Enabling acl logging, Preventing web objects from being cached – Cabletron Systems SmartSwitch User Manual


Chapter 17: Access Control List Configuration Guide

268

SmartSwitch Router User Reference Manual

and a destination address of 1.2.3.4) from being redirected to a cache server. Packets that
match the profile’s selection criteria are sent to the Internet instead.

ssr(config)# web-cache policy1 deny hosts profile prof4

When the Web caching policy is applied to an interface (with the web-cache apply
interface command), HTTP traffic with a source address of 10.10.10.10 and a destination
address of 1.2.3.4 goes to the Internet instead of to the cache servers.

Preventing Web Objects From Being Cached

You can also use a Profile ACL to prevent certain Web objects from being cached. For
example, you can specify that information in packets originating from Internet site 1.2.3.4
and destined for local host 10.10.10.10 not be sent to the cache servers. The following
commands illustrate this example.

This command creates a Profile ACL called prof5 that uses as its selection criteria all
packets with a source address of 1.2.3.4 and a destination address of 10.10.10.10:

ssr(config)# acl prof5 permit ip 1.2.3.4 10.10.10.10

To have packets matching Profile ACL prof5’s selection criteria bypass the cache servers,
use the following command:

ssr(config)# web-cache policy1 create bypass-list profile prof5

When the Web caching policy is applied to an interface, information in packets originating
from source address 1.2.3.4 and destined for address 10.10.10.10 is not sent to the cache
servers.

See “Web Caching” on page 240 for more information on using the web-cache command.

Enabling ACL Logging

To see whether incoming packets are permitted or denied because of an ACL, you can
enable ACL Logging when applying the ACL. When ACL Logging is turned on, the
router prints out a message on the console about whether a packet is forwarded or
dropped. If you have a Syslog server configured for the SSR, the same information will
also be sent to the Syslog server.

Before enabling ACL Logging, you should consider its impact on performance. With ACL
Logging enabled, the router prints out a message at the console before the packet is
actually forwarded or dropped. Even if the console is connected to the router at a high
baud rate, the delay caused by the console message is still significant. This can get worse if
the console is connected at a low baud rate, for example, 1200 baud. Furthermore, if a
Syslog server is configured, then a Syslog packet must also be sent to the Syslog server,
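The decision the Web caching policy makes for the prof4 (deny hosts) and prof5 (bypass-list) profiles described above, modelled in Python as an added example; this is not Cabletron or SSR code. It assumes exact-host ACL matching, parses only the "acl NAME permit PROTO SRC DST" form used on this page, and the prof4 ACL line is constructed from the page's prose description since the page shows only the prof5 line.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"  # web caching only deals with HTTP, i.e. TCP


def addr_matches(pattern, addr):
    """'any' matches every address; otherwise exact host match.
    Model simplification: real SSR ACLs also take masks, which are not handled."""
    return pattern == "any" or ip_address(pattern) == ip_address(addr)


def parse_acl(line):
    """Parse 'acl NAME permit PROTO SRC DST [...]' (an optional 'ssr(config)#'
    prompt is stripped) into (NAME, (PROTO, SRC, DST)); trailing port fields,
    if present, are ignored by this simplified model."""
    parts = line.replace("ssr(config)#", "").split()
    _, name, _action, proto, src, dst = parts[:6]
    return name, (proto, src, dst)


def profile_matches(profile, pkt):
    """'ip' matches any protocol; otherwise the protocol must match too."""
    proto, src, dst = profile
    return (proto in ("ip", pkt.proto)
            and addr_matches(src, pkt.src) and addr_matches(dst, pkt.dst))


def cache_decision(pkt, deny_hosts, bypass_list, profiles):
    """Return 'internet' if the packet is sent past the cache servers, 'cache'
    if it is redirected. deny_hosts holds profiles attached with
    'web-cache <policy> deny hosts profile', bypass_list those attached with
    'web-cache <policy> create bypass-list profile'."""
    for name in deny_hosts + bypass_list:
        if profile_matches(profiles[name], pkt):
            return "internet"
    return "cache"


def demo():
    # prof5 is the page's own command; the prof4 line is constructed from the
    # page's description (HTTP from 10.10.10.10 to 1.2.3.4).
    profiles = dict([parse_acl("acl prof4 permit tcp 10.10.10.10 1.2.3.4"),
                     parse_acl("ssr(config)# acl prof5 permit ip 1.2.3.4 10.10.10.10")])
    policy1 = dict(deny_hosts=["prof4"], bypass_list=["prof5"], profiles=profiles)
    return {"client->site": cache_decision(Packet("10.10.10.10", "1.2.3.4"), **policy1),
            "site->client": cache_decision(Packet("1.2.3.4", "10.10.10.10"), **policy1),
            "other client": cache_decision(Packet("10.10.10.20", "1.2.3.4"), **policy1)}
```

Note that the two profiles match opposite directions: prof4 selects the client's request toward the site, while prof5 selects traffic coming back from the site to the local host.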