NetScaler also supports traditional access lists, of which we can define four types. All of them have the option to specify a protocol, but simple ACLs support only TCP/UDP, while extended ACLs accept a long list of protocols such as EGP, ICMP, GRE, and so on:
Simple ACLs are stored only in memory and do not appear in the running configuration. When we define a simple ACL, it has a TTL of eight seconds, after which it expires and is deleted. Simple ACLs are very memory-efficient and should therefore be used only to block out single IP addresses for a period of time.
Extended ACLs have no expiration timer and give more granular control over where we want to ALLOW/DENY traffic.
An extended ACL example in the CLI might look like this:
add ns acl ext_block_bad_ip ALLOW -srcIP = 100.0.0.0-101.0.0.255 -protocol TCP -priority 10
By default, an ACL is not active; this can be seen by running show ns acl and checking its effective status. In order to apply an ACL, we need to append the -kernelstate APPLIED parameter to the end of the command. It is, however, important to remember that NetScaler's packet processing evaluates a packet against any simple ACLs first, before it is evaluated against the extended ACLs.
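To make the evaluation order concrete, here is an added Python model of how the ACLs above are processed; it is example code written for this page, not Citrix's or the NetScaler packet engine's code. It parses a few constructed `add ns acl` / `add ns simpleacl` lines in the syntax shown above, drops rules that are not applied or whose TTL has run out, checks simple ACLs before extended ones, and orders extended ACLs by priority. The details that the text does not state are model assumptions, marked in the comments: first match wins, a lower -priority value is evaluated first, a packet matching no rule is allowed, and a simple ACL without -TTL expires after the eight seconds the text mentions.

```python
"""Toy model of NetScaler ACL evaluation order (added example; not Citrix code).

Model assumptions (not stated on the page): first matching rule wins; extended
ACLs are evaluated in ascending -priority value; a packet that matches no rule is
allowed; a simple ACL without -TTL expires after 8 seconds, as the text states.
"""
import ipaddress
import shlex


def parse_ip_range(text):
    """'100.0.0.0-101.0.0.255' or a single '10.0.0.5' -> (low, high) as ints."""
    low, _, high = text.partition("-")
    high = high or low
    return int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))


class Acl:
    def __init__(self, kind, name, action, created, opts):
        self.kind = kind            # "acl" (extended) or "simpleacl"
        self.name = name
        self.action = action        # ALLOW / DENY as written on the CLI line
        self.created = created      # time the rule was added (seconds)
        self.negate = False         # True when the operator is "!="
        self.src = None             # (low, high) source range, or None for any
        vals = list(opts.get("srcip") or [])
        if vals and vals[0] in ("=", "!="):
            self.negate = vals.pop(0) == "!="
        if vals:
            self.src = parse_ip_range(vals[0])
        self.protocol = (opts.get("protocol") or ["ANY"])[0].upper()
        # Model assumption: rules without -priority are evaluated last.
        self.priority = int((opts.get("priority") or ["999999"])[0])
        # The text says an ACL is inactive until -kernelstate APPLIED is given.
        self.applied = (opts.get("kernelstate") or [""])[0].upper() == "APPLIED"
        self.ttl = None
        if kind == "simpleacl":
            if "protocol" in opts and self.protocol not in ("TCP", "UDP"):
                raise ValueError("simple ACLs only support TCP/UDP")
            self.ttl = float((opts.get("ttl") or ["8"])[0])  # 8 s default per the text

    def expired(self, now):
        return self.ttl is not None and now - self.created >= self.ttl

    def matches(self, src, proto):
        if self.src is not None:
            in_range = self.src[0] <= src <= self.src[1]
            if in_range == self.negate:      # "=" needs in_range, "!=" needs not
                return False
        return self.protocol in ("ANY", proto)


def parse_acl(line, now=0.0):
    """Parse one `add ns acl` / `add ns simpleacl` line into an Acl."""
    tok = shlex.split(line)
    if len(tok) < 5 or tok[:2] != ["add", "ns"] or tok[2] not in ("acl", "simpleacl"):
        raise ValueError("not an ACL definition: %r" % line)
    opts, i = {}, 5
    while i < len(tok):
        if not tok[i].startswith("-"):
            raise ValueError("unexpected token %r" % tok[i])
        key, i, vals = tok[i][1:].lower(), i + 1, []
        while i < len(tok) and not tok[i].startswith("-"):   # IP ranges never start with "-"
            vals.append(tok[i])
            i += 1
        opts[key] = vals
    return Acl(tok[2], tok[3], tok[4].upper(), now, opts)


def evaluate(acls, src_ip, protocol, now=0.0):
    """Return (action, acl_name) for a packet; simple ACLs are checked before extended."""
    src = int(ipaddress.IPv4Address(src_ip))
    proto = protocol.upper()
    live = [a for a in acls if a.applied and not a.expired(now)]
    simple = [a for a in live if a.kind == "simpleacl"]
    extended = sorted((a for a in live if a.kind == "acl"), key=lambda a: a.priority)
    for acl in simple + extended:
        if acl.matches(src, proto):
            return acl.action, acl.name
    return "ALLOW", None   # model assumption: no matching rule means the packet passes


# Constructed sample configuration; names and addresses are made up for the example.
SAMPLE_CONFIG = [
    "add ns simpleacl block_scanner DENY -srcIP 100.0.0.7 -TTL 60 -kernelstate APPLIED",
    "add ns acl ext_block_bad_ip ALLOW -srcIP = 100.0.0.0-101.0.0.255 -protocol TCP -priority 10 -kernelstate APPLIED",
    "add ns acl deny_rest DENY -srcIP = 100.0.0.0-101.0.0.255 -priority 20 -kernelstate APPLIED",
    "add ns acl not_applied DENY -srcIP = 10.0.0.0-10.255.255.255 -priority 5",
]


def demo():
    """Run a few constructed packets through the sample configuration."""
    acls = [parse_acl(line, now=0.0) for line in SAMPLE_CONFIG]
    return {
        "scanner_t0": evaluate(acls, "100.0.0.7", "tcp", now=0.0),     # simple ACL wins
        "scanner_t61": evaluate(acls, "100.0.0.7", "tcp", now=61.0),   # simple ACL expired
        "udp_in_range": evaluate(acls, "100.5.5.5", "udp", now=0.0),   # falls through to deny_rest
        "tcp_in_range": evaluate(acls, "100.5.5.5", "tcp", now=0.0),   # priority 10 allow
        "unapplied": evaluate(acls, "10.1.2.3", "tcp", now=0.0),       # rule never applied
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-13s -> %s" % (case, result))
```

The `scanner_t0` / `scanner_t61` pair shows the point the text makes about TTLs: the simple ACL blocks the address immediately, but once it expires the same packet is judged by the extended ACLs only, where the broad ALLOW at priority 10 lets it through. The `unapplied` case shows why checking the effective status matters: a DENY that was never applied has no effect at all.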