
Simple ACLs and Simple ACL6s

A simple ACL or simple ACL6 uses few parameters and can be configured only to drop IP packets. Packets can be dropped based on their source IP address and, optionally, their protocol, destination port, or traffic domain.

When creating a simple ACL or simple ACL6, you can specify a time to live (TTL), in seconds, after which the ACL expires. ACLs with TTLs are not saved when you save the configuration. You can display simple ACLs and simple ACL6s to verify their configuration, and you can display their statistics.

Configuring Simple ACLs and Simple ACL6s

Configuring a simple ACL or simple ACL6 on a Citrix ADC can include the following tasks.

  • Create simple ACLs or simple ACL6s to drop (deny) packets based on their source IP address and, optionally, their protocol, destination port, or traffic domain.
  • Remove simple ACLs or simple ACL6s. These ACLs cannot be modified once created. If you must modify a simple ACL or simple ACL6, you must remove it and create a new one.

CLI procedures

To create a simple ACL by using the CLI:

At the command prompt, type:

  • add ns simpleacl <aclname> DENY -srcIP <ip_addr> [-destPort <port> -protocol ( TCP | UDP )] [-TTL <positive_integer>]
  • show ns simpleacl [<aclname>]

Example:

> add ns simpleacl rule1 DENY -srcIP 10.102.29.5 -TTL 600
 Done

To create a simple ACL6 by using the CLI:

At the command prompt, type:

  • add ns simpleacl6 <aclname> DENY -srcIPv6 <ipv6_addr> [-destPort <port> -protocol ( TCP | UDP )] [-TTL <positive_integer>]
  • show ns simpleacl6 [<aclname>]

Example:

> add ns simpleacl6 rule1 DENY -srcIPv6 3ffe:192:168:215::82 -destPort 80 -protocol TCP -TTL 9000
 Done

To remove a single simple ACL by using the CLI:

At the command prompt, type:

  • rm ns simpleacl <aclname>
  • show ns simpleacl

To remove a single simple ACL6 by using the CLI:

At the command prompt, type:

  • rm ns simpleacl6 <aclname>
  • show ns simpleacl6

To remove all simple ACLs by using the CLI:

At the command prompt, type:

  • clear ns simpleacl
  • show ns simpleacl

To remove all simple ACL6s by using the CLI:

At the command prompt, type:

  • clear ns simpleacl6
  • show ns simpleacl6

GUI procedures

To create a simple ACL by using the GUI:

Navigate to System > Network > ACLs and, on the Simple ACLs tab, add a new simple ACL.

To create a simple ACL6 by using the GUI:

Navigate to System > Network > ACLs and, on the Simple ACL6s tab, add a new simple ACL6.

To remove a single simple ACL by using the GUI:

Navigate to System > Network > ACLs and, on the Simple ACLs tab, delete the simple ACL.

To remove a single simple ACL6 by using the GUI:

Navigate to System > Network > ACLs and, on the Simple ACL6s tab, delete the simple ACL6.

To remove all simple ACLs by using the GUI:

  1. Navigate to System > Network > ACLs.
  2. On the Simple ACLs tab, in the Action list, click Clear.

To remove all simple ACL6s by using the GUI:

  1. Navigate to System > Network > ACLs.
  2. On the Simple ACL6s tab, in the Action list, click Clear.

Displaying Simple ACL and Simple ACL6 Statistics

You can display the simple ACL (or simple ACL6) statistics, which include the number of matches, the number of misses, and the number of simple ACLs configured.

The following table describes the statistics you can display for simple ACLs and simple ACL6s.

Statistic      Indicates
ACL match      Packets matching an ACL
ACL misses     Packets not matching any ACL
ACL count      Number of ACLs configured

CLI procedures

To display simple ACL statistics by using the CLI:

At the command prompt, type:

  • stat ns simpleacl

Example:

> stat ns simpleacl
SimpleACL Statistics
                                  Rate (/s)          Total
SimpleACL hits                            0              0
SimpleACL misses                          0          51872
SimpleACLs count                         --              2
 Done

To display simple ACL6 statistics by using the CLI:

At the command prompt, type:

  • stat ns simpleacl6

GUI procedures

To display simple ACL statistics by using the GUI:

Navigate to System > Network > ACLs and, on the Simple ACLs tab, select the ACL and click Statistics.

To display simple ACL6 statistics by using the GUI:

Navigate to System > Network > ACLs and, on the Simple ACL6s tab, select the simple ACL6 and click Statistics.

Terminating Established Connections

For a simple ACL or simple ACL6, the Citrix ADC blocks any new connections that match the conditions specified in the ACL. Packets related to existing connections that were established before the ACL was created are not blocked. To terminate previously established connections that match an existing ACL, you can run a flush operation from the CLI or the GUI.

Flush can be useful in the following cases:

  • You receive a list of blacklisted IP addresses and want to completely block those IP addresses from accessing the Citrix ADC. In this case, you create simple ACLs or simple ACL6s to block any new connections from these IP addresses, and then flush any existing connections associated with those addresses.
  • You want to terminate many connections from a particular network without taking the time to terminate them one by one.

Before you begin

  • When you run flush, the Citrix ADC searches through all of its established connections and terminates the connections that match the conditions specified in any of the simple ACLs configured on the ADC.

  • If you plan to create more than one simple ACL and flush existing connections that match any of them, you can minimize the effect on performance by first creating all simple ACLs and then running flush only once.
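The two-step approach recommended above (create every simple ACL first, then flush once), as an added POSIX shell example that is not part of the original Citrix documentation: it turns a constructed block list into the ADC CLI commands this page documents, routing IPv4 entries to simple ACLs and IPv6 entries to simple ACL6s, and emits a single flush per address family at the end. The function names, the BLOCKLIST sample and the blk rule-name prefix are my own; the script only generates the commands and does not connect to an ADC.

```shell
# Constructed sample block list (not from the original page); blank lines and '#' lines are ignored.
BLOCKLIST='
# constructed entries: two IPv4, one IPv6, one deliberately malformed
10.102.29.5
192.0.2.44
3ffe:192:168:215::82
not-an-address
'

# is_ipv4 ADDR: four dotted decimal octets, each 0-255 (plain POSIX sh, no regex).
is_ipv4() {
  addr=$1; oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*|????*) return 1 ;; esac   # empty, non-digit, or 4+ digits
    [ "$o" -le 255 ] || return 1
  done
}

# is_ipv6 ADDR: loose syntax check, only hex digits and colons, at most one '::'.
is_ipv6() {
  case "$1" in *:*) ;; *) return 1 ;; esac
  case "$1" in *[!0-9A-Fa-f:]*|*::*::*) return 1 ;; esac
}

# gen_simpleacl_script TTL [RULE_PREFIX]: print the ADC CLI commands that deny each
# BLOCKLIST address (simple ACL for IPv4, simple ACL6 for IPv6), then one flush per family.
gen_simpleacl_script() {
  ttl=$1; prefix=${2:-blk}; n=0; have4=0; have6=0
  while IFS= read -r entry; do
    case "$entry" in ''|'#'*) continue ;; esac
    n=$((n + 1))                         # rule names must be unique: blk1, blk2, ...
    if is_ipv4 "$entry"; then
      printf 'add ns simpleacl %s%d DENY -srcIP %s -TTL %d\n' "$prefix" "$n" "$entry" "$ttl"
      have4=1
    elif is_ipv6 "$entry"; then
      printf 'add ns simpleacl6 %s%d DENY -srcIPv6 %s -TTL %d\n' "$prefix" "$n" "$entry" "$ttl"
      have6=1
    else
      printf '# skipped unparsable entry: %s\n' "$entry"   # never emit a half-formed rule
    fi
  done <<EOF
$BLOCKLIST
EOF
  [ "$have4" -eq 1 ] && printf 'flush simpleacl -estSessions\n'
  [ "$have6" -eq 1 ] && printf 'flush simpleacl6 -estSessions\n'
  return 0
}

gen_simpleacl_script 600 blk
```

Because every generated rule carries a TTL, the rules expire and are not saved with the configuration, so a refreshed list is applied by re-running the generator rather than by editing rules (simple ACLs cannot be modified in place).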

CLI procedures

To terminate all established IPv4 connections that match any of your configured simple ACLs by using the CLI:

At the command prompt, type:

  • flush simpleacl -estSessions

To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the CLI:

At the command prompt, type:

  • flush simpleacl6 -estSessions

GUI procedures

To terminate all established IPv4 connections that match any of your configured simple ACLs by using the GUI:

  1. Navigate to System > Network > ACLs.
  2. On the Simple ACLs tab, in the Action list, click Flush.

To terminate all established IPv6 connections that match any of your configured simple ACL6s by using the GUI:

  1. Navigate to System > Network > ACLs.
  2. On the Simple ACL6s tab, in the Action list, click Flush.