[f-nsp] [4G SSL] ACLs flow-based Vs rule-based
Youssef Ghorbal
Youssef.Ghorbal at netplus.fr
Fri May 1 08:44:59 EDT 2009
Hello,
We are migrating a ServerIronXL to a 4G SSL box. Both act in L3 mode
(they are "routers" and not "switches").
In the ServerIronXL we used to have an ACL on the uplink interface of
the box. Something like:
interface ethernet 1
ip access-group ALL-IN in
The ACL is applied on the ethernet interface and not on VE.
In the 4G SSL box, the ip access-group command does not exist in the
"interface ethernet 1" context. But it does in the VE context (ip
interface ve 1).
It seems that ACLs apply on a per-VLAN basis now.
Also, in the documentation, a distinction is made between flow-based
ACLs and rule-based ACLs, but I can't see the real difference between
the two. In which case is it useful to do flow-based ACLs and in
which is it not?
My problem is this:
In the past we used to have a "big" ACL applied on the uplink port.
The big ACL contains rules regarding all subnets (VEs) configured on
the ServerIronXL.
On the 4G SSL, ACLs are applied on VE basis. And I have to choose to
use rule-based or flow-based ACLs.
Should I keep the big ACL and apply it to all VE interfaces?
Should I make an ACL per VE? (divide the big ACL into little ones)
Should I activate flow-based ACLs or rule-based ones? It would be
nice if someone could explain to me the exact difference between them.
Regards,
Youssef Ghorbal