Simple ACLs and Simple ACL6s
A simple ACL or simple ACL6 uses few parameters and can be configured only to drop IP packets. Packets can be dropped on the basis of their source IP address and, optionally, their protocol, destination port, or traffic domain.
When creating a simple ACL or simple ACL6, you can specify a time to live (TTL), in seconds, after which the ACL expires. ACLs with TTLs are not saved when you save the configuration. You can display simple ACLs and simple ACL6s to verify their configuration, and you can display their statistics.
Configuring Simple ACLs and Simple ACL6s
Configuring a simple ACL or simple ACL6 on a Citrix ADC can include the following tasks.
- Create simple ACLs or simple ACL6s to drop (deny) packets on the basis of their source IP address and, optionally, their protocol, destination port, or traffic domain.
- Remove simple ACLs or simple ACL6s. These ACLs cannot be modified once created. If you need to modify a simple ACL or simple ACL6, you must remove it and create a new one.
CLI procedures
To create a simple ACL by using the CLI:
At the command prompt, type:
- **add ns simpleacl** <aclname> DENY -**srcIP** <ip_addr> [-**destPort** <port> -**protocol** ( TCP | UDP )] [-**TTL** <positive_integer>]
- show ns simpleacl [<aclname>]
Example:
> add ns simpleacl rule1 DENY -srcIP 10.102.29.5 -TTL 600
Done
To create a simple ACL6 by using the CLI:
At the command prompt, type:
- **add ns simpleacl6** <aclname> DENY -**srcIPv6** <ipv6_addr|null> [-**destPort** <port> -**protocol** ( TCP | UDP )] [-**TTL** <positive_integer>]
- show ns simpleacl6 [<aclname>]
Example:
> add ns simpleacl6 rule1 DENY -srcIPv6 3ffe:192:168:215::82 -destPort 80 -protocol TCP -TTL 9000
Done
To remove a single simple ACL by using the CLI:
At the command prompt, type:
- rm ns simpleacl <aclname>
- show ns simpleacl
To remove a single simple ACL6 by using the CLI:
At the command prompt, type:
- rm ns simpleacl6 <aclname>
- show ns simpleacl6
To remove all simple ACLs by using the CLI:
At the command prompt, type:
- clear ns simpleacl
- show ns simpleacl
To remove all simple ACL6s by using the CLI:
At the command prompt, type:
- clear ns simpleacl6
- show ns simpleacl6
GUI procedures
To create a simple ACL by using the GUI:
Navigate to System > Network > ACLs and, on the Simple ACLs tab, add a new simple ACL.
To create a simple ACL6 by using the GUI:
Navigate to System > Network > ACLs and, on the Simple ACL6s tab, add a new simple ACL6.
To remove a single simple ACL by using the GUI:
Navigate to System > Network > ACLs and, on the Simple ACLs tab, delete the simple ACL.
To remove a single simple ACL6 by using the GUI:
Navigate to System > Network > ACLs and, on the Simple ACL6s tab, delete the simple ACL6.
To remove all simple ACLs by using the GUI:
- Navigate to System > Network > ACLs.
- On the Simple ACLs tab, in the Action list, click Clear.
To remove all simple ACL6s by using the GUI:
- Navigate to System > Network > ACLs.
- On the Simple ACL6s tab, in the Action list, click Clear.
Displaying Simple ACL and Simple ACL6 Statistics
You can display the simple ACL (or simple ACL6) statistics, which include the number of hits, the number of misses, and the number of simple ACLs configured.
The following table describes statistics you can display for simple ACLs and simple ACL6s.
| Statistic | Indicates |
|---|---|
| ACL hits | Packets matching an ACL |
| ACL misses | Packets not matching any ACL |
| ACL count | Number of ACLs configured |
CLI procedures
To display simple ACL statistics by using the CLI:
At the command prompt, type:
- stat ns simpleacl
Example:
> stat ns simpleacl
SimpleACL Statistics
                                Rate (/s)        Total
SimpleACL hits                          0            0
SimpleACL misses                        0        51872
SimpleACLs count                       --            2
Done
To display simple ACL6 statistics by using the CLI:
At the command prompt, type:
- stat ns simpleacl6
GUI procedures
To display simple ACL statistics by using the GUI:
Navigate to System > Network > ACLs and, on the Simple ACLs tab, select the ACL and click Statistics.
To display simple ACL6 statistics by using the GUI:
Navigate to System > Network > ACLs and, on the Simple ACL6s tab, select the simple ACL6 and click Statistics.
Terminating Established Connections
For a simple ACL or simple ACL6, the Citrix ADC blocks any new connections that match the conditions specified in the ACL. Packets related to existing connections that were established before the ACL was created are not blocked. To terminate previously established connections that match an existing ACL, you can run a flush operation from the CLI or the GUI.
Flush can be useful in the following cases:
- You receive a list of blacklisted IP addresses and want to completely block those IP addresses from accessing the Citrix ADC. In this case, you create simple ACLs or simple ACL6s to block any new connections from these IP addresses, and then flush any existing connections associated with those addresses.
- You want to terminate a large number of connections from a particular network without taking the time to terminate them one by one.
Before you begin
- When you run flush, the Citrix ADC searches through all of its established connections and terminates those that match conditions specified in any of the simple ACLs configured on the ADC.
- If you plan to create more than one simple ACL and flush existing connections that match any of them, you can minimize the effect on performance by first creating all of the simple ACLs and then running flush only once.
CLI procedures
To terminate all established IPv4 connections that match any of your configured simple ACLs by using the CLI:
At the command prompt, type:
- flush simpleacl -estSessions
To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the CLI:
At the command prompt, type:
- flush simpleacl6 -estSessions
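The blocklist case described above (create every simple ACL first, then flush once) as an added example; this is not from the Citrix documentation, and the helper names, the `blk<N>` ACL names and the address list are this example's own:

```shell
#!/bin/sh
# Added example (not from the Citrix docs): turn a constructed list of source
# addresses into one batch of Citrix ADC CLI commands. All simple ACLs are
# created first and a single flush per address family runs at the end, which
# is the ordering the page recommends to limit the performance impact.
# Helper names (addr_family, build_batch, blk<N>) are this example's own.

# Constructed block list: one IPv4 or IPv6 address per line.
BLOCKLIST='10.102.29.5
3ffe:192:168:215::82
192.0.2.7'

# Cheap shape check only: "6" if it has a colon, "4" if it looks dotted,
# otherwise "bad". The ADC itself rejects malformed addresses.
addr_family() {
  case "$1" in
    *:*) echo 6 ;;
    *.*.*.*) echo 4 ;;
    *) echo bad ;;
  esac
}

# build_batch LIST TTL_SECONDS -> prints the command batch on stdout.
# The TTL makes each ACL expire on its own and keeps it out of the saved
# configuration, so the block is temporary by design.
build_batch() {
  ttl="$2"; n=0; need4=0; need6=0
  for addr in $1; do
    n=$((n + 1))
    case "$(addr_family "$addr")" in
      4) printf 'add ns simpleacl blk%d DENY -srcIP %s -TTL %s\n' "$n" "$addr" "$ttl"
         need4=1 ;;
      6) printf 'add ns simpleacl6 blk%d DENY -srcIPv6 %s -TTL %s\n' "$n" "$addr" "$ttl"
         need6=1 ;;
      *) printf '# skipped unparseable entry: %s\n' "$addr" ;;
    esac
  done
  # Terminate already-established sessions once, after every ACL exists.
  [ "$need4" -eq 1 ] && printf 'flush simpleacl -estSessions\n'
  [ "$need6" -eq 1 ] && printf 'flush simpleacl6 -estSessions\n'
  return 0
}

build_batch "$BLOCKLIST" 600
```

Review the printed batch, then run the lines from an ADC CLI session; a skipped entry is reported as a comment line rather than silently dropped.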
GUI procedures
To terminate all established IPv4 connections that match any of your configured simple ACLs by using the GUI:
- Navigate to System > Network > ACLs.
- On the Simple ACLs tab, in the Action list, click Flush.
To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the GUI:
- Navigate to System > Network > ACLs.
- On the Simple ACL6s tab, in the Action list, click Flush.