router applies that ACL as long as no SSG ACL is applied to the interface in the same direction. If an SSG ACL is applied to the interface in the same direction, the router applies the SSG ACL instead.
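As an added illustration that is not part of the guide, the following Python check reads the Cisco-AVpair ACL attributes of a RADIUS user profile and reports violations of the restrictions listed above: actions other than permit or deny, the log option, and more ACEs per direction than SSG allows once any prepended ACE is accounted for. The profile lines, the function name and the port_bundle_host_key flag are constructed here for the example.

```python
import re
from dataclasses import dataclass, field

# Limits taken from the SSG packet-filtering restrictions above.
MAX_ACES = 8
ALLOWED_ACTIONS = {"permit", "deny"}

# Cisco-AVpair = "ip:inacl[#number]=<ace>" / "ip:outacl[#number]=<ace>"
AVPAIR_RE = re.compile(
    r'^Cisco-AVpair\s*=\s*"ip:(?P<dir>inacl|outacl)(?:#(?P<num>\d+))?=(?P<ace>[^"]+)"$'
)

@dataclass
class AclCheck:
    aces: dict = field(default_factory=lambda: {"inacl": [], "outacl": []})
    findings: list = field(default_factory=list)

def check_ssg_acl_avpairs(profile_lines, port_bundle_host_key=False):
    """Validate per-user SSG ACL AV pairs against the documented restrictions.

    port_bundle_host_key (constructed flag): when True, SSG prepends one ACE to
    both the host input and output ACL, so only MAX_ACES - 1 user ACEs fit.
    """
    result = AclCheck()
    reserved = 1 if port_bundle_host_key else 0
    for raw in profile_lines:
        m = AVPAIR_RE.match(raw.strip())
        if not m:
            continue  # not an SSG ACL attribute; other AV pairs are ignored
        direction, ace = m.group("dir"), m.group("ace").strip()
        tokens = ace.split()
        action = tokens[0].lower() if tokens else ""
        if action not in ALLOWED_ACTIONS:
            result.findings.append(f"{direction}: action '{action}' not accepted (permit/deny only): {ace}")
        # 'log' and its IOS variants such as 'log-input' are rejected by SSG
        if any(t.lower() == "log" or t.lower().startswith("log-") for t in tokens[1:]):
            result.findings.append(f"{direction}: log option not accepted: {ace}")
        result.aces[direction].append(ace)
    for direction, entries in result.aces.items():
        if len(entries) > MAX_ACES - reserved:
            result.findings.append(f"{direction}: {len(entries)} ACEs exceed the {MAX_ACES - reserved} available")
    return result

# Constructed sample RADIUS user profile (not taken from the guide).
SAMPLE_PROFILE = [
    'Cisco-AVpair = "ip:inacl#1=permit tcp any host 10.0.0.5 eq www"',
    'Cisco-AVpair = "ip:inacl#2=deny ip any any log"',
    'Cisco-AVpair = "ip:outacl#1=permit ip any any"',
    'Cisco-AVpair = "ip:outacl#2=remark not a permit or deny"',
]
```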

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

11-4

OL-4387-02
