Building Policy Maps : How Policies and ACLs Filter Traffic
How Policies and ACLs Filter Traffic
The following three scenarios illustrate how policies and ACLs interact to isolate flows:
Scenario #1 — Policy with no ACLs in MATCH Criteria
Scenario #2 — Traffic matches ACL with Permit
Scenario #3 — Traffic matches ACL with Deny
It’s important to remember that ACLs are only applied when called out for use in a policy’s MATCH criteria.
w
Scenario #1 — Policy with no ACLs in MATCH Criteria
w
Scenario #2 — Traffic matches ACL with Permit
a
The traffic comes to entry 30 in the policy, where ACL-1 defines the MATCH criteria.
ACL-1 has three rules.
b
The traffic doesn’t match ACL Rule 10, but it does match ACL Rule 20.
c
ACL Rule 20 has a Permit action, so the appliance applies the SET actions for Policy entry 30.
w
Scenario #3 — Traffic matches ACL with Deny
a
The traffic arrives at entry 30 in the policy, where ACL-2 is the MATCH criteria.
ACL-2 has three rules.
b
The traffic doesn’t match ACL Rule 10, but it does match ACL Rule 20.
c
ACL Rule 20 has a Deny action, so it prevents further processing of that ACL. Traffic looks for a match with the next policy entry.
d
No other user-configured policy entries fit, so the Default entry processes the traffic.
Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.