[f-nsp] [4G SSL] ACLs flow-based Vs rule-based
Ryan DeBerry
rdeberry at gmail.com
Fri May 1 09:59:31 EDT 2009
What version of code are you running?
On Fri, May 1, 2009 at 12:44 PM, Youssef Ghorbal <Youssef.Ghorbal at netplus.fr> wrote:
> Hello,
>
> We are migrating a ServerIronXL to a 4G SSL box. Both act in L3 mode
> (they are "routers" and not "switches").
> In the ServerIronXL we used to have an ACL on the uplink interface
> of the box. Something like :
>
> interface ethernet 1
> ip access-group ALL-IN in
>
> The ACL is applied on the ethernet interface and not on a VE.
> In the 4G SSL box, the ip access-group command does not exist in the
> "interface ethernet 1" context, but it does in the VE context (ip interface ve
> 1).
> It seems that ACLs now apply on a per-VLAN basis.
>
> Also, in the documentation, a distinction is made between
> flow-based ACLs and rule-based ACLs, but I can't see the real difference
> between the two. In which case is it useful to do flow-based ACLs, and in
> which is it not?
>
> My problem is this :
> In the past we used to have a "big" ACL applied on the uplink port.
> The big ACL contains rules regarding all subnets (VEs) configured on the
> ServerIronXL
> On the 4G SSL, ACLs are applied on VE basis. And I have to choose to
> use rule-based or flow-based ACLs.
>
> Should I keep the big ACL and apply it to all VE interfaces?
> Should I make an ACL per VE? (divide the big ACL into little ones)
> Should I activate flow-based ACLs or rule-based ones? It would be
> nice if someone could explain to me the exact difference between them.
>
> Regards,
> Youssef Ghorbal
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
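The second option Youssef lists, dividing the big ACL into one ACL per VE, can be done mechanically, and the part that is easy to get wrong by hand is deciding which entries belong to every piece. The script below is an added example for this thread, not code from the list, from Youssef, or from Foundry. It works on a constructed sample ACL in a simplified extended-ACL syntax (hypothetical addresses), attributes each entry to the VE whose subnet contains its destination, and replicates entries whose destination is "any" or falls outside every VE subnet into all of the per-VE ACLs, so the trailing "deny ip any any" still closes each piece. The rendered configuration uses a generic named extended-ACL syntax that is assumed, not taken from the 4G SSL documentation; check it against the box's CLI, and verify separately whether an ACL bound "in" on a VE sees the same direction of traffic that the old uplink-port ACL filtered, since the thread leaves that open.

```python
import ipaddress

# Constructed sample data (hypothetical values, not from the post):
# the VE interfaces on the box and the subnet each one routes.
VE_SUBNETS = {
    "ve 10": ipaddress.ip_network("192.0.2.0/24"),
    "ve 20": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed "big" ACL in a simplified extended-ACL syntax:
#   <permit|deny> <proto> <src> <dst> [eq <port>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask).
BIG_ACL = [
    "permit tcp any 192.0.2.0 0.0.0.255 eq 443",
    "permit tcp any host 198.51.100.5 eq 25",
    "permit udp host 203.0.113.53 any eq 53",
    "permit icmp any any",
    "deny ip any any",
]


def parse_address(tokens, i):
    """Parse one address spec starting at tokens[i].

    Returns (network_or_None, next_index); None stands for "any".
    """
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an inverted (wildcard/host) mask after the slash,
    # so "192.0.2.0/0.0.0.255" becomes 192.0.2.0/24.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_entry(line):
    """Split one ACL line into action, protocol, source, destination, rest."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = parse_address(tokens, 2)
    dst, i = parse_address(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "rest": tokens[i:], "text": line}


def split_acl(big_acl, ve_subnets):
    """Divide one big ACL into one ordered list of entries per VE.

    An entry goes to the VE whose subnet contains its destination. Entries
    with destination "any", or with a destination that is not inside any
    single VE subnet (e.g. a prefix spanning several VEs), cannot be
    attributed to one VE and are copied into every piece; dropping them
    would silently change what the filter permits or denies. Relative
    order is preserved, so a trailing deny-all still ends every piece.
    """
    per_ve = {ve: [] for ve in ve_subnets}
    for line in big_acl:
        entry = parse_entry(line)
        targets = [ve for ve, net in ve_subnets.items()
                   if entry["dst"] is not None and entry["dst"].subnet_of(net)]
        if not targets:
            targets = list(ve_subnets)
        for ve in targets:
            per_ve[ve].append(line)
    return per_ve


def check_coverage(big_acl, per_ve):
    """True if every original entry survived into at least one per-VE ACL."""
    kept = set(line for entries in per_ve.values() for line in entries)
    return all(line in kept for line in big_acl)


def render(per_ve):
    """Render the per-VE ACLs and their bindings in an assumed generic
    named-extended-ACL syntax (verify against the target CLI)."""
    out = []
    for ve, entries in per_ve.items():
        name = "ACL-" + ve.replace(" ", "").upper()
        out.append(f"ip access-list extended {name}")
        out.extend(" " + e for e in entries)
        out.append(f"interface {ve}")
        out.append(f" ip access-group {name} in")
    return "\n".join(out)


if __name__ == "__main__":
    pieces = split_acl(BIG_ACL, VE_SUBNETS)
    assert check_coverage(BIG_ACL, pieces)
    print(render(pieces))
```

Run as-is and it prints two ACLs: ACL-VE10 carries the 443 rule, ACL-VE20 the SMTP rule, and both carry the DNS, ICMP and deny-all entries. The coverage check is the thing to keep when you do this against a real ACL: the failure mode of a manual split is an entry that ends up in no piece at all.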