How to limit traffic to Netscaler 10.5 VIP
I want to permit a few dozen IP hosts, subnets and IP address ranges to a VIP. Citrix documentation gives no example of a range.
Can someone provide an example creating an ACL to limit access to one VIP to a host, a subnet and a range? Thank you.
Also are there any performance gotchas regarding implementing ACLs on Netscaler?
https://docs.citrix.com/en-us/netscaler/11/networking/access-control-lists-acls/extended-acls-and-extended-acl6s.html
Thank you very much.
On a related note - have you ever tried listener policies to achieve the same effect? Better or worse than overall ACL?
ACLs need to be on a src --> dest IP basis.
Listener or Responder policies target anything passing through them. For example, create these policies:

> add responder policy "DropEverything" TRUE DROP
> add responder policy "AllowCertainIPs" q/CLIENT.IP.SRC.EQ(1.2.3.4) || CLIENT.IP.SRC.EQ(4.3.2.1)/ NOOP

Then bind these two responder policies to your vServer(s) that you want to lock down, with the 'DropEverything' policy being at a lower priority (i.e. bigger priority number) than the 'AllowCertainIPs' policy.

It tends to be similar goals, but normally if src and dest are specific, an ACL can be considered; otherwise the policies will be straightforward. Performance should not be an issue as the consideration is easier. Actually, processing is faster for the policy compared to the ACL, typically due to the "lesser" fields to inspect or peek at in the traffic packet.
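The question asks for a host, a subnet and a range in one allow list, and the answer above shows only the two-host responder-policy form. The script below is an added example (not from the thread or from Citrix) that takes those three entry forms, renders both the responder-policy rule and the equivalent extended ACL lines, and simulates the priority ordering of the two bound policies so the "bigger number = evaluated later" rule can be checked before touching an appliance. Assumptions: CLIENT.IP.SRC.EQ is taken from the answer; the CLIENT.IP.SRC.IN_SUBNET operator, the `add ns acl` / `apply ns acls` / `bind lb vserver` syntax, and the use of `-gotoPriorityExpression END` are written from general NetScaler CLI usage and should be checked against the docs for your firmware; the VIP address, vserver name and the allow list itself are constructed placeholders.

```python
"""Allow-list modelling for a NetScaler VIP: responder-policy rule, extended ACL lines,
and a simulation of bound-policy priority order. Added example; command syntax beyond
the two 'add responder policy' lines in the answer is an assumption."""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

# Constructed sample allow list: one host, one subnet, one range (the three forms asked about).
ALLOW_LIST = ["1.2.3.4", "10.0.0.0/24", "10.0.1.10-10.0.1.20"]
VIP = "192.0.2.10"          # placeholder VIP address (documentation range)
VSERVER = "lb_vs_example"   # placeholder vserver name


def parse_entry(text):
    """Return an IPv4Address, an IPv4Network, or a (first, last) tuple for one entry."""
    text = text.strip()
    if "-" in text:
        lo, hi = (IPv4Address(p.strip()) for p in text.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {text}")
        return (lo, hi)
    if "/" in text:
        return IPv4Network(text, strict=True)  # strict: reject host bits set in the prefix
    return IPv4Address(text)


def as_range(entry):
    """Every entry form collapses to a first/last pair, which is what an ACL srcIP field takes."""
    if isinstance(entry, IPv4Address):
        return (entry, entry)
    if isinstance(entry, IPv4Network):
        return (entry.network_address, entry.broadcast_address)
    return entry


def is_allowed(client_ip, entries):
    """Reference check: is the client source address inside any allow-list entry?"""
    ip = IPv4Address(client_ip)
    return any(lo <= ip <= hi for lo, hi in map(as_range, entries))


def policy_terms(entry):
    """Policy-expression terms. EQ is as on the page; IN_SUBNET is an assumed operator.
    A range is split into CIDR blocks so that only IN_SUBNET is needed for it."""
    if isinstance(entry, IPv4Address):
        return [f"CLIENT.IP.SRC.EQ({entry})"]
    if isinstance(entry, IPv4Network):
        return [f"CLIENT.IP.SRC.IN_SUBNET({entry})"]
    lo, hi = entry
    return [f"CLIENT.IP.SRC.IN_SUBNET({net})" for net in summarize_address_range(lo, hi)]


def allow_expression(entries):
    """OR all terms together, exactly like the two-host rule in the answer."""
    return " || ".join(term for e in entries for term in policy_terms(e))


def responder_commands(vserver, entries, allow_priority=100, drop_priority=110):
    """Two responder policies plus bindings (bind/goto syntax assumed).
    AllowCertainIPs must carry the smaller priority number so it is evaluated first."""
    return [
        f"add responder policy AllowCertainIPs q/{allow_expression(entries)}/ NOOP",
        "add responder policy DropEverything TRUE DROP",
        f"bind lb vserver {vserver} -policyName AllowCertainIPs -priority {allow_priority} "
        "-gotoPriorityExpression END -type REQUEST",
        f"bind lb vserver {vserver} -policyName DropEverything -priority {drop_priority} "
        "-gotoPriorityExpression END -type REQUEST",
    ]


def acl_commands(vip, entries):
    """Extended ACL form (syntax assumed): one ALLOW per entry scoped to the VIP as destination,
    then a catch-all DENY for the VIP at a larger priority number, then apply."""
    cmds = []
    for i, (lo, hi) in enumerate(map(as_range, entries), start=1):
        src = str(lo) if lo == hi else f"{lo}-{hi}"
        cmds.append(f"add ns acl allow_vip_{i} ALLOW -srcIP = {src} -destIP = {vip} -priority {i * 10}")
    cmds.append(f"add ns acl deny_vip_rest DENY -destIP = {vip} -priority {len(entries) * 10 + 10}")
    cmds.append("apply ns acls")  # extended ACLs take effect only after apply
    return cmds


def decide(client_ip, entries, allow_priority=100, drop_priority=110):
    """Simulate the bound chain: policies are walked in ascending priority number,
    the first rule that matches decides. Swapping the numbers drops everyone."""
    chain = [
        (allow_priority, "NOOP", lambda ip: is_allowed(ip, entries)),
        (drop_priority, "DROP", lambda ip: True),
    ]
    for _, action, rule in sorted(chain, key=lambda t: t[0]):
        if rule(client_ip):
            return action


if __name__ == "__main__":
    entries = [parse_entry(e) for e in ALLOW_LIST]
    print("\n".join(responder_commands(VSERVER, entries)))
    print("\n".join(acl_commands(VIP, entries)))
    for ip in ("10.0.1.15", "8.8.8.8"):
        print(ip, "->", decide(ip, entries))
```

The `decide` function is the part worth running before a change window: a mis-ordered binding (DropEverything with the smaller number) returns DROP for every client, which is exactly the outage the answer's "bigger priority number" remark is guarding against. Splitting the range into CIDR blocks keeps the responder rule to operators already common on the platform, at the cost of a longer expression for ranges that do not align to power-of-two boundaries.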