Access-lists

NetScaler also supports traditional access lists, of which four types can be defined. All four let you specify a protocol, but simple ACLs only support TCP/UDP, whereas extended ACLs accept a long list of protocols such as EGP, ICMP, GRE, and so on:

  • Simple ACL, which defines only DENY rules for source IP addresses.
  • Simple ACL6, which defines only DENY rules for source IPv6 addresses.
  • Extended ACL, which allows us to define DENY/ALLOW/BRIDGE rules for source IP, source IP range, destination IP, and destination IP range. It also allows us to configure the source MAC and destination MAC.
  • Extended ACL6, which allows us to define DENY/ALLOW/BRIDGE rules for source IPv6, source-range and destination IPv6, and destination IPv6-range. It also allows us to configure the source MAC and destination MAC.

Simple ACLs are held only in memory and do not appear in the running configuration. When we define a simple ACL, it has a TTL of eight seconds, after which it expires and is deleted. Simple ACLs are very memory-efficient and should therefore be used only to block individual IP addresses for a period of time.

Extended ACLs do not have an expiration timer and give more granular control over where we want to ALLOW/DENY traffic.

An extended ACL example in the CLI might look like this:

add ns acl ext_block_bad_ip ALLOW -srcIP = 100.0.0.0-101.0.0.255 -protocol TCP -priority 10

By default, an ACL is not active; this can be seen by running show acl and checking the effective status. To apply an ACL, we need to append the -kernelstate APPLIED parameter to the end of the command. It is also important to remember that NetScaler packet processing evaluates a packet against any simple ACLs first, and only then against the extended ACLs.

Note

In order to see the status of the ACL we can use the CLI command:

show acl