    Richard Faulkner
    • Validation Status: Validated
      Has Video?: No

    ACLs and Datasets

    Contributed by Magnus Esse

    Summary

    This document intends to give a brief description of how the usage of datasets in combination with ACLs might reduce your configuration considerably as well as make it a lot easier to understand what has been configured, and makes life a lot easier if there are any changes needed in the future.

    Limitations

    ADC access lists (ACLs) only look at the incoming traffic on the ADC interfaces. An ACL never affects any of the internal ADC traffic.

    There is currently (firmware release 13.1) a limit of 10,000 on the Effective ACL Count, which can be higher than the number of ACLs you have actually configured. You can check the number of ACLs in use with the command stat acl and look for the following counters:

    ACL Count                1
    Effective ACL Count      1


    Examples

    In later releases, it is possible to use datasets instead of specifying a range of IP addresses in the source and destination fields. This makes the configuration simpler to create and easier to understand and maintain. However, there is one major thing to keep in mind when using datasets within the ACL configuration: even though it will look like you get fewer ACLs, it can be the other way around. Always verify with the stat acl command how many resources are actually being used.

    Some benefits of using datasets together with ACLs are that it becomes a lot easier to get an overview of, and to manage, a more complex ACL configuration. One clear advantage is the simplification: it is a lot easier to add or remove items in a dataset than to do it in the actual ACLs.

    Let's look at the following simple example of two ACL configurations that achieve the same result.

    Example 1:

    add ns acl ACL-01 ALLOW -srcIP = 10.10.10.10-10.10.10.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 22 -protocol TCP -priority 10
    add ns acl ACL-02 ALLOW -srcIP = 10.20.20.10-10.20.20.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 22 -protocol TCP -priority 20
    add ns acl ACL-03 ALLOW -srcIP = 10.10.10.10-10.10.10.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 443 -protocol TCP -priority 30
    add ns acl ACL-04 ALLOW -srcIP = 10.20.20.10-10.20.20.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 443 -protocol TCP -priority 40
    apply ns acls


    stat acl gives the following information regarding the number of ACLs in use:

    ACL Count                4
    Effective ACL Count      4


    Example 2:

    add policy dataset srcIP_dataset ipv4
    add policy dataset dstIP_dataset ipv4
    add policy dataset dstport_dset number
    bind policy dataset srcIP_dataset 10.10.10.10 -index 1 -endRange 10.10.10.19
    bind policy dataset srcIP_dataset 10.20.20.10 -index 2 -endRange 10.20.20.19
    bind policy dataset dstIP_dataset 10.100.100.10 -index 1 -endRange 10.100.100.19
    bind policy dataset dstport_dset 22 -index 1
    bind policy dataset dstport_dset 443 -index 2
    add ns acl ACL-01 ALLOW -srcIP = srcIP_dataset -destIP = dstIP_dataset -destPort = dstport_dset -protocol TCP -priority 10
    apply ns acls


    stat acl gives the following information regarding the number of ACLs in use:

    ACL Count                1
    Effective ACL Count      4


    Example Summary:

    Consider the changes you would need to make to the two configurations above if traffic on port 80 also had to be allowed. In Example 1 that means creating 2 new ACL rules. In Example 2 you only need to add port 80 to the port dataset.
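    As an added illustration (not part of the original article and not a Citrix tool), the following Python script reads CLI lines in the form used by the two examples above and estimates both stat acl counters before anything is applied to an appliance. It assumes the expansion rule implied by the article's figures: an ACL that references datasets counts once per combination of entries in its source, destination and port datasets (2 x 1 x 2 = 4 for Example 2), while a literal range or port counts as one. The helper names (parse_config, effective_count, summarize, add_port), the EFFECTIVE_ACL_LIMIT constant and the sample inputs are constructed here, and the destination range in the Example 2 sample is taken from Example 1 so that both inputs describe the same traffic. The authoritative numbers always come from stat acl on the ADC itself.

```python
import re
from collections import defaultdict

# Effective ACL Count limit quoted in the article for firmware release 13.1.
EFFECTIVE_ACL_LIMIT = 10_000

# Constructed sample input (not captured from an appliance): Example 1 from the
# article, one command per line.
EXAMPLE_1 = """
add ns acl ACL-01 ALLOW -srcIP = 10.10.10.10-10.10.10.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 22 -protocol TCP -priority 10
add ns acl ACL-02 ALLOW -srcIP = 10.20.20.10-10.20.20.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 22 -protocol TCP -priority 20
add ns acl ACL-03 ALLOW -srcIP = 10.10.10.10-10.10.10.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 443 -protocol TCP -priority 30
add ns acl ACL-04 ALLOW -srcIP = 10.20.20.10-10.20.20.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 443 -protocol TCP -priority 40
apply ns acls
"""

# Constructed sample input: Example 2, with the destination range taken from
# Example 1 so that both configurations describe the same traffic.
EXAMPLE_2 = """
add policy dataset srcIP_dataset ipv4
add policy dataset dstIP_dataset ipv4
add policy dataset dstport_dset number
bind policy dataset srcIP_dataset 10.10.10.10 -index 1 -endRange 10.10.10.19
bind policy dataset srcIP_dataset 10.20.20.10 -index 2 -endRange 10.20.20.19
bind policy dataset dstIP_dataset 10.100.100.10 -index 1 -endRange 10.100.100.19
bind policy dataset dstport_dset 22 -index 1
bind policy dataset dstport_dset 443 -index 2
add ns acl ACL-01 ALLOW -srcIP = srcIP_dataset -destIP = dstIP_dataset -destPort = dstport_dset -protocol TCP -priority 10
apply ns acls
"""

_BIND_RE = re.compile(r"^bind policy dataset (\S+) (\S+)")
_ACL_RE = re.compile(r"^add ns acl (\S+) ")
_FIELD_RE = re.compile(r"-(srcIP|destIP|destPort) = (\S+)")


def parse_config(text):
    """Return (entries_per_dataset, acls).

    entries_per_dataset maps a dataset name to its number of bound entries
    (a bind with -endRange is one entry, exactly as in the article's example);
    acls is a list of (name, {field: value}) for every "add ns acl" line.
    """
    entries = defaultdict(int)
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _BIND_RE.match(line):
            entries[m.group(1)] += 1
        elif m := _ACL_RE.match(line):
            acls.append((m.group(1), dict(_FIELD_RE.findall(line))))
    return dict(entries), acls


def effective_count(acls, entries):
    """Assumed expansion rule: a field that names a dataset multiplies the
    ACL's effective count by that dataset's entry count; a literal address
    range or port counts as one."""
    total = 0
    for _, fields in acls:
        expanded = 1
        for value in fields.values():
            expanded *= entries.get(value, 1)
        total += expanded
    return total


def summarize(text):
    """Mirror the two stat acl counters the article asks you to watch."""
    entries, acls = parse_config(text)
    effective = effective_count(acls, entries)
    return {
        "acl_count": len(acls),
        "effective_acl_count": effective,
        "within_limit": effective <= EFFECTIVE_ACL_LIMIT,
    }


def add_port(text, dataset, port, index):
    """Model the change from the Example Summary: bind one more port to the
    port dataset instead of writing new ACL rules. The estimator does not
    care where the bind sits relative to "apply ns acls"."""
    return text.rstrip("\n") + f"\nbind policy dataset {dataset} {port} -index {index}\n"


if __name__ == "__main__":
    for label, cfg in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                       ("Example 2 + port 80", add_port(EXAMPLE_2, "dstport_dset", 80, 3))):
        print(label, summarize(cfg))
```

    Running the script reports Example 1 at 4 ACLs / 4 effective and Example 2 at 1 ACL / 4 effective, matching the counters quoted above. Binding port 80 to dstport_dset, as the Example Summary suggests, leaves the ACL count at 1 but raises the estimated effective count to 6: the configuration shrinks while the resource usage grows, which is exactly why the article tells you to check stat acl after every dataset change.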


     
