6-88
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 6 Configuring Virtual Contexts
Configuring Security with ACLs

Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.

Procedure

Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > ACLs.
• To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > ACLs.
The ACLs table appears, listing the existing ACLs.

Step 2 In the ACLs table, click Add. The New Access List configuration window appears.

Step 3 In the ACL Properties pane, do the following:
a. In the Name text box, enter the ACL name.
b. For the Type, choose Ethertype.
c. For the IP Address Type, choose IPv4. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
Note You cannot use IPv6 with an Ethertype ACL.

Step 4 Choose one of the following radio buttons:
• Deny to indicate that the ACE is to block connections.
• Permit to indicate that the ACE is to allow connections.

Step 5 In the Protocol field, choose one of the following from the drop-down list for this ACL:
• Any—Specifies any EtherType.
• BPDU—Specifies bridge protocol data units. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops. For information about configuring redundancy, see the “Understanding ACE Redundancy” section on page 13-6.
• IPv6—Specifies Internet Protocol version 6.
• MPLS—Specifies Multi-Protocol Label Switching. The MPLS selection applies to both MPLS unicast and MPLS multicast traffic. If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.

Step 6 Click Add to Table and add one or more ACL entries if required, repeating Steps 4 and 5 as needed.

Step 7 (Optional) Associate any VLAN interface to this ACL if required and do one of the following:
• Click Deploy to immediately deploy this configuration. This option appears for virtual contexts.
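The deny-by-default rule from the Note and the entry types from Steps 4 and 5, modelled as an added Python example; this is not ANM or ACE code. It assumes a simplified frame model (a `Frame` type, IPv6 and MPLS identified by their registered EtherType values, BPDUs identified as IEEE 802.2 LLC frames with DSAP 0x42 rather than the Cisco trunk BPDUs the guide mentions) and evaluates only the EtherType ACL in isolation; the redundancy check for BPDUs on both interfaces is this example's own helper.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registered EtherType values; BPDUs are not EtherType frames but 802.2 LLC
# frames with DSAP/SSAP 0x42, so they are classified separately (assumption).
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
LLC_DSAP_STP = 0x42

# One ACL entry as built in Steps 4 and 5: ("permit" | "deny", protocol),
# where protocol is one of "any", "bpdu", "ipv6", "mpls".
Entry = Tuple[str, str]

@dataclass(frozen=True)
class Frame:
    """Constructed frame: ethertype is None for 802.3 length/LLC frames."""
    ethertype: Optional[int] = None
    llc_dsap: Optional[int] = None

def classify(frame: Frame) -> str:
    """Map a frame to the protocol names an EtherType ACL entry can select."""
    if frame.ethertype is None:
        return "bpdu" if frame.llc_dsap == LLC_DSAP_STP else "other"
    if frame.ethertype == ETHERTYPE_IPV6:
        return "ipv6"
    if frame.ethertype in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        return "mpls"   # the MPLS selection covers unicast and multicast
    return "other"

def evaluate(acl: List[Entry], frame: Frame) -> str:
    """First matching entry decides; no match means deny (the implicit deny)."""
    kind = classify(frame)
    for action, proto in acl:
        if proto == "any" or proto == kind:
            return action
    return "deny"

def interfaces_blocking_bpdu(acls_by_interface):
    """Redundancy check from Step 5: list interfaces whose ACL would drop
    BPDUs, since both interfaces of a redundant pair must permit them."""
    bpdu = Frame(llc_dsap=LLC_DSAP_STP)
    return sorted(name for name, acl in acls_by_interface.items()
                  if evaluate(acl, bpdu) != "permit")

if __name__ == "__main__":
    acl = [("permit", "bpdu"), ("permit", "mpls")]   # constructed sample ACL
    print(evaluate(acl, Frame(ethertype=ETHERTYPE_IPV6)))  # deny: IPv6 not listed
    print(interfaces_blocking_bpdu({"vlan100": acl, "vlan200": [("permit", "mpls")]}))
```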