If you expect to use the same MATCH criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of MATCH criteria.

MATCH criteria are based on the 5-tuple and also provide some additional criteria:
• A 5-tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection. It includes a source IP address/port number, destination IP address/port number, and the protocol in use.
• Specifying an application by name is a shorter way of representing a protocol paired with source and/or destination port(s).

MATCH criteria are organized in an ordered table of prioritized entries. A packet “scans” the entries, starting with the lowest number (which is the highest priority). As soon as the outbound packet finds an entry it matches, the scan stops and the SET action associated with that entry is performed.
The Protocol you specify determines whether the Application or Source:Destination Ports are accessible as MATCH criteria. When the column is greyed out, its contents are unavailable.
• The Application drop-down list classifies applications as Built-in, User-Defined, or user-defined Application Groups. You can also use the default, any.
The Appliance Manager filters for the application’s source or destination port.
• If you select TCP or UDP from the Protocol field, then you must specify a Source Port and a Destination Port (0 means any port):

  Source:Destination   Matches
  0:0                  any source port and any destination port
  0:100                any source port and only destination port 100
  100:0                only source port 100 and any destination port
  100:100              only source port 100 and only destination port 100

This last case (100:100) is not OR. The only way to match on 100 for either source or destination port is to use two different MATCH entries (0:100, 100:0).
• If you select any other protocol (see list below), then the Application and Source:Destination Port fields are unavailable.
If you want to reuse the same MATCH criteria across multiple maps, you can create an Access Control List (also called an Access List). An ACL is a set of one or more prioritized rules.
• The first part is the filter, as specified by the MATCH criteria. The rule only applies to a packet if all the filter criteria match.
• The second part is the action, which is either Deny or Permit:
• Deny prevents further processing of the flow by that ACL, specifically. The appliance then goes to the next entry in the policy — Route, QoS, or Optimization. For an explanatory diagram, see “Scenario #3 — Traffic matches ACL with Deny”.
• Permit allows the matching traffic flow to proceed on to the policy entry’s associated SET action(s). The default is Permit.
• When creating ACL rules, list the Deny statements first. Also, it’s best to prioritize less restrictive rules ahead of more restrictive rules.
Note: You can see a list of existing flows by going to the Monitoring menu and selecting Current Flows.
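The first-match scan, the AND semantics of a 100:100 port pair, and the Deny-first ordering described above, as an added example that is not Silver Peak code. The Flow and Entry classes, the entry numbers, and the (None, None) result for a flow that matches no entry are assumptions made for illustration; port 0 means “any”, as in the 0:100 / 100:0 notation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """The 5-tuple identifying one TCP/IP connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str          # e.g. "tcp", "udp"

@dataclass(frozen=True)
class Entry:
    """One prioritized MATCH entry; the lowest number is scanned first."""
    priority: int
    protocol: str = "any"
    src_port: int = 0      # 0 means any port, as in the 0:100 / 100:0 notation
    dst_port: int = 0
    action: str = "permit" # "permit" or "deny"

def matches(entry: Entry, flow: Flow) -> bool:
    """A rule applies only if ALL its criteria match (100:100 is AND, not OR)."""
    if entry.protocol != "any" and entry.protocol != flow.protocol:
        return False
    if entry.src_port and entry.src_port != flow.src_port:
        return False
    if entry.dst_port and entry.dst_port != flow.dst_port:
        return False
    return True

def evaluate(acl: List[Entry], flow: Flow) -> Tuple[Optional[str], Optional[int]]:
    """Scan entries from the lowest number and stop at the first match.
    Returns (action, priority); (None, None) when nothing matches is an
    assumption, since the page does not define the no-match case."""
    for entry in sorted(acl, key=lambda e: e.priority):
        if matches(entry, flow):
            return entry.action, entry.priority
    return None, None

# Constructed sample ACL: the Deny is listed first, followed by the two
# entries needed to match port 100 as EITHER source OR destination.
SAMPLE_ACL = [
    Entry(10, "tcp", 100, 100, "deny"),   # only source 100 AND destination 100
    Entry(20, "tcp", 0, 100),             # any source, destination 100
    Entry(30, "tcp", 100, 0),             # source 100, any destination
]
```

A flow with source port 100 and destination 443 does not match the 100:100 entry and falls through to entry 30, which is why two entries are needed to cover either port.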
Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.