

    Steven Wright

    Simplify your NetScaler Access Control Lists using datasets

    NetScaler Access Control Lists (ACLs) examine the traffic arriving on interfaces and allow or deny it based on the configuration. By restricting access to virtual servers and management interfaces, they can be a superb extra layer to overall security. It's straightforward to write ACLs that allow a single continuous block of IP addresses to communicate with one another, but the number of ACLs required can grow quickly when there are many client IPs, which adds numerous complexities.

    NetScaler has a simple and elegant solution that avoids this complexity: define datasets to represent the IP addresses and ports to be blocked or allowed, then reference them as a single entity in ACL rules. In this blog post, we'll look at that solution and how it simplifies complex ACL configurations.

    ACLs and Datasets

    With recent NetScaler releases, you can use datasets instead of specifying a range of IP addresses and ports in the source and destination fields of each rule. This makes an environment much simpler to configure and maintain.

    Below are two examples of how the same NetScaler is configured with and without datasets.

    Example 1 (ACLs without datasets)

    add ns acl ClientRange1-HTTP ALLOW -srcIP = 10.10.10.10-10.10.10.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 80 -protocol TCP -priority 10
    add ns acl ClientRange2-HTTP ALLOW -srcIP = 10.20.20.10-10.20.20.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 80 -protocol TCP -priority 20
    add ns acl ClientRange1-SSL ALLOW -srcIP = 10.10.10.10-10.10.10.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 443 -protocol TCP -priority 30
    add ns acl ClientRange2-SSL ALLOW -srcIP = 10.20.20.10-10.20.20.19 -destIP = 10.100.100.10-10.100.100.19 -destPort = 443 -protocol TCP -priority 40
    apply ns acls

    Example 2 (ACLs with datasets)

    add policy dataset WebClients_dataset ipv4
    add policy dataset WebServers_dataset ipv4
    add policy dataset WebPorts_dset number
    bind policy dataset WebClients_dataset 10.10.10.10 -index 1 -endRange 10.10.10.19
    bind policy dataset WebClients_dataset 10.20.20.10 -index 2 -endRange 10.20.20.19
    bind policy dataset WebServers_dataset 10.100.100.10 -index 1 -endRange 10.100.100.19
    bind policy dataset WebPorts_dset 80 -index 1
    bind policy dataset WebPorts_dset 443 -index 2
    add ns acl ClientWebRequests ALLOW -srcIP = WebClients_dataset -destIP = WebServers_dataset -destPort = WebPorts_dset -protocol TCP -priority 10
    apply ns acls


    As you can see, the first example needs one ACL for each block of IP addresses and ports on the client and server. If we added a second range of server IP addresses, we'd need twice as many ACLs.

    In the second example, we end up with a single ACL. Plus, adding another range of server IPs to "WebServers_dataset" requires just a single bind command.

    Imagine how much time and complexity you can save in an environment with lots of clients and servers.

    How Do ACLs and Datasets Work?

    As you configure ACLs with datasets, NetScaler builds "effective ACLs" in the background.

    In our first example, the "ACL Count" and "Effective ACL Count" match because the NetScaler didn't need to create additional ACLs based on the dataset. In the second example, the "ACL Count" is one and the "Effective ACL Count" is four because the NetScaler created the same ACLs that we would have manually created.

    The command "stat acl" shows you both the "ACL count" and the "Effective ACL count". NetScaler can handle a total of 10,000 ACLs, giving you a tremendous amount of flexibility as you design and build your layered security approach.

    nsroot@bob-Primary> stat acl
    ACL Statistics                                          Rate (/s)                Total
    Allow ACL hits                                     0                    0
    NAT ACL hits                                       0                    0
    Deny ACL hits                                      0                    0
    Bridge ACL hits                                    0                    0
    ACL hits                                           0                    0
    ACL misses                                         0                    0
    ACL Count                                         --                    1
    Effective ACL Count                               --                    4
    DFD ACL Count                                     --                    0
    DFD ACL hits                                       0                    0
    DFD ACL misses                                     0                    0
     Done
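    Added example (Python, written for this edit; it is not NetScaler code and not part of the original post): it models how one dataset-based ACL expands into the "effective ACLs" described above, checks that the expansion is the same as the four explicit ACLs of Example 1, and totals effective ACLs against the 10,000 limit before a change is applied. The dataset names are the post's; the range values are constructed to match the two examples.

```python
from ipaddress import IPv4Address
from itertools import product

ACL_LIMIT = 10000  # total ACLs a NetScaler can hold, per the post


def ip_range(spec):
    """Parse '10.10.10.10-10.10.10.19' (or a single address) into (low, high) ints."""
    low, _, high = spec.partition("-")
    return int(IPv4Address(low)), int(IPv4Address(high or low))


# Constructed datasets mirroring Example 2 (names from the post, values constructed).
DATASETS = {
    "WebClients_dataset": [ip_range("10.10.10.10-10.10.10.19"),
                           ip_range("10.20.20.10-10.20.20.19")],
    "WebServers_dataset": [ip_range("10.100.100.10-10.100.100.19")],
    "WebPorts_dset": [(80, 80), (443, 443)],
}


def expand_acl(src, dst, port, datasets=DATASETS):
    """Expand one ACL into its effective ACLs: every combination of the members of
    each field. A field naming a dataset contributes all of its bound entries;
    a literal range or port contributes just itself."""
    def members(field, parse):
        return datasets[field] if field in datasets else [parse(field)]
    ports = members(port, lambda p: (int(p), int(p)))
    return sorted(product(members(src, ip_range), members(dst, ip_range), ports))


def effective_acl_count(*acls, datasets=DATASETS):
    """Total effective ACLs for several (src, dst, port) rules, and whether it fits."""
    total = sum(len(expand_acl(*acl, datasets=datasets)) for acl in acls)
    return total, total <= ACL_LIMIT


def is_allowed(effective, src_ip, dst_ip, dst_port):
    """True if any effective ACL matches the flow (all ACLs here are ALLOW rules)."""
    s, d = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    return any(a <= s <= b and c <= d <= e and f <= dst_port <= g
               for (a, b), (c, e), (f, g) in effective)


# Example 1 written out explicitly: one ACL per client range and port, no datasets.
EXPLICIT = [acl for s, p in product(["10.10.10.10-10.10.10.19", "10.20.20.10-10.20.20.19"],
                                    ["80", "443"])
            for acl in expand_acl(s, "10.100.100.10-10.100.100.19", p)]

if __name__ == "__main__":
    dataset_acl = expand_acl("WebClients_dataset", "WebServers_dataset", "WebPorts_dset")
    print(len(dataset_acl), "effective ACLs; same as Example 1:", dataset_acl == sorted(EXPLICIT))
```

    Running it reports 4 effective ACLs for the single dataset-based rule and confirms they cover exactly the flows Example 1 allows.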

    Learn More

    We've shown how datasets and NetScaler ACLs can simplify complex ACL configurations. Learn more about NetScaler ACLs and datasets.

