Extended ACLs and Extended ACL6s
Extended ACLs and extended ACL6s provide parameters and actions not available with simple ACLs. You can filter data based on parameters such as source IP address, source port, action, and protocol. You can specify tasks to allow a packet, deny a packet, or bridge a packet.
Extended ACLs and ACL6s can be modified after they are created, and you can renumber their priorities to specify the order in which they are evaluated.
Note: If you configure both simple and extended ACLs, simple ACLs take precedence over extended ACLs.
The following actions can be performed on extended ACLs and ACL6s: Modify, Apply, Disable, Enable, Remove, and Renumber (the priority). You can display extended ACLs and ACL6s to verify their configuration, and you can display their statistics.
You can configure the NetScaler to log details for packets that match an extended ACL.
Applying Extended ACLs and Extended ACL6s: Unlike simple ACLs and ACL6s, extended ACLs and ACL6s created on the NetScaler do not work until they are applied. Also, if you make any changes to an extended ACL or ACL6, such as disabling the ACLs, changing a priority, or deleting the ACLs, you must reapply the extended ACLs or ACL6s. You must reapply them after enabling logging. The procedure to apply extended ACLs or ACL6s reapplies all of them. For example, if you have applied extended ACL rules 1 through 10, and you then create and apply rule 11, the first 10 rules are applied afresh.
If a session has a DENY ACL related to it, that session is terminated when you apply the ACLs.
Extended ACLs and ACL6s are enabled by default. When they are applied, the NetScaler starts comparing incoming packets against them. However, if you disable them, they are not used until you reenable them, even if they are reapplied.
Renumbering the priorities of Extended ACLs and Extended ACL6s: Priority numbers determine the order in which extended ACLs or ACL6s are matched against a packet. An ACL with a lower priority number has a higher priority. It is evaluated before ACLs with higher priority numbers (lower priorities), and the first ACL to match the packet determines the action applied to the packet.
When you create an extended ACL or ACL6, the NetScaler automatically assigns it a priority number that is a multiple of 10, unless you specify otherwise. For example, if two extended ACLs have priorities of 20 and 30, respectively, and you want a third ACL to have a value between those numbers, you might assign it a value of 25. If you later want to retain the order in which the ACLs are evaluated but restore their numbering to multiples of 10, you can use the renumber procedure.
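The ordering, apply and renumber semantics described above can be checked against a small model. The following Python is an added example, not NetScaler code: it keeps a configured rule set and the snapshot installed by the last apply, evaluates packets by ascending priority number with first match winning, and renumbers priorities to multiples of 10 while preserving order. The rule parameters are reduced to source network, destination port and protocol, and the assumption that an omitted priority is assigned as the next multiple of 10 above the highest configured one is the example's own.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Acl:
    """One extended ACL rule, reduced to a few of the parameters on this page.
    An unset parameter matches any packet."""
    name: str
    action: str                     # ALLOW, DENY or BRIDGE
    priority: int                   # lower number = evaluated earlier
    src_net: Optional[str] = None   # CIDR such as "192.0.2.0/24"
    dst_port: Optional[int] = None
    protocol: Optional[str] = None  # "TCP", "UDP", ...
    enabled: bool = True

    def matches(self, pkt: dict) -> bool:
        if self.src_net and ip_address(pkt["src"]) not in ip_network(self.src_net):
            return False
        if self.dst_port is not None and pkt["dport"] != self.dst_port:
            return False
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        return True


class ExtendedAclTable:
    """Configured rules plus the snapshot installed by the last apply."""

    def __init__(self) -> None:
        self.rules: dict = {}
        self.active: list = []   # rules in effect, sorted by priority

    def add(self, name: str, action: str, priority: Optional[int] = None, **params) -> Acl:
        # add ns acl: an omitted priority gets the next multiple of 10
        # (assumption: counted up from the highest configured priority).
        if priority is None:
            top = max((r.priority for r in self.rules.values()), default=0)
            priority = (top // 10 + 1) * 10
        self.rules[name] = Acl(name, action.upper(), priority, **params)
        return self.rules[name]

    def set_state(self, name: str, enabled: bool) -> None:
        # enable/disable ns acl: staged until the next apply, like every change
        self.rules[name].enabled = enabled

    def remove(self, name: str) -> None:
        del self.rules[name]

    def ordered(self) -> list:
        return sorted(self.rules.values(), key=lambda r: r.priority)

    def apply(self) -> None:
        # apply ns acls: every enabled rule is reapplied, not only the new ones
        self.active = [replace(r) for r in self.ordered() if r.enabled]

    def evaluate(self, pkt: dict) -> Optional[tuple]:
        # First match in ascending priority order decides; None is an ACL miss.
        for r in self.active:
            if r.matches(pkt):
                return (r.name, r.action)
        return None

    def renumber(self) -> list:
        # renumber ns acls: keep the order, restore priorities to 10, 20, 30, ...
        for i, r in enumerate(self.ordered(), start=1):
            r.priority = i * 10
        return [(r.name, r.priority) for r in self.ordered()]


def demo() -> dict:
    """The page's scenario: rules at 20 and 30, a third squeezed in at 25."""
    t = ExtendedAclTable()
    t.add("ALLOW-WEB", "ALLOW", priority=20, src_net="192.0.2.0/24", dst_port=80, protocol="TCP")
    t.add("DENY-ALL", "DENY", priority=30)
    t.apply()
    web = {"src": "192.0.2.10", "dport": 80, "proto": "TCP"}
    dns = {"src": "192.0.2.10", "dport": 53, "proto": "UDP"}
    out = {
        "web": t.evaluate(web),                                       # ('ALLOW-WEB', 'ALLOW')
        "web_other_net": t.evaluate({**web, "src": "198.51.100.5"}),  # ('DENY-ALL', 'DENY')
        "dns_before": t.evaluate(dns),                                # ('DENY-ALL', 'DENY')
    }
    t.add("ALLOW-DNS", "ALLOW", priority=25, dst_port=53, protocol="UDP")
    out["dns_unapplied"] = t.evaluate(dns)            # unchanged: new rule not applied yet
    t.apply()
    out["dns_applied"] = t.evaluate(dns)              # ('ALLOW-DNS', 'ALLOW'): 25 beats 30
    t.set_state("ALLOW-DNS", enabled=False)
    out["dns_disabled_unapplied"] = t.evaluate(dns)   # still allowed until reapplied
    t.apply()
    out["dns_disabled_applied"] = t.evaluate(dns)     # ('DENY-ALL', 'DENY') again
    out["auto_priority"] = t.add("ALLOW-SYSLOG", "ALLOW", dst_port=514, protocol="UDP").priority  # 40
    out["renumbered"] = t.renumber()                  # 20, 25, 30, 40 become 10, 20, 30, 40
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>24}: {v}")
```

The snapshot taken by `apply()` is what makes the "must reapply" behaviour visible: a rule that has been added or disabled keeps its old effect until the next apply, and a disabled rule drops out of the snapshot even though it stays in the configuration and keeps its place in the renumbering.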
Configuring Extended ACLs and Extended ACL6s
Configuring an extended ACL or ACL6 on a NetScaler consists of the following tasks.
- Create an extended ACL or ACL6. Create an extended ACL or ACL6 to either allow, deny, or bridge a packet. You can specify an IP address or range of IP addresses to match against the source or destination IP addresses of the packets. You can specify a protocol to match against the protocol of incoming packets.
- (Optional) Modify an extended ACL or ACL6. You can modify extended ACLs or ACL6s that you previously created. Or, if you want to temporarily take one out of use you can disable it, and later reenable it.
- Apply extended ACLs or ACL6s. After you create, modify, disable or reenable, or delete an extended ACL or ACL6, you must apply the extended ACLs or ACL6s to activate them.
- (Optional) Renumber the priorities of extended ACLs or ACL6s. If you have configured ACLs with priorities that are not multiples of 10 and want to restore the numbering to multiples of 10, use the renumber procedure.
CLI procedures
To create an extended ACL by using the CLI:
At the command prompt, type:
- **add ns acl** <aclname> <aclaction> [-**srcIP** [<operator>] <srcIPVal>] [-**srcPort** [<operator>] <srcPortVal>] [-**destIP** [<operator>] <destIPVal>] [-**destPort** [<operator>] <destPortVal>] [-**TTL** <positive_integer>] [-**srcMac** <mac_addr>] [(-**protocol** <protocol> [-established]) | -**protocolNumber** <positive_integer>] [-**vlan** <positive_integer>] [-**interface** <interface_name>] [-**icmpType** <positive_integer> [-**icmpCode** <positive_integer>]] [-**priority** <positive_integer>] [-**state** ( ENABLED | DISABLED )] [-**logstate** ( ENABLED | DISABLED ) [-**ratelimit** <positive_integer>]]
- show ns acl [<aclName>]
To create an extended ACL6 by using the CLI:
At the command prompt, type:
- **add ns acl6** <acl6name> <acl6action> [-**srcIPv6** [<operator>] <srcIPv6Val>] [-**srcPort** [<operator>] <srcPortVal>] [-**destIPv6** [<operator>] <destIPv6Val>] [-**destPort** [<operator>] <destPortVal>] [-**TTL** <positive_integer>] [-**srcMac** <mac_addr>] [(-**protocol** <protocol> [-established]) | -**protocolNumber** <positive_integer>] [-**vlan** <positive_integer>] [-**interface** <interface_name>] [-**icmpType** <positive_integer> [-**icmpCode** <positive_integer>]] [-**priority** <positive_integer>] [-**state** ( ENABLED | DISABLED )]
- show ns acl6 [<acl6Name>]
To modify an extended ACL by using the CLI:
To modify an extended ACL, type the set ns acl command, the name of the extended ACL, and the parameters to be changed, with their new values.
To modify an extended ACL6 by using the CLI:
To modify an extended ACL6, type the set ns acl6 command, the name of the extended ACL6, and the parameters to be changed, with their new values.
To disable or enable an extended ACL by using the CLI:
At the command prompt, type one of the following commands:
- disable ns acl <aclname>
- enable ns acl <aclname>
To disable or enable an extended ACL6 by using the CLI:
At the command prompt, type one of the following commands:
- disable ns acl6 <aclname>
- enable ns acl6 <aclname>
To apply extended ACLs by using the CLI:
At the command prompt, type:
- apply ns acls
To apply extended ACL6s by using the CLI:
At the command prompt, type:
- apply ns acls6
To renumber the priorities of extended ACLs by using the CLI:
At the command prompt, type:
- renumber ns acls
To renumber the priorities of extended ACL6s by using the CLI:
At the command prompt, type:
- renumber ns acls6
GUI procedures
To configure an extended ACL by using the GUI:
- Navigate to System > Network > ACLs and, on the Extended ACLs tab, add a new extended ACL or edit an existing extended ACL. To enable or disable an existing extended ACL, select it, and then select Enable or Disable from the Action list.
To configure an extended ACL6 by using the GUI:
- Navigate to System > Network > ACLs and, on the Extended ACL6s tab, add a new extended ACL6 or edit an existing extended ACL6. To enable or disable an existing extended ACL6, select it, and then select Enable or Disable from the Action list.
To apply extended ACLs by using the GUI:
- Navigate to System > Network > ACLs and, on the Extended ACLs tab, in the Action list, click Apply.
To apply extended ACL6s by using the GUI:
- Navigate to System > Network > ACLs and, on the Extended ACL6s tab, in the Action list, click Apply.
To renumber the priorities of extended ACLs by using the GUI:
- Navigate to System > Network > ACLs and, on the Extended ACLs tab, in the Action list, click Renumber Priority (s).
To renumber the priorities of extended ACL6s by using the GUI:
- Navigate to System > Network > ACLs and, on the Extended ACL6s tab, in the Action list, click Renumber Priority (s).
Sample Configurations
The following table shows examples of configuring extended ACL rules through the command line interface: ACLs sample configurations.
Logging extended ACLs
You can configure the NetScaler to log details for packets that match extended ACLs.
In addition to the ACL name, the logged details include packet-specific information such as the source and destination IP addresses. The information is stored either in the syslog file or in the nslog file, depending on the type of global logging (syslog or nslog) enabled.
Logging must be enabled at both the global level and the ACL level. The global setting takes precedence.
To optimize logging, when multiple packets from the same flow match an ACL, only the first packet’s details are logged, and the counter is incremented for every packet that belongs to the same flow. A flow is defined as a set of packets that have the same values for the source IP address, destination IP address, source port, destination port, and protocol parameters. To avoid flooding of log messages, the NetScaler performs internal rate limiting so that packets belonging to the same flow are not repeatedly logged. The total number of different flows that can be logged at any given time is limited to 10,000.
Note: You must apply ACLs after you enable logging.
CLI procedures
To configure extended ACL Logging by using the CLI:
At the command prompt, type the following commands to configure logging and verify the configuration:
- **set ns acl** <aclName> [-**logState** (ENABLED | DISABLED)] [-**rateLimit** <positive_integer>]
- apply acls
- show ns acl [<aclName>]
GUI procedures
To configure extended ACL Logging by using the GUI:
- Navigate to System > Network > ACLs and, on the Extended ACLs tab, open the extended ACL.
- Set the following parameters:
- Log State—Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server.
- Log Rate Limit—Maximum number of log messages to be generated per second. If you set this parameter, you must enable the Log State parameter.
Sample configuration
> set ns acl restrict -logstate ENABLED -ratelimit 120
Warning: ACL modified, apply ACLs to activate change
> apply ns acls
Done
Logging extended ACL6s
You can configure the NetScaler appliance to log details for packets that match an extended ACL6 rule. In addition to the ACL6 name, the logged details include packet-specific information, such as the source and destination IP addresses. The information is stored either in a syslog or nslog file, depending on the type of logging (syslog or nslog) that you have configured in the NetScaler appliance.
To optimize logging, when multiple packets from the same flow match an ACL6, only the first packet’s details are logged. The counter is incremented for every other packet that belongs to the same flow. A flow is defined as a set of packets that have the same values for the following parameters:
- Source IP
- Destination IP
- Source port
- Destination port
- Protocol (TCP or UDP)
If an incoming packet is not from the same flow, a new flow is created. The total number of different flows that can be logged at any given time is limited to 10,000.
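The per-flow logging behaviour described for extended ACLs and, just above, for extended ACL6s (first packet of a flow logged, later packets only counted, a per-ACL log rate limit, and a cap of 10,000 logged flows) is easy to get wrong when reading the logs, so the following Python models it as an added example, not NetScaler code. It assumes the rate limit is enforced per ACL per wall-clock second and that flows never age out of the table; both are simplifications the page does not spell out. The packet trace is constructed for the demo and the flow cap is lowered to 3 so that the cap is reached.

```python
from dataclasses import dataclass, field

MAX_FLOWS = 10_000   # page: at most 10,000 distinct flows can be logged at a time


@dataclass
class AclFlowLogger:
    global_logging: bool = True                     # global syslog/nslog setting
    max_flows: int = MAX_FLOWS
    flows: dict = field(default_factory=dict)       # 5-tuple -> packets seen
    per_second: dict = field(default_factory=dict)  # (acl, second) -> messages
    log_lines: list = field(default_factory=list)
    rate_limited: int = 0                           # new flows suppressed by rate limit
    table_full: int = 0                             # new flows dropped at the cap

    @staticmethod
    def flow_key(pkt: dict) -> tuple:
        # A flow is the page's 5-tuple: src IP, dst IP, src port, dst port, protocol.
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])

    def on_match(self, acl_name: str, log_state: bool, rate_limit: int,
                 now: float, pkt: dict) -> bool:
        """Called for a packet that matched acl_name. Returns True if a line was logged."""
        # The global setting takes precedence over the ACL's own logState.
        if not (self.global_logging and log_state):
            return False
        key = self.flow_key(pkt)
        if key in self.flows:
            self.flows[key] += 1          # same flow: count it, do not log again
            return False
        bucket = (acl_name, int(now))
        if self.per_second.get(bucket, 0) >= rate_limit:
            self.rate_limited += 1        # -rateLimit: max messages per second
            return False
        if len(self.flows) >= self.max_flows:
            self.table_full += 1          # no room to track another flow
            return False
        self.flows[key] = 1
        self.per_second[bucket] = self.per_second.get(bucket, 0) + 1
        self.log_lines.append(
            f"ACL {acl_name} {pkt['proto']} {pkt['src']}:{pkt['sport']} "
            f"-> {pkt['dst']}:{pkt['dport']}")
        return True


def demo() -> dict:
    # Constructed trace: (time in seconds, packet); every packet matches ACL
    # "restrict", configured here with logState ENABLED and a rate limit of 2.
    def pkt(sport: int, dport: int = 80) -> dict:
        return {"src": "192.0.2.10", "dst": "203.0.113.7",
                "sport": sport, "dport": dport, "proto": "TCP"}

    trace = [
        (0.0, pkt(40000)),             # flow 1: logged
        (0.1, pkt(40000)),             # flow 1 again: counted only
        (0.2, pkt(40001)),             # flow 2: logged (2nd message in second 0)
        (0.3, pkt(40002)),             # flow 3: suppressed, 2 messages/s already sent
        (1.5, pkt(40002)),             # flow 3: new second, logged; table holds 3 flows
        (1.6, pkt(40003, dport=443)),  # flow 4: table (capped at 3 here) is full
        (1.7, pkt(40000)),             # flow 1 again: counted
    ]
    log = AclFlowLogger(max_flows=3)
    logged = sum(log.on_match("restrict", True, 2, now, p) for now, p in trace)
    off = AclFlowLogger(global_logging=False)   # ACL logState on, global logging off
    off_logged = sum(off.on_match("restrict", True, 2, now, p) for now, p in trace)
    return {
        "logged": logged,
        "flow1_count": log.flows[log.flow_key(pkt(40000))],
        "rate_limited": log.rate_limited,
        "table_full": log.table_full,
        "global_off_logged": off_logged,
        "lines": log.log_lines,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>18}: {v}")
```

The practical consequence for anyone reading these logs is that one log line does not mean one packet: the counter on the flow, not the number of lines, tells you how much traffic a DENY rule actually dropped, and a flow that was never logged may simply have arrived while the rate limit or the flow table was exhausted.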
CLI procedures
To configure logging for an extended ACL6 rule by using the CLI:
-
To configure logging while adding the extended ACL6 rule, at the command prompt, type:
- **add acl6** <acl6Name> <acl6action> [-**logState** (ENABLED | DISABLED)] [-**rateLimit** <positive_integer>]
- apply acls6
- show acl6 [<acl6Name>]
-
To configure logging for an existing extended ACL6 rule, at the command prompt, type:
- **set acl6** <acl6Name> [-**logState** (ENABLED | DISABLED)] [-**rateLimit** <positive_integer>]
- show acl6 [<acl6Name>]
- apply acls6
GUI procedures
To configure extended ACL6 Logging by using the GUI:
- Navigate to System > Network > ACLs, and then click the Extended ACL6s tab.
- Set the following parameters while adding or modifying an extended ACL6 rule.
- Log State—Enable or disable logging of events related to the extended ACL6 rule. The log messages are stored in the configured syslog or auditlog server.
- Log Rate Limit—Maximum number of log messages to be generated per second. If you set this parameter, you must enable the Log State parameter.
Sample configuration
> set acl6 ACL6-1 -logstate ENABLED -ratelimit 120
Done
> apply acls6
Done
Displaying extended ACLs and extended ACL6s statistics
You can display statistics of extended ACLs and ACL6s.
The following table lists the statistics associated with extended ACLs and ACL6s, and their descriptions.
Statistic | Specifies |
---|---|
Allow ACL matches | Packets matching ACLs with processing mode set to ALLOW. The NetScaler processes these packets. |
NAT ACL matches | Packets matching a NAT ACL, resulting in a NAT session. |
Deny ACL matches | Packets dropped because they match ACLs with processing mode set to DENY. |
Bridge ACL matches | Packets matching a bridge ACL, which in transparent mode bypasses service processing. |
ACL matches | Packets matching an ACL. |
ACL misses | Packets not matching any ACL. |
ACL Count | Total number of ACL rules configured by users. |
Effective ACL Count | Total number of effective ACL configured internally. For an extended ACL with a range of IP addresses, the NetScaler appliance internally creates an extended ACL for each IP address. For example, for an extended ACL with 1000 IPv4 addresses (range or dataset), the NetScaler internally creates 1000 extended ACLs. |
CLI procedures
To display the statistics of all extended ACLs by using the CLI:
At the command prompt, type:
- stat ns acl
To display the statistics of all extended ACL6s by using the CLI:
At the command prompt, type:
- stat ns acl6
GUI procedures
To display the statistics of an extended ACL by using the GUI:
- Navigate to System > Network > ACLs, on the Extended ACLs tab, select the extended ACL, and click Statistics.
To display the statistics of an extended ACL6 by using the GUI:
- Navigate to System > Network > ACLs, on the Extended ACL6s tab, select the extended ACL6, and click Statistics.
Stateful ACLs
A stateful ACL rule creates a session when a request matches the rule and allows the resulting responses even if these responses match a deny ACL rule in the NetScaler appliance. A stateful ACL offloads the work of creating more ACL rules/forwarding session rules for allowing these specific responses.
Stateful ACLs can be best used in an edge firewall deployment of a NetScaler appliance having the following requirements:
- The NetScaler appliance must allow requests initiated from internal clients and the related responses from the Internet.
- The appliance must drop the packets from the Internet that are not related to any client connections.
Before you begin
Before you configure stateful ACL rules, note the following points:
- The NetScaler appliance supports stateful ACL rules and stateful ACL6 rules.
- In a high availability setup, the sessions for a stateful ACL rule are not synchronized to the secondary node.
- You cannot configure an ACL rule as stateful if the rule is bound to any NetScaler NAT configuration. Some examples of NetScaler NAT configurations are:
- RNAT
- Large Scale NAT (large scale NAT44, DS-Lite, large scale NAT64)
- NAT64
- Forwarding session
- You cannot configure an ACL rule as stateful if TTL and Established parameters are set for this ACL rule.
- The sessions created for a stateful ACL rule continue to exist until time out irrespective of the following ACL operations:
- Remove ACL
- Disable ACL
- Clear ACL
- Stateful ACLs are not supported for the following protocols:
- Active FTP
- TFTP
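The edge-firewall behaviour described above (a stateful ALLOW rule creates a session on the request, the response is allowed even though a DENY rule matches it, and the session outlives removal of the rule until it times out) is shown below in an added Python model that is not NetScaler code. Rules match on source network only, sessions are keyed by the request's 5-tuple and looked up in both directions, and the idle timeout of 120 seconds and the refresh-on-traffic behaviour are the example's own assumptions; the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str          # ALLOW or DENY
    src_net: str         # CIDR the packet's source must fall in
    stateful: bool = False


class StatefulAclEngine:
    """Rules in priority order plus the session table a stateful ALLOW fills."""

    def __init__(self, rules, session_timeout: int = 120) -> None:
        self.rules = list(rules)
        self.timeout = session_timeout    # assumption: idle timeout in seconds
        self.sessions: dict = {}          # 5-tuple of the request -> expiry time

    @staticmethod
    def forward(p: dict) -> tuple:
        return (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])

    @staticmethod
    def reverse(p: dict) -> tuple:
        return (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])

    def handle(self, p: dict, now: float) -> tuple:
        # 1. Packets of an existing session pass before any rule is consulted;
        #    this is how a response gets through a DENY rule.
        for key in (self.forward(p), self.reverse(p)):
            expiry = self.sessions.get(key)
            if expiry is None:
                continue
            if now < expiry:
                self.sessions[key] = now + self.timeout   # refresh on traffic
                return ("ALLOW", "session")
            del self.sessions[key]                         # timed out
        # 2. Otherwise first-match evaluation; a stateful ALLOW creates a session.
        for r in self.rules:
            if ip_address(p["src"]) in ip_network(r.src_net):
                if r.action == "ALLOW" and r.stateful:
                    self.sessions[self.forward(p)] = now + self.timeout
                return (r.action, r.name)
        return ("MISS", None)

    def remove(self, name: str) -> None:
        # Removing (or disabling) the rule leaves its sessions in place until timeout.
        self.rules = [r for r in self.rules if r.name != name]


def demo() -> dict:
    """Internal clients may initiate; the Internet may only answer."""
    fw = StatefulAclEngine([
        Rule("ALLOW-OUT", "ALLOW", "10.0.0.0/8", stateful=True),
        Rule("DENY-INET", "DENY", "0.0.0.0/0"),
    ], session_timeout=120)
    req = {"src": "10.0.0.5", "sport": 50000, "dst": "203.0.113.7", "dport": 443, "proto": "TCP"}
    resp = {"src": "203.0.113.7", "sport": 443, "dst": "10.0.0.5", "dport": 50000, "proto": "TCP"}
    stray = {"src": "203.0.113.9", "sport": 443, "dst": "10.0.0.5", "dport": 50000, "proto": "TCP"}
    out = {}
    out["unsolicited"] = fw.handle(resp, now=0)        # no session yet: DENY-INET
    out["request"] = fw.handle(req, now=1)             # ALLOW-OUT, session created
    out["response"] = fw.handle(resp, now=2)           # allowed by the session
    out["stray"] = fw.handle(stray, now=3)             # unrelated peer: DENY-INET
    fw.remove("ALLOW-OUT")
    out["after_remove"] = fw.handle(resp, now=4)       # session outlives the rule
    out["after_timeout"] = fw.handle(resp, now=4 + 121) # session expired: DENY-INET
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>14}: {v}")
```

The "after_remove" step is the one to remember when troubleshooting: removing, disabling or clearing a stateful rule does not cut existing sessions, so traffic the rule admitted keeps flowing until the sessions time out, and in a high availability pair those sessions are not present on the secondary node at all.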
Configure stateful IPv4 ACL rules
Configuring a stateful ACL rule consists of enabling the stateful parameter of an ACL rule.
To enable the stateful parameter of an ACL rule by using the CLI:
- To enable the stateful parameter while adding an ACL rule, at the command prompt, type:
- **add acl** <name> ALLOW -**stateful** (ENABLED | DISABLED)
- apply acls
- show acl <name>
- To enable the stateful parameter of an existing ACL rule, at the command prompt, type:
- **set acl** <name> -**stateful** (ENABLED | DISABLED)
- apply acls
- show acl <name>
To enable the stateful parameter of an ACL rule by using the GUI:
- Navigate to System > Network > ACLs, and then click the Extended ACLs tab.
- Enable the Stateful parameter while adding or modifying an ACL rule.
Sample configuration
> add acl ACL-1 allow -srciP 1.1.1.1 -stateful Yes
Done
> apply acls
Done
> show acl
1) Name: ACL-1
Action: ALLOW Hits: 0
srcIP = 1.1.1.1
destIP
srcMac:
Protocol:
Vlan: Interface:
Active Status: ENABLED Applied Status: NOTAPPLIED
Priority: 10 NAT: NO
TTL:
Log Status: DISABLED
Forward Session: NO
Stateful: YES
Configure stateful ACL6 rules
Configuring a stateful ACL6 rule consists of enabling the stateful parameter of an ACL6 rule.
To enable the stateful parameter of an ACL6 rule by using the CLI:
- To enable the stateful parameter while adding an ACL6 rule, at the command prompt, type:
- **add acl6** <name> ALLOW -**stateful** ( ENABLED | DISABLED )
- apply acls6
- show acl6 <name>
- To enable the stateful parameter of an existing ACL6 rule, at the command prompt, type:
- **set acl6** <name> -**stateful** ( ENABLED | DISABLED )
- apply acls6
- show acl6 <name>
To enable the stateful parameter of an ACL6 rule by using the GUI:
- Navigate to System > Network > ACLs, and then click the Extended ACL6s tab.
- Enable the Stateful parameter while adding or modifying an ACL6 rule.
Sample configuration
> add acl6 ACL6-1 allow -srcipv6 1000::1 -stateful Yes
Done
> apply acls6
Done
> show acl6
1) Name: ACL6-1
Action: ALLOW Hits: 0
srcIPv6 = 1000::1
destIPv6
srcMac:
Protocol:
Vlan: Interface:
Active Status: ENABLED Applied Status: NOTAPPLIED
Priority: 10 NAT: NO
TTL:
Forward Session: NO
Stateful: YES
Dataset based extended ACLs
Many ACLs are required in an enterprise. Configuring and managing many ACLs is difficult and cumbersome when they require frequent changes.
A NetScaler appliance supports datasets in extended ACLs. Dataset is an existing feature of a NetScaler appliance. A dataset is an array of indexed patterns of types: number (integer), IPv4 address, or IPv6 address.
Dataset support in extended ACLs is useful for creating multiple ACL rules, which require common ACL parameters.
While creating an ACL rule, instead of specifying the common parameters, you can specify a dataset, which includes these common parameters.
Any changes made in the dataset are automatically reflected in the ACL rules that are using this dataset. ACLs with datasets are easier to configure and manage. They are also smaller and easier to read than the conventional ACLs.
Currently, the NetScaler appliance supports only the following types of datasets for the extended ACLs:
- IPv4 address (for specifying the source IP address or the destination IP address or both for an ACL rule)
- number (for specifying the source port or the destination port or both for an ACL rule)
Before you begin
Before configuring dataset based extended ACL rules, note the following points:
- Make sure that you are familiar with the dataset feature of a NetScaler appliance. For more information about datasets, see Pattern sets and data sets.
- The NetScaler appliance supports datasets only for IPv4 extended ACLs.
- The NetScaler appliance supports only the following types of datasets for the extended ACLs:
- IPv4 address
- number
- The NetScaler appliance supports dataset based extended ACLs for all NetScaler set ups: standalone, high availability, and cluster.
- For an extended ACL with datasets containing ranges, the NetScaler appliance internally creates an extended ACL for each combination of the dataset values.
- Example 1: For an IPv4 dataset based extended ACL with 1000 IPv4 addresses bound to the dataset, and the dataset set to the source IP parameter, the NetScaler appliance internally creates 1000 extended ACLs.
- Example 2: A dataset based extended ACL with the following parameters set:
- Source IP is set to a dataset containing 5 IP addresses.
- Destination IP is set to a dataset containing 5 IP addresses.
- Source port is set to a dataset containing 5 ports.
- Destination port is set to a dataset containing 5 ports.
The NetScaler appliance internally creates 625 extended ACLs (5 x 5 x 5 x 5). Each of these internal ACLs contains a unique combination of the four parameter values listed above.
- The NetScaler appliance supports a maximum of 10K extended ACLs. For an IPv4 dataset based extended ACL with a range of IP addresses bound to the dataset, the NetScaler appliance stops creating internal ACLs once the total number of extended ACLs reaches the maximum limit.
- The following counters are present as part of the extended ACL statistics:
- ACL count. Total number of ACL rules configured by users.
- Effective ACL count. Total number of effective ACL rules that the NetScaler appliance configures internally.
For more information, see Displaying extended ACL and extended ACL6s Statistics.
- The NetScaler appliance does not support set and unset operations for associating or dissociating datasets with the parameters of an extended ACL. You can set the ACL parameters to a dataset only during the add operation.
Configure dataset based extended ACLs
Configuring a dataset based extended ACL rule consists of the following tasks:
- Add a dataset. A dataset is an array of indexed patterns of types: number (integer), IPv4 address, or IPv6 address. In this task, you create a dataset of a given type, for example, a dataset of type IPv4.
- Bind values to the dataset. Specify a value or a range of values for the dataset. The specified values must be of the same type as the dataset type. For example, you can bind an IPv4 address, an IPv4 address range, or an IPv4 address range in CIDR notation to an IPv4 dataset.
- Add an extended ACL and set ACL parameters to the dataset. Add an extended ACL and set the required ACL parameters to the dataset. As a result, the parameters take the values specified in the dataset.
- Apply extended ACLs. Apply the ACLs to activate any new or modified extended ACLs.
To add a policy dataset by using the CLI:
At the command prompt, type:
- add policy dataset <name> <type>
- show policy dataset
To bind a pattern to the data set by using the CLI:
At the command prompt, type:
- bind policy dataset <name> <value> [-endRange <string>]
- show policy dataset
To add an extended ACL and set the ACL parameters to the dataset by using the CLI:
At the command prompt, type:
- add ns acl <aclname> <aclaction> [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] …
- show acls
To apply extended ACLs by using the CLI:
At the command prompt, type:
- apply acls
Sample configuration
In the following sample configuration of a dataset based extended ACL, two IPv4 datasets, DATASET_IP_ACL_1 and DATASET_IP_ACL_2, and two port datasets, DATASET_PORT_ACL_1 and DATASET_PORT_ACL_2, are created.
Two IPv4 addresses, 192.0.2.30 and 192.0.2.60, are bound to DATASET_IP_ACL_1. Two IPv4 address ranges, (198.51.100.15 - 45) and (203.0.113.60-90), are bound to DATASET_IP_ACL_2. DATASET_IP_ACL_1 is then specified for the srcIP parameter, and DATASET_IP_ACL_2 for the destIP parameter, of the extended ACL ACL-1.
Two port numbers, 2001 and 2004, are bound to DATASET_PORT_ACL_1. Two port ranges, (5001 - 5040) and (8001 - 8040), are bound to DATASET_PORT_ACL_2. DATASET_PORT_ACL_1 is then specified for the srcPort parameter, and DATASET_PORT_ACL_2 for the destPort parameter, of ACL-1.
add policy dataset DATASET_IP_ACL_1 IPV4
add policy dataset DATASET_IP_ACL_2 IPV4
add policy dataset DATASET_PORT_ACL_1 NUM
add policy dataset DATASET_PORT_ACL_2 NUM
bind policy dataset DATASET_IP_ACL_1 192.0.2.30
bind policy dataset DATASET_IP_ACL_1 192.0.2.60
bind policy dataset DATASET_IP_ACL_2 198.51.100.15 -endrange 198.51.100.45
bind policy dataset DATASET_IP_ACL_2 203.0.113.1/24
bind policy dataset DATASET_PORT_ACL_1 2001
bind policy dataset DATASET_PORT_ACL_1 2004
bind policy dataset DATASET_PORT_ACL_2 5001 -endrange 5040
bind policy dataset DATASET_PORT_ACL_2 8001 -endrange 8040
add ns acl ACL-1 ALLOW -srcIP DATASET_IP_ACL_1 -destIP DATASET_IP_ACL_2 -srcPort DATASET_PORT_ACL_1 -destPort DATASET_PORT_ACL_2 -protocol TCP
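Because every combination of dataset values becomes an internal ACL and the appliance stops at 10K, it is worth estimating the Effective ACL Count before applying a dataset based rule. The following Python is an added example, not NetScaler code: it reads the "bind policy dataset" lines of a configuration, sizes each dataset (single value, -endRange range, or CIDR), and multiplies the sizes of the datasets referenced by the srcIP, destIP, srcPort and destPort parameters of an "add ns acl" line, capping the result at 10,000 as the "Before you begin" notes describe. It assumes that a CIDR binding expands to one internal ACL per address in the prefix, which the page does not state; under that assumption the sample configuration above requests far more than the limit, and the function reports that truncation. The Example 2 case (5 x 5 x 5 x 5) is included as a second input.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_EXTENDED_ACLS = 10_000   # page: the appliance supports at most 10K extended ACLs

# Constructed input: the page's sample bindings in the documented
# "bind policy dataset" form, and the ACL that references them.
SAMPLE_BINDS = """
add policy dataset DATASET_IP_ACL_1 IPV4
add policy dataset DATASET_IP_ACL_2 IPV4
add policy dataset DATASET_PORT_ACL_1 NUM
add policy dataset DATASET_PORT_ACL_2 NUM
bind policy dataset DATASET_IP_ACL_1 192.0.2.30
bind policy dataset DATASET_IP_ACL_1 192.0.2.60
bind policy dataset DATASET_IP_ACL_2 198.51.100.15 -endrange 198.51.100.45
bind policy dataset DATASET_IP_ACL_2 203.0.113.1/24
bind policy dataset DATASET_PORT_ACL_1 2001
bind policy dataset DATASET_PORT_ACL_1 2004
bind policy dataset DATASET_PORT_ACL_2 5001 -endrange 5040
bind policy dataset DATASET_PORT_ACL_2 8001 -endrange 8040
"""
SAMPLE_ACL = ("add ns acl ACL-1 ALLOW -srcIP DATASET_IP_ACL_1 -destIP DATASET_IP_ACL_2 "
              "-srcPort DATASET_PORT_ACL_1 -destPort DATASET_PORT_ACL_2 -protocol TCP")


def binding_size(value: str, end: Optional[str]) -> int:
    """Number of distinct values one bind line contributes to its dataset."""
    if "/" in value:
        # Assumption: a CIDR binding expands to one internal ACL per address in the prefix.
        return ip_network(value, strict=False).num_addresses
    if end is None:
        return 1
    if value.count(".") == 3:   # IPv4 range given with -endRange
        return int(ip_address(end)) - int(ip_address(value)) + 1
    return int(end) - int(value) + 1   # numeric (port) range


def dataset_sizes(config: str) -> dict:
    """Map each dataset name to the number of values bound to it."""
    sizes: dict = {}
    for line in config.strip().splitlines():
        parts = line.split()
        if [p.lower() for p in parts[:3]] != ["bind", "policy", "dataset"]:
            continue                      # "add policy dataset" and other lines
        name, value = parts[3], parts[4]
        lowered = [p.lower() for p in parts]
        end = parts[lowered.index("-endrange") + 1] if "-endrange" in lowered else None
        sizes[name] = sizes.get(name, 0) + binding_size(value, end)
    return sizes


def effective_acl_count(acl_line: str, sizes: dict) -> tuple:
    """(requested, created, truncated): product of the dataset sizes on the
    srcIP/destIP/srcPort/destPort parameters, capped at MAX_EXTENDED_ACLS."""
    parts = acl_line.split()
    requested = 1
    for i, tok in enumerate(parts):
        if tok.lower() in ("-srcip", "-destip", "-srcport", "-destport"):
            requested *= sizes.get(parts[i + 1], 1)   # a literal value counts once
    created = min(requested, MAX_EXTENDED_ACLS)
    return requested, created, requested > created


# Example 2 from "Before you begin": four datasets of five values each.
EXAMPLE2_ACL = "add ns acl ACL-2 ALLOW -srcIP DS_A -destIP DS_B -srcPort DS_C -destPort DS_D"
EXAMPLE2_SIZES = {"DS_A": 5, "DS_B": 5, "DS_C": 5, "DS_D": 5}


if __name__ == "__main__":
    sizes = dataset_sizes(SAMPLE_BINDS)
    print("dataset sizes:", sizes)
    print("ACL-1 requested/created/truncated:", effective_acl_count(SAMPLE_ACL, sizes))
    print("Example 2:", effective_acl_count(EXAMPLE2_ACL, EXAMPLE2_SIZES))
```

Comparing the "requested" figure with the Effective ACL Count reported by `stat ns acl` after `apply acls` tells you whether a rule was silently truncated; a truncated rule no longer covers every address or port you bound, so the combinations that were dropped fall through to whatever rule comes next.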